Social Engineering results in the disastrous attack on Cisco


Summary

Recently, an employee of networking giant Cisco became the leverage point for a successful social engineering attack. The attacker gained control of the victim's personal Google account, to which the victim's browser had been synchronizing saved credentials, and in doing so obtained the employee's Cisco credentials.

Under the guise of various trusted organizations, the attacker conducted a series of voice phishing calls to convince the victim to accept the push notifications for multi-factor authentication (MFA). Once inside, the attacker took a series of actions to establish persistence and minimize forensic artifacts on compromised systems by executing various commands and techniques.

The adversary behind this attack has previously been identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, the Lapsus$ threat actor group, and Yanluowang ransomware operators. For particulars, keep reading.

Attack Vectors

Cisco's VPN was initially accessed through the compromise of a Cisco employee's personal Google account. The user had enabled password syncing in Google Chrome and stored their Cisco credentials in the browser, so those credentials synchronized to the Google account. The attacker then combined vishing (voice phishing) with MFA fatigue: sending repeated push requests to the victim's devices in the hope that the victim would eventually accept one just to silence the notifications. Vishing, an increasingly common social engineering technique, involves tricking employees into divulging sensitive information over the phone. In this case the employee reported receiving multiple calls over several days from callers who spoke English with various international accents and dialects and claimed to belong to support organizations the user trusted.

After authenticating successfully, the attacker escalated to administrative privileges, allowing logon to multiple systems. Cisco's Security Incident Response Team (CSIRT) subsequently responded to the incident. Various tools were dropped, including remote access tools such as LogMeIn and TeamViewer; offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket; and backdoor accounts and persistence mechanisms.
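As an added illustration, not part of the original post or of SharkStriker's rule set, the Python sketch below flags the MFA-fatigue pattern described above in identity-provider audit logs: a burst of push challenges to one user inside a short window, and whether that burst ended in an approval. The log lines are constructed, and the event names and the 5-pushes-in-10-minutes threshold are assumptions to be mapped onto a real IdP's events.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed IdP audit log (timestamp, user, event). Event names are
# assumptions; map them to your provider's MFA push audit events.
SAMPLE_LOG = [
    ("2022-08-01T03:01:00", "alice", "push_sent"),
    ("2022-08-01T03:01:20", "alice", "push_denied"),
    ("2022-08-01T03:01:45", "alice", "push_sent"),
    ("2022-08-01T03:02:30", "alice", "push_sent"),
    ("2022-08-01T03:03:10", "alice", "push_sent"),
    ("2022-08-01T03:04:00", "alice", "push_sent"),
    ("2022-08-01T03:04:40", "alice", "push_approved"),
    ("2022-08-01T08:00:00", "bob", "push_sent"),      # normal morning logon
    ("2022-08-01T08:00:15", "bob", "push_approved"),
    ("2022-08-01T17:30:00", "bob", "push_sent"),      # normal evening logon
    ("2022-08-01T17:30:12", "bob", "push_approved"),
]

def find_mfa_fatigue(log, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user who received >= threshold pushes inside
    `window`, noting whether the burst ended in an approval (the outcome
    the attacker was after in the Cisco case)."""
    recent = {}       # user -> deque of push timestamps inside the window
    bursting = set()  # users who have crossed the threshold
    alerts = {}       # user -> alert dict
    for ts_str, user, event in sorted(log):
        ts = datetime.fromisoformat(ts_str)
        q = recent.setdefault(user, deque())
        if event == "push_sent":
            q.append(ts)
            while q and ts - q[0] > window:   # drop pushes older than the window
                q.popleft()
            if len(q) >= threshold:
                bursting.add(user)
                a = alerts.setdefault(user, {"user": user, "pushes": 0,
                                             "approved_after_burst": False})
                a["pushes"] = max(a["pushes"], len(q))
        elif event == "push_approved" and user in bursting:
            alerts[user]["approved_after_burst"] = True
            alerts[user]["approved_at"] = ts.isoformat()
    return list(alerts.values())
```

A denial followed by more pushes to the same user is the strongest signal here; a real rule would also want to page the user out of band rather than rely on the approval itself.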



TTPs

The attacker executed a series of commands to enumerate the system and escalate privileges. Once it had obtained access to a system, the threat actor began enumerating the environment, using built-in Windows utilities to identify the user and group membership configuration, the hostname, and the account context. Commands were issued with typographical errors, indicating a hands-on operator rather than an automated tool. Having gained access to the VPN, the attacker used the compromised account to log on to several systems before pivoting deeper into the environment, moving into the Citrix environment, compromising a series of Citrix servers, and eventually gaining access to domain controllers.

The attacker then began dumping NTDS from domain controllers using ntdsutil.exe and attempted to exfiltrate the dumped NTDS over SMB (TCP/445) from the domain controller to the VPN system under their control:

powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\users\public' q q

Having gained access to the credential databases, the attacker leveraged machine accounts for privileged authentication and lateral movement. The attacker then created an administrative user called "z" with net.exe and added it to the local Administrators group, and also changed the passwords of other members of that group:

C:\Windows\system32\net user z Lh199211* /add

C:\Windows\system32\net localgroup administrators z /add

This account was then used to run other utilities such as adfind and secretsdump in an attempt to enumerate the directory services environment and obtain additional credentials. The threat actor was also observed attempting to extract registry hives, including the SAM database, from compromised hosts:

reg save hklm\system system

reg save hklm\sam sam

reg save HKLM\security sec

On some systems the attacker was observed dumping LSASS memory, using MiniDump from Mimikatz as well as the MiniDump export of comsvcs.dll invoked through rundll32.exe, as in the commands below:

tasklist | findstr lsass

rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump [LSASS_PID] C:\windows\temp\lsass.dmp full

The attacker was also observed clearing event logs with the wevtutil.exe utility and deleting accounts in order to remove artifacts of their presence on the system:

wevtutil.exe el

wevtutil.exe cl [LOGNAME]

The attacker also moved files within the environment using services such as RDP (Remote Desktop Protocol) and Citrix.
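As an added illustration, not part of the original post or of SharkStriker's rule set, the following Python sketch runs command-line detections for the commands quoted above over constructed Sysmon-style process-creation records, tags each hit with the ATT&CK technique used in the mapping below, and correlates the two net.exe commands into a single "new local administrator" finding. Host names, user names and the LSASS PID are made up.

```python
import re

# Constructed Sysmon-style process-creation records (host, user, command line)
# modelled on the commands quoted in this write-up; the last one is benign noise.
SAMPLE_EVENTS = [
    ("DC01", "CORP\\svc_backup",
     "powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\users\\public' q q"),
    ("WS07", "CORP\\jdoe", "C:\\Windows\\system32\\net user z Lh199211* /add"),
    ("WS07", "CORP\\jdoe", "C:\\Windows\\system32\\net localgroup administrators z /add"),
    ("WS07", "CORP\\jdoe", "reg save hklm\\sam sam"),
    ("WS07", "CORP\\jdoe",
     "rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump 712 C:\\windows\\temp\\lsass.dmp full"),
    ("WS07", "CORP\\jdoe", "wevtutil.exe cl Security"),
    ("WS07", "CORP\\jdoe", "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion"),
]

# Each rule: name, ATT&CK technique, case-insensitive regex over the command line.
# The named group 'acct' captures the account touched by net.exe for correlation.
RULES = [
    ("NTDS dump via ntdsutil IFM", "T1003.003", r"ntdsutil.*\bifm\b.*create\s+full"),
    ("SAM/SYSTEM/SECURITY hive saved", "T1003.002",
     r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b"),
    ("LSASS dump via comsvcs MiniDump", "T1003.001", r"comsvcs\.dll\s*,\s*MiniDump\b"),
    ("Event log cleared with wevtutil", "T1070.001", r"\bwevtutil(\.exe)?\s+cl\b"),
    ("Local account created with net.exe", "T1136.001",
     r"\bnet(\.exe)?\s+user\s+(?P<acct>\S+)(\s+\S+)?\s+/add\b"),
    ("Account added to local Administrators", "T1136.001",
     r"\bnet(\.exe)?\s+localgroup\s+administrators\s+(?P<acct>\S+)\s+/add\b"),
]
COMPILED = [(n, t, re.compile(p, re.IGNORECASE)) for n, t, p in RULES]

def detect(events):
    """Return one alert per (event, rule) match, in event order."""
    alerts = []
    for host, user, cmdline in events:
        for name, tech, rx in COMPILED:
            m = rx.search(cmdline)
            if m:
                alerts.append({"host": host, "user": user, "rule": name,
                               "technique": tech, "acct": m.groupdict().get("acct")})
    return alerts

def new_local_admins(alerts):
    """Correlate: accounts both created and added to Administrators on one host."""
    created = {(a["host"], a["acct"].lower()) for a in alerts
               if a["rule"].startswith("Local account created")}
    elevated = {(a["host"], a["acct"].lower()) for a in alerts
                if a["rule"].startswith("Account added")}
    return sorted(created & elevated)
```

Note that `wevtutil.exe el` (enumerating logs, also quoted above) deliberately does not match; only the clear operation is alerted on.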

Attempts to exfiltrate information from the environment were observed during the investigation. Following the eviction of the attacker, continuous attempts to re-establish access were seen. In most cases these targeted weak password rotation hygiene following the mandatory employee password resets: the attacker went after users who might have changed their passwords by just one character and attempted to re-authenticate with the resulting credentials.

The attacker also deployed a backdoor to establish a persistent presence in the environment. It communicated with a command and control (C2) server, issuing HTTP requests to the C2 server with the following URI pattern and creating malicious files based on those communications:

/bot/gate.php?botid=%.8x

The aforementioned HTTP requests are sent with the following User-Agent string:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.36 Trailer/95.3.1132.33

Mapping TTPs to MITRE ATT&CK

Initial Access

ATT&CK Technique: Phishing (T1566)

ATT&CK Technique: Valid Accounts (T1078)

Execution

ATT&CK Technique: System Services: Service Execution (T1569.002)

Persistence

ATT&CK Technique: Create Account: Local Account (T1136.001)

ATT&CK Technique: Account Manipulation: Device Registration (T1098.005)

Privilege Escalation

ATT&CK Technique: Event-Triggered Execution: Image File Execution Options Injection (T1546.012)

Defense Evasion

ATT&CK Technique: Indicator Removal on Host (T1070)

ATT&CK Technique: Indicator Removal on Host: Clear Windows Event Logs (T1070.001)

ATT&CK Technique: Masquerading: Match Legitimate Name or Location (T1036.005)

ATT&CK Technique: Impair Defenses: Disable or Modify System Firewall (T1562.004)

ATT&CK Technique: Modify Registry (T1112)

Credential Access

ATT&CK Technique: OS Credential Dumping: LSASS Memory (T1003.001)

ATT&CK Technique: OS Credential Dumping: Security Account Manager (T1003.002)

ATT&CK Technique: OS Credential Dumping: NTDS (T1003.003)

ATT&CK Technique: Multi-Factor Authentication Request Generation (T1621)

Lateral Movement

ATT&CK Technique: Remote Services (T1021)

Discovery

ATT&CK Technique: Query Registry (T1012)

Command and Control

ATT&CK Technique: Application Layer Protocol: Web Protocols (T1071.001)

ATT&CK Technique: Remote Access Software (T1219)

ATT&CK Technique: Encrypted Channel: Asymmetric Cryptography (T1573.002)

ATT&CK Technique: Proxy: Multi-hop Proxy (T1090.003)

Exfiltration

ATT&CK Technique: Exfiltration Over Alternative Protocol (T1048)


How does SharkStriker defend against such attacks?

SharkStriker provides a range of services for defending against such cyber-attacks, including MDR (Managed Detection and Response), SIEM as a Service, Incident Response, and a 24×7 SOC (Security Operations Center) as a Service. SharkStriker follows the ORCA approach for managing and triaging the incident workflow.

This approach covers everything from detecting an incident and triaging it, through compliance capabilities, to raising user awareness about the attacks.

Managed Detection and Response (MDR)

SharkStriker's MDR service bundles 24×7 monitoring, the SIEM service, and Incident Response. A dedicated team of our experts also fine-tunes detection rules and performs threat hunting on the SIEM platform across firewall, endpoint, Office 365, and all other available log sources for which alerts are triggered.



The image above shows one of the rules, which fires when suspicious PowerShell is executed, either as a process in its own right or as a child of another process. In the Cisco attack scenario, the attacker executed various commands to establish persistence, clear tracks, and escalate privileges. Where PowerShell is used as part of such activity, this rule detects it and generates alerts that our SOC team responds to; EDR can also detect this kind of adversary behavior.


The rule above generates alerts whenever a system audit policy is changed. In the Cisco attack scenario, the attacker escalated privileges and, having done so, could alter audit policy to cover their tracks or to plant a backdoor in the environment. This detection rule would trigger at that point and raise an alert.

The image above shows the level of detail available for each alert: every piece of information associated with the event that triggered the rule is captured alongside the alert.

SharkStriker also provides security baseline rules, that is, a minimum set of system configurations intended to stop unwanted applications or processes from performing unusual activity on the system. Security baseline standards matter most in scenarios like this one, where the attacker exploited human failure rather than a flaw in the system. SharkStriker collects logs and generates alerts on the SIEM platform to verify that these baselines are being followed and to keep operations running smoothly.

Conclusion

In any attack, human error is the weakest and most consequential factor, because in the end machines are operated by people. In this case the attackers focused on social engineering to obtain credentials and access to the system. The victim had also synced corporate credentials to a personal Google account, which is poor practice. The incident therefore points to a failure of basic security practices that any organization should follow to prevent such attacks.