Cyber security case study: Bitsadmin ioc

Here’s a case study for anyone studying to move into cyber security or any existing cyber security analysts that want to look for this attack within their own environment, as it is a very recent attack. This post focuses only on identifying the attack and determining the scope of how many users and devices have been compromised before sending the information to the relevant teams for remediation.

For those simply wanting to check for this attack within their own environment, skip to the very bottom for a roundup of IOCs.

Detection:

One of our endpoint security systems alerted on a Bitsadmin indicator of compromise. Our endpoint security tool gives the following description… “Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.”

As I’m sure is the case for most organisations, we have a lot of false positives created by all our tools and so the first thing we want to do is try and verify if this is a genuine alert that needs to be investigated or a false positive. The endpoint tool includes the command line arguments for when this process was executed and so that is the first piece of evidence I look at… (some info has been censored for confidentiality and privacy reasons)

[Image: bitsadmin1]

That looks a bit small so if you’re unable to read that properly, the main thing I’m focusing on here is this section…

[Image: bitsadmin2]

If the download had been some internal file on our own network that I could verify I wouldn’t be too worried after some verification. However as this is downloading something from an external source it is worth some investigation into what is being downloaded.

Running this site through Symantec site review shows the URL is categorized as a security risk and so is a known malicious site.  This is enough information for me to treat this as a genuine alert and not a false positive, as a download has occurred from a malicious site.
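The same first-pass check (is this bitsadmin, where is it downloading from, is it setting up persistence, which user is involved) can be run over exported process command lines. This is an added example, not the endpoint tool's own logic; the internal suffix `.corp.example`, the sample command lines and the function names are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: DNS suffixes your organisation treats as internal download sources.
INTERNAL_SUFFIXES = (".corp.example",)

BITSADMIN_RE = re.compile(r"\bbitsadmin(?:\.exe)?\b(.*)", re.IGNORECASE | re.DOTALL)
SWITCH_RE = re.compile(r"(?<!\S)/([A-Za-z]+)")          # /transfer, /setnotifycmdline, ...
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
USER_RE = re.compile(r"\\Users\\([^\\\s]+)\\", re.IGNORECASE)


def is_internal(host):
    """True for private IPs, single-label names and hosts under an internal suffix."""
    host = host.lower().rstrip(".")
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        pass
    return "." not in host or host.endswith(INTERNAL_SUFFIXES)


def triage_bitsadmin(cmdline):
    """Return findings for one command line, or None if bitsadmin is not invoked."""
    match = BITSADMIN_RE.search(cmdline)
    if not match:
        return None
    args = match.group(1)
    switches = {s.lower() for s in SWITCH_RE.findall(args)}
    external = [u for u in URL_RE.findall(args)
                if not is_internal(urlsplit(u).hostname or "")]

    reasons = []
    if external:
        direction = "upload to" if "upload" in switches else "download from"
        reasons.append(direction + " external host")
    if "setnotifycmdline" in switches:
        reasons.append("setnotifycmdline persistence")

    # The user profile path in the destination often identifies the affected user.
    user = USER_RE.search(cmdline)
    return {
        "user": user.group(1) if user else None,
        "switches": sorted(switches),
        "external_urls": external,
        "reasons": reasons,          # empty list = nothing to review on this line
    }


# Constructed sample command lines (not taken from the incident).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\bitsadmin.exe /transfer job1 /download /priority high "
    r"http://downloads.example.net/a.exe C:\Users\jdoe\AppData\Local\Temp\a.exe",
    r"bitsadmin /transfer patch http://files.corp.example/patch.msi C:\Temp\patch.msi",
    r"bitsadmin /SetNotifyCmdLine job1 C:\Users\jdoe\AppData\Local\Temp\a.exe NULL",
    r"C:\Windows\System32\notepad.exe C:\notes.txt",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage_bitsadmin(event))
```

An external URL found this way still needs the reputation check described above before the alert is treated as genuine.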

Analysis:

Using the endpoint tool, and looking at the processes running on the device and files created around the time of the alert, I can see an email was opened just prior to the alert being triggered. For this reason, I use our email security system to investigate what emails the user (identified from the command line argument) has received shortly before the alert was triggered.

Looking through the emails received by this user, one stands out as suspicious. Looking into the details of the email I can see a link contained within the email that looks suspicious and requires further investigation.

[Image: bitsadmin3]

Checking this URL in Symantec site review also shows that it is malicious. (note if Symantec didn’t say this was malicious, I would carry out my own analysis to confirm).

Reviewing the endpoint tools it looks as though, when the URL within the email is clicked, it downloads an xlsx file, which in turn runs a PowerShell script which in turn uses bitsadmin to download the payload.

At this point, I want to determine every user that has potentially been infected so their devices can be remediated. In order to do this, I want to compile a full list of emails received, a full list of the URLs contained within the emails and a full list of the URLs that bitsadmin has downloaded payloads from.

Emails:

In order to determine all the emails received I follow the processes laid out here…

To be a Cyber Security Analyst – Emails

And also here…

To be a Cyber Security Analyst – Web interaction tracking

After following these processes, it was noticed that despite emails having different subject lines and having been sent from different senders, all the URLs contained within the emails ended with “order-status-fulfilled”. Knowing this allowed us to generate a list of potentially affected users.

Using this list of affected users and analysing the web proxy logs and endpoint tools, we also determine that despite the very large number of URLs contained within the emails, there are only 3 URLs that bitsadmin attempts to download from.

[Image: bitsadmin4]

IOC ROUNDUP:

This attack was executed between the 8th and 12th October 2018.

To check for this attack within your own environment, check your proxy logs or web interaction tracking tools for connections to URLs ending with “order-status-fulfilled”.

Also check for connections to any of the following… (note, I believe these sites are currently down, but check your historical logs)

[Image: bitsadmin4]

To be a Cyber Security Analyst – Web interaction tracking

In my previous post To be a Cyber Security Analyst – email security tools I talked about using your email security tool to hunt down malicious emails from a campaign using subject lines and sender addresses. In this post I want to talk about a feature of IronPort (Cisco’s email security appliance) and most likely other email security systems called “Web interaction tracking” which will let us use links contained within emails, and patterns within those links, to identify other emails in a malicious campaign, even if the sender and subject lines are different.

What web interaction tracking does is tell you if any of the links that were contained in emails received through your email security system have been clicked. It also tells you if those clicks were successful, or if they were blocked.

So how can this help us identify emails in a campaign with different subject lines and senders? Well as before, let’s use a real life example in a case where I used this technique. (with details omitted for privacy and confidentiality)

So in our case we detected the following malicious email with subject line…

“Mr , Confirmation of your Package 18B5528 Mr , Confirmation of your Package 18B5528”

And the sender was  lewis.******@***kahanddavid.com

[Image: webint1]

In the picture above I can see the recipient also sent an automated reply to the sender. Looking into the email details we find the malicious URL…

***********************com/.safetyadvicearea/09220431109-order-receipt  (I have not included the full link because I don’t want my site to be flagged up!)

So let’s see if we can use this URL to find other malicious emails that were received. To access web interaction tracking with Cisco IronPort, click “Reporting” in the tabs along the top, and then in the drop down menu select “web interaction tracking”. I have circled the options below…

[Image: webint2]

Now select the time range you would like to see the interaction tracking over, using the drop down menu in the top left corner. All you can do here is select the approximate, suspected time range of the malicious email campaign. In my case, I will go back a full week, bearing in mind this will generate many thousands of results.

[Image: webint3]

Due to the large number of results, they will need to be exported to be able to see them and manipulate them properly. Click export at the bottom right…

[Image: webint4]

OK so now we have a spreadsheet filled with every link that was clicked over X period of time, let’s search for our link by looking for URLs containing “order-receipt” (the substring at the end of the URL).

This search shows us multiple other URLs…

.com/.safetyadvicearea/07013533390-order-receipt

.com/.safetyarea/25ES-57738-order-receipt

.com/.safetyarea/00029321-order-Receipt

So from this, I notice the pattern that each URL contains this substring “.com/.”; the .com/ is usual but the . following the / is not exactly usual. And so, from this observation I search the spreadsheet again for URLs containing “.com/.” The results of this search show me 8 URLs in total. Each of these results then allows me to go back into my email search, locate the email containing the link, and once again pivot off of subject lines and senders.
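The two-stage pivot above (a shared URL ending such as “order-receipt” or “order-status-fulfilled”, then the dot-prefixed directory) can be scripted against the exported click data. This is an added example, not part of the original post: the column names `recipient`, `url` and `result`, the hostnames and the rows are constructed assumptions, and the dot-directory check generalises “.com/.” to any domain while skipping the legitimate `.well-known` directory.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample export; real column names depend on your appliance.
SAMPLE_EXPORT = """
timestamp,recipient,url,result
2024-01-10T09:12:00,alice@corp.example,http://shop-a.example.com/.safetyadvicearea/09220431109-order-receipt,allowed
2024-01-10T09:40:00,bob@corp.example,http://shop-b.example.com/.safetyadvicearea/07013533390-order-receipt,blocked
2024-01-11T11:02:00,carol@corp.example,http://shop-c.example.com/.safetyarea/25ES-57738-order-receipt,allowed
2024-01-11T11:30:00,dave@corp.example,http://shop-d.example.com/.safetyarea/00029321-order-Receipt,allowed
2024-01-12T08:15:00,erin@corp.example,http://shop-e.example.com/.secureinfo/track-8841,allowed
2024-01-12T08:20:00,frank@corp.example,https://www.example.org/news/order-receipt-faq.html,allowed
2024-01-12T08:25:00,alice@corp.example,https://intranet.corp.example/.well-known/security.txt,allowed
"""


def load_clicks(csv_text):
    """Parse the exported click report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text.strip())))


def url_path(url):
    return urlsplit(url).path.rstrip("/")


def ends_with(rows, suffix):
    """Rows whose URL path ends with the suffix, ignoring case and query strings."""
    suffix = suffix.lower()
    return [r for r in rows if url_path(r["url"]).lower().endswith(suffix)]


def dot_directory(rows, allow=(".well-known",)):
    """Rows whose first path segment starts with '.', i.e. the 'host/.' pattern."""
    hits = []
    for r in rows:
        segments = [s for s in url_path(r["url"]).split("/") if s]
        if segments and segments[0].startswith(".") and segments[0].lower() not in allow:
            hits.append(r)
    return hits


def scope(rows, suffix):
    """Pivot from a known URL ending to the wider campaign and its successful clicks."""
    by_suffix = ends_with(rows, suffix)
    known = {r["url"] for r in by_suffix}
    extra = [r for r in dot_directory(rows) if r["url"] not in known]
    campaign = by_suffix + extra
    return {
        "suffix_hits": len(by_suffix),
        "new_from_dot_dir": sorted(r["url"] for r in extra),
        "successful_clickers": sorted(
            {r["recipient"] for r in campaign if r["result"] == "allowed"}),
    }


if __name__ == "__main__":
    print(scope(load_clicks(SAMPLE_EXPORT), "order-receipt"))
```

Each URL in `new_from_dot_dir` is a lead back into message tracking, where the email that carried it gives new subject lines and senders to pivot on.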

And so that in a nutshell, is how you use web interaction tracking to hunt malicious emails in an email campaign with different subject lines and email senders.

 

To be a Cyber Security Analyst – email security tools

In my introduction to this series I mentioned that the job of a cyber security analyst is essentially to use the tools at their disposal. Following my previous few posts around dealing with malicious email campaigns, this post focuses on using your email security tool to identify these emails. Obviously the exact tool you may have when you start working in a SOC (Security Operations Center) may vary, but essentially they all mostly do the same thing with some variations in interfaces and some specific features unique to some. But the point is, if you learn how to use one security tool, then learning another is usually just a case of learning the different user interface and a couple of unique features.

IronPort

I will focus on Cisco’s email security tool in this post as that is the tool I have the most experience with. When opening IronPort you’ll be taken to this screen. In this post we are going to be concentrating on message tracking, to identify malicious emails in a campaign, using the techniques I set out in the previous few posts. To be a Cyber Security Analyst – Emails

[Image: ironport1]

Message tracking will take you to the main search screen. Let’s focus on the basic search options first, and then we will delve into the advanced search options later. As always, I’d like to approach this using a hypothetical or real situation. In this case let’s use a real attack that happened recently… (some details will be changed or hidden to protect personal information)

A user reported they have received an email that they believed looked suspicious. The email is set out to look like the user has received a voice mail and they are required to click a link within the email to listen to the message. Hovering over the link shows me the URL that it redirects to. I’m not going to share the actual link because I don’t want my site getting flagged up as containing malicious links, but I could tell from the name it wasn’t anything to do with voicemails.

The subject of the email was “Voice mail from (661)374-0699”. So at this point I have 3 pieces of information I can use to search for further activity. The subject line, the sender address and the URL within the email. Using the URL will be the subject of a later post, so let’s concentrate on the sender address and the subject line for now.

So the way I look at it, is like this… I can use the sender address to try and find out if there are multiple emails with this, or potentially different subject lines. I can use the subject line to see if there are other senders other than this one. And failing that, I can use a subsection of the subject line to see if there are other emails in the campaign with different but similar subject lines and from different senders. If you’re re-reading that thinking “what the hell did he just say?” don’t worry. I’ll break it down bit by bit.

Let’s start off searching the sender to see if there are any more emails, or if this is a one off incident…

[Image: ironport2]

Notice at the top of the screen in the image above there are 3 fields to search in. Sender, Recipient and Subject. As we are searching for any other emails from this sender I have used the “Sender” field. Obviously. To the left of each search field as well is a drop down menu with the following options, “Contains”, “Begins with” and “is”.

I am looking for other emails from this exact address but if I wanted to find other emails from senders in the same domain, in this case  @*****chamberofcommerce.com then I would have used the contains search and searched only the domain. For example instead of searching tom@gmail.com I’d search contains @gmail.com.

So the search above has shown that there are 2 emails from this sender, over the past week. The time frame can be set using the options under the search fields, either “last day”, “last week” or “custom range”. OK so I know there is more than one email involved, this is not an isolated incident.

Let’s use the Subject search to see if there are any more senders…

[Image: ironport3]

So searching on the subject line shows me that there are actually 5 senders (only 3 pictured above). So the intelligent thing to do now would be to search each of these senders individually to see if they have sent any other emails with different subject lines. It’s like pulling a thread, and we don’t want loose ends.

Note: it’s worth mentioning here by the way, I never take action against these senders other than at most, blocking them from the network. They are likely just people who have been compromised and their email accounts are being used maliciously. In a short amount of time the attackers will have moved onto different email accounts. So there’s no point emailing them harassing them for trying to hack your company.

So I searched each of the 5 senders and no new subject lines were found (these searches are not pictured as I didn’t see the point). So my last question, the only loose end, is are there any more emails with similar subject lines in this campaign. So the way I personally would go about searching for this, in this instance, would be to search a subsection of the subject. In this case, if I was an attacker and I wanted to vary my subject lines while maintaining the same method of attack, I would change the number in the voice mail.

So to search if this has happened, I will search subject contains “voice mail from (”

[Image: ironport4]

In this case, no new email subjects were found. But hopefully this gives you an idea how you can use a part of the subject line to search for variations in the subject line using the “contains” search field.

And that in a nutshell is how you use the basic search functions in an email security system to search out malicious email campaigns. There are more advanced search options as well as reports that I will go into in future posts, but hopefully if you’re not already familiar with email security systems, this has given you a little insight into what to expect.

To be a Cyber Security Analyst – emails part 3

Welcome to part 3 of this mini series, dealing with malicious emails. Written for aspiring cyber security analysts to give some insight into the thought processes and day to day life of an analyst without getting too technical.

In the previous post (To be a Cyber Security Analyst – Emails part 2 ) I talked about how I react to malicious emails sent to my network that contain malicious links or URLs. In this post I will talk about reacting to a malicious email campaign that contains malware or viruses in the form of attachments.

So as before, I am searching for the shortest path to being able to say, “we are protected against this attack”. And as before, being able to make this statement depends on answering a few questions. Each of which I will go into in more detail shortly…

  1. How many users have received emails with the malicious attachments?
  2. How many different versions of the malware are there?
  3. Does our antivirus protect us from some or all of this malware?
  4. If not, can we determine if the unprotected malware has been executed on the users’ machines?
  5. If executed, what is the impact, and has this allowed the malware to spread further across the network?

 

The order of these questions is set out to try and end the incident as quickly as possible so that I can move onto the next incident. Time is precious! And so I will not start looking into potential impacts of malware detected before I know if we are protected against it or not. Because frankly, if we are protected against a piece of malware, I don’t care what it does.

So let’s look deeper into each of the questions set out above…

How many users, how many versions.

When determining how many users have received the email and how many different versions of the malware are attached, I use a lot of the same tactics I set out in my previous post (To be a Cyber Security Analyst – Emails ). This includes but is not limited to…

  • Searching by the sender and/or sender domain
  • Searching by subject line (in part or in full)
  • Searching by patterns noticed in subject lines
  • Searching using the SHA256 (unique fingerprint) of the attachment
  • Searching using the attachment name (in part or in full)
  • Searching using patterns noticed in attachment names.
  • Using open source intelligence (posts on the net)  to find out about other versions of this malware.

Note: What do I mean by other versions? If I create malware that tells your computer to connect to my server on the internet, that can be one version of a piece of malware I create. Now what if I create the exact same piece of malware but it tells your computer to connect to a different server on the internet? Well that will have a completely different SHA256 fingerprint even though it does essentially the same thing.

In fact, some malware will have random strings (lines of text) coded into them, that change each time the malware is reproduced. And even a single letter that is different will create a completely different SHA256 fingerprint. So when I talk about different versions, I am typically talking about the same piece of malware but with similar or exactly the same behaviors.

Ok back to the topic, using the methods listed above, we now have a list of users that have received the malware, and the different versions of the malware that they have received.

Are we protected?


Always use protection! Now we have our list of different versions of the malware we have received, we can use this list to cross reference which of these our antivirus is already aware of. If all of the computers in our network have Norton Antivirus for example, and I have malware version A, B and C, I can check which of these Norton is already aware of, and protecting against.

Let’s say for our example, that our antivirus is already aware of versions A and B, but is completely unaware of version C. My first mitigating action here would be to inform Norton of this new version of the malware, so they can push out an update as soon as possible. (By the way, this stage also represents our first chance to shut this incident down early, if we are protected against all versions of the malware, there is no risk to our network).

 

Has the malware been executed?

So we know one version of the malware is currently unprotected against. We have informed our antivirus vendor of the new version, but in the meantime, we need to determine if some maniac has gone ahead and executed the malware. There are a couple of options to determine this depending on what tools you have available on your network. Some networks will give you the ability to see what files have been executed on each computer, and this makes this stage very easy, but let’s say for our example we don’t have this ability. The next possible action we can do is look for IOCs.


An IOC is an Indicator of Compromise. Something you can look for that tells you that you have been infected. If your screen goes red with a big skull and crossbones and a message appears saying “pay money into this bitcoin wallet or your files will be encrypted forever”… that’s a pretty big IOC.

Most malware though does its thing in the background, and so we need to look for clues to tell us which computers have been infected. So, we know version C is the one we need to worry about. I would look online to see if there is already some intel on this version. Let’s say for our example I find some analysis someone else has already carried out, and from this analysis I can see the malware connects to an IP address out on the internet. Great, this connection is now an IOC, and I can search all the outbound internet connections through my firewall to see if anyone has connected to this IP address. If anyone has, Bingo, there’s a pretty good chance they have executed the malware (unless the IP address is also used for other, less malicious, activities).

If this intelligence hadn’t already been available online, I would have needed to try and obtain a sample of the malware and carry out some analysis myself but that is a post for another day.

Has it spread? What’s the damage?

Let’s assume for our example that we did detect someone connecting to the IP address we found in the intel from the web. And let’s also assume that this IP address is not shared by some legitimate content. We now have one probable (I would just assume definite) infected user. So at this point we need to know, what is the damage?

As far as spreading across the network goes, we would hope we would find this information out in the analysis we found online, or in the analysis we carried out ourselves. But on top of this, we can continue to monitor connections to the malicious IP address (usually using dashboards, like an ongoing live search which shows us in real time if some activity is seen). In addition, I would usually look very closely at the network logs for this user to see if  anything suspicious was going on.

So what is the damage? Most malware is aimed at stealing something or gaining access to something, and so in the case that the intent of the malware isn’t already obvious from the online intel, you can use tools such as Wireshark (think phone tapping but for networks) to see what information is sent out when executing the malware in a protected sandbox environment. Sometimes it can be a keylogger, gathering all keystrokes for a set amount of time before sending them to the attacker, sometimes it’s information about the computer you are using, such as your IP address, what services you are running etc, which is usually a prelude to a further attack. In one case I saw malware that waited until the user accessed one of many banking sites and then sent the keystrokes used on that site.

In reality, most decent sized SOCs (Security Operation Centers) will have a dedicated digital forensics team. In the event I was unsure what a piece of malware was doing on a computer, and if it had installed further malware to try and persist once the original malware was deleted, I would escalate to my digital forensics team.

That’s it…

Hopefully I’ve covered everything, without getting too technical and giving a good overview of the general thought process behind what to do when receiving one or many malicious emails. As I mentioned in the introduction I really wrote this to give an insight into the day to day life of a security analyst for those wanting to get into the cyber security industry. Please leave any questions in the comments section and I will answer ASAP.

To be a Cyber Security Analyst – Emails part 2

In the last post (To be a Cyber Security Analyst – Emails) I looked at the steps I go through when determining if a reported email is malicious or not. In this post I will go through the steps I take to make sure the network is protected in the case of a malicious email being received, or in tech speak, making sure the threat is mitigated.

Often in my day to day role, there can be so many events and suspicious emails being reported that it can become quite overwhelming. There just isn’t enough time to look at everything and so when it comes to mitigating a potential threat, I am looking for the shortest possible path. I will explain in more detail what I mean shortly.

So here are the basic steps I’m taking after deciding an email is malicious and I will go into more detail for each one after…

  1. How many emails have been received as part of this attack?
  2. If malicious links are included, how many different links are there?
  3. Of these links, which are we susceptible to and which are protected against?
  4. If we are, or were, susceptible to any of the links, have we been compromised by it?
  5. If there is malware included as attachments, how many different versions are there?
  6. Of these versions, which are we protected against and which are we vulnerable to?

 

1: How many emails?

So if someone reports an email that turns out to be malicious, my first question is, is this the only one or is this email a part of a larger campaign that I am just about to discover? In order to find this out I will use my email security tool and typically search the following over a 7 day period (extending further if needed)…

  1. Are there any other emails sent from this exact sender or from the sending domain? Sometimes attackers get lazy and just send all the malicious emails from one address and this makes identifying the emails easy.
  2. Are there any other emails sent with either this exact subject line, or subject lines following the same pattern. For example if the subject line was “your brand new invoice 22334” I wouldn’t necessarily restrict my search to only emails with that exact subject but rather look for emails with subject lines containing “your brand new invoice” as the number at the end is likely to vary.
  3. If there is an attachment, this gives another angle to search on, as most email security tools allow you to search for attachment name or the attachment’s SHA256 (unique fingerprint).

Knowing how many emails we have received gives me a list of potentially infected users, a list of URL links that may have been clicked, and a list of attachments that may have been opened and executed.

2: How many links?

In my last post I mentioned my mental image of all the network users frantically opening emails and clicking as many links as they can. Well in this stage of mitigation I am checking for exactly that. Let’s assume from our searches in step 1 we had 3 separate links to siteA.com , siteB.com and siteC.com included in a variety of emails. Remember above I mentioned I am looking for the shortest path to closing this incident. So I have to ask the following questions…

  1. Is it possible for our users to go to this site? Most secure networks will have a forward proxy, for those who don’t know what this is it’s kind of a middle man for when you want to access the internet, instead of going straight to the internet you go to the middle man and he tells you (hopefully) if a page is malicious or also if a page is just not allowed by your business (eg gambling sites). So I will check if these 3 pages are accessible through our forward proxy. For our scenario let’s assume 3 things. First, siteA is blocked since a few weeks before the emails were received (note the time of the block is important here) and so nobody could have gone to this site. (shortest path to case closed right there). Second, siteB is blocked since 3 hours after the emails were received. And third, siteC is not blocked. So our first question is answered, yes it is possible that users may have gone to siteB and siteC and our first mitigating action is to block access to siteB and siteC (usually by blocking access on the forward proxy, telling the middle man not to let anyone go there)
  2. Now we have blocked access to siteB and siteC, have any of the users gone to the site prior to this? This question can be answered in a variety of ways depending on the tools you have available, but I use a mix of logs generated from the forward proxy (Ask the middle man if he sent anyone to this page) and the email security tool (did anyone click that link? – some will tell you and some won’t). Let’s assume for our scenario, that nobody has gone to siteB (shortest path, siteB is now mitigated!) but some damn fool clicked the link and has successfully visited siteC.
  3. Had nobody clicked the links, this would be the end of the incident (assuming no attachments were included) however given the fact that someone clicked a link, the final question now is, what damage has been done. This question itself can spiral into a never ending cascade of possibilities, infections, spreading malware, the shutdown of the internet, cats and dogs living together… but for our purposes let’s keep it nice and simple as we are focusing on emails and leave long winded malware investigations for another post. If someone has clicked a link I will generally do some analysis on the site. Can I identify any malware that is downloaded from this site? Does it just redirect the user to yet another malicious site in a chain of redirects? If so, does that site distribute malware? Let’s say to keep things simple that nothing is downloaded and when scanning the site in urlscan.io that I can see a fake Gmail login page is displayed. Ok good now I know, the purpose of the attack is to try and steal usernames and passwords. A quick mitigation here would be to force password resets for the users that visited the site, and I also send them a courtesy email informing them that if they entered their details on that particular page, then their personal passwords may have been compromised (as lots of people use the same passwords for different things)

 

So before, I talked about the shortest path to mitigation, in the case of links in emails this means to me, can users go there? Have users gone there? What happened to users that went there? I know some analysts will begin researching what happens if a user clicks a link before they even look at whether or not it is possible for a user to navigate to that website, that is what I mean by the shortest path.
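The siteA / siteB / siteC scenario above, worked through as an added example that is not part of the original post: the proxy log format, the timestamps, the user names and the function names are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed scenario: when the emails arrived and when each site was blocked
# on the forward proxy (None = not blocked).
DELIVERED_AT = datetime(2024, 1, 15, 9, 0)
BLOCK_TIMES = {
    "siteA.com": DELIVERED_AT - timedelta(weeks=3),   # blocked weeks before delivery
    "siteB.com": DELIVERED_AT + timedelta(hours=3),   # blocked 3 hours after delivery
    "siteC.com": None,                                # never blocked
}

# Constructed proxy log lines: ISO timestamp, user, host, proxy decision.
PROXY_LINES = """
2024-01-14T16:00:00 cgreen siteC.com ALLOWED
2024-01-15T09:20:00 asmith siteA.com DENIED
2024-01-15T10:05:00 jdoe siteC.com ALLOWED
2024-01-15T12:30:00 bwhite siteB.com DENIED
2024-01-15T14:45:00 jdoe siteC.com ALLOWED
""".strip().splitlines()


def parse_proxy_line(line):
    ts, user, host, action = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "host": host.lower(), "action": action.upper()}


def triage_links(delivered_at, block_times, proxy_lines):
    """Answer, per site: could users get there, and did anyone get there?"""
    events = [parse_proxy_line(l) for l in proxy_lines if l.strip()]
    report = {}
    for site, blocked_at in block_times.items():
        # Shortest path: a block that predates delivery closes this link.
        if blocked_at is not None and blocked_at <= delivered_at:
            report[site] = {"status": "blocked before delivery",
                            "visitors": [], "actions": []}
            continue

        # Only successful requests inside the exposure window count:
        # after delivery and before the block (if there ever was one).
        visitors = sorted({
            e["user"] for e in events
            if e["host"] == site.lower() and e["action"] == "ALLOWED"
            and e["time"] >= delivered_at
            and (blocked_at is None or e["time"] < blocked_at)
        })

        actions = ["ensure blocked on forward proxy"]
        if visitors:
            actions.append("analyse the site and follow up with visitors")
        if blocked_at is None:
            status = "still reachable"
        else:
            status = "reachable for %s after delivery" % (blocked_at - delivered_at)
        report[site] = {"status": status, "visitors": visitors, "actions": actions}
    return report


if __name__ == "__main__":
    for site, finding in triage_links(DELIVERED_AT, BLOCK_TIMES, PROXY_LINES).items():
        print(site, finding)
```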

If, in our example above, there were no attachments included on these links, the incident would now be over (assuming all the mitigating actions were carried out). However, if attachments were included, this would take us to the next step which I will cover in the next post.

 

To be a Cyber Security Analyst – Intro

Welcome to part one of “To be a cyber security analyst”. There are a lot of courses available for people wanting to get into the cyber security industry but in my experience they all focus on the technical aspects without really looking at the big picture, or how those technical lessons fit into the day to day duties of a cyber security analyst.

I wanted this to be more of a guide on how you’ll implement the technical knowledge you’ve built up on courses, in your day to day job. What kind of security incidents you’re likely to look at (I’ll draw on real life incidents I’ve worked on) and the methods and tools I used (and you will use) to resolve these incidents. In this way, if you find yourself successful in landing a cyber security role (and the market is currently full of them by the way) you’ll already have a good understanding of what to expect.

When I first started as a cyber security analyst, I had already built up a foundation of knowledge by working as a network engineer. So I had a good grasp of how the networks worked, and I had spent around a year studying some security courses. However when I first walked into the SOC (Security Operations Center), I had no idea what I was supposed to be doing day to day.

The first thing I quickly realized was that it is all based around the tools. Years of watching movies and shows around hacking and even a lot of the technical courses gave the impression I’d be sitting at the computer running obscure commands with lines of code running down the screen. In my experience it is not like that at all, you have security tools, and the main part of the job is using these tools. And for this reason I believe the most valuable things you can learn is some foundation knowledge of networks and a knowledge of how to use the tools. Which, I will cover in the rest of the posts in this blog.

Please feel free to comment and ask any questions you would like answering in future posts, and follow the page to get the latest update to this series as they are released.

See part 2 – emails To be a Cyber Security Analyst – Emails