Um “espaço” nas respostas HTTP executados por vários agentes maliciosos (atacantes) permitiu que os investigadores da Fox-IT os identificassem com facilidade no último ano e meio.
Foi possível chegar a este resultado porque os atacantes usaram o Cobalt Strike; uma ferramenta para pentesting comercial e projetada para executar ataques direcionados e emular ações de post-explotation.
A versão que eles usaram adicionava um espaço em branco estranho nas respostas HTTP.
“Though Cobalt Strike is designed for adversary simulation, somewhat ironically the framework has been adopted by an ever increasing number of malicious threat actors: from financially motivated criminals such as Navigator/FIN7, to state-affiliated groups motivated by political espionage such as APT29,” Fox-IT researchers noted.
A ferramenta tem um componente de implante (beacon) e um componente de servidor (team server), e os operadores podem ligar-se a este último para gerir e interagir com os beacons do Cobalt Strike utilizando uma GUI.
“On top of collaboration, the team server also acts as a webserver where the beacons connect to for Command & Control, but it can also be configured to serve the beacon payload, landing pages and arbitrary files,” they explained.
“Communication to these servers can be fingerprinted with the use of Intrusion Detection System (IDS) signatures such as Snort, but with enough customization of the beacon, and/or usage of a custom TLS certificate, this becomes troublesome. However, by applying other fingerprinting techniques a more accurate picture of the Cobalt Strike team servers that are publicly reachable can be painted.”
A anomalia do cabeçalho HTTP permitiu que os investigadores da Fox-IT descobrissem os servidores usados pelo grupo APT 10, o Cobalt Group; aqueles que estavam a utilizar o Trojan Bokbot para seu usufruto.
Os investigadores compilaram uma lista de endereços IP dos servidores da equipa do Cobalt Strike que estão em operação entre 2015 até ao momento para que as organizações possam verificar se foram atingidas.
“The IP addresses can be checked with e.g. firewall and proxy logs, or on aggregate against SIEM data,” they explained, but made sure to note that the list might contain IP addresses of legitimate NanoHTTPD servers (Cobalt Strike team servers are based on the open-source NanoHTTPD server).
“Fox-IT recognizes the merit of building and distributing offensive tooling, particularly for security testing purposes. In our opinion the benefits of publishing this list (allowing everyone to detect unwanted attacks retroactively) outweigh the downsides, which could include potentially affecting ongoing red team operations. We believe that we all have an interest in raising the bar of security operations, and therefore increasing visibility across the board will inform a higher level of operational security and awareness on all sides,” they noted.
Os investigadores aconselham os especialistas de segurança a implementar estas mitigações de forma a dificultar a identificação (fingerprint) do Cobalt Strike nos pedidos.
Desde janeiro de 2019, o bug “espaço estranho” se tornou menos útil para descobrir servidores de ataque porque uma nova versão do Cobalt Strike (v3.1.3) foi lançada e o bug foi removido das respostas de status HTTP.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.