RSA Incident Response and Discovery Practice (RSA IR) analysts spend a significant amount of time engaged in the research, hunting, and effective response of advanced and persistent actors. A customer engagement early-to-mid-2017 is an excellent example of a unique case in which RSA IR successfully responded to an intrusion perpetrated by the threat actor groupCARBANAK, also known as FIN7. The CARBANAK actions illustrated in this post and associated paper were observed with other RSA clients as recently as November 2017, with the methods and intelligence supplied by these publications having been used successfully to detect and track attacker activities.
Several intrusions associated with theCARBANAKactors have been reported within the last year, describing compromises of organizations withinbanking,financial,hospitality, andrestaurantverticals. However, they all describe a relatively equivalent progression, with only slight deviation in specific attacker actions. The intelligence surrounding recentCARBANAKincidents indicate thatphishing attackshave been the group’s primary method of initial compromise. After gaining access to a user system, the attackers move laterally throughout the environment, conduct internal reconnaissance, establish staging points and internal network paths, harvest credentials, and move towards their intended target. However, this intrusion began with a significantly higher level of privilege due to the exploitation of the Apache Struts vulnerabilityCVE-2017-5638allowing the attackers to quickly gain administrative access within the client’s Linux environment. This intrusion presented substantial challenges due to:
The initial intrusion vector
Unique attacker toolset
The attacker dwell time
The large, heterogeneous environment
The speed with which the attackers gained administrative access
The forensic mindfulness of theCARBANAKattackers
The attackers’ toolset was a mix of custom tools, freely available code, and open source software utilities. RSA IR researched all 32 of the malicious files in theCARBANAKtoolset using various publicly available and open-source resources. Six of the tools used in this intrusion were found to have been uploaded to a publicly available anti-virus aggregation site. Of these six, five have little-to-no detection or indication of malice from antivirus vendors. This observation explains why the client’s signature-based host protection mechanisms were unable to identify or prevent the use of these tools.
Figure 1: Findings from Public and Open Source Research of Toolset Reference
While the attackers used more than 30 unique samples of malware and tools, they also demonstrated a normalization across Windows and Linux with respect to their toolset. The toolsets they deployed can be broken down into five basic functionalities:
The ingress, lateral movement, and internal reconnaissance mechanisms used by the attackers during this investigation were not that sophisticated in and of themselves. However, when viewed in aggregate, and from an operational view, RSA observed the actors normalized their choice in toolset across the Linux and Windows environments. The attackers in this engagement primarily used modified versions of legitimate administrative tools, commonly used penetration testing utilities, and common network file acquisition tools. Though specialty malware was observed during this intrusion, the attackers used basic XOR encoding just above Layer 4 to facilitate communication, communicated via SSH tunnel directly over TCP/443, or just transmitted and received data in clear text across the network. Of the observed actions during this intrusion, none of the attacker tools, techniques, or procedures were particularly advanced. However, they were still able to bypass a significant security stack, obtain initial access and lateral access effectively, deploy malware and toolsets with impunity, and traverse over 150 systems in the span of six weeks. While, at first glance, this attack was not sophisticated in its toolset, it was sophisticated in its operationalization and agility of attackers’ actions. The correlations between the Linux environment tools and the Windows environment tools are shown below:
Cross-Platform Toolsets and Purpose
Tinyp (PSEXEC Variant)
Auditunnel (Linux Version)
Auditunnel (Windows Version)
PScan (Linux Version)
PScan (Windows Version)
WGet (Linux Version)
WGet (Windows Version)
RSA IRreleased a white papercontaining an in-depth review of this engagement, including observed attacker operational patterns, TTPs, and the techniques used during this engagement to successfully track and respond to the threat. The observations illustrated in this paper identify that not only doCARBANAKactors have the capability to successfully compromise various operating system environments, they have standardized and operationalized this capability. This attribute indicates strategic operational thought and effort being invested in this group’s compromises, suggesting that theCARBANAKactors are working towards becoming a more organized, structured, resourceful, and mature threat group.
During an intrusion,timeis the single most critical resource to an organization’s security team and is the most significant indicator of determining if the security team will be successful in containing, eradicating, and remediating the extant threat. There are two specific sets of time related to an intrusion that may determine the difference between success and failure: the time that the attackers are in the environment prior to detection (dwell time), and the time it takes security teams to identify, investigate, understand, and contain the attacker’s actions (response time). In this specific incident, the attacker’s dwell time at intrusion declaration was 35 days, which is a significant amount of time given the level of access immediately available upon compromise. However, by utilizing themethodologyand visibility described in this paper, RSA IR was able to complete containment, eradication, and remediation inonly nine days. We also discuss themethodologyused by RSA IR to successfully detect, investigate, understand, and contain the attackers before the actors could achieve their intended goal.
TheCARBANAKactors not only showed the capability to successfully compromise both Linux and Windows systems, they chose a toolset that was either directly cross-platform or extremely similar in both function and command line usage. This indicates a level of tactical organization and operationalization not previously observed by this actor group. Additionally, they were significantly cognizant and aware of actions taken by the security team, switching to new methods of ingress after initial compromise, detected remediation actions, and environmental migration. They were methodical in their choice of staging systems, basing the system utilized on:
a critical function of lateral access
or responder detection and investigation
They chose key systems based on their needs rather than systems the organization would consider ‘key’ assets. They ensured the toolsets they would interact with most often contained very similar functions and commands across environments in order to limit mistakes made at the keyboard. They included a method, whether manually or automatically, to remove any record of their activities. They operated with purpose, patience, planning, and most significantly, persistence.
This intrusion was successfully discovered, investigated, contained, eradicated, and remediated only due to the following reasons:
The organization invested in thenecessary visibilityat a host and network level to allow analysts to rapidly and effectively hunt for and investigate these types of threats.
The organization had invested andempowered their personnelto creatively and proactively hunt for, understand, investigate, and learn from threats within their environment.
The organization had a solid top-down understanding of what role Threat Hunting and Incident Response held during daily operations and security incidents, and provided the necessary support and enablement to subordinate units and analysts.
While a first look at the tools used in this engagement may appear simplistic, upon review of the entire intrusion, it becomes quickly apparent that each of them was purpose-chosen with an overall operationalized capability in mind. CARBANAKhas shown themselves to be a coordinated and extremely persistent group of actors that are consistently moving towards more agile methods of intrusion and standardization of processes across heterogeneous environments. They have proven their capability to use that persistence and agility to defeat or bypass organizational security controls. Even with the least advanced of their capabilities, they can be a difficult adversary to track within an environment due to their speed, efficiency, adaptability, and care in leaving little trace of any activity. However, this difficulty compounds exponentially for organizations without the necessary visibility, practices, methodologies, or trusted partner relationships necessary to effectively detect and respond to these types of threats. This white paper shows that with the necessary visibility, planning, methodology, and analyst enablement, organizations can be successful against these types of threats.