Encrypted Client Hello

Sometimes supposedly small things make a huge difference. This can also be true in cyber security configurations. In recent weeks, multiple partners described very similar cyber attacks their customers faced, and in some cases, the criminals were unfortunately even successful in compromising customer networks. Specifically speaking, cyber criminals first exfiltrated and then encrypted data with Akira ransomware. Akira ransomware is already out in the wild since march 2023 and many companies fell victim (Cisa has published a very detailled description and also many helpful recommendations in this advisory: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a )

Let me share a real example of a WatchGuard customer with Firebox, AuthPoint and EPDR in place that was hit by this type of attack. From a technology perspective, this seems to be the combination of solutions that makes it really tough for cyber criminals. Nevertheless, they became a victim, data was stolen, and Akira ransomware was used to encrypt data.

So what did happen?

Criminals gained access to their network using stolen or brute-forced credentials for a single user to log in via VPN. Wait a second…don’t they use WatchGuard AuthPoint? They do, but unfortunately, a legacy configuration on their Firebox was in place that allowed logins with the local Firebox-DB users as well. Even though AuthPoint was configured and used since a while already, the option to use Firebox-DB users was still enabled in Firebox configuration. Attackers used stolen or compromised credentials and logged in using Firebox-DB, bypassing MFA that would have protected the WatchGuard AuthPoint users. 

As soon as the criminals had VPN access, they started scanning the network and initiated brute-force attempts, trying to remotely log in to servers and clients discovered in the scans. After about 4 days, they were successful and logged in on 2 different server systems reachable from the VPN.  On these servers, they could steal credentials for a few AD Domain accounts (some even with administrative privileges) and use these accounts to carry on living off the land attacks. Tools like Advanced Port Scanner and netstat were used to scan the network for possible additional target servers and clients. By using these legitimate tools to learn more about the network they tried to hide their activities to remain undetected. 

Most of the endpoints were well protected by WatchGuard EPDR. Even though the attackers could access and log in on some of them they could not install or run ransomware and steal data immediately. Unfortunately one of the systems the criminals compromised was not protected by WatchGuard EPDR so that they could easily use this server to start harmful actions.

•  They collected files remotely from other systems via Windows network file sharing over SMB.
• They compressed the files with the legitimate tool WinRAR
• They uploaded the archives to fastupload.io, a free and legitimate file-sharing service that can be used without account creation.
• They ran the ransomware akira.exe on the unprotected system and encrypt files remotely via windows file sharing. As one of the stolen accounts in first phase of the attack was an administrator this was an easy task. 

The customer discovered the attack when the encryption was already finished and the ransom payment demanded. So it was already too late to stop the attack. Fortunately the customer had a clean and consistent backup of all critical files and data. So they decided to start with a clean implementation and to restore backups. For sure they validated by forensic analysis and deeper investigation that the backup is actually clean. 

 

What lessons can we learn from this example? 

Even a single parameter in a perimeter firewall solution that is not configured idealy can open an attack vector for cyber criminals. In the specific example the option Firebox-DB was not disabled even though AuthPoint was configured and used already. This allowed attackers to bypass MFA with stolen or compromised credentials. I highly recommend to enable MFA (e.g. with WatchGuard AuthPoint) wherever possible and to double check that no legacy options to log in (especially remotely) without MFA are still enabled. 

As brute-forcing was supposedly used in the attack of my example as well, I also recommend enabling features for brute-force prevention as well. Such features can stop brute-force attempts and disable a user account before the password is known or even block the source ip of an attacker. A good overview about WatchGuard’s features for this and configuration tipps and tricks is documented here: https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000BcPmSAK&lang=en_US

Another lesson learned is that strong Endpoint Security solutions like WatchGuard EPDR should be in place on all clients and servers to avoid blind spots that could lead to compromise and lateral movement. Akira.exe was blocked and quarantined on EPDR protected systems during the attack in the example, but a single unprotected server could be used to remotely steal and encrypt data from other systems. Akira has even compromised IoT cameras with network access to critical systems to launch their ransomware before.

It is also important to keep operating systems and applications up to date. Having a patch management solution in place is very important to do this in an efficient way.

Secure network segmentation, limiting access between systems and enabling security services to scan internal traffic, can also help to stop attacks or limit the scope of attacks. The Intrusion Prevention System of Firebox, for example, is capable of detecting and blocking network scanning, usage of vulnerabilities, and other harmful activities. I read an article about an Akira infection that used a compromised webcam as servers and clients could not be compromised (https://www.s-rminform.com/latest-thinking/camera-off-akira-deploys-ransomware-via-webcam ) - this underlines the importance of network segmentation, especially for IoT devices.

You should also consider limiting outbound communication by limiting ports and protocols as much as possible and by using Webblocker and other technologies. The site fastupload.io that was used to upload stolen data is categorized as “personal network storage and backup” by Webblocker service. Is it really required to allow such websites for all users and all devices? 

I also recommend to be serious about HTTPS Content Inspection to make sure malicious or unwanted content can be identified in encrypted Web traffic.

What else is important?

But it is not only about strong protective measures. It becomes more and more important nowadays to continuously monitor network and endpoint activities to uncover hidden threats and risks. Cyber criminals use sophisticated tools to prepare and launch their attacks making it more challenging to detect and stop them. Network Detection and Response solutions (e.g. WatchGuard ThreatSync+ NDR) can be of huge help to discover anomalies and react before it is too late. In the example shared network scanning activities and file extractions were identfied in the post-breach investigation – a NDR solution could have discovered this while the cyber criminals were still extending their attack and planning the next steps. With alerting and even reaction or remediation capabilities as part of the NDR solution or based on an integration into XDR solution attacks can often be stopped before exfiltration and encryption of data is happening. WatchGuard ThreatSync+ NDR forwards alarms to ThreatSync Core so that remediation can easily happen – e.g. by isolating a host or blocking network communication.

In many cases an investigation of all suspicious activities will be needed to reveal the full scope of a cyber attack. To make sure this happens immediately on first indication of an attack and in a proactive way Managed Detection and Response services should be considered as well. In the example described our team and other specialists where involved after the breach and encryption happened – too late to protect the customer. With MDR services trained cyber security experts get involved before it is too late and investigate and remmediate threats proactively. WatchGuard recently launched Total MDR as a service that covers WatchGuard Endpoint, Fireboxes, AuthPoint and also ThreatSync+ NDR to identify and stop harmful activities regardless of the attack vector – I am very confident that this service (in case protective measures did not catch the attack earlier) would have caught the attacker before any serious impact.

The combination of well configured protections for networks, endpoints and identities with 24/7 monitoring for anomalies and threats is the level of protection needed today to stay ahead. This is real Security for the real World!

At the beginning of April, WatchGuard received a report from a customer in the hospitality business describing a new phishing campaign targeting their staff. The attack starts with the threat actor opening a reservation request with the hotel, which they then cancel by email, citing a bad review for the hotel. In the cancellation email, the attackers include a link to what they claim is the bad review, but which is actually the start of a carefully crafted malware attack that leverages living-off-the-land techniques to evade detection to install the AsyncRAT remote access trojan.

The link in the cancellation email sends the victim to a page hosted on booking[.]badrewiesguest[.]com, a domain registered the same day that the phishing emails first went out. The attacker uses CloudFlare’s bot protection services to prevent connections from automated tools and known virtual environments and mask the phishing page's actual hosting location.

The phishing page loads after the victim passes CloudFlares bot detection feature (either automatically or by manually interacting with the “Verify you are a human” dialog. The attacker’s server checks the victim’s browser User Agent header and only displays the malicious content if the victim connects from a Windows-based system. The server redirects all other connections from non-Windows systems to booking[.]badrewiesguest[.]com/win which displays a message that the page is only available for Windows users.

For Windows-based victims, the page loads what looks like a Booking.com website with a burred overlay prompting them to verify that they are a human.
 

If you disable HTML element that contains the blur and the fake CAPTCHA, you can see the actual page content. Funny enough, the actual page content behind the behind the blur is a phishing awareness article copied from Booking.com’s partner hub.

If the victim interacts with the fake CAPTCHA, the dialog updates to display instructions to the victim to use a series of Windows keyboard shortcuts. The shortcuts, if used, launch the Windows Run utility, pastes in the contents of the victim’s clipboard, and and then executes the pasted command.

Behind the scenes, the page uses a simple JavaScript function to request content from a different endpoint on the server. The function retrieves a command that it de-obfuscates and adds to a new hidden textarea element on the page before silently copying it into the victim’s clipboard.

The response from the server is a Base64-encoded command with a random obfuscation string pasted every 3 characters and appended to the end after a pipe character (“|”).
 

The JavaScript function splits the response on the pipe character to identify the random  obfuscation string and then removes all occurrences of the obfuscation string from the Base64-encoded command. The encoded command uses the Windows mshta utility to load an HTML application (HTA) that the threat actor hosts on another attacker-controlled domain.

The HTA application uses a service called ProtWare to obfuscate its HTML code, but the important piece is a bit of VisualBasic script(VBScript) code inside a script element buried in the page. The VBScript downloads two PowerShell payloads from another attacker-controlled server and executes them. Both payloads use the .mp4 file extension to hide as video files despite containing PowerShell scripts.

The first file, “a.mp4” uses a similar obfuscation technique from the very fist command in the attack chain and random-looking variable names to impede analysis. After de-obfuscating the script, the actions become clear. The script downloads a .NET compiled copy of AsyncRAT and executes it through the .NET Reflection Assembly library in PowerShell.

The second file, “b.mp4” sets up persistence on the system by downloading a Windows Batch script from the same server and saving it as “DeleteApp.url” in the windows Startup directory.

The Batch script is mildly obfuscated using string-splitting techniques. The de-obfuscated command uses PowerShell to re-download and re-execute the first “a.mp4” PowerShell script any time the Batch script runs. This means even if the victim identifies and removes the AsyncRAT trojan, the next time they restart their computer, the Batch script will re-download and execute the malware.

Most of the techniques used by the threat actor in this campaign were relatively trivial but still capable of succeeding on endpoints that lack modern Endpoint Detection and Response (EDR) protections. It can be difficult for legacy signature-based anti-malware services to identify and prevent threats that use Living off the Land techniques like PowerShell scripts and self-compiling malware like AsyncRAT. While organizations should educate their users about phishing threats to prevent their them from falling for campaigns like this one, technical controls like EDR can help fill in the gap and prevent malware like AsyncRAT from gaining a foothold.

IOCs

Phishing Domain - booking[.]badrewiesguest[.]com

a.mp4 - d208e1e874110983a74ca484f4b3e44fbfd0685215ad59b1ccc70da2a09b24c6

b.mp4 - 77dc32f3831f2634674bc8597485459dac56ab8e657363f80cb28d485efd4428

j.exe - 440c3df99e39d7adbbd231ab92b01c2e70e276703e8b5831822bba1facc7e1b9

cmd.bat - b8dfe557467bc1b3ef79065888ffff8d60088e4a4e648d80b29ffc0c1036af2f

While the world was captivated by the first Harry Potter movie, cybercriminals were busy launching one of the first major web server worms.

What Was Happening in the World:
The 9/11 attacks in the United States profoundly shifted global security policies, increasing focus on cybersecurity and national defense. In the meantime, the United States was preparing for military action in Afghanistan in response to terrorist threats.

Euro currency had been introduced in electronic form, changing the financial landscape in Europe.

In sports, Brazil won the Copa América 2001, and the world was preparing for the 2002 FIFA World Cup in Japan and South Korea. 

Alicia Keys’s Fallin’ was the top song in the US, while Kylie Minogue’s Can’t Get You Out of My Head dominated European lists.

The Attack:
Code Red spread autonomously, exploiting buffer overflow vulnerabilities in IIS web servers. It defaced thousands of websites, replacing content with the message: "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!" It also launched denial-of-service (DDoS) attacks against various targets, including the White House.

The worm infected over 350,000 servers within hours, causing millions in financial losses and disrupting critical online services.

Just like the ILOVEYOU virus, the hackers’ goal was to be recognized as such. They were not seeking financial gain or state-sponsored objectives such as industrial or political espionage, as we will see in the upcoming chapters.

How WatchGuard Would Have Stopped It:
WatchGuard’s IPS for Fireboxes and Endpoint Security products would have detected and blocked the exploit before the worm could take control of vulnerable systems.