External Remote Services

00:00

hello and welcome to another application of the minor attack framework discussion. Today, we're going to be looking at external remote services. This is a particular attack vector in the initial access phase of the attack framework.

00:16

So today's objectives are as follows. We're going to define what external remote services are so that we're all on the same page there. We're going to review Lennix Rabbit.

00:28

We're going to review the Threat Group Oil rig mitigation techniques and detection best practices with respect to external remote services. So let's go ahead and jump right in.

00:41

So

00:43

external remote services are manners in which an organisation can remotely manage or access otherwise protected systems. And so in this case, it could be something like VPN access. It could be a remote desktop connection. Ssh. Tell Net

01:00

Any service that would allow a user to access a system and perform either business functions or administrative functions could be considered a remote service

01:12

with respect to this discussion. And so we've seen time and time again were things like remote desktop have been taken advantage of or

01:21

an administrator may accidentally leave something like ssh open with some weak credentials, these would all be particular vectors that an attacker would look for and would utilize in order to, you know, get that initial access and then start to work on compromising a system.

01:38

Now, one such tool that you know we're going to review would be Lennox, Rabbit and Robot. So in this particular case, this malware is installed for the purpose of mining crypto currency,

01:53

and it's got the ability to not carry out an attack in restricted geo locations, which is kind of smart. So

02:00

essentially what happens is is it's broken into four main functions. It establishes command and control servers using tour, and it starts to work to set up persistence. Now these faces air pretty quick in that we're saying it does some command and control activity,

02:16

sets up persistence using the RC local and Bashar see files,

02:22

does some ssh! Brute forcing and then installs a Cryptocurrency minor. Now, at the initial points of this, though, if the Geo location puts it in a restricted I p Ranger, a blacklist i p range, it will not do

02:38

any of the steps involved. It will simply move on to the next system, said there's some intelligence built into this thing

02:46

indefinitely. Targeted attacks taking place. And so I'm gonna move the screen over here for a moment and show you the actual entry for the software on the minor website. Now,

03:00

as you can see here, Lennox Rabbit is malware is We've already indicated it was a campaign that lasted from August to October of 2018 which is when it was primarily active

03:12

shares code with another malware strain known as RAB on so again,

03:16

working to install Cryptocurrency miners into the software. And then it breaks down the techniques used. So Aziz, we said the bash and bash R C. So it maintains persistence on infected machines. Do that r c not local and bash files.

03:31

It will do brute force ssh attempts in order to gain access to the systems. And so, if you've got Port 22 listening

03:39

ah, and available and it's got weak credentials than the primary thing that this particular malware was doing was it would scan i p ranges and identify that they were not blacklisted and that they weren't in a restricted geo location on the restricted list

03:58

and then it would work from that point to

04:01

find the listening Port 22

04:04

brute force that and then sin paid loads from the sea to server

04:11

to the system to work to then install the miners of the crypto miners. And so this was a very sophisticated piece of malware in the way that it was set up and that it didn't attack certain systems. And it also worked pretty much automatically across the Internet. So

04:30

we'll go ahead and move into AH particular threat Group Oil rig. And so oil rig is an Advanced Threat Group or an A. P T, that's been noted is having ties to Iran. They're also known as a P T 34 helix kitten.

04:46

Now they primarily target financial, energy, chemical and telecommunications agencies and businesses, and they're primarily known for DNS tunneling, using tools such as glimpse E poison frog and hyper shell. So it's important to know how these threat actors

05:05

attack individuals, what their common signatures on what their common tools are because then

05:11

use an organization. Can research glimpse he poison fog or hyper shell, and then kind of know what controls you can implement If DNS tunneling is being used, order some controls, we can implement for DNS tunneling and understanding how that looks and how we can detect that and protect against it.

05:29

And so

05:30

it makes sense when we're looking at each of these vectors to understand how these threat actors have gone through and commonly attacked into teas and attack systems. And so that's not to say that they will continue to use tools like Poison frogger hyper shell. But if that is kind of their signature,

05:48

and you could associate that with a check sum or some type of hash or some type of signature for that particular software that could slow them down and make it a little bit easier for you, Teoh work to remove them from the system, or at least identify that they're on a system.

06:04

Now. What are some mitigation techniques when it comes to remote services? Well,

06:11

disable or remove features is kind of the number one recommendation, and it's not disabled or remove features that you need for business purposes but disabled to remove features on systems that don't serve a function. That way, it makes the target harder to infiltrate

06:29

Andi. It may take a little more work from the threat actor and then it slows them down. It makes it harder to to

06:34

kind of moved throughout the network without being noticed.

06:38

Limit access to resource is over connections such as VP ends. And so

06:44

this particular area I've seen Tom in town again. We get access to a network via a VPN connection, but that VPN connection is not limited. Teoh like a VPN network where it's just the critical resource is that are necessary to accomplish one's tasks. It's essentially you get VP and access into the network,

07:03

and then you have access to the entire network. It's relatively flat,

07:08

so if you can limit the access that remote resource is have to the network and what they can paying, what they can get into and what they can use that can help to mitigate the ability of a threat actor to get in and just moved throughout the network.

07:23

Multi factor authentication is huge for any administrative account. Any service type account like an ssh account. If you can put

07:30

multi factor function into place, or at least require multi factor authentication before you can move any further into systems or software applications, that is great toe have now we've noted previously and recently that multi factor authentication does have its shortcomings. But

07:50

more times than not, organizations aren't utilizing multi factor when they could.

07:56

And again, this could help to reduce the ability of a threat actor to compromise an account or limit their capability of moving further into a network with the accounts of definitely thes functions are available. It would be great to do. And then, as we send with VP and access network segmentation is great. You know, we practice or should practice lease privilege When it comes to

08:15

administrative accounts, we should try to practice least privilege and what those accounts could do. Local user accounts,

08:22

domain user accounts. Same things should go for network access. If a system on Lee needs access to certain certain areas or certain servers,

08:31

certain software components, we want to try toe limit that network access to what is necessary for that system to achieve its desired functions.

08:43

And no more that way again. If a threat actor does get into an organization systems, it makes it harder to move through those systems undetected harder to move through those systems with malware and things that nature typically as you all know malware is,

08:58

um, typically tied to the permissions and capabilities of the systems and accounts that it takes.

09:03

So if that system and its accounts have full access to everything that that now where can usually move throughout the organization

09:11

now some detection, best practices within this area log collection and especially those for authentication logs are very important. So if you've got a component in your risk management process or in your security procedures and policies that involves long collection

09:30

authentication logs are important because we can focus on brute forcing attempts, unusual log and activity unusual log in attempts like,

09:39

you know, generic Count Logan attempts and things of that nature that malware or threat. Actors would normally use some type of dictionary or some type of common list, and they'll hit a system and then roll through that list. So if we've got a way to collect those logs and store them securely,

09:54

it can help us to detect when a threat actors attempting to access systems and then potentially allows to take action to block. Then then, of course, as we mentioned, unusual access attempts can be like focusing on business hours. So if the administrator for a system is active from 6 a.m. to 6 p.m.

10:13

In the afternoon. You know, six in the morning, six in the afternoon

10:18

and then suddenly, at two in the morning at night. You know there's some activity from that account that's unusual. Or that's not, you know, within the standard business, our range from that user. That could be something that would be abnormal, non business related activity that we can then focus on and try to address.

10:37

So let's go ahead and jump into a quick check on learning true or false oil. Rig is a piece of malware that founds and installs crypto monitors on vulnerable systems.

10:50

All right, well, if you need some additional time to look through this, please pause the video and go from there. So oil rig is a 80 p or ah, Threat group. An advanced, persistent threat. Sorry. And they might have used something like a rabbit or Lennox rabbit.

11:09

But that was not a piece of malware that we discussed Here. They are threat group.

11:13

The malware that we discussed it installs crypto miners on vulnerable systems is limits rabbit or robot. So In this case, this is a false statement. So let's go ahead and jump into our summary. So in summary today, we defined what external remote services are. We reviewed linens, rabbit and robot.

11:33

We talked about the Threat Group oil rig. We reviewed mitigation techniques and we reviewed some detection best practices.