eSentire Managed Detection and Response (MDR) is an all-encompassing cybersecurity service that detects and responds to cyberattacks. Using signature, behavioral and anomaly detection capabilities, plus forensic investigation tools and threat intelligence, our Security Operations Center (SOC) analysts hunt, investigate and respond to known and unknown cyber threats in real time, 24x7x365.
This report provides a snapshot of all events investigated by the eSentire SOC in Q2 2018. It provides visual data analysis, written analytical analysis, practical recommendations and key assumptions for readers seeking to understand and better respond to the cybersecurity threat landscape.
A massive uptick in Microsoft Internet Information Services (IIS) attacks, from two thousand in Q1 2018 to 1.7 million in Q2 2018, leads the highlights for eSentire’s Q2 2018 Quarterly Threat Report. Most sources targeting IIS web servers originated from China-based IP addresses. According to Shodan, there are 3.5 million IIS web servers exposed, with one million in China. On the eSentire threat surface, Tencent and Alibaba were the dominant ASNs observed carrying out attacks.
Aside from IIS, Drupal and Oracle WebLogic were commonly targeted web technologies, involved in many exploit campaigns throughout the quarter. The largest percentage of these attacks originated from infrastructures that contained compromised Apache servers.
Biotechnology, Accounting, Real Estate, Marketing, and Construction were the top verticals that experienced the highest amount of traffic due to outdated vulnerabilities. A high volume of exploit attempts does not typically indicate one industry is targeted over another. Rather, it is representative of their exposure to opportunistic attacks. Regardless of industry, most attackers are probably looking to drive ad revenue or adopt compromised servers into their attack infrastructure.
Opportunistic attacks look for misconfigurations and negligence within patching and updating. The reason attacks continue is because most organizations have internal systems they hesitate to update for fear it will change or break something and accidentally expose systems to a firehose of exploits. Or, they are unaware that a patch is necessary or underestimate the gravity of failing to patch. This is an easily rectifiable problem that lingers for many.
During the quarter, eSentire observed successful exploit attempts like Drupalgeddon2 and EternalBlue intrusions due to misconfigurations or absence of routine patching. There also was an increase in phishing attacks that used shipping invoice lures, although the use of DocuSign for lures declined.
eSentire esENDPOINT continues to provide greater context on methods employed by threat actors. It identifies specific techniques that do not involve network communication, such as obfuscated PowerShell and hijacking of trusted Windows processes. In fact, in Q2 2018, the eSentire detection surface revealed a 50 percent increase in obfuscated PowerShell commands, partly due to Emotet, a sophisticated malware. Emotet remains a popular choice for threat actors and was the most frequently observed malware due to numerous version updates and feature additions since it was first reported in 2014.
The combination of eSentire’s esENDPOINT, esNETWORK, esRECON, and esLOG+, combined with the expertise of the eSentire SOC analysts, provides the complete picture of a customer’s IT environment. eSentire SOC analysts leverage the power of big data analytics, machine learning, customized rule-sets, and behavioral analysis to make sense of expected and unexpected events and behaviors across the IT environment to identify and respond to potential threats.
Q2 2018 KEY POINTS AND TAKEAWAYS
- Biotechnology was the most exposed industry, followed by Accounting, Real Estate, Marketing, and Construction.
- Attacks were typically failed opportunistic attempts against outdated vulnerabilities.
- A small number of exploit attempts were successful due to misconfigurations or absence of routine patching.
- Successful Drupalgeddon2 and EternalBlue intrusions were observed this quarter due to firewall misconfigurations and patch neglect.
- IIS, Drupal, and Oracle WebLogic web technologies experienced increased attacks. IIS attacks alone showed a 782x increase, from two thousand to 1.7 million, since Q1 2018. eSentire continues to see attacks against IIS continuing into Q3 2018.
- Attacks against IIS and WebLogic likely originate from infrastructure that contains a large number of compromised Apache servers, among other publicly exposed servers.
- GPON home routers were attacked after proof-of-concept (PoC) code was released. eSentire continues to see home router exploits through Q3 2018.
- Increased use of shipping invoice lures.
- Use of DocuSign lures declined, but remains a popular lure for phishing attacks.
- Emotet is a sophisticated malware that continues to be a popular choice for hackers.
- Both endpoint and network security solutions are required to provide a complete picture.
- PowerShell continues to be a popular execution technique.
- Obfuscated malicious PowerShell commands increased 50 percent in Q2 2018.
- Emotet made use of obfuscated PowerShell.
- Endpoint solutions provide greater context around techniques employed by threat actors.
- Endpoint events can identify specific techniques leveraged by threat actors that do not involve network communication, such as obfuscated PowerShell and hijacking of trusted Windows processes.
- Network visibility, however, is still required to understand the complete picture.
MOST AFFECTED INDUSTRIES
Four million potentially hostile events resulted in 57,000 alerts sent from eSentire’s SOC between April 1 and June 30, 2018. Normalizing by sensor count, the top five affected industries were Biotechnology, Accounting Services, Real Estate, Marketing, and Construction (Figure 1).
Figure 1: Top 5 industries experiencing verified hostile traffic.
Intrusion attempts in Q2 2018 made up a large portion of attacks observed on the eSentire detection surface. Most of these attempts targeted commonly used web technologies, such as IIS (30 percent), WebLogic (24 percent), and Apache (less than one percent). A high volume of exploit attempts does not typically indicate one industry is targeted over another. Rather, it is representative of their exposure to opportunistic attacks.
Attacks against most industries were made up largely of remote code execution exploit attempts against IIS version 6.0. Although a patch was made available in 2017 for the associated vulnerability (CVE-2017-7269), a series of opportunistic campaigns sprang up in April 2018 (Figure 2) looking for unpatched systems. The attacks did not appear to target a particular industry. In the same time frame, Trend Micro and F5 Networks reported several cases of the IIS exploit being used to plant cryptominers on vulnerable servers.
Analysis of attacks per IP reveals that Drupalgeddon and GPON demonstrated a high degree of attacks from a small number of IPs, compared to IIS and WebLogic exploits, which maintained a consistent number of attacks per IP (about 200) across organizations (Figure 2, top right).
Most IIS exploit attempts were coupled with attempts against Oracle’s WebLogic service (CVE-2017-10271). It is unclear whether these exploit campaigns were related to cryptomining.
For Biotechnology, the IIS 6.0 and WebLogic exploit were dominant, and this industry also faced web server exploits primarily against PHP and Apache Struts. Real Estate experienced high volumes of D-Link home router exploit attempts. Marketing was subjected to a high volume of D-Link exploit attempts and a sizable degree of malicious PowerShell activity. Finally, Construction experienced a large amount of Drupalgeddon2 attacks.
All five of the top industries experienced a larger share of information gathering events (scans) versus other industries, further indicating a more exposed threat surface. Another common web exploit for all of these industries was the Apache Struts OGNL Expression Injection (CVE-2017-5638), which was highest in Accounting Services. This exploit gained popularity following its usage in the Equifax breach.
Phishing Lures Across Industry
Construction, Education, and Marketing experienced the largest amount of confirmed phishing attacks, with DocuSign dominating the lures observed (Figure 3). Likely, these industries make frequent use of DocuSign in handling digital invoices and quotes due to remotely based business relationships and employees. Healthcare experienced a larger diversity of phishing lures, but no one lure dominated. This is likely because healthcare providers interact with diverse groups, such as employees, other healthcare providers, managed service providers, and patients, so they are apt to use more varied technology, making it easier for different lures to appear familiar. Meanwhile, lures observed in the Energy, Entertainment, and Lobbying verticals primarily imitated OneDrive. For more details on phishing, see the PHISHING section below.
Figure 3: Lures used across industries.
Malware Across Industry
Malware events from network data consisted mostly of detections that catch malware utilizing internet communications, such as C2 beaconing, internet connectivity checks, and use of known bad user-agents. The most commonly observed detections related to Kovter, Coinminers, and DNSChanger, and were most frequently observed in Education, Healthcare, Real Estate, Marketing, and Construction (Figure 4).
Figure 4: Malware events observed across industries.
Reputation Blocks Across Industry
Reputation blocks (Figure 5) occur when known bad IPs are detected trying to establish connections with monitored clients. The majority of these IPs earn their negative reputation through opportunistic scanning and exploitation attempts, so reputation block volume serves as a proxy for industry exposure and also can indicate some degree of targeting. For example, Accounting Services and Construction are known to have large threat surfaces, but not Finance. Therefore, it is plausible that Finance experiences a larger volume of reputation blocks due to targeting.
Figure 5: Reputation Blocks observed in Q2
The second quarter of 2018 was host to many exploit campaigns with some indication that the Muhstik botnet may have played a role in Drupalgeddon2, WebLogic exploits and GPON exploits. While numerous Apache Struts and PHP web server attempts were scattered throughout the quarter, four main exploits were observed (Figure 6) targeting IIS, Drupal, and WebLogic servers, as well as GPON routers.
A useful method to classify attacks over a finite period is to group attacking IPs by the unique set of exploits attempted during that period. For example, some IPs only attempted an IIS or WebLogic exploit, while other IPs attempted both (Figure 6). The IPs attempting IIS and WebLogic persisted throughout the quarter (Figure 6, blue), but those tended to rise with the emergence of other potential campaigns, indicating some threat actors may have an array of botnets in different configurations.
Figure 6: Attacking IPs grouped by exploit combination attempted.
- March 23, 2018: A walkthrough on IIS exploits was published. Soon after, exploit attempts against WebLogic and IIS were observed (Figure 6, blue), peaking on April 1. During this time, a separate group of attacking IPs were observed exploiting only WebLogic servers (Figure 6, grey). It is possible that both IP groups operated under a single threat actor. The Muhstik botnet recently was associated with Drupalgeddon and WebLogic exploits. It is plausible the majority of these attacks are related to Muhstik activity.
- April 13, 2018: An exploit targeting Drupal servers (CVE-2018-7600) was published (dubbed Drupalgeddon2), followed immediately by an uptick in Drupal exploits (Figure 6, green). GreyNoise Intelligence observed a 95 percent overlap between IPs involved in Drupalgeddon2 and those involved in WebLogic attacks.
- May 3, 2018: An exploit for Dasan GPON routers was published. Soon after, Drupalgeddon2 and GPON exploits started to surface. Researchers at NetLab worked with the security community to shut down some of its servers. However, by May 10, the botnet rotated to a new server and detections soared (Figure 6, red). The uptick in GPON exploits was observed alongside an uptick in WebLogic and IIS exploits, indicating the two IP groups may be controlled by a single threat actor.
- Mid-June, a group of IPs emerged exploiting only IIS servers. There were no clear indicators from external sources during this period. However, it is worth noting that during this time, there also was an uptick in WebLogic and IIS exploiting IPs as before.
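The grouping method described above (classify each attacking IP by the unique set of exploits it attempted over the period, then track each group over time) and the attacks-per-IP comparison from the industry section can be reproduced with a few lines of analysis code. The following is an added example, not eSentire's tooling; the alert records are constructed and the exploit labels and dates are placeholders chosen to mirror the report's timeline.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample of IDS alerts: (source IP, exploit signature, alert date).
# Addresses are documentation ranges (RFC 5737); nothing here is real data.
ALERTS = [
    ("203.0.113.10", "IIS",      date(2018, 4, 1)),
    ("203.0.113.10", "WebLogic", date(2018, 4, 1)),
    ("203.0.113.11", "WebLogic", date(2018, 4, 1)),
    ("203.0.113.12", "IIS",      date(2018, 4, 1)),
    ("203.0.113.12", "WebLogic", date(2018, 4, 2)),
    ("198.51.100.5", "Drupal",   date(2018, 4, 14)),
    ("198.51.100.5", "Drupal",   date(2018, 4, 15)),
    ("198.51.100.6", "Drupal",   date(2018, 4, 15)),
    ("198.51.100.6", "GPON",     date(2018, 5, 10)),
    ("192.0.2.7",    "IIS",      date(2018, 6, 15)),
]


def exploit_combos(alerts):
    """Map each source IP to the frozenset of exploits it attempted in the window."""
    seen = defaultdict(set)
    for ip, exploit, _day in alerts:
        seen[ip].add(exploit)
    return {ip: frozenset(exploits) for ip, exploits in seen.items()}


def group_sizes(alerts):
    """Number of attacking IPs per exploit combination (the groups of Figure 6)."""
    return Counter(exploit_combos(alerts).values())


def daily_group_activity(alerts):
    """Distinct active IPs per (day, combination group).

    An IP's group is fixed by everything it tried over the whole window, so the
    series shows when an established group ramps up or goes quiet, which is the
    view used above to relate the IIS+WebLogic group to later campaigns.
    """
    combo_of = exploit_combos(alerts)
    active = defaultdict(set)
    for ip, _exploit, day in alerts:
        active[(day, combo_of[ip])].add(ip)
    return {key: len(ips) for key, ips in active.items()}


def attacks_per_ip(alerts):
    """Alerts divided by distinct source IPs, per exploit.

    A high ratio means many attempts from few sources (the Drupalgeddon/GPON
    pattern); a flat ratio across organizations suggests a broadly distributed
    scanner (the IIS/WebLogic pattern).
    """
    hits, sources = Counter(), defaultdict(set)
    for ip, exploit, _day in alerts:
        hits[exploit] += 1
        sources[exploit].add(ip)
    return {exploit: hits[exploit] / len(sources[exploit]) for exploit in hits}


def label(combo):
    """Human-readable group name, e.g. 'IIS+WebLogic'."""
    return "+".join(sorted(combo))


if __name__ == "__main__":
    for combo, count in group_sizes(ALERTS).most_common():
        print(f"{label(combo):<16} {count} IPs")
    for (day, combo), count in sorted(daily_group_activity(ALERTS).items()):
        print(f"{day} {label(combo):<16} {count} active")
    print(attacks_per_ip(ALERTS))
```

In practice the window matters: an IP that adds a new exploit late in the quarter moves between groups, so the report's quarter-long window is what makes the "IIS and WebLogic" group stable enough to compare against the short-lived Drupal and GPON groups.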
The majority of sources targeting IIS web servers originated from China-based IP addresses (Figure 7). Tencent and Alibaba were the dominant ASNs observed carrying out attacks on the eSentire threat surface.
Attack Infrastructure for WebLogic and IIS Exploits
Use of compromised hosts for launching attacks is commonly observed across the eSentire detection surface. This tactic reduces the effectiveness of reputation-based controls and complicates attribution efforts by threat researchers. Investigation was performed on attacking infrastructure using Shodan’s historical records.
Figure 8: Top five results for the total (top) and relative (bottom) server make up of attacking IPs.
Throughout Q2 2018, eSentire observed IIS and WebLogic attacks originating from servers hosting Apache, RDP, SQL, IIS, and HTTP API services. In April, a larger share of IIS servers was observed participating in the attacks (Figure 8). Moving into May, RDP servers reached nearly 50 percent of attacking infrastructure right at the beginning of another attack. On May 2, SQL servers dominated the records for a short time. Throughout June, servers hosting RDP, SQL, and IIS continued to make significant contributions to the attacks.
Most of the records included known potential vulnerabilities based on server software version. Vulnerability records for attacking servers showed a steady increase (Figure 9). The majority of this growth appeared to come from Apache HTTP Servers, version 2.4.23. In the same period, records reporting vulnerabilities in IIS 7.5 and HTTP Server 2.4.10 appeared to diminish.
Besides the top five servers (Figure 8), there was an interesting collection of other servers. Over 400 of the attacking IPs had Shodan records indicating they were Windows machines (including XP, 7, 8, 2008, and 2012). Nearly 350 FTP servers and more than 100 mail servers were reported. There also were VPN servers, MikroTik devices (reported as bandwidth-testing servers), Kangle, Squid, Jetty, and a handful of lesser-known web service technologies.
Figure 9: Vulnerability records for IPs attempting IIS 6.0 exploit.
In the first quarter of 2018, Recorded Future reported a combination of compromised MikroTik, Apache, and IIS devices performing DDoS attacks as part of a Mirai botnet. Therefore, it is conceivable that several botnets played a role in exploit campaigns observed over the second quarter. The tendency for threat actors to compromise and recruit any available devices is a recent trend that increases the resiliency of the botnet’s infrastructure against takedowns. Automation of compromise procedures helps the botnet maintain growth, therefore sustaining high attack volumes.
Phishing continues to be a popular attack vector. An uptick in lures mimicking shipping and eFax services was observed in Q2 2018. The use of internet service phishing lures (Google, DocuSign, Dropbox, etc.) significantly declined (Figure 10), possibly due to reduced activity, but also could be a result of attackers rotating to HTTPS. Rotation to secure HTTPS can obscure indicators used to detect phishing pages and behaviors. None of the shipping and eFax lures were successful. However, eSentire Threat Intelligence expects to see increased success with shipping lures during the holidays, when people expect packages. Despite an approximate 70 percent decline, DocuSign remains the most popular lure (Figure 11, right). This is likely because DocuSign dominates the market (49 percent) for electronic document signing software.
The severity of credential theft often relates to why services’ credentials were compromised and how integrated the service is with the victim business. For example, theft of Facebook credentials is more likely to affect an employee’s personal life than disrupt business functions, but theft of DocuSign or Dropbox credentials could have serious impact on a business. When credentials are reused for multiple accounts in an organization or service, compromise of those credentials can have even more severe implications.
Figure 11: Industries affected (left) and most popular lures (right)
Most Successful Days for Phishing
Phishing detections do not generally occur on weekends when employees are less likely to click malicious links and submit credentials. During weekdays, employees are more likely to click on phishing links Tuesday through Thursday (Figure 12, left). On Fridays, not only are employees less likely to click links, they are also less likely to submit credentials (Figure 12, right).
Reduction of phishing events on Monday and Friday is plausibly due to the fact that employees respond to higher priority emails. On Mondays, employees likely have a larger volume of mail to catch up on and unrecognized phishing emails could be ignored initially. Similarly, Friday email management may consist mostly of writing emails regarding weekly deliverables rather than reading unfamiliar emails. A reduction in workplace attendance on Fridays and Mondays, due to extended weekends and employee work culture, may also play a role.
While 17 percent of phishing links clicked occur on a Friday, only 10 percent of the week’s credential submissions happen on a Friday. In a given day, this seven percent difference is the largest gap between links clicked and credentials submitted, indicating that employees are less likely to follow through on a given phishing link. This is likely a result of diminishing productivity near the weekend break. Lower productivity and emphasis on high priority tasks on Friday could mean that less important tasks are not completed, including being lured by phishing emails.
Figure 12: Distribution of phishing clicks (left) and credential submission (right) throughout the work week. Percentages represent what fraction of all phishing incidents took place on that day.
Figure 13: Samples submitted for automated malware analysis and resulting identification.
Analyzed samples fell into four categories based on the number of suspicious and malicious tasks observed during sandbox detonation (Figure 13). The reputation of malicious files also was considered, based on recognized file hash (Figure 14). Malicious samples are determined to have malicious intent, while suspicious files raised some flags based on sandbox behavior. Ambiguous files can be false positives or stealthy malware, while benign samples are considered safe. However, these classifications are to be used as guidelines, as each sample requires manual review to determine whether it is malicious. Analysts decide based on the threat rating and other properties of the malware provided by sandbox analysis. Many unrecognized, but legitimate, applications can result in a malicious flag, while stealthy malware can sometimes be flagged as benign.
At the time of submission, identification of samples is performed during automated analysis (sandboxing). Unidentified samples are later manually reviewed by an analyst. The sandbox leverages anti-virus definitions to identify malware by known, observed hashes. Most anti-virus feeds (89 percent) can identify WannaCry, a year-old ransomware virus, while captured Panda samples enjoyed a 15 percent detection rate among anti-virus vendors. Emotet, a four-year-old banking trojan, continues to evolve and emerge with an average 22 percent detection rate among anti-virus solutions for the quarter.
If detection rates are mapped against quarter-over-quarter change in samples observed, a negative correlation is found (Figure 15), indicative of a tendency for threat actors to rotate toward malware with a low detection rate (such as Panda) and away from malware with a high detection rate (such as Crysis). However, given the low occurrence of some samples, sample bias must be considered.
Additionally, there are other factors involved in malware choice, such as the availability and capabilities of the malware. For example, despite Emotet’s higher rate of detection compared to njRAT, it was the most frequently observed named malware in Q2 2018 due to numerous version updates and feature additions since first reported in 2014. Emotet’s malware authors appear to have rotated from a single-purpose banking trojan to a generalized malware downloader over the course of its evolution. Malware authors will respond to high detection rates with added evasion techniques. For example, Emotet is known to employ polymorphism, in which code implementation and file hashes are frequently changed to avoid identification.
Emotet Dominates Malicious Document Events
Malicious documents (such as .pdf and .doc files) are modified to carry malicious payloads. Download and execution of the malware may only require that the document be opened. Most malicious documents arrive at an organization through email spam but can sometimes be downloaded from malicious websites.
Emotet and Hancitor were present throughout the quarter. A large volume of Emotet submissions were observed starting in May (Figure 16). Initially, the samples were not identified as Emotet by sandbox solutions and required hand labeling (Figure 16, Untagged Emotet). Around June 5, anti-virus feeds began identifying Emotet samples (Figure 16, Tagged Emotet) just as public reports emerged. It is likely that this delay between the beginning of May and June 5 represents the approximate time it takes for anti-virus solutions to catch up to evasion tactics of malware authors.
Through network monitoring, Emotet infections were observed attempting to establish a C2 beacon throughout April, then again in June (Figure 17). Many of these detections came in the form of reputation blocks, in which proactive security controls intercepted communications from known, hostile infrastructure. In lieu of endpoint solutions that can detect Emotet’s presence on a device, network detection relies on Emotet reaching out to its C2 server post infection. Monitored endpoint security controls often detect Emotet samples before attempting C2 communications. Further, endpoint protections and network-based protections are made effective by different intelligence streams not always synchronized with each other. Therefore, the combination of network and endpoint solutions tells a more complete story than either technology alone (Figures 16 and 17).
While 50 percent more Emotet samples were submitted in Q2 (Figure 15), the number of endpoints observed attempting check-ins rose by more than 500 percent (Figure 18). The discrepancy highlights the fact that, for each incident, only one sample is submitted, but more than one device can often be infected with a particular sample.
Malicious Document Lures
Analysis of lures used for Emotet showed that documents claiming to be invoices were a popular choice (Figure 19). Forty-nine percent of Emotet samples included “invoice,” “payment” or “account” in their filename. The filenames of unspecified documents often consisted only of random strings of numbers and letters. The context for these documents was likely in the body of the email message used to deliver the document. A small number (two percent) of Emotet documents were disguised as IRS forms. For Emotet’s competitor, Hancitor, fax documents were the popular lure (25 percent).
Emotet – A Matured Malware
Emotet was first observed in 2014, functioning as a banking trojan, but has since evolved into a sophisticated and modular malware downloader, typically used to deliver other banking trojans while still retaining its own functionality as a banking trojan. Malicious documents carrying the Emotet downloader are disguised as business-critical documents, such as invoices, shipping forms, and IRS tax forms.
Apart from the payload, Emotet was observed using its worm capability, spreading to internal systems through additional phishing emails and SMB enumeration. The Emotet downloader relies on several different techniques, including Outlook account scraping, user-account brute-forcing, and known password recovery tools. Organizations that leave SMB open, use simple passwords, and reuse passwords across services are susceptible to Emotet propagating across their network. Even when passwords are not successfully guessed, brute-force behavior can cause lock-outs. This inconvenience can consume helpdesk resources and degrade the organization’s environment until infected machines are quarantined. Therefore, Emotet is considered a serious, sophisticated, and impending threat. While defending against Emotet is greatly facilitated by information sharing in the security community, the best defense starts with employee hygiene around emails and web pages.
Protecting Against Emotet
To mitigate worming capabilities, SMB communications between systems in a network should be restricted via group policy settings or in the configuration of Host-based Intrusion Prevention Systems (HIPS). For example, create a group policy that restricts inbound client-to-client SMB connections.
To mitigate spread through automated phishing, known malspam indicators (including subject lines, body text, domains, and IP addresses), should be blocked via email security appliances.
The principle of least privilege is a general security best practice with implications beyond Emotet. Ensure that each user has the minimal permissions required to complete objectives and that administrative privileges are restricted to designated administrative personnel.
Not surprisingly, endpoint solutions detected a large degree of Emotet malware, but malicious PowerShell scripts constituted the majority of events. However, because Emotet utilizes PowerShell, it is likely that some PowerShell detections are the result of Emotet. Use of obfuscated PowerShell commands increased 50 percent from last quarter, partly due to Emotet.
Endpoint solutions facilitate observation of execution, evasion, and persistence tactics. Among execution tactics, the most common technique observed was the use of PowerShell at 32 percent, followed by VBA Scripting at 21 percent (Figure 20). Leveraging trusted processes, such as mshta and regsvr32, was also popular. Of the PowerShell-based attacks observed, 83 percent used obfuscated command lines in an attempt to hide their intentions.
Overall use of PowerShell held steady, but tactics employed by malware continue to evolve. Observations of malicious PowerShell in Q2 2018 showed a slight decrease in unique PowerShell commands (48 in Q1 vs. 44 in Q2) and a corresponding two percent decrease in obfuscation techniques. About half of malicious PowerShell events tend to utilize command obfuscation. The use of multiple obfuscation tactics in each event increased 20 percent, demonstrating increased sophistication over the previous quarter.
Among techniques observed, character arrays, string joins, and secure string to BSTR increased for the quarter (Figure 21). The split technique was not observed in Q1, but five instances were captured for Q2. Encoded commands, invoked expressions, and stream compression were on the decline. See Box 1 for obfuscation tactic details.
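The tactic names above (character arrays, string joins, SecureString-to-BSTR, split, encoded commands, invoked expressions, stream compression) map naturally onto a per-command-line detector that both flags obfuscation and counts how many distinct tactics an event combines, which is the "multiple obfuscation tactics" measure the report tracks. The following is an added example written for this report, not eSentire's detection logic; the regular expressions are assumptions about what each tactic looks like on a command line, and the sample command lines are constructed (the encoded-command argument is placeholder base64, not a real payload).

```python
import re
from collections import Counter

# Indicator patterns for the obfuscation tactics named in the report.
# These regexes are this example's assumptions, not eSentire's rules; real
# telemetry needs tuning for false positives (e.g. legitimate -join usage).
TACTICS = {
    "encoded_command":    re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/]{16,}={0,2}"),
    "invoke_expression":  re.compile(r"(?i)\b(?:invoke-expression|iex)\b"),
    "char_array":         re.compile(r"(?i)\[char(?:\[\])?\]"),
    "string_join":        re.compile(r"(?i)(?:-join\b|\[string\]::join)"),
    "split":              re.compile(r"(?i)(?:\.split\(|\s-split\s)"),
    "securestring_bstr":  re.compile(r"(?i)securestringtobstr"),
    "stream_compression": re.compile(r"(?i)(?:gzipstream|deflatestream)"),
}

# Constructed sample command lines as an EDR sensor might record them.
# None of these do anything harmful; the base64 argument is filler.
SAMPLE_CMDLINES = [
    'powershell.exe -NoProfile -Command Get-Process',
    'powershell -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==',
    'powershell -c "iex (-join [char[]](87,114,105,116,101))"',
    'powershell -c "$s = ConvertTo-SecureString -String secret -AsPlainText -Force; '
    '[Runtime.InteropServices.Marshal]::PtrToStringAuto('
    '[Runtime.InteropServices.Marshal]::SecureStringToBSTR($s))"',
    'powershell -c "(\'a,b,c\').Split(\',\')"',
]


def detect_tactics(cmdline):
    """Return the sorted list of obfuscation tactics present in one command line."""
    return sorted(name for name, pattern in TACTICS.items() if pattern.search(cmdline))


def is_obfuscated(cmdline):
    """True when at least one tactic fires."""
    return bool(detect_tactics(cmdline))


def summarize(cmdlines):
    """Aggregate a batch of events the way the report does: how many were
    obfuscated, how many stacked several tactics, and per-tactic counts."""
    tactic_counts = Counter({name: 0 for name in TACTICS})
    obfuscated = multi_tactic = 0
    for cmdline in cmdlines:
        found = detect_tactics(cmdline)
        tactic_counts.update(found)
        if found:
            obfuscated += 1
        if len(found) > 1:
            multi_tactic += 1
    total = len(cmdlines)
    return {
        "total": total,
        "obfuscated": obfuscated,
        "obfuscated_share": obfuscated / total if total else 0.0,
        "multi_tactic": multi_tactic,
        "tactic_counts": dict(tactic_counts),
    }


if __name__ == "__main__":
    for cmdline in SAMPLE_CMDLINES:
        print(detect_tactics(cmdline) or "clean", "<-", cmdline[:60])
    print(summarize(SAMPLE_CMDLINES))
```

Comparing two quarters' `summarize` output gives the unique-command, obfuscation-share and multi-tactic figures directly; the per-tactic counts are the input to a chart like Figure 21. Because tactics are matched independently, a single event that combines a character array, a join and an invoked expression is counted once in the obfuscated total but contributes to three tactic counts, which is the distinction behind the report's separate "multiple tactics" measure.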
The eSentire Threat Intelligence team used data gathered from 2,000+ proprietary network and host-based detection sensors distributed globally across multiple industries. Raw data was normalized and aggregated using automated machine-based processing methods. Processed data was reviewed by a visual data analyst applying quantitative analysis methods. Quantitative intelligence analysis results were further processed by a qualitative intelligence analyst resulting in a written analytical product.
eSentire is the largest pure-play Managed Detection and Response (MDR) service provider, keeping organizations safe from constantly evolving cyber-attacks that technology alone cannot prevent. Its 24×7 Security Operations Center (SOC), staffed by elite security analysts, hunts, investigates, and responds in real-time to known and unknown threats before they become business-disrupting events. Protecting more than $6 trillion in corporate assets, eSentire absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory requirements. For more information, visit www.eSentire.com and follow @eSentire.