The German intelligence service has published information about sophisticated cyber attacks against German media companies and organizations involved in chemical weapons research. There are indications that the attacks are linked to the APT group Sandworm, and Kaspersky's report notes technical overlaps with the Olympic Destroyer campaign seen at the Olympic Winter Games in South Korea earlier this year. The German intelligence service states that the group, also known under the names Quedagh and BlackEnergy, has been active since 2013, conducting cyber espionage against NATO, western European government authorities, telco providers and academic institutions.
What do the attacks look like?
The attacks are German-language spear phishing e-mails with malicious attachments. When the victim opens the attachment and allows macros to execute, a Visual Basic script runs. This script disables PowerShell logging, then executes PowerShell commands and downloads additional malicious code. By the end of this process, the attacker can execute any PowerShell command on the victim's system. With that access and the right user privileges, such as 'admin', the attacker is effectively sitting in front of the infected system with the ability to do anything and everything. The first attacks were seen back in August 2017 and may still be active, as affected organizations may not yet know they have been hit.
Where can I learn more?
This Cyber Brief from the German agency contains background information, recommendations of actions, indicators of compromise and contact details for organizations to reach out to if they have been affected.
The APT report from Kaspersky with an update on Olympic Destroyer includes details on what the mail attachments look like, the URL paths used on the command and control server, and a payload analysis.
There are also details about the execution of the attachment ‘E-mail-Adressliste_2018.doc’ in Joe’s Sandbox Cloud.
How do I identify if I have been affected?
You will have to look back to August 2017. However, based on the report, that date appears to be when a sample was first uploaded to VirusTotal, rather than when someone reported it from their own environment, so ideally we'd recommend going back as far as your data allows. Review all the indicators of compromise highlighted in both the Kaspersky Lab and German intelligence reports and validate them against your environment.
Search back for any communication with the malicious IPs, put them into a Splunk lookup list for continuous monitoring, and set up alerts for matches going forward. Your proxy and firewall logs - ideally also an endpoint firewall, which many organizations do not have or do not log - will give you these answers.
The Kaspersky blog lists domains as well as file paths from an open source CMS (Joomla). Depending on your business area, users shouldn't regularly log into and maintain an open source CMS backend, so searching for the URLs and paths of the Joomla backend may lead you to potentially infected clients. Note that this may produce some false positives where employees manage a private website from work. The logs from your proxy server or next-gen application firewall will be your friends here.
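The lookup-based search described in the last two paragraphs, as an added Python example (not Splunk code from this post): constructed proxy log lines are matched against a placeholder IoC lookup, standing in for the IPs and domains published in the reports, and against the Joomla backend path, with path-only hits marked for false-positive review.

```python
import re
from urllib.parse import urlsplit

# Constructed squid-style proxy log lines (epoch, client IP, status, method, URL);
# made up for this example, not traffic from the reports.
PROXY_LOG = """\
1534320000.123 10.1.4.22 TCP_MISS/200 GET http://203.0.113.10/administrator/index.php
1534320061.456 10.1.4.22 TCP_MISS/200 GET http://203.0.113.10/administrator/components/com_x/update.php
1534320300.789 10.1.7.90 TCP_MISS/200 GET https://www.example.org/index.html
1534320400.001 10.1.9.14 TCP_MISS/200 GET https://my-private-site.example.net/administrator/index.php
"""

# Placeholder lookup list: substitute the IPs and domains published in the reports.
IOC_LOOKUP = {"203.0.113.10": "placeholder C2 address", "c2.example-bad.test": "placeholder C2 domain"}

# Joomla backend path, legitimate only for staff who manage a Joomla site from work.
JOOMLA_BACKEND = re.compile(r"^/administrator(/|$)")
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+\S+\s+\S+\s+(?P<url>\S+)")


def classify(host, path, ioc=IOC_LOOKUP):
    """'ioc' for a lookup match (high confidence), 'joomla_backend' for an admin
    path on an unlisted host (check for false positives), else None."""
    if host in ioc:
        return "ioc"
    if JOOMLA_BACKEND.match(path):
        return "joomla_backend"
    return None


def scan(log_text, ioc=IOC_LOOKUP):
    """Aggregate hits per (client, host, kind) with count, first and last seen epoch,
    the same shape as a Splunk lookup plus stats search over proxy data."""
    agg = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparsable lines rather than abort the whole scan
        ts, url = float(m["ts"]), urlsplit(m["url"])
        host = (url.hostname or "").lower()
        kind = classify(host, url.path, ioc)
        if kind is None:
            continue
        e = agg.setdefault((m["src"], host, kind), {"count": 0, "first_seen": ts, "last_seen": ts})
        e["count"] += 1
        e["first_seen"], e["last_seen"] = min(e["first_seen"], ts), max(e["last_seen"], ts)
    return agg


if __name__ == "__main__":
    for (src, host, kind), e in sorted(scan(PROXY_LOG).items()):
        print(f"{src} -> {host} [{kind}] x{e['count']} first seen epoch {e['first_seen']}")
```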
E-Mail attachments and file hashes:
For attackers it's very easy to change attachment names and file hashes; however, you should still search for the published attachment file names. Good data sources for these are e-mail message tracking logs, logs from spam filter systems, log data from endpoints if available, or your backup systems. If you have an endpoint cloud backup system deployed, it will certainly be able to tell you whether those files have been seen. If you have Sysmon deployed for endpoint monitoring, or uberAgent, you can additionally search for file hashes which have been seen and executed.
Relying on indicators of compromise alone for your detection capabilities going forward is no longer enough: changing file names, file hashes, IPs or domains is just too easy for attackers. It is harder for attackers to change their tactics, so you might want to look into our Security Essentials and Splunk's Enterprise Security Content Update for ways to force them to do so. These materials contain analytical concepts with explanations of what to look for in the early stages, what to baseline, and how to detect anomalies early. Many PowerShell examples are included as well as some nice Sysmon examples.
What should I do if I have found an infected system?
If you have found a positive match, identify which machine it was. If you are using dynamic IPs, look into your DHCP logs alongside your communication logs to identify which MAC address held that source IP address at the time, and historically where else that communication was seen. From there, review your Active Directory logs to identify which users have logged on to those machines over time. Reset their passwords and identify the departments they work in to better understand what access to sensitive data was possible. Ideally you will have the log data of your business applications and file servers ready for this. Check for additional external communication to see if data was exfiltrated, and if so, how much. Once you have painted this bigger picture, inform your management as soon as possible so that they can notify the German authorities about the incident and plan next steps.
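The IP-to-machine-to-user chain described above, as an added Python example (not code from this post): constructed DHCP lease and Active Directory logon records are joined to a proxy hit by time, not by IP alone, because a dynamic IP moves between machines and a plain IP join would attribute the hit to the wrong workstation.

```python
# Constructed DHCP lease records (lease start epoch, lease end epoch, IP, MAC, hostname);
# made up for this example, not data from the reports.
LEASES = [
    (1534310000, 1534325000, "10.1.4.22", "00:11:22:33:44:55", "WS-FINANCE-07"),
    (1534325001, 1534340000, "10.1.4.22", "66:77:88:99:aa:bb", "WS-HR-03"),
    (1534300000, 1534400000, "10.1.9.14", "cc:dd:ee:ff:00:11", "WS-MKT-12"),
]

# Constructed Active Directory logon events (epoch, hostname, account), as a
# domain controller would log successful logons.
LOGONS = [
    (1534315000, "WS-FINANCE-07", "CORP\\j.doe"),
    (1534319000, "WS-FINANCE-07", "CORP\\svc-backup"),
    (1534330000, "WS-HR-03", "CORP\\m.mueller"),
    (1534200000, "WS-FINANCE-07", "CORP\\old.intern"),  # too long before the hit to count
]

def lease_at(ip, ts, leases=LEASES):
    """Return (mac, hostname) that held `ip` at epoch `ts`, or None.
    Matching on the IP alone would also return later leases of the same IP."""
    for start, end, lease_ip, mac, host in leases:
        if lease_ip == ip and start <= ts <= end:
            return mac, host
    return None

def users_on_host(host, ts, window=86400, logons=LOGONS):
    """Accounts that logged on to `host` in the `window` seconds up to the hit."""
    return sorted({user for t, h, user in logons if h == host and ts - window <= t <= ts})

def triage(hits):
    """Enrich (epoch, source IP) hits from a proxy or firewall match with the machine
    and the users behind it; a hit with no covering lease is flagged, not guessed."""
    out = []
    for ts, ip in hits:
        lease = lease_at(ip, ts)
        if lease is None:
            out.append({"ts": ts, "ip": ip, "error": "no DHCP lease covers this time"})
            continue
        mac, host = lease
        out.append({"ts": ts, "ip": ip, "mac": mac, "host": host, "users": users_on_host(host, ts)})
    return out

if __name__ == "__main__":
    # The same IP at two different times resolves to two different machines.
    for rec in triage([(1534320000, "10.1.4.22"), (1534330000, "10.1.4.22"), (1534325000.5, "10.1.4.22")]):
        print(rec)
```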
If you have everything stored in text files, do not have Splunk, and the above process looks painful to crawl through, then try Splunk Enterprise free for 60 days. Just install it on your syslog server, point it at the directory, and wait until Splunk has indexed all your historical data.
All the best,