# Compromising the Keys to the Kingdom: Exfiltrating Data to Own and Operate the Exploited Systems

###### Aditya K Sood
Sr. Director of Threat Research and Security Strategy, Office of the CTO, F5

-----

##### ▪ Dr. Aditya K Sood
#### • Security practitioner and researcher
#### • Working in the security field for more than 15 years; at present, Sr. Director of Threat Research and Security Strategy, Office of the CTO, F5
#### • Regular speaker at industry-leading security conferences
#### • Author of the books “Targeted Cyber Attacks” and “Empirical Cloud Security”
#### • W: https://www.adityaksood.com
#### • T: @adityaksood
#### • LinkedIn: https://www.linkedin.com/adityaks

-----

###### The research presented in this talk is shared with the security community to strengthen efforts to enhance the security of critical infrastructure and to protect users on the Internet.

-----

##### ▪ Advanced malicious code running inside systems is capable of:
#### • subverting the integrity and confidentiality of the system, including its data
#### • launching network attacks and exploiting additional systems
#### • exfiltrating sensitive data from compromised cloud workloads
#### • transforming organizational cloud assets into launchpads for conducting cybercrime
#### • abusing internal cloud environment controls for unauthorized operations
#### • impacting organizational operations, customers and brand value
##### ▪ Advanced threat characteristics (actions):
#### • masquerading, tampering, hijacking, subverting, persistence, modification, evasion, etc.
##### ▪ Threat actors that own and operate advanced threats:
#### • attackers, malicious insiders, nation-state actors, cybercriminals and others

-----

| Category | Description |
|---|---|
| Information Stealers | Stealing credentials and sensitive data from compromised systems to conduct fraud |
| Remote Administration Toolkits (RATs) | Used for privilege escalation, lateral movement and maintaining persistence |
| Payload Downloaders | Wrapper packages used for downloading exploit payloads (drive-by download attacks) |
| Ransomware | Malicious code targeting users for monetary gains |
| Service Booters | Abusing network protocols to subvert service availability by launching DDoS attacks |
| Scanners and Exploit Frameworks | Scanning, phishing and exploiting vulnerable systems |
| Communication Hijackers | Malicious code used to hijack communication channels to conduct MitM, MitC and MitB attacks |
| Cryptominers | Utilizing the compromised systems to mine cryptocurrency via cryptojacking |

-----

#### Advanced Attacks and Malicious Code Case Studies

-----

###### Diagram components: Attacker / TeamTNT, Compromised Kubelet, Infected Pod on a Kubernetes Cluster Node, Malicious Payload Server, Command and Control (C&C) Server; the arrows numbered (1) to (5) correspond to the steps below.
1. The attacker exploits an exposed and vulnerable Kubelet.
2. The attacker compromises the pods running on a specific node in the targeted Kubernetes cluster (installing utilities to trigger privilege escalation and launch a reverse shell).
3. Malicious payloads are downloaded from a remote location on the Internet.
4. The compromised pod environment is enhanced by installing new packages such as NVIDIA drivers to increase GPU capabilities.
5.
The compromised node is then used to install crypto miners to start crypto mining operations.

-----

###### Kubernetes root payloads (scripts) fetched onto the compromised node install the XMRig crypto miner. NVIDIA drivers were fetched and installed on the compromised pod (running on the node) to conduct robust crypto mining operations.

-----

###### MongoDB database infected with ransomware. Elasticsearch database infected with ransomware.

-----

###### Enfilade tool: detecting ransomware infection in MongoDB databases. Strafer tool: detecting ransomware infection in Elasticsearch databases.

-----

###### Loki: bot management commands. Loki botnet: data exfiltration techniques used to own, operate and exfiltrate data from compromised systems.

-----

###### Loki RAT: toolkit used to successfully infiltrate government systems and exfiltrate data.

-----

###### Loki RAT: data exfiltration case. Loki RAT: exfiltrating meeting recordings. Loki RAT: examples of exfiltrated data using known techniques.
###### Loki RAT: exfiltrating email client screenshots.

-----

###### Aurora Stealer. Titan Stealer. Nexus Stealer.

-----

#### Need of the Hour: exploiting Command and Control (C&C) panels (crimeware) to extract and analyze exfiltrated data related to compromised systems, in order to generate threat intelligence and design proactive strategies to combat future threats

-----

##### ▪ restrict the infections by jamming the communication between the compromised systems and the C&C panel
##### ▪ generate threat intelligence by analyzing the inherent functionalities of the bot
##### ▪ analyze the exfiltrated data from the compromised systems to determine potential security breaches

-----

###### Nexus Android C&C panel: successful exploitation of a SQL injection vulnerability in the C&C panel.

-----

###### Successful compromise of the Nexus Android botnet C&C panel, resulting in significant information disclosure and revealing its internal design.

-----

###### Scanning the SystemBC C&C host showed a number of open TCP ports. On further analysis, it was discovered that the remote host was running proxy services. Let’s see if we can connect to this TCP port via a browser: check TCP port 4011.

-----

###### The test browser was configured to use a SOCKS5 proxy with the IP address and TCP port 4011 obtained earlier while scanning the C&C host. After specifying the SOCKS5 proxy address “93.115.29.50” on TCP port 4011, HTTP traffic was proxied from the IP address of the testing client. The testing client should then be seen as an infected system in the C&C panel’s list of compromised systems.

-----

###### On accessing the C&C panel, the testing client’s IP address had been added to the list of compromised systems in the SystemBC C&C panel. This shows how, by scanning a remote C&C host and analyzing its SOCKS5 proxy ports, one can enumerate the list of infected systems on the Internet.
-----

## Demo

-----

###### Data dumped as zip files on the C&C host. Crash Loader C&C panel – exposed “statistics.php” webpage.

-----

###### BlackGuard stores stolen data from the compromised machines in zipped files on the C&C server.

-----

###### Mars Stealer: at first, guest access to the C&C host was not obtained. Guest access was obtained once the default key was known.

-----

#### Cyber Wars and Data Abuse Paradigm

-----

###### Threat actors: nation-state adversaries, cybercriminals, etc. Entry paths: Network Breach, System Compromise.
##### ▪ Data Destruction (malicious code: system wipers, ransomware, etc.)
#### • System sabotage
#### • Render data useless and ineffective
##### ▪ Data Exfiltration (malicious code: advanced information stealers, RATs, etc.)
#### • Steal Intellectual Property (IP)
#### • Exfiltrate critical data
##### ▪ Denial of Service (malicious code: bots, booters, etc.)
#### • Denying access to critical network services

-----

###### Stage 1 infection: overwrite the Master Boot Record; display a fake ransom note. Stage 2 infection: file-wiping code; targeted file types for corrupting records.

-----

###### Targeted file types for corrupting records

-----

##### ▪ Data is the new currency
##### ▪ Using an offensive approach to threat research helps to generate threat intelligence
##### ▪ Vulnerabilities in C&C panels reveal the weaknesses that exist in the server-side software used by the botnet (malware) operators to command and control the malicious code running on compromised systems
##### ▪ Information from C&C panels can help to build indicators of compromise (IoCs)
##### ▪ Understanding the design of C&C internals helps us to gain intelligence
##### ▪ Intelligence gained from the C&C panels can be used to harden security solutions
##### ▪ Threat intelligence allows building threat profiles to understand the threat landscape better

-----

##### Questions or Queries? Thank you!

-----