Category: #IT/CYBER/TECHNOLOGY

Posted on

DarkHydrus Uses Phishery to Harvest Credentials in the Middle East

Last week, Unit 42 released a blog on a newly named threat group called DarkHydrus that we observed targeting government entities in the Middle East. The attack that we discussed in our previous publication involved spear-phishing to deliver a PowerShell payload we call RogueRobin; however, we are aware of DarkHydrus carrying out a credential harvesting attack in June 2018. It also appears that this an ongoing campaign, as we have evidence of previous credential harvesting attempts using the same infrastructure dating back to the Fall of 2017. These attacks were targeting government entities and educational institutions in the Middle East.

The credential harvesting attacks used spear-phishing emails that contained malicious Microsoft Office documents that leveraged the “attachedTemplate” technique to load a template from a remote server. When attempting to load this remote template, Microsoft Office will display an authentication dialog box to ask the user to provide login credentials. When entered, these credentials are then sent to the C2 server, which allows DarkHydrus to collect the user account credentials.

Based on Unit 42’s analysis, DarkHydrus used the open-source Phishery tool to create two of the known Word documents used in these credential harvesting attacks. As discussed in our previous blog, this further strengthens DarkHydrus’ use of the open source for their attack tools.

A phishing attack to steal credentials like this is not new: US-CERT warned of the same technique by a different threat group in 2017. What is noteworthy is DarkHydrus’ use of an open-source tool to carry out targeted attacks against these entities in the Middle East, which is fitting of their reliance of open source tools and these attacks are consistent in terms of targeting with what we reported last week. Based on this, we can reasonably presume this group will continue to carry out attacks against these kinds of targets in the Middle East in the near-future.

 

Credential Harvesting Attack

On June 24, 2018, Unit 42 observed DarkHydrus carrying out a credential harvesting attack on an educational institution in the Middle East. The attack involved a spear-phishing email with a subject of “Project Offer” and a malicious Word document (SHA256: d393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318) as an attachment. When opened, the malicious Word document displays a dialog box that asks the user for their credentials, as seen in Figure 1.

Figure 1 Authentication dialog box presented to the user when opening document

As you can see in Figure 1, the authentication prompt says “Connecting to <redacted>. 0utl00k[.]net”, which is a DarkHydrus C2 server. If the user enters their credentials in this dialog box and presses ‘Ok’, the credentials are sent to the C2 server via the URL https://<redacted&gt;.0utl00k[.]net/download/template.docx. With the authentication dialog box gone, Word displays the contents of the document, which in this specific case was an empty document. While this document was empty, the authentication prompt may have made the targeted user more likely to enter their credentials, thinking it’s necessary to view the contents of the document.

DarkHydrus also created their C2 domain carefully in an attempt to further trick the targeted user to enter their credentials. Firstly, the redacted subdomain was the domain of the targeted educational institution. Also, the 0utl00k[.]net domain resembles Microsoft’s legitimate “outlook.com” domain that provides free email services, which also make the user less suspicious and more likely to enter their credentials. Some users may not even notice what domain the dialog states they are connecting to and habitually type their Windows credentials.

We found two additional Word documents using the 0utl00k[.]net domain to harvest credentials, seen in Table 1. We first saw these related Word documents in September and November 2017, which suggests that DarkHydrus has been carrying out this credential harvesting campaign for almost a year.

First Seen SHA256 Filename Remote Template
11/12/2017 9eac37a5c6.. PasswordHandoverForm.docx https://0utl00k[.]net/docs
09/18/2017 0b1d5e1744.. استطلاع.docx https://0utl00k[.]net/docs

Table 1 Additional DarkHydrus Word documents used to steal credentials

Both of these related documents use the attachedTemplate technique to steal credentials by sending them to a URL https://0utl00k[.]net/docs. Unlike the June 2018 document that displayed no content after credential theft, both of these documents displayed content that appears pertinent to the targeted organization. The September 2017 document displays an employee survey, which can be seen in Figure 2.

Figure 2 Employee survey displayed after credential theft

The November 2017 document displays a password handover document after credential theft occurs, as seen in Figure 3. We were unable to find the displayed document via open source research, which may suggest that the actor gathered this password handover form from a prior operation.

 

Figure 3 Password handover form displayed after credential theft

The infrastructure used in these credential harvesting attacks used the domain 0utl00k[.]net, which at the time of the attacks resolved to 107.175.150[.]113 and 195.154.41[.]150. This same infrastructure was discussed in the Campaign Analysis of our previous blog.

 

Phishery Tool

While analyzing the three malicious Word documents, we determined that two of the documents were created using an open source tool called Phishery. The Phishery tool is capable of the following:

  1. Creating malicious Word documents by injecting a remote template URL
  2. Hosting a C2 server to gather credentials entered into authentication dialog boxes displayed when attempting to obtain the remote template

We were able to confirm that DarkHydrus used Phishery to create these Word documents by using the open source tool to create a document and host a C2 ourselves. The DarkHydrus document used in the June 2018 attacks had a remote template URL added, as seen in Figure 4.

 

Figure 4 Remote template URL seen in the DarkHydrus document from June 2018

We were able to replicate the remote template path seen in Figure 4 by using Phishery to create a weaponized delivery document. Figure 5 shows Phishery’s output to the command that injects a URL into a file named “good_test.docx”, which it will save the resulting file to “bad_test.docx”.

 

Figure 5 Phishery command used to create a document that has same remote template URL as DarkHydrus

To confirm, we used Phishery’s C2 server and opened DarkHydrus’ Word document from the June 2018 attacks. When presented with the authentication dialog box, we entered “fakename” and “fakepass” as credentials, as seen in Figure 6 and pressed enter.

Figure 6 Authentication dialog box with fake credentials entered

On the C2 server, we observed Phishery receiving the inbound request and capturing the credentials, as seen in Figure 7. The C2 server was able to obtain the “fakename” and “fakepass” credentials entered into the authentication dialog box displayed when opening DarkHydrus’ Word document.

 

Figure 7 Output of Phishery C2 showing captured credentials

Conclusion

DarkHydrus is a threat group carrying out attack campaigns targeting organizations in the Middle East. We discovered DarkHydrus carrying out credential harvesting attacks that use weaponized Word documents, which they delivered via spear-phishing emails to entities within government and educational institutions. This threat group not only used the Phishery tool to create these malicious Word documents, but also to host the C2 server to harvest credentials. The use of Phishery further shows Dark Hydrus’ reliance on open source tools to conduct their operations.

Palo Alto Networks customers are protected by Dark Hydrus by:

  • The C2 server 0utl00k[.]net is classified as Malware
  • All Phishery documents created by DarkHydrus have malicious verdicts in WildFire
  • AutoFocus customers can monitor this threat group’s activity via the DarkHydrus tag

 

Indicators of Compromise

Samples

d393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318

9eac37a5c675cd1750cd50b01fc05085ce0092a19ba97026292a60b11b45bf49

0b1d5e17443f0896c959d22fa15dadcae5ab083a35b3ff6cb48c7f967649ec82

 

Infrastructure

0utl00k[.]net

107.175.150[.]113

195.154.41[.]150

[Palo Alto Networks Research Center]

Posted on

A First-Hand Experience with CISSP CAT

Patrick Strijkers is a 43-year-old information risk security officer at a pension funds firm in the Netherlands. He works in the IT security department in security incident management. Patrick’s employer runs a job rotation program, allowing him to gain experience in a variety of roles, with his next position coming invulnerability management this September. He holds the following security certifications:

  • CompTIA Security+
  • CompTIA Network+
  • EC-Council Certified Ethical Hacker v8
  • EC-Council Certified Security Analyst v8
  • EC-Council Computer Hacking Forensics Investigator v8
  • Rapid7 Nexpose
  • Rapid7 Metasploit Pro

Patrick’s goal last year was to earn his CISSP certification. He attended a five-day boot camp course and studied for two and a half months before sitting for his exam on August 11 of 2017. At that time, the format of the CISSP exam was only available in the linear format

“After fighting through 250 questions over the course of 320 minutes – including two brief breaks to clear my mind – it was devastating to read the ‘Sorry, you failed’ exam notice,” said Patrick. He decided to take some time away from studying and waited to prepare for his next attempt until February of 2018. With his exam scheduled for April 20, Patrick began to dive back into the material, although at first he was not aware of the new CAT exam format.

“After finding out about the new format in the beginning of April, it got me a bit frightened of what to expect of it,” said Patrick. He was unsure of the number of questions he would be answering, as well as how the difficulty of the exam might be affected by the format change. “In the end, it didn’t stop me from taking the shot.”

The night before the exam, Patrick checked into a hotel near his testing site and recalls being nervous before this attempt, whereas his nerves were calm back in August. The biggest challenge he felt with the CAT format was not being able to mark questions to review, but Patrick found that his time management was excellent this time around, as he completed the exam (at 150 questions) with time to spare.

Upon finding out he had passed, Patrick said “The second I was notified I asked to please see the paper, as I couldn’t believe it. But yes, I did pass my CISSP exam.”

Congratulations to Patrick for reaching his goal of becoming a CISSP! Welcome to the (ISC)family!

[(ISC)² Blog]

Posted on

Is it Time for a Cyber National Guard?

With more emerging risks and more data breaches, we continue to hear about the shortage of cybersecurity professionals with the necessary skills, knowledge and experience to protect our information technology infrastructure, especially in the government and public sector.

For instance, in the United States, we know that our federal, state, and local governments are communicating that our information technology infrastructure is outdated and vulnerable to cyberattacks. We also know they are currently trying to pass legislation that will modernize our information technology infrastructure to prevent future cyberattacks. Modernizing information technology infrastructure will help mitigate the risk for cyberattacks; however, you need skilled cybersecurity professionals to continuously identify and evaluate risks, design and implement controls, and assess and monitor the effectiveness of those controls. Just like our outdated technology, we have a shortage of skilled cybersecurity professionals across the government and public sector. How do we solve these problems in the most cost-effective way?

This is important to understand because it’s already difficult to find cybersecurity professionals with necessary credentials to protect information technology infrastructure in the private sector. It’s even more difficult to find these professionals in the government and public sector. Do we just continue to communicate the shortage? Or do we provide an opportunity for private sector cybersecurity professionals to serve their country?

Two members of the US House of Representatives, Ruben Gallego (D-Arizona) and William Hurd (R-Texas), have proposed a Cyber National Guard, which would be similar to the existing Army or Air National Guard. This reserve force would not complete boot camp or use guns in battle. Instead, this reserve force would be called to protect the country against cyber threats and strengthen our national security on the digital battlefield. These resources would identify and patch bugs, upgrade outdated systems to be compliant with policies, and audit and report on information technology infrastructure.

Just like the existing reserves of the National Guard, these cybersecurity professionals would commit to serve their country by volunteering their skills, knowledge, and experience to protect the country from malicious attacks or unintentional changes to the technology infrastructure that supports the government. In return, they would receive the same benefits that anyone serving in the National Guard would receive, including additional pay, tuition reimbursement and other financial benefits. The overarching reward for most of these individuals, though, would be the opportunity to serve their country.

It would be a time commitment both personally and professionally that potential participants would need to consider. However, it would be an opportunity to give back to the country. If former US President John F. Kennedy were around today, would he make the same call to action in the context of this current skills crisis: “Ask not what your country can do for you, but what you can do for your country”? I know that I would consider a Cyber National Guard to be my opportunity to give back to my country.

Michael Podemski, CISA, CISM, CRISC, CIPM, CIPT, Senior Manager, Risk Advisory Services at EY

[ISACA Now Blog]

Posted on

Clarifying What Zero Trust Is – and Is Not

Last fall, I wrote about how people were beginning to understand the essence of Zero Trust.  Since then, there seems to have been an inflection point in industry’s embrace of Zero Trust, and now, even more people are advocating it, more vendors are posturing it as a go-to-market message, and more enterprises are moving towards adopting it.

However, as the concept gains popularity, I find that more people are mistaken about what it really is.

The Concept of Trust

One way to see if someone understands Zero Trust is to analyze how they talk about the word “trust.” If a pundit is trying to get you to a “trusted” state, then they don’t understand Zero Trust. The point of Zero Trust is not to make networks, clouds or endpoints more trusted; it’s to eliminate the concept of trust from digital systems altogether. The “trust” level is zero, hence Zero Trust. Simple!

Trust is a human emotion that refers to the level of confidence someone has in something, but it’s a vulnerability and an exploit in a digital system. It has no purpose in digital systems, such as networks. There is no use for “trust” in these systems, except to be used by malicious actors, who exploit “trust” for their own nefarious gain. The only thing that can happen to trust in a digital system is for it be exploited, and the only outcome for trust is some type of betrayal.

What typically confuses people is the anthropomorphization of the network that has happened over time. People and trust in the physical world is not the same as packets and vulnerabilities in a digital system. People are not on the network; packets are. Most people confuse the trustworthiness of human beings with the trustworthiness of packets. By depersonalizing packets, we can do what we need to do, which is inspect that packet and apply access control methodologies. This way, the packet only gets access to approved resources at the approved time – and all of that is logged and analyzed – so we can assess if there was an appropriate digital behavior.

So, for folks trying to move to a Zero Trust environment, step one is to eliminate the word “trust” from your vocabulary as it relates to digital systems. Trust is binary; it is on or off. Think about using the term “confidence” instead. Confidence can exist on a continuum. It’s an important distinction.

The old model of trying to create “trusted” digital systems has never worked to prevent breaches. As people mature their thinking around Zero Trust, it is imperative that they understand the most fundamental principle of the concept: trust is not the desired state; trust is the failure point you want to avoid.

[Palo Alto Networks Research Center]

Posted on

Cultural Considerations of Adopting Application Container Technology

The benefits of application containers have been shared across a variety of forums and to a diverse audience. The ability to have more application instances without a corresponding increase in hardware is probably the primary benefit that is used to persuade enterprises to adopt application containers. But if that is the primary benefit, meeting the objectives of the rapid deployment associated with DevOps is a close second.

Application containers allow developers to easily modify and test because applications are siloed in their own containers. So, the benefits are appealing from a cost savings perspective as well as support of DevOps deployment. Is there a downside, though?

Perhaps it is not a downside as much as a consideration, but as organizations adopt application containerization, some cultural shifts are necessary. These shifts relate to operational processes that organizations may already have in place; however, containerization requires doing those familiar processes differently. Because the change is for an existing process rather than the implementation of something new, the change is more cultural than operational. For example, in a traditional application environment, generally, there is a structured process for code review, which the time to deployment accommodates. As deployment time is shortened (as in a scenario involving DevOps and application containers), organizations may be challenged in how they perform formal, structured code reviews. So, a cultural shift to identify (and accept) solutions that provide assurance around secure coding in the containerized environment despite the rapid speed of deployment may be required.

Another area where a cultural shift may be required relates to access. Unless an organization develops a strategy around administrator access, it is possible for administrators to have access to multiple hosts, containers and images rather than the specific hosts, containers and images to which the administrator needs access to perform job responsibilities. Ensuring that a least privilege strategy is implemented would addresses this. Also, beyond internal expectations, several compliance initiatives, such as the Health Insurance Portability Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR) rely on strong access controls.

Lastly, an organization’s approach to authentication may require a cultural shift. In administering workloads, orchestrators potentially place workloads that have varying levels of sensitivity on the same host. To address this, an orchestrator may have its own authentication directory. This directory, however, may be separate from other non-orchestrator authentication directories in use. As a result, the orchestrator’s authentication directory may have different authentication practices. A concerted effort to ensure alignment of authentication practices for all directories (orchestrator-related or not) may be necessary. These efforts may include, but are not limited to, restricting administrator authentication access to specific repositories rather than multiple repositories.

The benefits of adopting application containers are appealing. More application instances may be possible without incurring the cost of additional hardware and deployment time may be reduced. Effective adoption, however, depends on how organizations can modify existing protocols to accommodate the containerized environment. Code review, access and authentication are examples of areas for which organizations routinely have controls but where a cultural shift is necessary. Once these shifts have been made, the benefits or application containers can be fully realized.

Robin Lyons, Technical Research Manager, ISACA

[ISACA Now Blog]

English
English
Exit mobile version