In November 2022, a Linux server located in Poland (Europe) was exposed on the Internet. As it was holding sensitive information, this server was of interest to a group of cyberattackers. We assess this group wanted to access the server to exfiltrate data. For the purpose of gathering intelligence on cyber-espionage campaign targeting the organization, remediation was not implemented to learn a great amount on potential threats.
This server was protected by TEHTRIS XDR Platform and its complementary modules: TEHTRIS EDR, SIEM, DNSF and NTA. TEHTRIS CTI is natively integrated into the XDR Platform and benefits all of TEHTRIS technologies.
This usecase is a summary of our last TEHTRIS WarGames, which we organize to simulate cyberattacks. At TEHTRIS, we believe in learning while having fun: WarGames are a way to play with our technology, to perfect our usage and to drill the way we handle security incidents… and face the unpredictable!
As the attack unfolds, let’s have a closer look at what defenders saw using TEHTRIS XDR Platform.
Reconnaissance
During the reconnaissance phase, the adversary performed active scanning to gather information on the target that could be used later on to gain initial access. In this case, the attackers found out that two ports were opened on the machine: port 22 and port 80.
As specified in MITRE ATT&CK framework, active scans (T1595) are those where the adversary probes victim infrastructure via network traffic. TEHTRIS NTA is conceived to monitor incoming and outcoming network flows and automatically detects suspicious activities with a great deal of context. This first step of the attack chain is therefore detected and triggers an alert on the use of nmap, which is a free and open-source port scanner.
Initial access: Apache WebSVN vulnerability exploit
The Linux server hosts an Apache Web Server. The adversary leverages fuzzing on common web directories and files, and choses to focus on a specific WebSVN appliance (version 2.6.0) as an entry point on the target. Indeed, versions of WebSVN previous to 2.6.1 allow remote attackers to execute arbitrary commands via shell metacharacters in the shell parameter (vulnerability known as CVE-2021-32305 – CVSSv3 9.8).
Both TEHTRIS NTA and TEHTRIS EDR detects the exploit on CVE-2021-32305.
Execution: download of a post-exploitation tool
After gaining access to the target, the attacker then downloads pupy – a post-exploitation tool and multi-function RAT.
While TEHTRIS NTA detects the downloading of an executable, TEHTRIS EDR detects the use of pupy and all the commands that the attacker ran remotely through this RAT.
Discovery: use of linPEAS
Now that the attacker has a hold on the machine and can remotely execute commands, it’s time for the discovery phase. The adversary tries to gain knowledge about the system and internal network to prepare the next move. In this case, the adversary uses linPEAS (that stands for Linux local Privilege Escalation Awesome Script), a script that does automatic enumeration to find possible paths to escalate privileges. The attacker went through the trouble of encoding the script and running it in memory to be as stealth as possible.
However, TEHTRIS EDR did detect and raise an alert on rapid enumeration command lines that aim at getting information on the machine, such as usernames.
Date | Command Line | User |
---|---|---|
2022-11-10 08:40:27 | find /var/log/ /private/var/log -type f -exec grep -R -i pwd\|passw {} ; | www-data |
2022-11-10 08:40:25 | find / -perm -4000 -type f ! -path /dev/* | www-data |
2022-11-10 08:40:24 | ls -lahtr /opt/lampp/bin/suexec | www-data |
2022-11-10 08:40:24 | ls -ld /snap/core20/1778/etc/skel/.profile | www-data |
2022-11-10 08:40:22 | find /tmp /etc /home -type s -name agent.* -or -name *gpg-agent* ( ( -user www-data ) -or ( -perm -o=w ) -or ( -perm -g=w -and ( -group www-data -or -group adm -or -group cdrom -or -group sudo -or -group dip -or -group plugdev -or -group lpadmin -or -group lxd -or -group sambashare ) ) ) | www-data |
2022-11-10 08:40:22 | find /snap/snap-store/599/etc/ldap -name *.bdb | www-data |
2022-11-10 08:38:26 | grep -Eo ^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+ /etc/systemd/system/dbus-org.freedesktop.timesync1.service | www-data |
Privilege escalation: failed attempts
Through enumeration, the adversary found out that a user is part of the sudo group. An attempt at a SSH connection was detected by TEHTRIS EDR, but the attacker failed to gain access to the user and therefore to gain higher privileges.
Then, using bash to run a script named f (sha256 e0dae22e68fa74a0d61c7cca42cdc964f3e76fabcf01fcde66e6cb51a1f3cbca), the attacker attempted to exploit CVE-2022-2588 (CVSSv3 6,5), a fairly new Linux kernel vulnerability which allows privilege escalation. This attempt is detected by TEHTRIS EDR and triggers an Antivirus alert because the binary is known for being malicious from TEHTRIS antivirus database and external sources.
Finally, the adversary tried to connect to the website’s SQL database but failed. Those attempts were also detected by TEHTRIS EDR.
All of the privilege escalation attempts failed, since the server was not vulnerable to any Linux kernel exploits.
TEHTRIS protects you
Every step of the attack, TEHTRIS XDR Platform detects and alerts, providing context and allowing analysts to know exactly what is happening on the IT assets they are protecting. TEHTRIS NTA monitors network flows 24/7, both incoming and outgoing, and automatically detects any anomaly in the traffic based on behavioral and signature analysis. TEHTRIS EDR is a powerful tool that monitors all endpoints and automatically detects and kills known and unknown threats.
In this scenario, configuring the correct settings to detect CVE-2021-32305 on TEHTRIS EDR would alert on the attacker’s initial access on the server. After a period of testing to make sure that it does not trigger false positives, implementing automatic remediation would prevent this attack from unfolding without human action.
Shall we play a game?
You are one of our partners or clients and you would like to participate in a WarGames exercise this year? Please contact us.