In November 2022, members of the ExtraHop Detections Research and Data Science teams identified a device in an organization's network environment that was making suspicious outbound connections to a confirmed Cobalt Strike command and control (C2) server.

Cobalt Strike is a legitimate penetration testing and attack simulation platform used by red teams, but over the past three to four years threat actors including Cozy Bear and the Conti, Black Basta, and Royal ransomware gangs have adopted it as a tool in their arsenal. Specifically, they deploy Cobalt Strike to establish communications with a C2 server once they have gained access to an organization's environment. Attacks leveraging Cobalt Strike frequently foreshadow ransomware.

The C2 communications that we detected in early November using the ExtraHop Reveal(x) network detection and response (NDR) platform, combined with other data and threat intelligence sources, strongly suggested that a malicious actor had breached the organization's perimeter defenses and was potentially preparing to take a number of actions, including network reconnaissance, lateral movement, and credential theft, with the possible intent to deploy ransomware and/or exfiltrate data.

In this threat analysis report, we share our findings and detection methodology to help cybersecurity practitioners identify Cobalt Strike in their environments. We also describe how we discovered the malicious activity using ExtraHop Reveal(x), and we explain the benefits and impact of detecting this attack in its early stages.

On November 9, 2022, an ExtraHop Reveal(x) sensor monitoring an organization's network picked up unusual traffic patterns from an internal device (later identified as an employee laptop) that was making suspicious outbound connections to an external device with the IP address 194.165.16.90.

According to Censys, the external device had ports 22 (SSH), 53 (DNS), and 80, 443, 8080, and 8888 (all identified as plain text HTTP) open. We noted that ports that usually carry plain text HTTP were in this case carrying HTTPS between the external device and the internal device on the organization's network, which was unusual.

The most convincing evidence came from our proprietary fingerprinting method, which the ExtraHop Threat Research team runs continuously against the internet and which flagged the external IP address as suspicious. Our fingerprinting method for detecting Cobalt Strike C2 servers probed ports 80, 443, 8080, and 8888, and all four came back with a positive result. Furthermore, we knew the external IP address was hosting a Cobalt Strike C2 server because one of our researchers was able to download a beacon from it.

Our beacon analysis suggested the downloads did not come from a legitimate, licensed copy of Cobalt Strike. Had the beacons come from a legitimate copy of the software, that would have been a stronger indication of red team usage; because they appeared to come from an unlicensed copy, it was more likely that a malicious actor, rather than a red team, was using these tools.

The automated detection from Reveal(x), combined with our own active probing and with internal and external threat intelligence sources, indicated that the IP address belonged to an external device hosting a Cobalt Strike C2 server, and therefore constituted a high-fidelity alert about a potentially very serious and fast-moving attack.

The Attack Chain

ExtraHop contacted the organization about the detection, and the organization was then able to identify how the threat actor gained initial access: an end user who was logged into the organization's network via a VPN received a phishing email with an HTML file. The end user clicked on the file, which triggered a malicious executable (several strong signals indicated it was likely Qakbot) to download immediately to the user's machine.

Qakbot (also known as Quakbot and QBot) allows attackers to conduct network reconnaissance, move laterally, and deliver payloads such as Cobalt Strike and the Conti, ProLock, and Egregor ransomware. In this case, Qakbot led to the delivery of Cobalt Strike, which then established a link to a C2 server the very next day, signaling an attack that was likely to progress rapidly and likely to conclude with ransomware.

It is important to note that there were a number of significant security controls these sophisticated, stealthy attack tools managed to circumvent:

MITRE ATT&CK Tactics and Techniques Used in This Attack
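The network-side signals described in this report (HTTPS on ports that normally carry plain text HTTP, an internal host contacting one external address on a regular beacon-like schedule, and correlation with an external C2 indicator) can be combined into a simple scoring rule. The following is an added example written for this page, not ExtraHop's or Reveal(x)'s detection logic: the flow records, the indicator list, the regularity threshold, and the use of TEST-NET documentation addresses are all constructed assumptions. It goes slightly beyond the report by adding a timing-regularity check, which the report mentions only as "unusual traffic patterns".

```python
"""Score (internal host, external IP) pairs for Cobalt Strike-style C2 signals.

Added example for this page; it is not ExtraHop's detection logic. The flow
log, indicator list and thresholds below are constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Ports that normally carry plain text HTTP; TLS on them is a mismatch signal.
PLAINTEXT_HTTP_PORTS = {80, 8080, 8888}
# Constructed indicator list (TEST-NET-3 address, not a real C2 server).
C2_INDICATORS = {"203.0.113.10"}

# Constructed flow log: epoch seconds, src, dst, dst port, observed protocol.
SAMPLE_FLOWS = """\
1667984400,10.1.20.15,203.0.113.10,8080,tls
1667984461,10.1.20.15,203.0.113.10,8080,tls
1667984519,10.1.20.15,203.0.113.10,8080,tls
1667984582,10.1.20.15,203.0.113.10,8080,tls
1667984640,10.1.20.15,203.0.113.10,443,tls
1667984400,10.1.20.22,198.51.100.7,443,tls
1667984903,10.1.20.22,198.51.100.7,443,tls
1667988120,10.1.20.22,198.51.100.7,443,tls
1667984410,10.1.20.30,198.51.100.9,80,http
"""


def parse_flows(text):
    """Parse the CSV flow log into (ts, src, dst, port, proto) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, proto = line.split(",")
        flows.append((int(ts), src, dst, int(port), proto))
    return flows


def timing_regularity(timestamps):
    """Coefficient of variation of inter-arrival gaps (lower = more regular).

    Returns None when there are fewer than two gaps to compare.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def score_pairs(flows, indicators=C2_INDICATORS, max_cv=0.2, min_flows=4):
    """Return {(src, dst): {"score": n, "reasons": [...]}} for pairs with any signal."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, proto in flows:
        by_pair[(src, dst)].append((ts, port, proto))

    results = {}
    for pair, recs in by_pair.items():
        reasons = []
        # Signal 1: TLS on a port that normally carries plain text HTTP.
        odd_ports = sorted({p for _, p, proto in recs
                            if proto == "tls" and p in PLAINTEXT_HTTP_PORTS})
        if odd_ports:
            reasons.append("tls_on_plaintext_http_port:" +
                           ",".join(str(p) for p in odd_ports))
        # Signal 2: enough flows with near-constant spacing (beacon sleep).
        cv = timing_regularity([ts for ts, _, _ in recs])
        if cv is not None and len(recs) >= min_flows and cv <= max_cv:
            reasons.append(f"regular_beacon_timing:cv={cv:.2f}")
        # Signal 3: destination matches external C2 intelligence.
        if pair[1] in indicators:
            reasons.append("known_c2_indicator")
        if reasons:
            results[pair] = {"score": len(reasons), "reasons": reasons}
    return results


if __name__ == "__main__":
    for (src, dst), hit in score_pairs(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}: score {hit['score']}: {', '.join(hit['reasons'])}")
```

On the constructed log only the 10.1.20.15 to 203.0.113.10 pair fires, on all three signals; the 10.1.20.22 host talks TLS on 443 at irregular intervals and scores nothing. A score of 3 corresponds to the report's "high-fidelity" case, where network evidence, probing and threat intelligence agree; a pair scoring only on the port mismatch is worth a look but not an incident by itself.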
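The report says beacon analysis showed the downloads did not come from a licensed copy of Cobalt Strike but does not say how. The usual way to answer that question is to locate the beacon's embedded configuration and read its watermark. The following is an added example, not ExtraHop's tooling: it builds a constructed configuration blob in the community-documented beacon layout (big-endian index, type and length records, single-byte XOR encoding with 0x69 for version 3 or 0x2e for version 4, watermark at setting index 37), then parses it back and classifies the watermark. The padding bytes, the 203.0.113.10 C2 string, the rule that a zero watermark means a trial or cracked build, and the `known_leaked` list are assumptions of the example.

```python
"""Parse a Cobalt Strike beacon configuration and check its watermark.

Added example, not ExtraHop's tooling. The record layout and XOR keys follow
the public, community-documented beacon config format; the sample blob is
constructed here, not captured from a real beacon.
"""
import struct

XOR_KEYS = (0x2E, 0x69)                 # version 4 and version 3 keys
HEADER = b"\x00\x01\x00\x01\x00\x02"    # setting 1 (BeaconType), short, len 2
TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3

# Subset of documented setting indices.
SETTINGS = {1: "beacon_type", 2: "port", 3: "sleep_ms", 5: "jitter",
            8: "c2_server", 9: "user_agent", 37: "watermark"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP-DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}


def _record(index, kind, value):
    """Encode one setting record (used only to build the constructed sample)."""
    if kind == TYPE_SHORT:
        data = struct.pack(">H", value)
    elif kind == TYPE_INT:
        data = struct.pack(">I", value)
    else:
        data = value.ljust(256, b"\x00")        # string settings are 256-byte fields
    return struct.pack(">HHH", index, kind, len(data)) + data


def build_sample_config(watermark, key=0x2E):
    """Constructed beacon image: padding followed by an XOR-encoded config."""
    plain = b"".join([
        _record(1, TYPE_SHORT, 8),                       # HTTPS beacon
        _record(2, TYPE_SHORT, 8080),                    # TLS on a plain-HTTP port
        _record(3, TYPE_INT, 60000),                     # 60 s sleep
        _record(5, TYPE_SHORT, 20),                      # 20 % jitter
        _record(8, TYPE_BYTES, b"203.0.113.10,/updates"),  # "host,/uri" (TEST-NET-3)
        _record(37, TYPE_INT, watermark),
    ]) + b"\x00" * 6                                     # index-0 terminator
    encoded = bytes(b ^ key for b in plain)
    return b"MZ" + b"\x90" * 32 + encoded                # assumed padding


def find_config(blob):
    """Locate the encoded config by searching for the XORed header; (offset, key)."""
    for key in XOR_KEYS:
        marker = bytes(b ^ key for b in HEADER)
        off = blob.find(marker)
        if off != -1:
            return off, key
    raise ValueError("no beacon config header found")


def parse_beacon_config(blob):
    """Decode the config and return the known settings as a dict."""
    off, key = find_config(blob)
    data = bytes(b ^ key for b in blob[off:])
    cfg, pos = {"xor_key": key}, 0
    while pos + 6 <= len(data):
        index, kind, length = struct.unpack_from(">HHH", data, pos)
        pos += 6
        if index == 0:                                   # terminator record
            break
        raw = data[pos:pos + length]
        pos += length
        if kind == TYPE_SHORT:
            value = struct.unpack(">H", raw)[0]
        elif kind == TYPE_INT:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.split(b"\x00", 1)[0].decode("latin-1")
        cfg[SETTINGS.get(index, f"setting_{index}")] = value
    cfg["beacon_type"] = BEACON_TYPES.get(cfg.get("beacon_type"), "unknown")
    return cfg


def assess_license(cfg, known_leaked=frozenset()):
    """Classify the watermark; zero-means-trial and the leaked list are assumptions."""
    watermark = cfg.get("watermark")
    if not watermark:
        return "trial/unlicensed"
    if watermark in known_leaked:
        return "known leaked license"
    return "licensed (watermark %d)" % watermark


if __name__ == "__main__":
    cfg = parse_beacon_config(build_sample_config(0))
    print(cfg["beacon_type"], cfg["port"], cfg["c2_server"], assess_license(cfg))
```

A non-zero watermark is not proof of a red team: leaked license keys circulate, which is why the classifier also checks a list of known leaked values before treating a beacon as licensed. Conversely, the extracted C2 string and port feed straight back into the network signals above (here an HTTPS beacon on port 8080).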