CyberWire Daily - The uncanny HEX men. [Research Saturday]
Episode Date: February 17, 2018
The research we're discussing today is called "Beware the Hex Men", and it tracks multiple attack campaigns conducted by a Chinese threat actor. The Guardicore Labs team identified three attack variants that they named Hex, Hanako and Taylor, targeting SQL servers.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
We're constantly looking at different sensors spread all over the internet. We still constantly
take a look and we have different like statistics modules and filters that look at and try to find
something interesting. And the Hex Men popped up as this really descriptive attack
that was dropping something that was completely unknown.
That's Daniel Goldberg, a security researcher at Guardicore Labs.
The research we're discussing today is called Beware the Hex Men,
and it tracks multiple attack campaigns conducted by a Chinese threat actor.
The Guardicore team identified three
attack variants that they named Hex, Hanako, and Taylor that target SQL servers.
So it goes into our queue to take a look, and we take it open and we realize that the attack is
kind of interesting, kind of different from what we've seen before, attacking SQL servers. Okay,
so it's like, okay, let's start taking it. Let's start taking it apart, figuring out what's going on.
And we're like, okay, one attack, one binary,
second attack, second binary, and so forth.
At some point after like 30 different malware samples,
we're like, okay, we got something serious on our hands.
From that point on, then it starts like,
you start unraveling the thread of like,
trying to find different things, putting it together.
And then we found like three different attack campaigns all connected through the same infrastructure.
We have the three different attack campaigns that are part of what you're calling the Hex Men trio.
You've got Hex, Taylor, and Hanako.
Shall we walk through each of those individually?
Just before Daniel starts to walk through the three scenarios,
one more word about the way that we first discovered the Hex Men.
That's Ofri Ziv.
He's the vice president of research and head of Guardicore Labs.
We have a system based on the Guardicore technology.
Basically, this network of sensors, of Guardicore sensors,
is based on the Guardicore deception technology,
which we just exposed to the internet.
This allows us to see lots of malicious internet activity
together with a lot of knowns like Conficker worms
and WannaCry attacks.
Next to those guys you have the new
and maybe sometimes more interesting campaigns.
And Hex Men is exactly this example,
where this internet-facing system allows us to detect this new thing,
a new type of malware.
And after the system tracks those attackers and generates
this malicious incident for us, then we take a deeper look into it and try to do the further
investigation to do something like connect the three campaigns into a single, under one
roof. This is something that needs the extra expertise,
and this is something that Daniel can elaborate on.
All right, Daniel, why don't you take us through?
We've got these three components here.
What did you discover?
Yeah, so I'm actually going to go reverse chronologically,
and I'm going to start with talking about Taylor and Hanako
and then work back to Hex.
Okay.
This is not the order we discovered them.
So Taylor is, at some point, the interesting widespread botnet campaign you could read about.
And in fact, Taylor was partially discovered previously, not by us, as a worm spreading through SQL servers with attacks based from Linux and Windows machines that seems to have a keylogger and backdoor component.
And the reason for the name Taylor is very simple.
As it downloads the backdoor
by hiding the data inside an image of Taylor Swift.
This is simple and it works perfectly well
because most sensors see,
okay, you're downloading a JPG, it's all fine.
And only when you open it up,
the image you're like, okay, this is full of junk.
And there's this, a lot of binary code here
that contains the key logger.
The other one is Hanako.
Hanako is a pretty like big DDoS,
I'm going to say, campaign
that attacks different machines.
This is probably like,
if you had to think of the archetypical botnet,
this would probably be it
It attacks Windows and Linux machines; it tries to brute force them, MySQL and MSSQL servers.
And the interesting part there is mostly that it's very similar and yet it's unique. But these
are less interesting. Now I'm going to reach the Hex variant, where we started from. And the interesting part there is that it seems to focus on Windows MS SQL servers,
which are really widespread,
a lot more than you would think for not a free offering.
And they are incredibly varied.
We've counted over 300 different sub variants in this attack,
which means the attackers are pretty much going,
okay, we're probably going to get caught somewhere. So we're going to make sure every attack looks slightly different.
So if you were, if you were going to be like this analyst, looking at the list of indicators of
compromises, IOCs, you're going to be like, okay, another small one, another small one.
But if you look at the attack flow, which was what we were looking at, because we were starting as
Ofri said, from the
deception service, then we're seeing, okay, these are all identical. They're just dropping
slightly different binaries. Well, take us through that attack flow. The attack flow is really long.
It's one of the longest brute force attacks I've seen. It tries out by starting to connect to an
SQL server. And once it's in, what it does is make sure that it can hide from auditing
by turning off every possible audit method.
And then it's going to try to actually attack using a variety of different methods.
So the thing is, there's usually like three well-known attack methods for SQL servers.
The most famous one is just loading a plugin
that lets you execute shell commands.
Our attackers don't necessarily avoid one or the other.
They just use each of them in a way that tries to go under the radar
and uses each attack for the best it can.
For example, they write files to disk,
not by outputting to shell commands long strings,
but they use a sub-database, Access database, classic ones,
that are also installed with the SQL Server to write files to disk.
And this looks very legitimate.
This is not a shell command piping data around the system
that some monitoring tool could see.
It's more like, okay, SQL Server wrote a file to disk.
Who the hell knows what SQL Server is doing?
And the same thing is to change registry settings and security settings,
instead of, again, okay, let's turn off everything in a noisy manner,
we're going to use WMI, Windows Management Instrumentation classes,
and we're going to configure them so everything is turned off.
We're going to make sure that the security
settings allow us to change everything. And we're going to do, again, everything through the SQL
server process. It's only the really last moment when everything is ready that they use shell
commands to actually run their tools. At that point, from a standard security software perspective,
all SQL server is doing is executing a file that's already installed properly on disk,
that is configured properly to be permissible to SQL Server to execute, and everything looks okay.
And part of what it's doing, it's disabling antivirus software, yes?
Yeah, that's in the second stage, after it's starting to execute its own code and not through
the SQL Server, is to methodically kill antivirus software.
And it's very methodical about this by trying like, I think it was around 20 different products,
both known antiviruses that you might even have tried at some point and really unique ones.
It explicitly tries to kill an antivirus called Bullguard, which is aimed at the gamer
crowd, which I didn't know was a real antivirus market segment, but it knows about it and it
also tries to kill it. Now, it's interesting in your research here that you've broken the
attack infrastructure into three different classes of steps, basically. You've got the
scanning, the attacking, and the initial implant.
Yeah, so you're right, and the split is something we've started to see a lot more in botnets in the last few years.
We've also seen it last year when we saw a botnet we called Bondnet that was also attacking servers.
the idea is you don't see as a defender a lot of traffic to any particular server. You're breached,
you're scanned by a specific server, but you're breached by a completely different server.
It's harder for you as a defender to connect it to events. And after the breach, the communication
to download the further Trojan stages happen towards a third server. As a defender, it's
very hard for you to piece together what's going on. I see. That's one strong advantage.
The second is, all this infrastructure is hosted on previously compromised machines,
meaning from the attacker's perspective, he's not risking anything.
And in fact, it's easier for him by spreading out his infrastructure to all different machines.
So if some administrator notices, oh, wait, I'm serving malware, I should probably not be doing that.
It wasn't a horrible blow to these cyber criminals.
They're like, OK, next server, next.
So they've got a widespread distributed network of compromised machines that they can implement to do their business here.
Yeah.
We're talking at least 300 attacking IPs just in a one month period.
And we saw a similar number of file servers spread around the world.
Yeah, I think that this infrastructure, it makes lots of sense for an attacker
because stopping him becomes much tougher.
It is basically very hard for us as a security community to stop this attack at once. So what we can do basically
is we can try to block it in different places. But overall, the fact that it is using so many
servers across continents, across countries, makes the blocking procedure very, very complicated.
And another thing, and this is maybe something that you can look at to distinguish between maybe criminals which might be more advanced because they are using this distributed infrastructure.
Those guys are more advanced than maybe like a script kiddie or someone that just tried to run something from one single host that he owns. I think the second step that we didn't see here,
and this is maybe what will distinguish those guys
from the larger APTs and maybe nation cyber operations,
is the fact that eventually those guys
are attacking from compromised machines,
but they are uploading all their capabilities on them.
And I think that the next
step, what maybe makes the larger APT operations is that they are attacking through compromised
machines, but they will never host their, I don't know, exploits and their tools on them. Because
if one of those machines will get hacked back or if someone will try to look
deeper into it, they wouldn't want their tools to be captured by someone else.
So, Ofri, in terms of prevention and mitigation, what are your recommendations there?
So, I think that there are several different things that need to be taken care of. First of all, people should, as always,
need to make sure that they are using strong credentials.
If they can use two-factor authentication,
those are like the obvious things.
But as we saw in the past,
and we keep seeing it over and over again,
people have a hard time to be able to actually
manage their credentials properly and even their
servers that are exposed to the internet. So I think that in order to actually be able to
prevent such incidents to happen in your network, what you need to do is you need to be able to
actually be aware of all your internet-facing services as a first thing.
Many of those servers that we saw that got compromised in this campaign are servers that,
I would say, people, I'm not sure that people are actually aware of them. Some of them weren't
patched for a long time. Some of them had very, very weak credentials. I know they used default passwords or others. And methodologically, from the defensive
side, being on top of what you have, what is facing the internet, is a very, very important first stage.
And then once you know this, it will be much easier for the IT manager or the security officer of such a network to make sure that those servers are patched all the time, that they are using the most advanced credentials and methods.
I think those are like the two key things as we see it in such a campaign like the Hex Men.
And Daniel, in terms of attribution, who do you think is responsible here?
So attribution is always something scary to do because we don't have evident proof.
But in this case, it's really clear that we can tie this to Chinese cyber criminals. In this case, we're talking about dozens of examples of Chinese comments,
Chinese emails, using different code fragments, focusing on Chinese software. They have an example
where they mimic a very popular Chinese music streaming program as one of their Trojans. We
don't know the name of the developer or where he lives, but we definitely know that his email address
is a popular Chinese service.
He writes comments to himself in Chinese.
The compile paths are Chinese.
Now this is a smoking gun,
but it really adds up really quickly.
And the second thing is,
this is a very much criminal oriented enterprise.
We're seeing both cryptocurrency mining and there's a DDoS component.
It's not really about a "let's stick around here for the next two years extracting information."
It's more in the trend of, okay, we got in, let's get the maximum value we can out of this host.
And while they leave themselves the option to exfiltrate data or ransom data and stuff,
they're really focused on let's get profit running out of this machine.
It was interesting to me in your research that you described how they'll get in and
use a machine for a certain amount of time, and then they'll get out and move on to another
machine.
Yeah, so this is very much depends on the variant, but they don't, for
example, as part of their compromised infrastructure, they don't stick with the same attacking server or
scanning server for more than a few days or max a week or two. We don't know their internal thought
process, but it could be like, okay, we have something, we go and want it before anybody gets suspicious.
So explain to me, to sort of take a step back at a high level here,
why are these three grouped together, Hex, Taylor, and Hanako?
What's the common thread between them?
They have multiple common threads, in a way.
One of the main things, they share attack techniques.
Up until a very late stage, they run the exact same commands, which is not very likely for an independent attacker to do.
This isn't some exploit you got down from the internet.
This is something like they wrote, they debugged, they use, and we see them iterate over it.
We also see a lot of shared infrastructure, which is pretty much the smoking gun. The same IP can be used to attack and deploy both a hex malware binary and a Taylor binary in the next
attack, depending on the time of the attack. They have the same scripts and they're sending money to
the same cryptocurrency wallets. For all intents and purposes, we can't tell the different attackers
apart. Maybe there's some subgroup that's building this botnet and that botnet. We sometimes see
that, but in this case, they're really working together. I see. Yeah. And another thing that we
can add maybe about those attackers is the fact that they are evolving. So, I mean, we've been tracking them for several weeks and maybe a bit longer.
And we saw how those attacks are actually becoming more and more sophisticated. Those guys,
they learn. They learn fast and they make their tools better. They add more mechanisms to not
being caught by different security products. They're good and they're getting even better.
And I'm sure that once they will get over
with those three variants,
they will continue to do something else,
something even more advanced.
So I think that attackers, just as the defenders,
they are getting better and better.
Very interesting things are ahead of us.
A lot of hype, for obvious reasons, goes to the flashy and
sophisticated attacks. But in this case, this is a botnet of, at the very minimum, high thousands of
machines, all of them servers, and it's alive and it's going to stick around because, as Ofri
said, it's going to be very hard to take down. And this is going to cause a lot of real
damage. We're talking thousands of database servers, let's be honest here, which are probably containing customer data, patient data.
We don't know what's going on behind there.
And that's what's compromised.
And we see this happening again and again, meaning we can't just focus on the big flashy stuff.
We can't just focus on the latest Meltdown or the latest zero-day when this is the second botnet we found just this year that's taking tens of thousands of machines for its own purposes.
At some point we need to focus back on the basic stuff. And the second is, again, we're seeing again and
again: patch yourself, handle yourself. And these guys are getting in by old vulnerabilities
or brute forcing passwords. To use the really cliche statement, it's 2018. Really?
Yeah. Yeah. And I think that maybe this specific thing, what they are using at the end,
maybe it's not like the most dangerous thing for us or even their victims, because,
OK, so maybe they will need to pay some more money for the power that their machines
are taking, or their network might be used by someone else.
I think that the more danger part is what will happen next.
So what we saw is we saw DDoS,
we saw cryptocurrency,
but we also saw Keylogger and the backdoor.
So this variant can, at a later stage,
I don't know, this machine can be sold to someone else
or be used by these attackers for another purpose.
They might take this,
maybe this is a single server
that someone forgot to patch or didn't notice about
him. And from this point, those attackers can move forward inside this network. As Daniel mentioned
before, we keep seeing people making mistakes. You know, everyone makes mistakes and it's natural
that I don't know any network that cannot be breached somehow using some attack vector.
And I think that it is very important to also not only invest in the perimeter and on the servers that are actually exposed to the Internet.
It is also very important to think about what will happen next.
So what will happen once one of my internet-facing servers will get hacked?
Will my defense be able to detect other lateral movements inside my network?
What will the attacker be able to fetch from this point?
And I think this is another very important lesson that we should take from this example.
Our thanks to Daniel Goldberg and Ofri Ziv from Guardicore Labs for joining us.
Their full report, Beware the Hex Men, is available on the Guardicore website.
The Cyber Wire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Valecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.