CyberWire Daily - Exhibiting advanced APT-like behavior. [Research Saturday]
Episode Date: June 26, 2021
Guest Yonatan Striem-Amit joins Dave to talk about Cybereason's research "Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities." The Cybereason Nocturnus Team responded to several incident response (IR) cases involving infections of the Prometei Botnet against companies in North America, observing that the attackers exploited recently published Microsoft Exchange vulnerabilities (CVE-2021-27065 and CVE-2021-26858) in order to penetrate the network and install malware. Yonatan shares his team's findings of the investigation of the attacks, including the initial foothold sequence of the attackers, the functionality of the different components of the malware, the threat actors' origin and the bot's infrastructure. The research can be found here: Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
They were deploying pretty advanced APT-like behavior to perform lateral movements,
to extract credentials, to move laterally across the endpoints, and really behave as though they had know-how of the way advanced APT groups work.
That's Yonatan Striem-Amit.
He's chief technology officer and co-founder at Cybereason.
The research we're discussing today is titled
Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities.
It's Prometei. It's kind of the Russian word for Prometheus.
Okay.
Which is selected by the internal name found inside the malware.
So it's pretty clear the authors actually internally call the project Prometheus.
Gotcha. All right. Well, let's start off with some high-level stuff here.
I mean, what originally drew this to your attention? How did you get started down this path?
So naturally, when Hafnium broke out, we were constantly tracking what was going on,
who was exploiting this across the world. We've encountered that, post the initial exploitation by the Hafnium group,
which is considered to be a Chinese group,
we've seen secondary attackers adopting very, very quickly and using either the same vulnerability and re-exploiting that,
or just exploiting the actual backdoor deployed by the Hafnium group
to deploy their solutions.
As we're seeing this exploitation, naturally, in our commitment
to our customers, we at Cybereason are tracking constantly
to understand what is happening.
This led us to discover the Prometei malware being used on these machines.
Interestingly, while Prometei used the Microsoft Exchange, so the group behind Prometei used the Microsoft Exchange server vulnerability to enter the company, once they were inside, they were deploying pretty advanced APT-like behavior to perform lateral movement, to extract credentials, to move laterally across the endpoints, really behave as though they had, you know,
know-how of the way advanced APT groups work.
Well, describe to us what they're up to here. What is the ultimate goal?
So the reason we think it's a financially motivated group is clearly we're seeing that
their activity is about deploying solutions that steal money, that are aimed to use the resources
of the victims to mine for Bitcoin, mine for Monero,
and use those stolen resources for financial gains. Unlike
espionage groups, who are often about stealth and
infiltration of data, the Prometheus group was using the resources to mine for
cryptocurrency, and
that was their way of monetizing it.
Now, I find it very, very interesting the way they choose their victims.
We at Cyber Reason have been tracking victim selection of that group, and we're seeing
it's really about a very wide net.
We're seeing victims across the US, across the UK, other European countries, even all the way through South America and
East Asia, with an explicit attempt to avoid the kind of Eastern Bloc and former Soviet
countries, and definitely Russia.
That's what led us also to think of that as the likely source of their operation.
We're not stating that they are, of course, Russian nation-sponsored, but we are saying
they're likely active
from that area. And within those countries,
they again go very widely. They go after finance,
insurance, retail, manufacturing, utilities,
travel, construction, really everything
would be a victim for them. And I find it very curious,
in the context of the Colonial Pipeline
attack, how it really is a very wide
net with potential to cause dramatic damages.
While Prometei's method of extracting financial gain is by mining
cryptocurrency, it will very easily be
sold off to the secondary markets, to other groups, or the same group
using that to deploy ransomware and hold
the victims for ransom.
Interesting.
It seems to you, then,
as though it's more opportunistic
than precisely
targeted. For cryptocurrency
mining, processing
power is processing power.
Precisely. Their purpose
is... Cybercrime is always the story about how do you get money out of the story here.
And while most of the attention these days is going to extracting money by employing ransomware and using cryptocurrency to extract money,
hackers are clearly also using mining for cryptocurrencies as another way of extracting revenue from their ability to attack.
In the case of the Prometei group, they are really going as widely as possible.
And in order to avoid actually paying for the computing resources, they just go and steal them from the victims.
Now, naturally, with the victims here, what they're doing is post-entry really migrating
and trying to take over as big a part as possible
of the environment in order to turn those into mining rigs
for the hackers behind Prometei.
And these methods of lateral movement,
these methods of asset acquisition,
are really reminding us of the tricks and the technologies
deployed by nation-state level groups,
whether it's the groups behind SolarWinds or the actual group behind Hafnium,
or other similar such attacks.
Everything from using exploitation,
everything from those that were infamously leaked from the NSA a couple of years ago,
EternalBlue, using BlueKeep, harvesting credentials,
exploiting remote desktops or SMB, and even
stealing SSH clients and spreading
via SQL server. Another
thing that we at Cybereason saw that this group
is doing extensively
is using
a malware that can self-adjust
to run both on Windows
and Linux machines. So while they enter
on a Windows server, they can
easily move laterally
over into a Linux-based attack
when you have more Linux-based servers
in your environment,
again, with the purpose of stealing
compute power at this point
to mine for cryptocurrency.
Well, let's walk through it together.
I mean, how does one find themselves
falling victim to this?
How do they get in
and what do they do from there?
Excellent. We've observed the Prometei group entering through the Microsoft Exchange server
vulnerability. This vulnerability has been used a lot recently, being exploited by the Hafnium
group, which is considered to be a Chinese-oriented attack. But in the wake of the Hafnium attack,
many other cybercriminals went and adopted that same exploit
or actually even using the backdoors deployed by the Hafnium group
and used that to enter the organization.
Once they're inside and have that control over the Exchange server,
they perform tricks around lateral movement,
basically transitioning the access they have on one asset
to complete control of multiple assets
this is done by a very large array of weaponry
that they've brought together
it starts with exploitation
if you have unpatched systems
the Prometei group will use that
to move and take over those machines
so they were using everything from SMB-based
attacks, EternalBlue to BlueKeep, and other similar ideas.
The second thing they were using is about credential harvesting. If anybody
ever logged on to that Exchange server, it will have left residue
behind of the credentials of the person who was used to log in there.
For example, the admin trying to manage that server.
So by using that credential, they can move to other machines that that same admin has
access to.
They further deploy, use things like remote desktop, which we use to manage
servers and machines, and use that as a communication channel, or SMB, which is a very commonly deployed file sharing protocol,
which was also used in the environment.
And additionally, and this is pretty interesting,
they also used simply SSH.
So if you have a server that you can manage with those credentials,
they will actually SSH into that server to deploy their malware.
So they're very active in trying to get as many of the compute resources
that the victim has and subvert them for their crypto mining purposes.
To what degree are they trying to be stealthy?
Are they trying to hide their tracks?
Do they put any limits on the amount of compute power that they take?
Do they limit the time of day, for example?
Do they have those options built into their software?
While they have complete control over their software,
we haven't seen them try to be extremely evasive.
They really are trying to say,
how can we exploit the most resources
that you have right now before we end up getting caught?
A lot of time, these attacks, once they start seeing that their assets are being taken down,
would quickly transform the attack from a crypto mining to something else that is much
more, takes a shorter amount of time, for example, such as ransomware.
So in these similar cases, we would end up seeing that once the takedown
is starting, this is quickly turning into a ransomware case.
Another interesting thing they did for resilience,
they've actually built a pretty robust command and control channel over the internet.
By using servers all over the world and making servers that they can control the malware with,
it allows them to really be more resilient.
Even if some of those servers are discovered and they're taken down or blocked by network security providers, they still have a pretty resilient
control mechanism. Now, they go in and they
look for other crypto miners and remove them?
So that's something interesting they did. They actually, when they log in,
especially on the Hafnium servers, they actually remove existing
backdoors,
if any is found,
and also try to block the exploitation of the initial vulnerability.
Basically, they come in,
they kick out from that Exchange server
other adversaries that may have used a similar solution
to get in and get control of that device,
and then lock it so that only they have access to it.
That's a pretty interesting technique that they use here,
and effectively taking over that server
and making sure that nobody else can easily, from the outside,
share the resources with them.
Now, this was discovered in 2020,
but you all have some evidence that it's been running
for a good bit longer than that.
Indeed. We're seeing traces of some of the pieces of the malware
all the way back to 2016. And while they didn't seem
to be very, very active ahead of time, we do see evidence of development
of the malware. The work on this strategy
has been something they've been doing for a while, for at least four years.
And we are seeing rapid evolution.
There's definitely active R&D work in the Prometei group being driven into the network,
getting more capabilities, bringing more APT-like technologies and ideas into the network
to further drive revenue for them.
And what can you determine about the threat actors themselves?
So there's many reasons to believe that they are originated in Russia. Everything from the way
they choose targets, and they specifically avoid targets that are in the former Soviet bloc
countries, Russia and its kind of surrounding immediate neighbors. They also have a couple of words that use a Russian-based spelling. And even the word,
the name Prometei, was found inside the malware. And this is, of course, the Russian pronunciation
of Prometheus from Greek mythology. You know, one of the things that strikes me
reading through your research here is the sophistication in the way that there's a lot going on here.
This is a bit of a, I don't know, a Swiss army knife of tools.
Once they get inside, they have a lot of options to do the things they need to do.
Absolutely. Once they get inside, they really have complete control over that machine, and they very quickly use that complete control
to gain as wide as possible net of control around the
entire victim's network environment.
As many machines, as many servers, as many endpoints they can get their hands on,
they will take those for their purposes.
Tricks they're using definitely are reminiscent and demonstrate techniques and operation that are used by APT groups.
So it's clear to us that there is at least knowledge transfer and a lot of learning happening in the Prometei group
for what is being done in nation-state funded cybercrime.
So this is definitely interesting in the way they operate.
And they've shown sophistication in everything.
First, from the speed at which they adopted to the Microsoft Exchange vulnerability and
adapted that for the use for penetration, all the way through just the Swiss army knife
of technologies that they use to move laterally and get more assets.
This is one of the very first cases where we're seeing the group able to seamlessly traverse
and create malware for both Windows and Linux
to get control of these two very different operating systems
but still subvert them to their will.
And as many of those cases,
the technology they have themselves
really gives them flexibility to deploy any payload,
any malware they wish.
A lot of times, this is eventually being used to sell off the assets
post-exploitation for things like ransomware
delivery. It's very common that we would see these groups mining
for cryptocurrency for a while. This is the way they choose to monetize.
Eventually, when they realize that the value of the asset for them is diminished,
they would sell it off to other groups to deploy ransomware
or of course do it themselves to further extract revenue from those victims.
How successful do you sense that they are?
Do you have the ability to know to what degree they've been able to spread this around?
We've seen them attacking dozens at least of victims.
And that's a sign of how prolific they are right now.
I would say they're definitely active.
And I think the choice of doing that for extracting revenue from cryptocurrency mining
also shows off that the more active they are,
it's very, very clear how much more revenue they get.
So they have a clear incentive to go and be very active
in order to extract more and more financial gain.
And what are your recommendations for organizations
to best defend themselves against this group?
It's a great question.
The first and foremost answer is about vigilance.
Continuous patching is, of course, always a good idea.
And then really invest in a good, robust threat hunting program.
We at Cybereason, of course, do that for our customers
and really find threats wherever they're happening.
So the combination of cybersecurity hygiene and vigilance
and active threat hunting and response program
are the keys to solving these threats
as well as any other threats from nation states to the cyber criminals.
Yeah, I guess this really emphasizes that point that you really need to have, I guess, that defense in depth.
It's not enough to have those castle walls up around.
You have to be looking for what's going on within your network.
Absolutely.
There's a great observation here.
The entry into the Microsoft Exchange server did use a vulnerability,
but a lot of what they did afterwards was just exploiting legitimate credentials
left on those servers to move laterally across assets.
So just an anti-exploit solution without a threat hunting component
is really limited here.
The answer is really being that vigilance, a threat hunting program, an EDR solution that protects you both against ransomware as well as more advanced threats, and stopping
threats as early as possible before the damage is done, before they move laterally across your
environment.
Our thanks to Yonatan Striem-Amit from Cybereason for joining us.
The research is titled Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities.
We'll have a link in the show notes.
Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter
Kilby, and I'm Dave Bittner. Thanks for listening.