NetWitness Community

During the last week of January 2016, Israel’s Electric Authority responded to what officials there are calling a “severe cyber attack.” RSA has indications that other organizations are already seeing this same attack inside the United States. Most of the security research community believes the attack is a ransomware variant but this could also easily have started out as a web shell type exploit in a vulnerable webserver.

Let’s take a look at the potential threat vectors used in this type of attack, and how RSA Security Analytics and ECAT can detect these threats.

Starting with ransomware, the predominant infection vector generally starts with taking advantage of employee behavior, such as clicking on a link in a phishing email. If the user is on the network during the initial infection, RSA Security Analytics can identify this attack as it is occurring.  If the impacted machine was off the corporate network during infection, then ECAT could be the first to identify the malware and exactly what it is trying to do.  ECAT can then block the execution of this malware companywide on any endpoint running ECAT.

The attack could also begin with an infection of an Internet facing webserver via unpatched vulnerabilities susceptible to known exploits or to zero day malware.  This can be detected with RSA Security Analytics by looking for POST’s to the webserver of .asp, .aspx, .js, .jsp files (to name the most common formats). Looking for connections with no referrer, or looking at URLs with a low hit count will also help identify the command and control activity.  ECAT can also quickly identify non-whitelisted web shells being uploaded and run on any webserver. In addition, given that the malicious actors will generally access the web shell script using only one or two client hosts per day, this call also be a tipoff. Most non-malicious URLs on a web server will be accessed by many client hosts. 

An additional indicator of compromise that can be found by analyzing network traffic with abnormal User-Agents.  Many of the User-Agents that are manually entered by the malicious actors tend to be short variations of the Mozilla theme, sometimes as simple as "Mozilla/5.0”.  Less accurate but valuable would be to look for out of date User-Agents, like browser version that are no longer supported by the organization.  Bad actors tend to reuse the same agent string for years so if your organization uses up-to-date browsers, the activity of these older User-Agents can be easily discovered.  Examples of these bad User-Agents are: Mozilla/5.0 (Windows NT 6.1; WOW64), AppleWebKit/537.36 (KHTML, like Gecko), Chrome/31.0.1623.0, and Safari/537.36" or earlier versions.

Below also are some queries to help you quickly identify the type of malicious activity that was seen by the Israel Electric Authority on your network.

Using RSA Security Analytics: 

Query/report/alert on unwanted country code and non-standard top-level domains. How many organizations need to go to any .ru, .su, .cn, .cc, etc... websites? Even if it’s not malicious, not allowing traffic to countries you don’t do business with can significantly reduce the threat landscape. 

tld=’ru’,’su’,’cn’,’cc’

Query/report/alert on large outbound encrypted sessions

risk.info=’large outbound encrypted session’

Query/report/alert on all RDP connection attempts from outside of the network except from the IT admin network. 

service=’3389’ 

Query/report/alert on downloads of all dll, pif, scr, com, js, vbs, bat, zip, rar, dbd, exe files from websites or in emails.  Also referrers should match where the link in the email says it’s going to.    

service=80,25 && filename exists || attachment exists && extension = dll,pif,scr,com,js,vbs,bat,zip,rar,dbd,exe 

Query/report/alert on unusually large URL ‘gets’ that come with a downloaded attachment 

extension=html && attachment exists && filename length 50-u 

Query/report/alert on email’s with links to websites that don’t match the visible link  

service=25 && risk.warning contains ‘href’ 

Query/report/alert on possible webshell activity  

Service=80 && action=’post’ && action!=’get’ && extension= js, jsp, asp, aspx, php 

If ECAT is used in tandem with Security Analytics simply look for machines with scores above what is expected 

ecat.score exists

In ECAT:

Application whitelisting via ECAT can help to identify unwanted program execution even if you choose not to block it.  Once identified ECAT can block other machines from writing the program to disk or executing it in memory.

This type of malware hooks into reserved windows system processes like explore.exe, and creates network connections to the internet as well as tries to open file shares laterally across the network. This will generally raise the ECAT machine suspect level from baseline to ~600+, so is easy to spot.

Message was edited by: Paul Meding