PICUS LABS MONTHLY #June 2020


JUNE'S THREAT: MAZE

Customized Cobalt Strike Beacons

Although Cobalt Strike is a commercial penetration testing product, it has become popular amongst targeted threat actors. A Cobalt Strike Beacon offers a wide range of post-exploitation functions, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, Mimikatz, port scanning, and lateral movement.

You can test the effectiveness of your security controls against Cobalt Strike Beacons with '748618 Cobalt Strike Beacon used in Military Themed Campaign' in the Picus Threat Library.

JUNE'S THREAT ACTORS

Ke3chang

  • Picus Threat ID: 217342, 614917, 550271
  • Aliases: APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT
  • Target Regions: Europe, US, South America, Central America
  • Target Industries: Oil, Government, Military
  • Malware: Vilsel Trojan

Cycldek

  • Picus Threat ID: 349362, 663135, 241620, 747334
  • Aliases: Goblin Panda, Conimes
  • Target Regions: Southeast Asia
  • Target Industries: Government
  • Malware: USBCulprit Infostealer

Tor2Mine

Our world-class red team analyzed 500,000 TTPs to identify the top 10 most common ATT&CK techniques.

Download Now: The Red Report: Your Handbook to Utilize MITRE ATT&CK Framework

ATTACK SCENARIOS

APT39 Threat Group

Picus Threat ID: 840562

ACTIONS

1. Create a scheduled task using schtasks

Technique: T1053 Scheduled Task

Tactics: Execution, Persistence, Privilege Escalation

2. Display list of applications and services using "tasklist /v"

Technique: T1049 Process Discovery

Tactic: Discovery

3. Pass the Hash via PsExec Tool

Technique: T1075 Pass the Hash

Tactic: Lateral Movement

...

8. File Exfiltration Over DNS

Technique: T1048 Exfiltration over Alternate Protocol

Tactic: Exfiltration

Netwire RAT

Picus Threat ID: 506809

ACTIONS

1. Create a new Registry Key for Autorun

Technique: T1060 Registry Run Keys / Startup Folder

Tactic: Persistence

2. Process Injection into Notepad via Process Hollowing

Technique: T1093 Process Hollowing

Tactic: Defense Evasion

3. Collect User Keystrokes into a File

Technique: T1056 Input Capture

Tactic: Credential Access

...

17. File Exfiltration Over HTTP Port 80

Technique: T1048 Exfiltration over Alternate Protocol

Tactic: Exfiltration

Atomic Attacks

Process Injection by using NtMapViewOfSection Function

  • Picus Threat ID: 741095
  • Technique: T1055 Process Injection
  • Tactics: Defense Evasion, Privilege Escalation

ETW Logging Bypass with Environment Variable Spoofing

  • Picus Threat ID: 287758
  • Technique: T1089 Disabling Security Tools
  • Tactic: Defense Evasion

Mimikatz Execution with Evasion by using BetterSafetyKatz

  • Picus Threat ID: 764801
  • Technique: T1003 Credential Dumping
  • Tactic: Credential Access

MALICIOUS CODE

Copperhedge Backdoor

  • Picus Threat ID: 462340
  • Signature Technique: T1071 Standard Application Layer Protocol
  • Target Regions: Europe, Middle East, Southern Asia, Eastern Asia, US
  • Target Industries: Finance, Media, Technology

Gh0st RAT

  • Picus Threat ID: 378154, 572955, 615400
  • Signature Technique: T1008 Fallback Channels
  • Target Regions: Europe, US
  • Target Industries: All

Kingminer Botnet

  • Picus Threat ID: 563592
  • Signature Technique: T1008 Fallback Channels
  • Target Regions: All
  • Target Industries: All

WEB APPLICATION ATTACKS

Cisco UCS Director Cloupia Script Directory Traversal

  • Picus Threat ID: 269922
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 9.8 Critical
  • CVE: CVE-2020-3243
  • Affected Product: Cisco UCS Director

Node JS Server Side Template Injection (SSTI)

  • Picus Threat ID: 757576
  • OWASP Top 10: A1 - Injection
  • Affected Product: Node JS

LimeSurvey Stored XSS

  • Picus Threat ID: 250932
  • OWASP Top 10: A7 - Cross-Site Scripting (XSS)
  • CVSS 3 Base Score: 6.1 Medium
  • CVE: CVE-2020-11456
  • Affected Product: LimeSurvey before 4.1.12+200324

VULNERABILITY EXPLOITATIONS

Firefox DACL Sandbox Escape

  • Picus Threat ID: 513625
  • CVE: CVE-2020-12388
  • CVSS 3 Base Score: 10.0 Critical
  • Affected Product: Firefox ESR < 68.8 and Firefox < 76

SMBleed Microsoft SMB Server Denial of Service

  • Picus Threat ID: 859715
  • CVE: CVE-2019-10149
  • CVSS 3 Base Score: 8.8 High
  • Affected Product: Microsoft Server Message Block 1.0 (SMBv1)

Microsoft Windows OLE RPC Marshalling Buffer Overflow

  • Picus Threat ID: 747416
  • CVE: CVE-2020-1281
  • CVSS 3 Base Score: 8.8 High
  • Affected Product: Microsoft Windows OS

10 Critical MITRE ATT&CK Techniques

SIGMA RULES

WiFi Credential Dumping via Network Shell

  • Picus Sigma ID: 6760
  • Detected Method: WiFi Credential Dumping via Netsh
  • Technique: T1003 Credential Dumping
  • Tactic: Credential Access

Process Injection via Frida Framework

  • Picus Sigma ID: 7356
  • Detected Method: Process Injection with Frida Framework
  • Technique: T1055 Process Injection
  • Tactics: Defense Evasion, Privilege Escalation

Suspicious Conhost.exe Process Execution

  • Picus Sigma ID: 4184
  • Detected Method: Signed Binary Proxy Execution via Conhost.exe
  • Technique: T1218 Signed Binary Proxy Execution
  • Tactics: Defense Evasion, Execution