
Intruders Use Virtual Machines on Infected PCs to Hide Their Actions


Batu69


SecureWorks observes new technique used by threat actors

Figure 1: Adversary's use of the MMC (mmc.exe)

SecureWorks reports on a new tactic used by threat actors, who are now attempting to install and run a virtual machine, with the purpose of hiding their malicious actions.

For the non-connoisseur, virtual machines are emulated file systems, most of the time complete with a fully running operating system that runs inside your existing operating system. In layman's terms, it is an OS inside your OS, allowing users to start Linux or Windows 98 just by clicking an icon on their desktop.

Virtual machines are generally used by software developers to test products and are often embedded in other applications, such as some security software.

Threat actor tried to install a new VM called "New Virtual Machine"

SecureWorks reports about a recent incident with one of their clients where their security platform detected some strange events on July 28, 2016.

After requesting more logs to analyze from the affected company's sysadmin, the researchers discovered the log lines that made their product trigger the alert.

"The adversary had achieved a level of access that allowed them to interact with the Windows Explorer shell via the Terminal Services Client," SecureWorks Counter Threat Unit (CTU) researchers noted.

"Figure 1 shows the threat actor using the Microsoft Management Console (MMC) to launch the Hyper-V Manager, which is used to manage Microsoft's virtual machine (VM) infrastructure," the team added.

VMs can hide malicious actions from security products

The intruder tried to start a virtual machine on the infected host. Fortunately for the compromised company, the machine the intruder had gained access to was itself a virtual machine, and virtual machines can't be nested inside each other.

The attacker failed in his attempt, but this shows a new tactic threat actors are now using to hide their activity on hacked systems.

Their plan is very smart and well thought through: after setting up and launching a virtual machine, they would have been able to connect to the VM and execute malicious actions, like exfiltrating sensitive data, out of the reach of security products.

Article source


This release left out some information that was included in its 15 August email release to security professionals and that might be of use to those interested in security. This is an extract of the actual logs. I am sure these hackers will perfect their attack in the near future, since they were within a cat's whisker of getting their VM to work.

Time (UTC)  Event Source/ID                           Description
12:50:06    Microsoft-Windows-Sysmon/1                Process started (mmc.exe virtmgmt.msc)
12:50:44    Microsoft-Windows-Hyper-V-VMMS/13002      New VM created
            Microsoft-Windows-Security-Auditing/4648  New logon attempt using explicit credentials
            Microsoft-Windows-Sysmon/6                Drivers loaded (vhdmp.sys, fsdepends.sys)
12:50:45    Microsoft-Windows-Hyper-V-VMMS/27311      New VM created
12:50:56    Microsoft-Windows-Sysmon/1                Process started (vmconnect.exe)
12:51:01    Microsoft-Windows-Hyper-V-VMMS/20144      VM failed to start
            Microsoft-Windows-Hyper-V-VMMS/15130      VM failed to start
12:51:08    Microsoft-Windows-Sysmon/5                Process terminated (vmconnect.exe)
12:51:14    Microsoft-Windows-Hyper-V-VMMS/13003      VM deleted
12:51:57    Microsoft-Windows-Sysmon/5                Process terminated (mmc.exe)
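As an added example (not SecureWorks' code or anything from the posts above), a small Python correlation over constructed events transcribed from the log extract: it flags a Hyper-V management tool being started (Sysmon event 1 for virtmgmt.msc or vmconnect.exe) that is followed, inside a window, by a VM being created and then deleted again, which is the create/use/destroy pattern the extract shows. The event ids come from the table; the 10-minute window and the tuple layout are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events transcribed from the log extract above (UTC, 2016-07-28);
# the tuple layout (time, source, event id, description) is an assumption.
SAMPLE_EVENTS = [
    ("12:50:06", "Microsoft-Windows-Sysmon", 1, "Process started (mmc.exe virtmgmt.msc)"),
    ("12:50:44", "Microsoft-Windows-Hyper-V-VMMS", 13002, "New VM created"),
    ("12:50:44", "Microsoft-Windows-Security-Auditing", 4648, "New logon attempt using explicit credentials"),
    ("12:50:44", "Microsoft-Windows-Sysmon", 6, "Drivers loaded (vhdmp.sys, fsdepends.sys)"),
    ("12:50:45", "Microsoft-Windows-Hyper-V-VMMS", 27311, "New VM created"),
    ("12:50:56", "Microsoft-Windows-Sysmon", 1, "Process started (vmconnect.exe)"),
    ("12:51:01", "Microsoft-Windows-Hyper-V-VMMS", 20144, "VM failed to start"),
    ("12:51:01", "Microsoft-Windows-Hyper-V-VMMS", 15130, "VM failed to start"),
    ("12:51:08", "Microsoft-Windows-Sysmon", 5, "Process terminated (vmconnect.exe)"),
    ("12:51:14", "Microsoft-Windows-Hyper-V-VMMS", 13003, "VM deleted"),
    ("12:51:57", "Microsoft-Windows-Sysmon", 5, "Process terminated (mmc.exe)"),
]

# Hyper-V management tooling whose launch is the trigger; VMMS event ids from the extract.
HYPERV_TOOLS = ("virtmgmt.msc", "vmconnect.exe")
VM_CREATED, VM_DELETED, VM_START_FAILED = {13002, 27311}, {13003}, {20144, 15130}

def parse(events, day="2016-07-28"):
    """Attach a date to the bare clock times so rows can be ordered and compared."""
    return sorted((datetime.fromisoformat(f"{day}T{t}"), src, eid, desc)
                  for t, src, eid, desc in events)

def detect_transient_vm(events, window=timedelta(minutes=10)):
    """Return one finding per Hyper-V tool start that is followed, within `window`,
    by a VM creation and a VM deletion; also note whether a start failure was seen."""
    parsed = parse(events)
    findings = []
    for ts, src, eid, desc in parsed:
        if not (src.endswith("Sysmon") and eid == 1 and any(t in desc for t in HYPERV_TOOLS)):
            continue
        later = [e for e in parsed if ts <= e[0] <= ts + window and e[1].endswith("Hyper-V-VMMS")]
        created = [e for e in later if e[2] in VM_CREATED]
        deleted = [e for e in later if e[2] in VM_DELETED]
        if created and deleted:
            findings.append({
                "trigger": desc,
                "trigger_time": ts.isoformat(),
                "vm_lifetime_seconds": (deleted[0][0] - created[0][0]).total_seconds(),
                "start_failed": any(e[2] in VM_START_FAILED for e in later),
            })
    return findings
```

On the sample data only the mmc.exe launch produces a finding (the VM lived 30 seconds and never started); the later vmconnect.exe launch does not, because no creation event follows it.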



3 hours ago, pc71520 said:

Pretty smart, isn't it? ;)

Ever since some arsehole installed a Paypal scam site on my Linux machine years back I've had to be extra vigilant. Fuck knows how they did it but there are some clever people out there that will exploit any hole no matter how tiny it is.

Getting a call from your ISP saying "you know running a Paypal scam site is illegal" is fucking awesome. The best defence is to change the ports standard services like SSH run on, and only ever whitelist IPs if you want to remotely log into a web server or something. I dread to think how companies secure their shit, I just left an Apache server running with no modules loaded with just the default page running and that fucker got hacked so nothing is really secure. I assume whatever exploit that was got fixed in the last 10 years though ^^.

But if they have got to the point where they are installing VMs you're fucked anyway.
