Posts

MDR Service Provider Proficio Enables Rapid Threat Containment with Microsoft Defender ATP

CARLSBAD, May 4, 2021 – Proficio, a managed security services provider (MSSP) delivering managed detection and response (MDR) services, today announced that its proprietary automated response solution, Active Defense, now supports Microsoft Defender ATP. This feature allows Proficio to quickly quarantine or isolate from the network any hosts that are determined to be an immediate threat to their clients.

Microsoft Defender ATP is a key tool that helps enterprises detect, investigate, and respond to advanced attacks within their organization. Recognized as a Gartner leader in endpoint protection, it provides a host of capabilities, including cloud security analytics, threat intelligence and endpoint behavioral sensors, for comprehensive built-in endpoint protection. By adding this support, Proficio continues to expand its Open XDR automated response and containment capabilities and provides an extra layer of protection by enabling rapid action on critical threats that Microsoft Defender ATP detects within client networks.

“In cybersecurity, every second matters, so it is essential to take both fast and effective actions to contain active attacks,” says Brad Taylor, Proficio’s CEO. “Proficio developed Active Defense to aid our clients when a high-fidelity threat is detected within their network. This new integration allows our clients to extend their cyber protection by taking advantage of Proficio’s cloud-based security service alongside Microsoft’s leading endpoint protection solution.”

Proficio’s Active Defense platform currently supports a large number of vendors, including on-premises and cloud-based firewalls and industry-leading endpoint security solutions. This service is part of Proficio’s managed security services offering, which enables clients to reduce risk, meet their security and compliance goals, and maximize their investments in security technology. Alongside 24/7 MDR services, Proficio offers clients a full suite of cybersecurity services, including management of security devices and Risk-Based Vulnerability Management, to ensure comprehensive protection against threats.

About Proficio

Founded in 2010, Proficio is an award-winning managed detection and response service provider. We help prevent cybersecurity breaches by performing and enabling responses to attacks, compromises, and policy violations. Our team of experts provides 24/7 security monitoring and alerting from global security operations centers (SOCs) in San Diego, Barcelona, and Singapore. Proficio’s cloud-native Threat Management Platform uses a combination of industry-leading commercial software and proprietary technology to provide clients with advanced analytics, threat intelligence, Security Orchestration, Automation, and Response (SOAR), patented risk scoring, AI-based threat hunting, Open XDR, and Risk-Based Vulnerability Management. www.proficio.com.

Contacts:
Kim Maibaum
KMaibaum@Proficio.com

Hafnium – Microsoft Exchange Server 0-Day Vulnerability

OVERVIEW | 0-day

As early as January 6, 2021, multiple Microsoft Exchange 0-day vulnerabilities had been publicly disclosed. These 0-day vulnerabilities were found to be actively exploited by the threat group Hafnium. This appears to be a nation-state attack that is currently targeting as many as 30,000 organizations in the United States and hundreds of thousands worldwide. Based on the current pool of targeted victims, these attacks do not appear to target any specific sector or country.

Per BleepingComputer, four 0-day vulnerabilities were being exploited:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065 is likewise a post-authentication arbitrary file write vulnerability in Exchange. Once authenticated, whether by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials, Hafnium could use it to write a file to any path on the server.

Microsoft released patches for the exploited vulnerabilities on March 2, 2021. Microsoft also published a PowerShell script, “Test-ProxyLogon.ps1”, to scan Microsoft Exchange Servers for indicators of compromise. At this time, multiple groups of threat actors (other than the Hafnium group) were also known to be exploiting these vulnerabilities to compromise Microsoft Exchange Servers.

Hafnium Attack Details

These attacks began with the adversary performing reconnaissance to find vulnerable servers. After using the vulnerabilities to gain initial access, Hafnium dropped webshells onto the affected servers. Based on our research, the webshells dropped onto victims’ servers were mainly China Chopper-like webshell variants.

The adversary was observed deploying these webshell scripts within web directory folders to establish persistence on the systems. The team also observed unusual HTTP POST requests to single-letter or generically named JavaScript files being used as part of the exploit attempt. CrowdStrike has decoded a sample of such scripts, revealing the initial commands being passed to a dropped webshell. SetObject commands for OABVirtualDirectory were used to point to the malicious JavaScript files. These webshells potentially allow attackers to perform malicious actions on, or steal data from, the compromised servers.

Post-exploitation activity such as downloading PowerCat from GitHub was observed in this attack. PowerCat is used to open connections to a remote server. Use of the Exchange PowerShell snap-in to export mailbox data was also observed, and stolen files were compressed prior to exfiltration.

Stronger Together

Proficio’s Threat Intelligence team is continually researching and collecting IOCs regarding these attacks. We continue to gather the latest IOCs available, and many clients have also been providing additional Exchange logs and malicious artifacts, which we have used to find additional indicators to help in our threat hunting. With the indicators gathered, the team is able to quickly identify positive hits, such as dropped files on clients’ servers.

In addition to the public IOCs and the indicators found by the team, we are also looking at other TTPs, such as potential download traffic of PowerCat, large data transfers, access to file-sharing sites and other unusual traffic that could help to identify the threat. This is an ongoing effort to help identify clients that may have been compromised and to ensure our clients are not being targeted.
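As an added illustration of hunting for the unusual POST traffic described above (this is not code from Proficio or from the advisory), the following Python script scans constructed IIS W3C log lines for POST requests to single-letter or generically named .js files and groups the hits by client address. The paths, addresses and the generic-name list are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed sample of IIS W3C log lines (not taken from the advisory).
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 02:11:05 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2021-03-03 02:11:09 10.0.0.5 POST /owa/auth/x.js - 443 - 203.0.113.7 python-requests/2.25 200
2021-03-03 02:11:12 10.0.0.5 POST /owa/auth/help.js - 443 - 203.0.113.7 python-requests/2.25 200
2021-03-03 02:13:40 10.0.0.5 GET /owa/auth/logon.js - 443 - 198.51.100.9 Mozilla/5.0 200
2021-03-03 02:14:01 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.9 Mozilla/5.0 302
"""

# Heuristics for "single letter or generically named" script files: an
# assumption tuned to the behaviour described above, not an official IOC list.
SINGLE_LETTER = re.compile(r"^[a-z]$", re.IGNORECASE)
GENERIC_NAMES = {"help", "script", "error", "index", "default", "test"}

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))

def is_suspicious_post(entry):
    """True for a POST whose target is a .js file with a one-letter or generic name."""
    if entry["cs-method"] != "POST":
        return False
    basename = entry["cs-uri-stem"].rsplit("/", 1)[-1]
    name, dot, ext = basename.rpartition(".")
    if not dot or ext.lower() != "js":
        return False
    return bool(SINGLE_LETTER.match(name)) or name.lower() in GENERIC_NAMES

def hunt(text):
    """Return {client_ip: [uri_stem, ...]} for every suspicious POST."""
    hits = defaultdict(list)
    for entry in parse_w3c(text):
        if is_suspicious_post(entry):
            hits[entry["c-ip"]].append(entry["cs-uri-stem"])
    return dict(hits)
```

Run `hunt()` over exported IIS logs from the Exchange front end; a client that POSTs to such files is a candidate for the deeper investigation the text describes.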

Precautionary Measures

Prevention is always better than cure. Given that these exploits are still actively seen in the wild, we recommend that organizations patch or upgrade any on-premises Exchange environments to mitigate the risk of successful exploitation attempts. For those that have been exploited, or are unsure whether their servers were compromised through these vulnerabilities prior to patching, we strongly recommend investigating Microsoft Exchange Servers using the PowerShell scripts published by Microsoft, which scan the servers for indicators of compromise. Microsoft’s patch recommendations and PowerShell scripts can be found here:

  • https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

For any concerned Proficio clients, please reach out to your assigned Client Success Manager or Security Advisors.

Reference links

https://news.sophos.com/en-us/2021/03/05/hafnium-advice-about-the-new-nation-state-attack/

https://www.theverge.com/2021/3/5/22316189/microsoft-exchange-server-security-exploit-china-attack-30000-organizations

https://www.bleepingcomputer.com/news/security/microsoft-fixes-actively-exploited-exchange-zero-day-bugs-patch-now/

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

“Voicemail” Phishing Campaign

OVERVIEW
On February 28th, the Proficio Threat Intelligence Team identified a new spear-phishing campaign that pretends to be sending a voicemail to targeted recipients.

In this blog, we share some of the findings from our deep-dive investigations into the attack activities that we have observed for this campaign.

PHISHING DETAILS
The attack starts with a phishing email pretending to send the recipient a voicemail. The email has a sender address starting with “voice@” and a subject containing text such as “New VM was sent” or “Voice Receiver”. The email contains a link which, when clicked, redirects the recipient to a phishing page that resembles a Microsoft login page. The victim’s credentials are then stolen when entered and submitted on the fake login page.

Figure 1 – An example of the fake Microsoft login page (a) alongside the real one (b)

The initial phishing attempt is merely the first step of the adversary’s intrusion attempt. After successfully obtaining a user’s login credentials, the threat actor responsible uses them to conduct a targeted spear-phishing campaign against other employees within the victim’s organization.

DETECTION AND DISCOVERY EFFORTS
Proficio’s Threat Intelligence Team gathered and researched a number of different IOCs to identify potential access to the phishing sites. The IOCs included email subject strings, known domains, URL parameters and IP addresses. These IOCs were used to kickstart the detection and discovery phase of our threat hunting campaign. We identified several potential victims and performed deep-dive investigations on each potential victim identified.

The most notable and useful indicator we generated was the sequence of redirections that occurred after the initial phishing link was clicked. Such activity strongly indicated that the victim(s) had successfully reached the phishing page, so we were able to identify potentially successful phishing attempts with a high level of confidence despite the limited visibility of the dataset at our disposal.
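An added example (not Proficio’s code) of turning the redirect-chain indicator into detection logic: it walks constructed proxy log lines per client, starts at a request to a known phishing domain (a placeholder standing in for the real IOC list), follows the 3xx hops, and reports chains that end at a 200, the pattern the text above treats as a successful access. The domains, addresses and the 30-second window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log sample (not real campaign data): "time client url status".
SAMPLE_PROXY_LOG = """\
2021-02-28T09:14:02 10.1.1.20 http://voicemail-notice.example/listen?id=42 302
2021-02-28T09:14:03 10.1.1.20 https://redir-one.example/r?u=abc 302
2021-02-28T09:14:03 10.1.1.20 https://redir-two.example/go 302
2021-02-28T09:14:04 10.1.1.20 https://login-microsoft.example/common/oauth2 200
2021-02-28T09:20:11 10.1.1.31 http://voicemail-notice.example/listen?id=43 403
2021-02-28T09:33:50 10.1.1.45 http://voicemail-notice.example/listen?id=44 302
2021-02-28T09:33:51 10.1.1.45 https://redir-one.example/r?u=def 302
"""

# Known initial phishing link domains (placeholder, stands in for the real IOC list).
PHISHING_DOMAINS = {"voicemail-notice.example"}
WINDOW = timedelta(seconds=30)  # assumed maximum span of one redirect chain

def parse_log(text):
    """Parse lines into (timestamp, client, url, status) tuples."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, client, url, status = line.split()
            entries.append((datetime.fromisoformat(ts), client, url, int(status)))
    return entries

def find_click_throughs(entries):
    """Return {client: [url, ...]} for IOC hits whose 3xx chain ends in a 200."""
    by_client = defaultdict(list)
    for entry in sorted(entries):
        by_client[entry[1]].append(entry)
    results = {}
    for client, reqs in by_client.items():
        for i, (ts, _, url, status) in enumerate(reqs):
            if urlparse(url).hostname not in PHISHING_DOMAINS or status // 100 != 3:
                continue  # not an IOC hit, or the hit was blocked (e.g. 403)
            chain = [url]
            for ts2, _, url2, status2 in reqs[i + 1:]:
                if ts2 - ts > WINDOW:
                    break  # chain never completed inside the window
                chain.append(url2)
                if status2 // 100 == 3:
                    continue  # still redirecting
                if status2 == 200:
                    results[client] = chain  # landed on the phishing page
                break
    return results
```

In the sample, 10.1.1.31 was blocked at the first hop and 10.1.1.45 never reached a landing page, so only 10.1.1.20 is reported as a likely click-through.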

Our investigations indicate that this campaign appears to focus on targeting organizations rather than random individuals, as we observed that the phishing emails were being sent to multiple employees within an organization together in a single wave. The adversary does not appear to be targeting any specific organization as there were no repeated attempts to send the emails to the targets even if the emails were blocked or did not result in a successful click-through.

No specific industry sector was targeted; we identified several victims of this campaign, all from different sectors:

  • Banking and Financial
  • Technology
  • Commercial Services
  • Real Estate
  • Healthcare

All clients that we identified as having successful click-through activity in this phishing campaign have been notified. If you would like to know more about this campaign and what we have found, please reach out to your Client Success Manager or Security Advisor.

FUTURE PRECAUTIONARY MEASURES
Such phishing campaigns are not uncommon, and they have intensified in the past month, with multiple campaigns using COVID-19 to lure victims. The use of COVID-19 as a phishing hook has been very effective in generating click-throughs for attackers’ phishing campaigns. To avoid being the next victim of credential theft, you can put safeguards in place to protect yourself and your organization from phishing attacks.

We would recommend the following measures:

  • Educate your employees and users to improve cybersecurity awareness.
  • Apply content filters on email gateways and systems to prevent malicious content from reaching users and reduce the chance of compromise.
  • Report any suspicious emails to your security team so they can warn other employees in the organization of the threat.
  • Always verify such suspicious emails through a different channel.

Method: Windows Malware – ThreadKit

March 25th – Researchers at Proofpoint have discovered a new type of exploit kit, called ThreadKit, that allows attackers to craft malicious Office documents that attempt to exploit CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802. The Word document comes with an embedded executable that is decoded upon successful exploitation of the system. In some cases of successful exploitation, once the embedded executable is extracted, a separate decoy document is opened. The decoy documents shared by Proofpoint displayed the following message:

“Microsoft Word has encountered a problem and needs to close. We are sorry for the inconvenience.”

The spam campaigns tracked by Proofpoint that use this exploit kit result in various forms of banking malware being installed on the system.

Technical analysis of campaign – https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware

Proficio Threat Intelligence Recommendations:

  • Validate that the proper Microsoft Office patches have been applied by checking the Microsoft Tech Center for advisories around CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802.
  • EDR products such as CarbonBlack look for abuse of the various components used in this campaign, such as abnormal use of MSHTA. Validate that your endpoint solution can detect and prevent the activity described in this article.