This post will be brief and to the point, but I wanted to share some resources that I found helpful when learning how to respond to this incident.
Table of Contents:
- FireEye’s Blog
- FireEye’s Detection Opportunities
- FireEye’s GitHub Resources
- Sophos GitHub Resources
- Implementing Detection and Firewall Rules
Reviewing FireEye’s blog post on this topic is critical to understanding the behavior of the threat actors.
Key Takeaways for Response:
“The attacker infrastructure leaks its configured hostname in RDP SSL certificates, which is identifiable in internet-wide scan data. This presents a detection opportunity for defenders — querying internet-wide scan data sources for an organization’s hostnames can uncover malicious IP addresses that may be masquerading as the organization. (Note: IP Scan history often shows IPs switching between default (WIN-*) hostnames and victim’s hostnames) Cross-referencing the list of IPs identified in internet scan data with remote access logs may identify evidence of this actor in an environment. There is likely to be a single account per IP address.”
“This also presents some detection opportunities, as geolocating IP addresses used for remote access may show an impossible rate of travel if a compromised account is being used by the legitimate user and the attacker from disparate IP addresses. The attacker used multiple IP addresses per VPS provider, so once a malicious login from an unusual ASN is identified, looking at all logins from that ASN can help detect additional malicious activity. This can be done alongside baselining and normalization of ASN’s used for legitimate remote access to help identify suspicious activity.”
“Organizations can use HX’s LogonTracker module to graph all logon activity and analyze systems displaying a one-to-many relationship between source systems and accounts. This will uncover any single system authenticating to multiple systems with multiple accounts, a relatively uncommon occurrence during normal business operations.”
“Defenders can examine logs for SMB sessions that show access to legitimate directories and follow a delete-create-execute-delete-create pattern in a short amount of time. Additionally, defenders can monitor existing scheduled tasks for temporary updates, using frequency analysis to identify anomalous modification of tasks. Tasks can also be monitored to watch for legitimate Windows tasks executing new or unknown binaries.”
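The three log-based detection opportunities quoted above (logins from ASNs outside the normal baseline, impossible travel for one account, and a single source authenticating to many systems with many accounts) can be checked with a small script over exported remote-access logon data. The following is an added example, not code from FireEye or from the original post; the logon records, ASN numbers and coordinates are constructed for illustration, and the script assumes the ASN and geolocation for each IP have already been looked up and joined into the records:

```python
"""Detection checks for remote-access logon data, following the FireEye
guidance on unusual ASNs, impossible travel and one-to-many logon sources.
All records, ASNs and coordinates below are constructed sample data."""
import math
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set, Tuple


class Logon(NamedTuple):
    ts: datetime
    user: str
    src_ip: str
    asn: int      # assumed to come from a prior IP-to-ASN lookup
    lat: float    # assumed to come from a prior geolocation lookup
    lon: float
    dest: str     # system the account authenticated to


# Constructed sample records (pipe-delimited), not real telemetry.
RAW_LOGONS = """\
2020-12-14T08:02:11|alice|203.0.113.10|64500|40.71|-74.01|vpn-gw1
2020-12-14T08:40:00|alice|198.51.100.7|64599|51.51|-0.13|vpn-gw1
2020-12-14T09:15:30|bob|203.0.113.22|64500|40.71|-74.01|vpn-gw1
2020-12-14T09:20:02|svc_backup|198.51.100.7|64599|51.51|-0.13|fileserver1
2020-12-14T09:21:45|carol|198.51.100.7|64599|51.51|-0.13|dc01
2020-12-14T09:25:10|dave|198.51.100.7|64599|51.51|-0.13|sql01
"""

# Constructed baseline: ASNs that legitimate remote access normally comes from.
BASELINE_ASNS: Set[int] = {64500}


def parse_logons(raw: str) -> List[Logon]:
    out: List[Logon] = []
    for line in raw.strip().splitlines():
        ts, user, ip, asn, lat, lon, dest = line.split("|")
        out.append(Logon(datetime.fromisoformat(ts), user, ip,
                         int(asn), float(lat), float(lon), dest))
    return out


def unusual_asn_logins(logons: List[Logon], baseline: Set[int]) -> List[Logon]:
    """Logins from ASNs never seen in the legitimate-access baseline."""
    return [l for l in logons if l.asn not in baseline]


def logins_from_asn(logons: List[Logon], asn: int) -> List[Logon]:
    """Pivot: once one bad login is found, pull every login from that ASN."""
    return [l for l in logons if l.asn == asn]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(logons: List[Logon], max_kmh: float = 900.0) -> List[Tuple[str, str, str, int]]:
    """Consecutive logins by one user whose implied speed exceeds max_kmh."""
    by_user: Dict[str, List[Logon]] = defaultdict(list)
    for l in logons:
        by_user[l.user].append(l)
    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Same place at the same time is not travel; zero time with distance is.
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                hits.append((user, prev.src_ip, cur.src_ip, round(km)))
    return hits


def one_to_many_sources(logons: List[Logon], min_accounts: int = 2,
                        min_dests: int = 2) -> Dict[str, Tuple[List[str], List[str]]]:
    """Source IPs that authenticated with several accounts to several systems."""
    accounts: Dict[str, Set[str]] = defaultdict(set)
    dests: Dict[str, Set[str]] = defaultdict(set)
    for l in logons:
        accounts[l.src_ip].add(l.user)
        dests[l.src_ip].add(l.dest)
    return {ip: (sorted(accounts[ip]), sorted(dests[ip]))
            for ip in accounts
            if len(accounts[ip]) >= min_accounts and len(dests[ip]) >= min_dests}


if __name__ == "__main__":
    logons = parse_logons(RAW_LOGONS)
    print("Unusual ASN logins:", unusual_asn_logins(logons, BASELINE_ASNS))
    print("Impossible travel:", impossible_travel(logons))
    print("One-to-many sources:", one_to_many_sources(logons))
```

On the sample data the script flags four logins from the non-baseline ASN, an impossible trip for alice (New York to London in under an hour), and the single source 198.51.100.7 authenticating as four accounts to four systems. The speed threshold and the account/system minimums are tuning knobs; set them from a baselining period of your own logs before alerting on them.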
Leverage their GitHub Page
FireEye has released some awesome SIEM rules that you can implement to detect IoCs.
Sophos Indicators of Compromise
Sophos has also compiled a GitHub repo that contains a list of known bad hashes, IP addresses, and domains.
Using the information above, I would recommend implementing the following:
- Reference the following article to create a PowerShell script that monitors for these known bad hashes in your environment.
- Configure firewall egress rules that block outbound connections to the known bad IP addresses and domain names.
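To show what the two recommendations above look like in practice, here is an added example (not code from the post, from Sophos, or from the article it references) that loads an IoC list in the same three categories the Sophos repo provides (hashes, IP addresses, domains), hashes every file under a directory and reports matches, checks a DNS/connection log against the IP and domain indicators, and emits the de-duplicated values you would load into an egress blocklist. The IoC values, file contents and log lines are constructed placeholders; substitute the real indicators from the repository, and adapt the blocklist output to your firewall's import format.

```python
"""IoC sweep: file-hash matching, network-log matching and egress blocklist
generation. Indicator values, files and log lines below are constructed
placeholders, not the real Sophos indicators."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Constructed "type,value" IoC list. The hash is a placeholder that is
# replaced at runtime in demo(); the IPs and domain use reserved example ranges.
IOC_TEXT = """\
# type,value
sha256,PLACEHOLDER_HASH_SET_IN_DEMO
ip,192.0.2.44
ip,192.0.2.45
ip,192.0.2.44
domain,c2.example.invalid
"""

# Constructed network log: "<timestamp> <src> dns <name>" or "<timestamp> <src> conn <ip>:<port>".
NETLOG = [
    "2020-12-14T10:01:02 10.0.0.5 dns www.example.com",
    "2020-12-14T10:01:09 10.0.0.5 dns beacon.c2.example.invalid",
    "2020-12-14T10:01:10 10.0.0.5 conn 192.0.2.44:443",
    "2020-12-14T10:02:30 10.0.0.9 conn 198.51.100.20:443",
]


def load_iocs(text: str) -> Dict[str, Set[str]]:
    """Parse 'type,value' lines into sets; values are normalised to lowercase."""
    iocs: Dict[str, Set[str]] = {"sha256": set(), "ip": set(), "domain": set()}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        iocs[kind.strip()].add(value.strip().lower())
    return iocs


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root: Path, bad_hashes: Set[str]) -> List[Tuple[Path, str]]:
    """Walk root and return (path, digest) for every file whose hash is an IoC."""
    hits: List[Tuple[Path, str]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable; in production, log the skip
            if digest in bad_hashes:
                hits.append((p, digest))
    return hits


def domain_matches(name: str, bad_domains: Set[str]) -> bool:
    """True for an exact match or any subdomain of an indicator domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in bad_domains)


def match_network_log(lines: List[str], iocs: Dict[str, Set[str]]) -> List[str]:
    """Return log lines whose DNS query or destination IP hits an indicator."""
    hits = []
    for line in lines:
        _ts, _src, kind, value = line.split()
        if kind == "dns" and domain_matches(value, iocs["domain"]):
            hits.append(line)
        elif kind == "conn" and value.rsplit(":", 1)[0] in iocs["ip"]:
            hits.append(line)
    return hits


def egress_blocklist(iocs: Dict[str, Set[str]]) -> List[str]:
    """De-duplicated, sorted IPs then domains for loading into a firewall blocklist."""
    return sorted(iocs["ip"]) + sorted(iocs["domain"])


def demo() -> Dict[str, object]:
    """Build a throwaway directory with one 'bad' file and run every check."""
    iocs = load_iocs(IOC_TEXT)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        suspect = root / "sub" / "suspect.dll"
        suspect.write_bytes(b"constructed sample content, not a real binary")
        (root / "clean.txt").write_bytes(b"nothing to see here")
        # Constructed indicator: the hash of the file we just wrote.
        iocs["sha256"].add(sha256_file(suspect))
        file_hits = [p.name for p, _ in sweep_files(root, iocs["sha256"])]
    return {"files": file_hits,
            "network": match_network_log(NETLOG, iocs),
            "blocklist": egress_blocklist(iocs)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run on a schedule against the directories where the affected software was installed, with the hash set refreshed from the repository each run. Hash matching only catches the exact known samples, so treat it as one signal alongside the logon and scheduled-task checks, not as proof of a clean host.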