CyberWire Daily - Web host havoc: Unveiling the Manic Menagerie campaign. [Research Saturday]
Episode Date: February 24, 2024

Assaf Dahan and Daniel Frank from Palo Alto Networks Cortex sit down with Dave to talk about their research "Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor." From late 2020 to late 2022, Unit 42 researchers discovered an active campaign that targeted several web hosting and IT providers in the United States and European Union. The research states "They have further deepened their foothold in victims' environments by mass deployment of web shells, which granted them sustained access, as well as access to internal resources of the compromised websites." The research can be found here: Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So our journey begins pretty much at late 2022.
So back at the time, we were conducting a really thorough hunting project.
We were looking into all sorts of web exploitation conducted by a myriad of threat actors,
where we stumbled upon this really interesting anomalous behavior.
And that kind of started this whole quest that we embarked on.
That's Assaf Dahan, Director of Threat Research at Palo Alto Networks.
Also joining us is Daniel Frank, Principal Threat Researcher at Palo Alto.
The research we're discussing today is titled Manic Menagerie 2.0,
the evolution of a highly motivated threat actor.
Let's go through it together here. Can you give us an overview of what exactly we're dealing with here?
So Manic Menagerie, first of all, it's a name of a cyber crime group that we've been following for over a year now. It's a really kind of
interesting story. It's a story that involves cyber archaeology, evolution of a threat actor
with some plot twists and a good comeback, you know, because you have to have a good comeback.
So the research is really about the reemergence of this cybercrime group that came back from the dead, so to speak.
It was discovered back in 2018.
And then like for four years, nobody heard anything about them.
And all of a sudden, they launched this massive global campaign that targeted web hosting and IT companies,
where they were able to compromise thousands of websites around the world that were hosted on these web hosting servers.
So the title of your research, which begins with Manic Menagerie 2.0, indicates that there was an original Manic Menagerie.
What do we know about them?
Well, yeah, so the original research in 2018 was published by the Australian Cyber Security Centre.
And originally, this threat actor's motivation
was solely to monetize.
They were deploying cryptocurrency miners.
What we saw in our research was,
besides these cryptocurrency miners that we did witness as well,
was this really interesting shift into,
as Assaf mentioned before,
into deploying tons of web shells
into these legitimate websites
hosted on these web hosting companies' servers.
Yeah, so to expand a little bit on that,
when we first witnessed the activity at the end of 2022,
initially we thought we were looking at yet another cryptocurrency mining campaign.
But as time went by, we saw something that was pretty amazing.
As we started blocking them, they responded very quickly and tried to bypass our mitigations.
Again and again, it turned into this cat and mouse game of we are blocking them
and they trying to find smart bypasses. Eventually, it seems like they gave up on the
cryptocurrency scheme that they were trying to monetize. And it was then where we observed this attempt to backdoor a lot of legitimate websites at scale. So yeah, that was
pretty interesting to see. First of all, it was about the reemergence of a threat actor that has
not been seen for almost four years. And then it was this very quick and adaptive shift in their techniques and tactics, which was particularly interesting to us.
And to help us understand here, when we talk about that pivot, once they'd given up the crypto mining, what are they after in this second phase?
So it's really interesting.
So what they did was they deployed web shells on the affected or legitimate websites that hosted on the web servers.
And to us, it was a real pickle.
We questioned ourselves, why are they doing what they're doing? And the theories that we came up with
have to do with when you run a cyber crime operation, there are multiple ways in which
you can make money, right? So one is you could be ransomware, it could be info stealers.
And another really popular way of making money today, if you're a cyber crook,
is to sell access. So imagine that if you just got a hold of a web server that hosts
thousands or even hundreds of websites that are all legitimate, you can potentially install a backdoor there and it will grant you access to that,
not only to the website's resource, but to the entire server, so to speak. And you can sell this
access, you can further, you can use it to deploy other malware, so you can collaborate with other
cyber gangs. So it's a really nice way for them to, or you can even build a botnet. So it's a really interesting way of monetizing access.
Well, let's dig into some of the technical details here.
I mean, what sorts of tactics, techniques, and procedures are these folks using?
First of all, in order to infiltrate these environments,
what we saw was exploitation of various web-facing applications and IIS servers.
This is kind of the first technique that we noticed.
And afterwards, what they did was deploying a lot of publicly available tools with some custom tools. Now, I believe that this vast usage of all sorts of publicly
available tools for local privilege escalation and for lateral movement, I think this is what
gave them the original name Manic Menagerie because I believe it's just like the title implies, like this, I don't know, crazy circus
or crazy amount of tools all over the place.
They were blocked and tried another one.
And they were kind of also up to date
with the latest releases of local privilege escalation tools.
You could actually see the progress.
As Assaf said, this sort of cat and mouse game. And besides
these public tools, there was also the usage of several
custom tools, which also really helped us
in attributing this activity to the original
Manic Menagerie research.
So one of these custom tools was responsible
for writing this crazy amount of web shells.
And this was the main tool of interest,
you know, that like it sparked our curiosity in like,
you know, what is this custom tool
and why does it write so many web shells?
And I think this was like the main,
our main devote point
in actually understanding who this product is
and starting from there.
And then we discovered more and more tools.
And yeah, well, to sum it up,
just lots of public tools
and some really unique custom tools as well.
It also shows, if I may, it also shows the amount of effort that they invested in this campaign.
Because it's one thing to use off-the-shelf or, as Daniel mentioned, public tools.
But to write your own custom tools, it takes, you know, effort, it takes developers, and it also implies premeditated intention.
So it was not just like, you know, a fluke or like a random opportunistic,
I guess, type of attack.
It took some time for them to build this tool.
As far as we know, they're the only group that uses this tool,
which ultimately helped them to backdoor all of the legitimate websites.
And this is where the impact, I think, is really noteworthy to mention
because it could be pretty much any website
that you can think of.
It could be like the neighborhood yoga studio,
it could be an insurance company,
travel agency, e-commerce,
like a small e-commerce business.
So the fact that these attackers
gained access to these resources can potentially mean data
leakage, PII.
We live in a world of a lot of regulations and regulatory fines, GDPR.
So there could be really, let's say, harsh, I guess, consequences for such attacks.
Not even to mention the legal liabilities,
reputational damage that can incur.
Because I think that the genius thing here about,
for instance, selling access of a legitimate website is that a legitimate website enjoys a really good reputation.
It's not going to be flagged by firewalls or antivirus software
or other security solutions.
So the attackers, if they want to sell them as access points
or turn them into C2 servers, for that matter,
so they can really use this type of access
to conduct nefarious or malicious activity under the guise of a legitimate website.
Yeah, so I just wanted to add a little something here.
So in addition to what Assaf said, the point of this public access, I think it's really crucial to emphasize.
I mean, imagine that someone hacks
your web hosting company. I mean, the web hosting company that Riverside.fm uses.
And then you have Riverside.fm slash, I don't know,
Webshell.aspx. Imagine that this secondary
threat actor could just browse to Riverside.fm
slash Webshell.asp and have access to
your website's resources just from the public internet. They don't
need any internal access to the web hosting company
anymore, potentially. This resource for
running commands or whatever is just publicly available for
them.
You mentioned how opportunistic they are.
How do you rate their sophistication?
I think they're not like an APT,
nation-state APT level in terms of sophistication. As Daniel mentioned before,
they use a lot of publicly available tools.
You can just download and compile from GitHub.
So that on its own doesn't show a lot of sophistication.
They did develop their own custom tool, which, you know, it's not the state-of-the-art custom tool, but it's sophisticated enough.
What can characterize this group better is their resilience
or adaptiveness. We mentioned before that ongoing cat and mouse game that
we've been playing with them for a couple of months, and you could see how important for them
it was to maintain the access that they initially gained. Because every time we would block them,
they would find or try to find a way
to bypass those mitigations.
So if I had to describe them with an adjective,
it would not necessarily be sophisticated,
but I would definitely say resilient or adaptive.
Interesting.
So what are your recommendations then?
I mean, in terms of folks best protecting themselves against this sort of thing?
Well, I think the first thing would be just to maintain a good IT hygiene because, as we said,
the thing that started it all,
and not only now, but in 2018 as well,
it's the same vulnerable servers
and third-party software,
which is obviously no third-party software.
When unpatched, it poses a problem
for a lot of organizations.
So I think the first thing to do is to patch your
software, keep it up to date, and kind of, you know, have this patching system as kind of your
gatekeeper into at least trying to mitigate partially.
Yeah, so definitely I would say it starts with a good IT hygiene, like Daniel mentioned, the root cause.
We did a root cause analysis of most of the intrusions that we attribute to this group.
And by the way, a lot of other groups as well, has to do with poor IT hygiene.
So it's really important. It sounds very obvious, right?
But keep your software up to date.
Keep deploying patches.
And of course, security in layers.
That's another big thing.
You need to have multiple layers that will protect your data and resources.
It could be on the network side of the house.
It could be on the endpoint side of the house and so on.
The cloud, there are so many ways.
But I think, yeah, keeping a good IT hygiene
and making sure that your data is well protected
using a multi-layered approach is the right way to go.
It will definitely reduce the attack surface.
It's not going to be 100% bulletproof.
What we've learned over the years is that when you have a very motivated,
well-funded or resourced threat actor, they'll eventually find a way.
So what we can do as, you know, as defenders or
security practitioners, the only thing we can do is to try to make their life harder
by keeping, you know, our doors shut and not opening windows that should not be opened.
And the last thing maybe is to conduct a proactive type of hunting.
If you're in an organization that has a good IT or security department, I think it's a really good or best practice to conduct periodic proactive threat hunting tasks
in order to find those threats
even before you get an alert.
Because usually by the time you get an alert
from a product, it's almost too late.
Our thanks to Assaf Dahan and Daniel Frank from Palo Alto Networks for joining us. The research is titled Manic Menagerie 2.0, the evolution of a highly motivated threat actor.
We'll have a link in the show notes.
This episode was produced by Liz Stokes.
Our mixer is Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.