One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 8305835
Publication date 2023-01-31 11:00:00 (viewed: 2023-01-31 11:08:40)
Title Stories from the SOC - RapperBot, Mirai Botnet - C2, CDIR Drop over SSH
Text Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

Since mid-June 2022, the AT&T Managed Extended Detection and Response (MXDR) Security Operations Center (SOC) has observed an enormous number of attacks from Mirai botnet C2 infrastructure attempting to gain access to SSH servers instead of Telnet. Based on the tactics, techniques, and procedures (TTPs) observed, this attack has been associated with the RapperBot botnet (a Mirai variant). RapperBot's goal is still undefined. According to analysis published by FortiGuard Labs, while the majority of Mirai variants naturally brute force Telnet servers that use default or weak passwords, RapperBot in particular scans for and attempts to brute force SSH servers that are configured to require password authentication. A large part of the malware is an SSH 2.0 client implementation that can connect to and brute force any SSH server using Diffie-Hellman key exchange with 768-bit or 2048-bit keys and AES128-CTR data encryption. A unique characteristic of RapperBot's brute forcing is the use of the client identification string SSH-2.0-HELLOWORLD to identify itself to the targeted SSH server during the SSH protocol exchange phase.

One of the malicious Mirai botnet IP addresses was allowed network traffic with an asset in an organization over SSH port 22. After some data transfer, the session closed with a client-reset action. The MXDR SOC team quickly identified the activity and recommended mitigation steps to prevent lateral movement and stop the attacker going further.

Investigation

RapperBot execution flow

Initial alarm review

Indicators of Compromise (IOC)

The alarm was initiated by multiple Open Threat Exchange (OTX) pulses (Miraibotnet-C2-CDIR Drop List) and an OTX indicator of a known malicious IP.

There was network traffic between the known malicious IP and a public IP of an internal asset in the organization. The traffic was over SSH port 22, and the security system (firewall) action was a deny. The firewall deny action was evidence of auto-mitigation. In this case, auto-mitigation means the attack was prevented by firewall rules and threat intelligence denying the connection from the malicious IP. However, further analysis of the events showed that traffic was allowed from the malicious IP to another internal asset. In addition, there were signs of data transfer from the source IP: “sentbyte=1560, rcvdbyte=2773, sentpkt=15, rcvdpkt=13”.

** Risk mitigation in cybersecurity is the reduction of the overall risk/impact of cyber-attacks. Detection, prevention, and remediation are the three components of risk mitigation in cybersecurity.

Suspicious behavior

Expanded investigation

Events search

After checking the events associated with the alarm, the team always checks the environment's security posture to see whether the malware penetrated further into the environment or attempted any lateral movement. The team searched events by pivoting on the indicator IP, filtering the past 90 days of e
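The triage described above (separating a firewall auto-mitigated deny from an allowed SSH session that actually moved data, keyed on a threat-intelligence IP list) can be reproduced over key=value firewall logs in the format the write-up quotes. The following is an added example, not code from the AT&T SOC or AlienVault; the indicator IPs and log lines are constructed (TEST-NET addresses), and the banner check uses the SSH-2.0-HELLOWORLD client identification string named in the article.

```python
import re

# Constructed indicator list standing in for the OTX pulse (placeholder IPs,
# not the real RapperBot C2 addresses).
MALICIOUS_IPS = {"203.0.113.77", "198.51.100.9"}

# Constructed FortiGate-style log lines in the "sentbyte=... rcvdbyte=..." form
# quoted in the investigation.
SAMPLE_LOGS = [
    "srcip=203.0.113.77 dstip=10.0.0.5 dstport=22 action=deny sentbyte=0 rcvdbyte=0 sentpkt=1 rcvdpkt=0",
    "srcip=203.0.113.77 dstip=10.0.0.8 dstport=22 action=accept sentbyte=1560 rcvdbyte=2773 sentpkt=15 rcvdpkt=13",
    "srcip=192.0.2.10 dstip=10.0.0.8 dstport=22 action=accept sentbyte=4000 rcvdbyte=9000 sentpkt=40 rcvdpkt=35",
    "srcip=198.51.100.9 dstip=10.0.0.9 dstport=443 action=accept sentbyte=800 rcvdbyte=12000 sentpkt=9 rcvdpkt=14",
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value firewall log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def classify(ev, bad_ips):
    """Verdict for one event, mirroring the SOC's reasoning in the write-up."""
    if ev.get("srcip") not in bad_ips:
        return "clean"
    if ev.get("action") == "deny":
        return "auto-mitigated"          # firewall rule / TI blocked the IOC
    moved_data = int(ev.get("sentbyte", 0)) > 0 or int(ev.get("rcvdbyte", 0)) > 0
    if ev.get("dstport") == "22" and moved_data:
        return "allowed-ssh-transfer"   # IOC reached an asset over SSH and exchanged data
    return "allowed-other"


def triage(lines, bad_ips=MALICIOUS_IPS):
    """Return (srcip, dstip, verdict) for every log line."""
    out = []
    for line in lines:
        ev = parse_line(line)
        out.append((ev.get("srcip"), ev.get("dstip"), classify(ev, bad_ips)))
    return out


def is_rapperbot_banner(banner):
    """True if an SSH client identification string matches the one RapperBot sends."""
    return banner.strip().startswith("SSH-2.0-HELLOWORLD")
```

Feeding the session that was allowed through to the second asset (row two) yields the verdict a responder would escalate, while the first row is correctly attributed to auto-mitigation.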
Sent Yes
Tags Malware Threat
Stories
Rating ★★★★


The article does not appear to have been picked up after its publication.


The article does not appear to be a reprint of an earlier one.