Perch IDS and SIEM

The CRU has been busy creating new detection content for our Perch IDS and SIEM platforms. The following is an overview of a few of the new detection signatures we have recently released.

Muddy Water

The U.S. Cyber Command recently released an advisory regarding a group of threat actors tied to the Iranian Ministry of Intelligence and Security (MOIS) known as MuddyWater. MuddyWater mainly focuses on the telecommunications, government, and oil sectors and is most likely motivated by espionage. MuddyWater gains initial access using malicious documents and spreadsheets spread via spearphishing; the embedded malicious VBA macros use PowGoop to deploy additional tools. PowGoop consists of a DLL loader and a PowerShell downloader.

MuddyWater uses various living-off-the-land binaries (LoLBins) to deploy Visual Basic scripts for persistence. Their end game seems to be to deploy a tool known as Mori. Mori is a backdoor tool often used by threat actors for espionage that uses DNS tunneling to communicate with its Command and Control (C2) infrastructure.

One interesting aspect of the latest MuddyWater activity is that they have embedded canary tokens from canarytokens.com in recent samples. A canary token is a unique token that can be embedded into any object, such as a document or a database, and used to track when that object is accessed. For example, when a victim opens a malicious MuddyWater Excel spreadsheet with an embedded canary token, their system will send an HTTP request back to canarytokens.com, which will alert the token’s owner that the object was opened. Canary tokens are often used by legitimate security teams to help identify a breach.

Below is an overview of the Tactics, Techniques, and Procedures (TTPs) used by MuddyWater tied to the MITRE ATT&CK framework.

[Figure: MuddyWater TTPs mapped to the MITRE ATT&CK framework]

The CRU created the following new IDS signatures, automatically deployed to all Perch IDS customers, that detect the most recently observed MuddyWater behavior described above:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] MuddyWater Maldoc Infection Chain Domain (snapfile.org)"; flow:established, to_server; http.method; content:"GET"; http.host; content:"snapfile.org"; http.uri; pcre:"/^\/(d\/)?[a-z0-9]{20}$/"; tag:session,5,packets; reference:url, blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html; classtype:trojan-activity; sid:900558; rev:1; metadata: created_at 2022_02_01, updated_at 2022_02_01, mitre_tactic_id TA0002, mitre_tactic_name Execution, mitre_technique_id T1204, mitre_technique_name User_Execution;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] MuddyWater Infection CanaryTokens"; flow:established, to_server; http.method; content:"GET"; http.host; content:"canarytokens.com"; http.uri; pcre:"/(oy80la8r9iyub22nbhb7wvxrk|kbu1xo0s8ktfxrzsn9iuei3e9|azp6ai8pg5aq0c619ur0qzi6h|o1txrtd8gn7i9rt159k5baoys|smnszrsk7gqjplt0j1idwjrcr|agsbmym5re3whgnd5a8kzntai|60ld4guht70xby71u3io4w43n|lmbvetj0iif8dwjgutckpppq3|kc7snpabrp9z0wp1p1klqgkr9|04p62zz698bdzv2fdbgupdm4j|mpei7e608jb22i90z9x8g0gdu|qut1gl1r6ywzgs1ts922sxtqv|09xzzwe761avzxxmyzi85r7hv|nx4fiakqe1gc02hrnlv8fyis4|b90963gx06jykhz61kv534zcm|bruhtg2dtbzk7j1fsttxga85e|d3g23n4gdcrep20q3wzm153xn|xxe2sm2rddhxfto9gjx25fo9c|gikx04xwvf3uu4af8ekrvfeoj)/"; tag:session,5,packets; reference:url, blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html; classtype:trojan-activity; sid:900559; rev:1; metadata: created_at 2022_02_01, updated_at 2022_02_01, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] MuddyWater Powershell C2 Traffic (Googlebot/2.1)"; flow:established, to_server; http.uri; content:"/images?guid="; startswith; http.user_agent; content:"Googlebot/2.1"; startswith; http.header; content:"Accept-Encoding: identity"; tag:session,5,packets; reference:url, blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html; classtype:trojan-activity; sid:900560; rev:1; metadata: created_at 2022_02_01, updated_at 2022_02_01, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] MuddyWater Powershell Loader Suspicious User-Agent"; flow:established, to_server; http.method; content:"GET"; http.user_agent; content:"Safari/"; pcre:"/^\d{3}\.\d{2}\|[a-z0-9\-\_]+$/Ri"; http.host; content:!"qq.com"; endswith; content:!"huvle.com"; endswith; tag:session,5,packets; reference:url, blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html; classtype:trojan-activity; sid:900561; rev:1; metadata: created_at 2022_02_01, updated_at 2022_02_01, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)

Moonbounce

The Unified Extensible Firmware Interface (UEFI) is a specification that allows an operating system to interact with firmware. UEFI replaces the BIOS in modern PCs. Moonbounce is a recently discovered malware that embeds itself into UEFI firmware. Moonbounce is used as a downloader to deploy additional malware.

Since the malware infects the firmware, it can survive a full reinstall of the operating system or even a complete disk replacement. It can also act completely fileless. Once infected, there are no traces of the malware left on the hard drive and it exists completely in memory, reloaded into memory from the firmware every time the system reboots.

The CRU has gathered intel on the C2 network used by Moonbounce and created the following IDS signature, automatically deployed to all Perch IDS customers, that will alert you when their C2 network is contacted:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Connectwise CRU] Moonbounce Domain Lookup"; http.method; content:"GET"; http.uri; content:"mboard.dll"; http.host; content:"mb.glbaitech.com"; tag:session,5,packets; reference:url, securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/; classtype:trojan-activity; sid:900557; rev:1;)
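To show what the MuddyWater and Moonbounce signatures above actually key on, here is an added Python example (not CRU or Perch code) that re-implements the match logic of sids 900558, 900560, 900561 and 900557 over constructed HTTP request records and reports which rule fires for each. The request dicts, hostnames and IPs in SAMPLES are constructed for the example; the strings and regexes come from the rules themselves.

```python
import re

def req(method, host, uri, ua="", headers=""):
    """A parsed HTTP request as an HTTP log would present it (constructed sample shape)."""
    return {"method": method, "host": host, "uri": uri, "ua": ua, "headers": headers}

# Constructed samples, not real captures. Hosts/IPs are documentation values.
SAMPLES = {
    "snapfile_hit":  req("GET", "snapfile.org", "/d/abcdef0123456789abcd"),
    "snapfile_miss": req("GET", "snapfile.org", "/d/short"),
    "googlebot_hit": req("GET", "203.0.113.10", "/images?guid=1234",
                         "Googlebot/2.1", "Accept-Encoding: identity\r\n"),
    "loader_hit":    req("GET", "203.0.113.20", "/", "Mozilla/5.0 Safari/537.36|host-01"),
    "loader_excluded_host": req("GET", "www.qq.com", "/", "Mozilla/5.0 Safari/537.36|host-01"),
    "benign_safari": req("GET", "example.com", "/", "Mozilla/5.0 AppleWebKit/605.1.15 Safari/605.1.15"),
    "moonbounce_hit": req("GET", "mb.glbaitech.com", "/mboard.dll"),
}

SNAPFILE_PATH = re.compile(r"^/(d/)?[a-z0-9]{20}$")          # pcre from sid 900558
LOADER_TAIL = re.compile(r"^\d{3}\.\d{2}\|[a-z0-9\-_]+$", re.I)  # pcre from sid 900561 (/Ri)

def sid_900558(r):  # MuddyWater maldoc infection chain domain (snapfile.org)
    # http.host content matches are substring matches, not equality
    return r["method"] == "GET" and "snapfile.org" in r["host"] and bool(SNAPFILE_PATH.match(r["uri"]))

def sid_900560(r):  # MuddyWater PowerShell C2 traffic (Googlebot/2.1 UA)
    return (r["uri"].startswith("/images?guid=") and r["ua"].startswith("Googlebot/2.1")
            and "Accept-Encoding: identity" in r["headers"])

def sid_900561(r):  # MuddyWater PowerShell loader suspicious User-Agent
    if r["method"] != "GET":
        return False
    if r["host"].endswith("qq.com") or r["host"].endswith("huvle.com"):  # content:! ... endswith
        return False
    # /R anchors the pcre right after the "Safari/" content match; Suricata retries
    # later occurrences of the content if the first fails, so check each one.
    ua = r["ua"]
    return any(LOADER_TAIL.match(ua[m.end():]) for m in re.finditer(re.escape("Safari/"), ua))

def sid_900557(r):  # Moonbounce domain lookup
    return r["method"] == "GET" and "mboard.dll" in r["uri"] and "mb.glbaitech.com" in r["host"]

RULES = {900558: sid_900558, 900560: sid_900560, 900561: sid_900561, 900557: sid_900557}

def triage(samples):
    """Return {sample_name: [sids that fired]} for a dict of request records."""
    return {name: sorted(sid for sid, fn in RULES.items() if fn(r)) for name, r in samples.items()}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(f"{name:22s} -> {hits or 'no alert'}")
```

The benign Safari and qq.com samples show why the loader rule pairs the `|`-delimited tail regex with host exclusions rather than alerting on every Safari User-Agent.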

References

https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/

https://attack.mitre.org/groups/G0069/

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powgoop

https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html

https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf