CyberWire Daily - It's raining credentials. [Research Saturday]

Episode Date: August 12, 2023

Alex Delamotte from SentinelLabs joins Dave to discuss their work on "Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP." As actors find more ways to profit from compromising services, SentinelLabs finds that cloud service credentials are becoming increasingly targeted. The lack of threats explicitly targeting Azure and GCP credentials up to this point means there are likely many fresh targets. The research states "These campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew. However, attribution remains challenging with script-based tools, as anyone can adapt the code for their own use." The research can be found here: Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems,
Starting point is 00:01:43 and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. I had found a little bit of this activity with one of my VirusTotal hunting rules, but I didn't have quite the full picture. And we were fortunate enough to have Ian and Daniel from Permiso Security reach out to my team and see if we could collaborate and try to hunt on some of this stuff together. So we ended up doing that and it was definitely a productive collaborative venture. That's Alex Delamotte. She's a senior threat researcher with SentinelLabs.
Starting point is 00:02:27 The research we're discussing today is titled Cloudy with a Chance of Credentials. AWS targeted cred stealer expands to Azure and GCP. Well, let's go through some of the details here. What are we talking about? What is it that you discovered? So my rules are, when it comes to cloud threat hunting, my rules are incredibly broad. And some of these look for activities that might seem,
Starting point is 00:03:00 I would say, in the abstract, too noisy. But when it comes to VirusTotal hunting, there actually is not quite as much noise as one would expect for certain things. So this rule is a modified rule that looks for behavior where curl is initiated from a system that has been profiled as Kubernetes. So I believe that the script had some of those magic keywords in it to show up on my rule. So I found it that way. And yeah, we went from there. Well, help us understand what exactly goes into action here.
Starting point is 00:03:40 I mean, this pops up, it grabs your attention. What do you do next? So next, I would try to find, so these scripts are very modular. They all do, some of them are larger and they do, you know, they have more functions that will do more things, but you're never going to have the full picture with only one of these scripts. And the next step is to find what these actors are doing after running the first script. So I would say the primary script are the scripts named aws.shell or .sh or one of those variants.
Starting point is 00:04:17 There were a couple that had like g-aws.sh. So these are kind of the main scripts that I associate with this actor who we have described as TeamTNT-like. Yes, that's an interesting topic in itself. Sure. Yeah, so we find that initial AWS.sh script, and then there are other scripts that will tie into it. There's clean.sh, which is, I believe, kind of aptly named as a non-installer. And then some of the scripts we found through, there was a binary in this campaign that was a Golang compiled binary, and that was one where I actually did a little bit of reversing. And thanks to my colleague's work on the AlphaGolang project,
Starting point is 00:05:07 which is a reverse engineering fleet that aims to make analyzing Golang binaries a little bit less painful. So I put that to use in IDA Pro, and I determined that it is dropping another script. It was actually a very simple binary. It basically dropped one more script and kind of set up the environment to use it then. Well, jumping back up to the higher level here, I mean, these folks are after credentials? They're after cloud credentials?
Starting point is 00:05:39 Yes, exactly. So the main part of the AWS.sh script is to collect credentials and to profile the environment. And how are they going about this? They're targeting, is it web applications? The propagation that we saw in this campaign was primarily looking for a response on Docker ports that contained the string version 1.16, which be related to a Golang container that runs in Docker sometimes. Interesting. So they have expanded the areas that they're after here, right? I mean, it's not just AWS. They're going after some other cloud environments now? AWS, they're going after some other cloud environments now?
Starting point is 00:06:45 Exactly. That was one of the biggest findings that we had was these campaigns were kind of, they were going on from mid-June to the end of June. I want to say like June 14th was the earliest sample that I saw from this campaign. And that one had some functionality for Azure Cred Collection and GCP. So the Azure credentials were not yet implemented.
Starting point is 00:07:13 And when we saw this follow-up activity from these actors about a week later, they were then using the Azure Credential Collection modules. So they were actively tuning it. And it does look like they have their site set on more cloud providers. So it's no longer just AWS in the crosshairs. What did you all see in terms of anything related to command and control?
Starting point is 00:07:38 That's a good question. I don't know if we had specific visibility there. We did have, like the scripts have C2 URLs hardcoded in them. And we can tell what they do because these are shell scripts. It's effectively open source. So we can just put together what they're doing through the functions of the code. And these were pretty interesting C2 domains. They used to use IP literal URLs for C2, and they're no longer doing that. So it seems like they're getting a little more secure
Starting point is 00:08:25 and they're using dynamic DNS for C2 domains now. We saw the silentbob.inondns. That was a popular C2 domain that kind of named the campaign. There was also a really nefarious domain that looked like an AWS region. It was ap-northeast-1.compute.internal.non-dns, which I thought was really interesting that they're mimicking the normal structure of AWS subdomains. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs,
Starting point is 00:09:12 yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, Eliminating lateral movement. Connecting users only to specific apps, not the entire network. Continuously verifying every request based on identity and context.
Starting point is 00:09:57 Simplifying security management with AI-powered automation. And detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. In terms of the information they're gathering here, what sort of insights did you have there? So they're gathering credentials and they're also profiling what processes are running on the system. And I don't think that everything there would be automated afterward. I believe that was for a follow-on activity when it was determined to be a high-value system.
Starting point is 00:10:47 for follow-on activity when it was determined to be a high-value system. So they would enumerate running processes and use Docker to inspect all of the Docker-associated processes. So my guess would be they are using this to get either more credentials or move laterally, whatever it is that their goal is going to be, which unfortunately with this actor, the goals are not clear. And I think that is part of their MO, so to speak. And what are you seeing in terms of their ability to spread this around? What are their propagation strategies? The most recent one that we noticed was in that Golang binary, there was an IP scanner where it would reach out to the C2 and get a range of IPs to scan. And then it would look for that user agent response from the targeted systems that included V1.16. six. I am unsure what the significance of that was again, but we thought potentially this was profiling honeypots because that was the only thing I could find on Shodan that was responding with that user agent. So I'm not sure whether that was cause or effect though. Maybe another
Starting point is 00:12:01 researcher saw that they were doing this and decided to make their honeypot respond to that to try to get more activity. Is your sense that they're sort of opportunistic, or does there seem to be any targeting in terms of different verticals that they might be after? This seems opportunistic because it is scanning the open internet for systems responding with that user agent. But I caveat that by saying the SysTig report on Scarlet Teal, I think, is one of the more interesting cloud attacks that we've seen this year. And that actually tied back to this. Abigail Mestinger reached out to me on Twitter and said that this overlapped with Scarlet Teal. And I thought that was really interesting because those attacks are motivated by stealing source code from the targeted organization, which is very different from crypto mining. They do deploy a crypto miner, but it's suspected to be a diversion while they actually go after code from the targeted organization.
Starting point is 00:13:04 a diversion while they actually go after code from the targeted organization. So in terms of folks defending themselves against this, what are your recommendations? Definitely keep everything patched and up to date. I know I sound like a broken record with that, but really I think so many cloud attacks are opportunistic that really the basic security hygiene is going to take care of it most of the time. It's also a matter of being aware of what is running in your environment. So if you have people spinning up rogue containers, that could be a potential infection vector. Good to keep an inventory on that in your organization. Make sure that you know what's running, particularly internet-exposed services.
Starting point is 00:13:49 How would you rate the sophistication of this threat actor and what they put together here? That's another interesting question because some of what they do is very obvious. It's been done. If it is Team TNT, maybe they are the ones who have primarily done it in real life. But they have a pretty strong understanding of limitations. It seems like they readily adapt their tools. I think it's quite sophisticated that they added a functionality to craft HTTP requests through Bash.
Starting point is 00:14:24 It's really neat. They actually put the headers into the code and they manually create a request for containers that don't already have curl. So it will then make this request to the C2 and download the curl binary, which expands its functionality a lot. But I just thought that was incredibly interesting that the actor is overcoming more minimal containers and finding a way to make them more useful. You mentioned that your work here was in part a collaboration with some folks over at Permiso. Could you speak to that element of this? I mean, the importance of researchers like yourself sharing your information and collaborating with folks even across companies. Definitely. That is so welcome and it's so needed because I think everybody is somewhat on an island when it comes to cloud.
Starting point is 00:15:26 picture. And I'll caveat that by saying maybe the cloud service providers have a pretty good idea of what's happening in customer environments or just their own environments. I can't speak exactly to that. But for other organizations who don't have that level of visibility, it's really crucial to just form these relationships and collaborate with people, share what you know. You know, since we've been talking to them, I threw some samples over to Hermesa that were related to another thing they had written about. So it's been a really nice exchange. Thank you. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:16:40 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:17:35 This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Elliot Peltzman. Our executive editor is Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
