Manic Menagerie — Looking Beyond the Narrative
Operation Manic Menagerie — Summary
In May 2018, the Australian Cyber Security Centre (ACSC) investigated what they dubbed ‘Manic Menagerie’, in which at least eight Australian web hosting providers were compromised, and therefore possibly the websites of their customers. Engaging with three hosting providers for the investigation, the ACSC were able to identify new tactics of cybercriminals. The malware used was a variant of ‘Gh0st’, a remote access tool, with significant modifications to its network communications protocol.
Using web shells as an initial access point, the actor was able to exploit vulnerable web applications. While the actor rarely needed to escalate privileges, they did demonstrate the capability and persistence to do so when necessary. The privilege escalation tools used show the actor’s ability to take public proof-of-concept exploits and put them to use. The persistence techniques varied across incidents, with the actor having the capability to modify tools to suit the compromised environment.
The post-exploitation activity was centred on financial gain, using techniques such as search engine optimisation (SEO), advertising, and cryptocurrency mining to achieve this.
The toolchain was made up of local system denial of service (DoS) tools, in the form of a fork bomb binary, and a network scanning utility used to identify other vulnerable hosts for lateral movement.
Details of tools, techniques and procedures
The actor relied on exploiting vulnerable web applications to gain initial access to the servers, using a combination of automated scanning and manual interaction with the network. Analysis of the web logs from the compromised hosts shows the actor used a web browser to manually interact with websites to identify vulnerabilities. Once identified, the vulnerability was manually exploited to create a web shell on the server to enable future steps. The actor used multiple publicly available web shells, including variants of China Chopper. When the web shell was in place, the actor switched from using a web browser to using a controller for subsequent interactions with the web shell.
Regarding privilege escalation, the actor showcased their ability to tailor their tools to suit the environment they were compromising, including exploiting misconfigured services and uploading additional binaries to assist with privilege escalation.
The ACSC identified three privilege escalation binaries used by the actors. All three were implementations of proof-of-concept (POC) exploit code publicly available on the internet. The vulnerabilities used for privilege escalation, CVE-2018-1038, CVE-2016-3225 and CVE-2016-0099, were patched prior to the compromise. The POC for CVE-2018-1038, known as TotalMeltdown, was released publicly in late April 2018 and uploaded to a web hosting provider a few days later. This showed the actor was able to quickly take the POC code and use it in a compromise.
In one instance, the actor used valid credentials to authenticate and subsequently log in to an FTP server as a user with the home directory ‘C:\’. The FTP server was configured to run as the local administrator user and gave the actor full read/write access to the victim’s system drive. Access to the FTP server was used to back up and replace the binaries for several operating system services with binaries which, when executed, would install Gh0st RAT or perform credential manipulation known as RID hijacking. These services included:
· TeamViewer
· NetTime
· RPD Defender
· ClamAV
When any of the above services restarted, or the host was rebooted, the actor’s malware ran as the SYSTEM user. A resource exhaustion (fork bomb) utility was identified by the ACSC and could have been used to force an administrator to reboot the machine.
There was no evidence the actor attempted to move laterally to other hosts on the network; instead, they used their web shell access to move laterally to other sites on the compromised servers and create additional web shells for persistence. They maintained web shell access and created alternative access methods in the weeks following the initial compromise. The ACSC identified a network scanning utility that was uploaded using the actor’s web shells, and while the use of this tool could not be confirmed, it indicated a desire to perform lateral movement on a network.
Gh0st is a full-featured RAT that provides functionality such as keylogging, webcam and microphone streaming, file upload and download, as well as providing full remote-control access to the host. The actor deployed several iterations of the Gh0st dropper using a range of packers/protection mechanisms including UPX and VMProtect.
In one incident, the Gh0st dropper was detected by the victim’s anti-virus software and quarantined. The actor, in response, disconnected from the compromised environment and returned several hours later to deploy a new instance of the dropper which evaded the victim’s anti-virus. When executed, the Gh0st dropper creates a Windows executable with a .gif extension in a legitimate Windows directory then registers a new service to execute the dropped file on start-up. Every execution of the dropper results in a binary with a different hash being generated, which causes hash-based detection to be ineffective.
Older versions of Gh0st use a relatively well-known protocol with the first five bytes being set to ‘Gh0st’ or some other five-byte campaign ID.
The newly identified variant of Gh0st uses a much longer header which closely resembles an HTTP 200 response.
The response to this request contains a Base64 encoded string wrapped in a ‘GIF89a’ tag. The response is Base64 decoded and each byte then has 0x7a added to it, followed by an XOR with 0x19. This decode structure is very similar to that featured in the Gh0st 3.6 source code. When decoded, the response contains the IP and port the malware is to connect to; it can optionally include proxy information. The Gh0st binary was not digitally signed; however, the Gh0st dropper was signed with an expired, stolen certificate issued to ‘Fujian identical investment co., Ltd’ less than one week prior to being deployed onto the victim’s network.
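The decode routine described above, as an added Python example that is not part of the ACSC report or the Gh0st source: it extracts the Base64 blob following the ‘GIF89a’ tag, applies ADD 0x7a then XOR 0x19 to each byte, and parses the result. The sample response, the ‘host:port|proxyhost:proxyport’ layout of the decoded text, and the assumption that the blob immediately follows the tag are constructed here, not taken from the report.

```python
import base64
import re

GIF_TAG = b"GIF89a"


def gh0st_transform(data: bytes) -> bytes:
    """Per-byte decode as described by the ACSC: ADD 0x7a, then XOR 0x19 (byte-wrapped)."""
    return bytes(((b + 0x7A) & 0xFF) ^ 0x19 for b in data)


def gh0st_inverse(data: bytes) -> bytes:
    """Inverse of gh0st_transform (XOR 0x19, then SUB 0x7a); only used to build the sample."""
    return bytes(((b ^ 0x19) - 0x7A) & 0xFF for b in data)


def decode_response(body: bytes) -> bytes:
    """Locate the GIF89a tag, Base64-decode the blob after it and undo the byte transform.
    Assumption: the blob is the run of Base64 characters immediately after the tag."""
    idx = body.find(GIF_TAG)
    if idx < 0:
        raise ValueError("no GIF89a tag in response")
    m = re.match(rb"[A-Za-z0-9+/=\r\n]+", body[idx + len(GIF_TAG):])
    if not m:
        raise ValueError("no Base64 payload after tag")
    return gh0st_transform(base64.b64decode(m.group(0)))


def parse_c2(plaintext: bytes) -> dict:
    """Assumed layout of the decoded text: 'host:port', optionally '|proxyhost:proxyport'."""
    text = plaintext.decode("ascii", errors="replace")
    main, _, proxy = text.partition("|")
    host, port = main.rsplit(":", 1)
    result = {"host": host, "port": int(port)}
    if proxy:
        phost, pport = proxy.rsplit(":", 1)
        result["proxy"] = {"host": phost, "port": int(pport)}
    return result


# Constructed sample: an HTTP 200-style body carrying a config encoded the way the malware decodes it.
SAMPLE_CONFIG = b"192.0.2.10:8080|198.51.100.7:3128"
SAMPLE_BODY = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
    + GIF_TAG
    + base64.b64encode(gh0st_inverse(SAMPLE_CONFIG))
)

if __name__ == "__main__":
    print(parse_c2(decode_response(SAMPLE_BODY)))
```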
The actor deployed a utility that poorly implemented a technique known as RID hijacking. Using the utility, the actor created a new Windows user account with the effective permissions of the local administrator account. RID hijacking is a relatively new technique that allows an attacker with local administrator or higher privileges to replace the relative identifier (RID) of one account with that of another. This results in two accounts using the same RID.
RIDs make up part of a user’s security identifier (SID), the remainder of which is shared by all users of a system, which Windows uses to manage security permissions on everything from personal files to core operating system files and registry keys. RID hijacking allows an attacker to create an account that will not be a member of any groups but has the permissions of the target account (e.g. the local administrator).
RID hijacking requires read/write access to the target’s SAM hive, so the technique must be executed by either the SYSTEM user (which has full read/write control over the SAM hive) or a member of the Administrators group (which has permission to change the permissions of the SAM hive and can therefore give itself the required read/write access).
Despite the actor’s tool running as the SYSTEM user, their implementation modifies the permissions of the entire SAM hive to provide the ‘Everyone’ group with the Full Control permission. This modification allows every user account, process, and web shell to create/modify/read any user account details (including hashes), as well as create and delete user accounts (regardless of permission level).
Once an account has a hijacked RID, any Windows events generated by that account (e.g. logging into a system or mounting a network share) will be recorded in the Windows event log as having been caused by the hijacked account. An actor could use this to make their activity appear as if it was coming from a legitimate Windows account.
The RID hijacking utility used during the investigated incidents was digitally signed with an expired, stolen certificate issued to ‘上海域联软件技术有限公司’ (Shanghai YuLian Software Technology co. Ltd.) less than one week prior to being deployed onto the victim networks.
Two of the compromised hosts contained evidence of the actor deploying software to add the hosting server itself into a Monero mining pool with the wallet ID 44hRSVqJicHZGpLQErsnjS3V7zgn3xsvn2Rw5e4GUSB4jHhyA1C3Ny3cC3g3cxPhVNccFQrVdQXtS2TcgpeB7wULKwpaYZT.
The mining pool provided statistics for any submitted worker ID. After extracting the actor’s worker ID from their crypto miner software, the ACSC determined:
1. The actor received their first payment on 21 November 2017.
2. As of June 2018, the actor had made a total of 22.57 XMR (Monero) with an approximate value of $3868 AUD.
3. On average, the actor was receiving a payment of 0.5 XMR (Monero) every 3–4 days, which equates to approximately $28 AUD a day.
In all incidents, the actor manually exploited servers and deployed malware, taking them an hour or, in one case, multiple days. The mining pool does not report the number of hosts connected via the actor’s pool ID; it does, however, provide the number of hashes per second.
The actor has a current hash rate of 19.47 KH/s, or 19,470 hashes per second. This indicates the actor still has a Monero miner installed on between 13 and 38 machines; as the actor has only been observed targeting servers, it is likely the number of compromised hosts is at the lower end of this range.
An additional wallet ID of 48edfHu7V9Z84YzzMa6fUueoELZ9ZRXq9VetWzYGzKt52XU5xvqgzYnDK9URnRoJMk1j8nLwEVsaSWJ4fhdUyZijBGUicoD was extracted from the Monero miner. This wallet ID was not observed being used by the malware; however, it does appear to be used elsewhere.
The actor modified other sites on hosting providers to boost SEO rankings and redirect legitimate traffic to sites selling illegitimate products.
In the observed example, the user agent is checked to identify whether the visitor understands a variant of the Chinese language. If the condition is met, the visitor is redirected to Chinese advertising websites.
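A differential check a hosting provider could run against its own sites to spot the language-keyed redirect described above, added here as an example and not part of the ACSC report: the same URL is fetched with a neutral User-Agent and one carrying a ‘zh’ language tag, and a redirect or extra outbound links seen only for the tagged probe is flagged. The probe strings, the `fake_fetch` stand-in for a modified site and the `ads.example.invalid` host are constructed for the example; the assumption that the injected check keys on a ‘zh’ tag in the User-Agent follows the article’s description.

```python
import re
from typing import Callable, Dict, Tuple

# A fetcher takes (url, user_agent) and returns (status, headers, body); real deployments
# would wrap an HTTP client here, the example uses a constructed stand-in below.
Fetcher = Callable[[str, str], Tuple[int, Dict[str, str], str]]

# Constructed probe User-Agents: one neutral, one carrying a Chinese language tag (assumption).
PROBES = {
    "neutral": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/60.0",
    "zh": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; zh-CN) Gecko/20100101 Firefox/60.0",
}


def external_hosts(body: str, own_host: str) -> set:
    """Hostnames linked from the page body that are not under own_host."""
    hosts = set(re.findall(r"https?://([A-Za-z0-9.-]+)", body))
    return {h for h in hosts if not (h == own_host or h.endswith("." + own_host))}


def check_cloaking(url: str, own_host: str, fetch: Fetcher) -> dict:
    """Fetch url once per probe and report behaviour that only the tagged probe triggers."""
    responses = {name: fetch(url, ua) for name, ua in PROBES.items()}
    base_status, _, base_body = responses["neutral"]
    findings = {}
    for name, (status, headers, body) in responses.items():
        if name == "neutral":
            continue
        if status // 100 == 3 and base_status // 100 != 3:
            # Redirect served only to the language-tagged visitor: the pattern in the article.
            findings[name] = {"kind": "redirect", "location": headers.get("Location", "")}
            continue
        extra = external_hosts(body, own_host) - external_hosts(base_body, own_host)
        if extra:
            # Same page, but additional outbound links injected for this visitor only.
            findings[name] = {"kind": "injected_links", "hosts": sorted(extra)}
    return findings


def fake_fetch(url: str, ua: str) -> Tuple[int, Dict[str, str], str]:
    """Constructed stand-in for a modified site: redirects only zh-tagged visitors (example data)."""
    if re.search(r"\bzh(-[A-Za-z]+)?\b", ua):
        return 302, {"Location": "http://ads.example.invalid/landing"}, ""
    return 200, {}, "<html><a href='https://www.example.com/about'>About</a></html>"


if __name__ == "__main__":
    print(check_cloaking("https://www.example.com/", "example.com", fake_fetch))
```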
Links to China
From open source investigation, it is very likely that the attacker was a Chinese threat group.
Deep Panda is one likely suspect, as they are known to target many industries, including government, defence, financial, and telecommunications. Deep Panda’s last publicly known attack in Australia was the breach of Australian media companies prior to the G20 in 2014.
The reason Deep Panda is one likely perpetrator of ‘Operation Manic Menagerie’ is that web hosting providers fall under their target industries (as telecommunications), and some of the tools used, such as StreamEx, are exclusively used by the Deep Panda group.
Despite this, the other tools used, most notably China Chopper and gh0st, are indicative of techniques shared across Chinese threat groups rather than exclusive to one.
Gh0st is known to be used by the groups APT18, Night Dragon, Pitty Tiger, TA459 and Threat Group-3390. The last attributed use of gh0st was in February 2018 by Night Dragon. China Chopper’s use has only been directly attributed to two threat groups, Leviathan and Threat Group-3390, with the last attributed use of China Chopper in March 2018 by Leviathan. All of the groups named have been assessed as Chinese threat groups.
Using the open source information available, the intent behind the attack is unclear. Given the advanced techniques and methods used, the post-exploitation actions revealed seem underwhelming, especially as there are much simpler ways to achieve their apparent end goals.
Of these groups, only Threat Group-3390 has previously been associated with crypto-mining, and it has used this method in conjunction with espionage activity, utilising gh0st. ACSC’s report indicated that the actor’s main goal was financial gain; however, only two of the affected hosts showed evidence that a Monero miner had been deployed.
Considering gh0st is a fully featured RAT that allows the attacker full remote control of the host, as well as keylogging, microphone and webcam streaming, and file upload and download, it brings into question the transparency of ACSC’s investigation and conclusions, as these techniques and methods indicate a bigger end-game.
SEO modification has also been utilised as highly targeted watering holes, with the most known being the targeting of financial institutions in Russia and Ukraine with Buhtrap. Threat Group-3390 has utilised watering hole attacks before, most notably at a data centre in an unnamed central Asian country in 2017.
Threat Group-3390 is thus another likely suspect in perpetrating ‘Operation Manic Menagerie’. Known to target organisations in the aerospace, government, defence, technology, energy, and manufacturing sectors, a web hosting provider would not be outside their usual scope of targets. The use of two tools attributed to Chinese threat groups is another indicator.
One of the issues with not knowing who the targets were is that we cannot determine which hosting providers were targeted or why, or which websites were exploited. Websites can hold a significant amount of information that is not immediately visible from a customer-facing perspective. Databases, internal web pages and limited-access content are but a few examples, and with the ACSC getting involved, it also raises the question of the attacker’s actual targets, and whether they were after the websites themselves rather than the web hosting providers.
From the open source data available, the conjecture is that a Chinese threat group was likely behind ‘Operation Manic Menagerie’, with the APT groups Deep Panda and Threat Group-3390 being the likely suspects. Given the level of technique and tools used, it is deemed unlikely that financial gain was the main goal of this operation. The range of techniques used also brings into question whether we are dealing with a single threat group or a collaboration between several. Lack of information has also limited us in determining the threat group’s main targets and motive.
What does this mean for you?
Deep Panda and Threat Group-3390 can both be interpreted as potential threats to many verticals.
Deep Panda is considered one of the most advanced Chinese nation-state cyber intrusion groups, and commonly targets strategic and business verticals in its target industries, including government, defence, finance and telecommunications. They often target western government agencies and officials for policy information concerning both their region and, more recently, the Middle East. Deep Panda has also been attributed with the Anthem breach, in which they obtained approximately 80 million records of customer data.
Threat Group-3390 conducts strategic web compromises (watering hole attacks) on websites associated with the target organisation’s vertical or demographic to increase the likelihood of finding victims with the relevant information. It is assessed that Threat Group-3390 uses information gathered from prior reconnaissance activities to selectively compromise users who visit websites under its control. Based on their previous activities, Threat Group-3390 has been motivated by collecting defence technology and capability intelligence, other industrial intelligence, and political intelligence from governments and NGOs.
Both Deep Panda and Threat Group-3390 target government, and considering many companies’ ongoing relations with government, disruption of supply chain and unauthorised access to communications between the two could be desirable for these threat actors. Threat Group-3390 is also known to target entities within the Technology vertical, thus customer PII, intellectual property, and R&D are potential desirable targets for both attackers.
When compromising the web hosting providers, the attackers demonstrated the ability for persistence in the network, privilege escalation, and lateral movement. Using the tools present in Operation Manic Menagerie, extensive enumeration of internal systems, and espionage tactics are likely to be deployed in case of compromise.
Opportunities to reduce and mitigate risk are available, however. We assess that operating on a zero-trust network significantly reduces the potential risk. Strengthening the perimeter so that only authorised devices are allowed access to internal networks, together with application whitelisting on devices and systems, can be quite effective. Segregating networks to prevent lateral movement, along with internal access controls within the network, ensures that if a device or a section of the network is compromised, the attacker is limited in both privilege and lateral movement.
In cases where implementing a denial-focused network is too difficult or not desirable, employing deceptive methods throughout the network, such as honeypots and honeytraps using fake accounts, personas and web pages that are monitored, could enable a more rapid response in worst-case scenarios.
As Threat Group-3390 especially operates by compromising targets via the web, patching and securing your company’s web application is important. Confirming that all plugins and applications running on the web app are necessary is also a basic requirement. Frequent resets of admin and moderator credentials, accurate version control, and website modification monitoring will also help mitigate potential compromise via a web app.