By Augusto Barros, VP, Cyber Security Evangelist
Threat advisories and reports are always fun to read. They provide the latest information about threat behavior: what real-world threat actors have been doing to breach organizations around the world. As fun and exciting as these reports are, most readers are left, at the end of the day, with the inglorious task of ensuring these threats cannot succeed in their own environments. When we see the level of complexity of the latest threats, it is easy to realize that winning against them is no easy task. That’s why we decided to start this series of blog posts, “Blue Team Debriefings”. These posts are intended to provide insights for defenders on what could and should be done to protect against the threats our team describes in the Securonix Threat Labs Security Advisories. Although it is not necessary to read the threat advisories in order to understand and benefit from the guidance provided in the Blue Team Debriefings, these posts are written as a complement to the advisories, and we recommend that blue teams read them together.
Our first Blue Team Debriefing is about STEEP#MAVERICK. Enjoy!
STEEP#MAVERICK, the TL;DR edition
This campaign appears to target multiple military/weapons contractor companies, including what is likely a strategic supplier to the F-35 Lightning II fighter aircraft. Although we would usually expect highly advanced attacks against that type of target, the attack chain is quite simple: spearphishing with an attachment, followed by an execution chain that goes through multiple stages of obfuscation and counter-forensics, in addition to the usual download of a second-stage payload. One interesting addition is a CDN (Cloudflare) in front of the remote infrastructure, which adds further challenges for network-based prevention and detection measures.
What is this malware being used for? It is too early to tell, as we have not been able to decode the last payload we obtained (we believe the campaign was completed, and our theory is that the file was replaced in order to prevent further analysis).
Defending against STEEP#MAVERICK
The most obvious defensive measure against this campaign targets the initial infection vector: phishing. Any blue team knows how hard it is to prevent users from clicking links or opening attachments from a phishing email. Even without expecting complete success, user awareness and training have a direct impact on the likelihood of the malware in these messages being executed in the first place. It may sound boring or simplistic, but reinforcing training and awareness is one of the defensive steps to take here.
But user awareness is not the only chance we have to avoid the execution of this malware. In this case, ZIP attachments containing files with .lnk extensions are being used. Technology is not a silver bullet either, but any average email security solution includes controls that can filter messages like this. Configuring these solutions with more aggressive filtering settings can be an uphill battle, but a worthwhile one. Some suggestions on how an organization can tighten its email filtering settings include:
- Incident response post-mortem metrics: IR can provide a wealth of information regarding successful initial vectors in your organization. Coming to a meeting to discuss the application of filters with data illustrating how the current settings are affecting the organization in real incidents is probably the best way of getting the approval to tighten them up.
- Breach and attack simulation (BAS) tools: Real world testing where simulated campaigns are triggered, with and without the proposed controls, will provide direct evidence of the effectiveness of the controls.
- Piloting settings: Some email filtering solutions allow different settings for different groups of users. Using a select group to test the tighter controls can not only provide evidence of their effectiveness, but also confirm that the negative effects are not severe enough to prevent them from being applied to the broader user base.
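As an added example (not from the original post or from Securonix), here is the kind of check an attachment filter can run to flag ZIP attachments that carry .lnk files, covering the double-extension, nested-archive and encrypted-archive cases that a naive extension check misses. The risky-extension list and the nesting limit are assumptions for this example.

```python
import io
import zipfile

# Extensions treated as executable content when found inside an archive.
# The set is an assumption for this example; a real policy would be broader.
RISKY_EXTENSIONS = {".lnk", ".exe", ".js", ".vbs", ".hta", ".scr"}
MAX_DEPTH = 3  # nested archives deeper than this are reported, not descended

def risky_entries(zip_bytes: bytes, depth: int = 0) -> list[str]:
    """Return member names with a risky extension, descending into nested ZIPs.
    Archives that cannot be inspected (unparseable, encrypted, nested too deep)
    are reported as findings rather than silently passed."""
    if depth > MAX_DEPTH:
        return ["<nesting too deep>"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["<unparseable archive>"]
    findings = []
    for info in archive.infolist():
        if info.is_dir():
            continue
        name = info.filename
        if info.flag_bits & 0x1:  # encrypted member: cannot be inspected
            findings.append(f"{name} <encrypted>")
            continue
        # Compare only the LAST extension, case-insensitively, so "Brochure.pdf.LNK" is caught.
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(name)
        elif ext == ".zip":
            inner = archive.read(info)
            findings.extend(f"{name}/{m}" for m in risky_entries(inner, depth + 1))
    return findings

def should_quarantine(zip_bytes: bytes) -> bool:
    return bool(risky_entries(zip_bytes))

def build_zip(members: dict[str, bytes]) -> bytes:
    """Build a sample attachment in memory (used only to construct test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: a .lnk hiding behind a document-looking double extension.
    sample = build_zip({"Company_Brochure.pdf.LNK": b"L\x00\x00\x00", "readme.txt": b"hi"})
    print(risky_entries(sample))  # ['Company_Brochure.pdf.LNK']
```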
The major pain point of this threat is its heavy use of evasive techniques. There are eight stages intended to obfuscate, avoid sandboxes and forensic analysis, and disable prevention and detection controls. Many recommended security measures (those you have in place already…right?), such as logging PowerShell usage (including script block logging) and running anti-malware software, are targeted by these evasive steps.
Disabled security controls can be detected with security configuration assessment (SCA) solutions, and in many cases the steps taken to disable security controls generate events that are sent to SIEMs like Securonix. Rules that immediately alert on these events, or that considerably raise the risk score of the affected users and endpoints, should be part of the content deployed on the SIEM. The scenarios that trigger these rules should be tested regularly. This is a great example of how BAS can support your threat detection capability: BAS tools can not only provide evidence that controls are currently disabled, but also directly disable controls as part of testing to check whether that activity is being logged and detected, as shown in this example from Atomic Red Team.
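An added example, not from the original post, of the SIEM-side logic described above: rules that match the events produced when PowerShell script block logging or Defender real-time protection is turned off, with an immediate alert for some rules and a per-host risk score for the rest. The flat event schema, field names and scores are assumptions; Sysmon event 13 and Defender event 5001 are real Windows event IDs, but the sample events themselves are constructed.

```python
import re
from collections import defaultdict

# Rules name the log source and event ID they apply to plus regexes each event field must
# match. Field names and the flat event schema are assumptions; map them to your SIEM's fields.
RULES = [
    {"name": "PowerShell script block logging turned off via registry",
     "source": "sysmon", "event_id": 13, "score": 40,
     "match": {"target_object": r"ScriptBlockLogging\\EnableScriptBlockLogging$",
               "details": r"DWORD \(0x0+\)"}},
    {"name": "Defender real-time protection disabled",
     "source": "defender", "event_id": 5001, "score": 50, "immediate": True, "match": {}},
    {"name": "Defender preferences weakened from a command line",
     "source": "security", "event_id": 4688, "score": 30,
     "match": {"command_line": r"(?i)Set-MpPreference\s.*-Disable\w+"}},
]
ALERT_THRESHOLD = 60  # cumulative per-host score that also raises an alert

def match_rule(rule, event):
    if event.get("source") != rule["source"] or event.get("event_id") != rule["event_id"]:
        return False
    return all(re.search(rx, str(event.get(f, ""))) for f, rx in rule["match"].items())

def evaluate(events, threshold=ALERT_THRESHOLD):
    """Return (hits, per-host scores, hosts to alert on). An 'immediate' rule alerts on its
    own; otherwise scores accumulate per host so several weaker signals still surface."""
    hits, scores, alert_hosts = [], defaultdict(int), set()
    for ev in events:
        for rule in RULES:
            if match_rule(rule, ev):
                hits.append((ev["host"], rule["name"]))
                scores[ev["host"]] += rule["score"]
                if rule.get("immediate"):
                    alert_hosts.add(ev["host"])
    alert_hosts |= {h for h, s in scores.items() if s >= threshold}
    return hits, dict(scores), sorted(alert_hosts)

# Constructed sample events (not real telemetry) in the simplified schema above.
SBL_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging"
SAMPLE_EVENTS = [
    {"host": "WS-101", "source": "sysmon", "event_id": 13, "target_object": SBL_KEY,
     "details": "DWORD (0x00000000)"},
    {"host": "WS-101", "source": "security", "event_id": 4688,
     "command_line": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS-202", "source": "sysmon", "event_id": 13, "target_object": SBL_KEY,
     "details": "DWORD (0x00000001)"},  # logging turned on: benign, must not match
    {"host": "WS-303", "source": "defender", "event_id": 5001,
     "message": "Real-time protection is disabled."},
]
```

Running `evaluate(SAMPLE_EVENTS)` flags WS-101 on accumulated score and WS-303 on the immediate rule, while the benign registry change on WS-202 produces no hit.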
Although STEEP#MAVERICK includes some advanced techniques, it does not leverage zero-days. The best practices associated with most of what it does are well known, but not necessarily easy to implement (after all, the CFO really MUST be able to receive ZIP files with .lnk files inside them!). Leveraging compliance and regulatory initiatives may help push these controls into production. Some of the CIS Critical Security Controls safeguards that could help against this threat include:
- 8.8 Collect command-line audit logs
- 8.9 Centralize audit logs
- 8.10 Retain audit logs
- 9.6 Block unnecessary file types
- 9.7 Deploy and maintain email server anti-malware protections
- 10.7 Use behavior-based anti-malware software
- 14.1 Establish and maintain a security awareness program
- 14.2 Train workforce members to recognize social engineering attacks
- 18.4 Validate security measures
Even if proactive measures such as blocking certain types of attachments are not viable, there are many opportunities to detect the steps taken in this campaign. Applying security monitoring to a broad set of attack techniques is a great way to detect not only this campaign, but any attack.
Attackers have so many ways to apply obfuscation and evade security controls that the need to continuously test your defenses is clear. Blue teams should incorporate that practice into their processes, whether supported by BAS, by open source tools, or by partnering with an existing red team.
Finally, although not covered here, blue teams should always use the IOCs and search queries included in the threat advisories to ensure they have not been affected by the campaign described. And if you want to know more about how to run those queries in the most efficient manner, saving time and resources, check out Autonomous Threat Sweeper.