Credential Dumping Campaign Hits Multinational Corporations

April 9, 2019
|
co-authored by Limor Kessem
|
6 min read

Server Misconfigurations Result in Ongoing Theft of Corporate Credentials, Cryptojacking Infections on User and Enterprise Assets

IBM X-Force Incident Response and Intelligence Services (IRIS), our team of veteran incident response and intelligence professionals, responds to cyberattacks taking place in different parts of the globe.

In a recent investigation, our team discovered that multinational corporations in various sectors are being targeted by attackers using malicious scripts to automate attacks on misconfigured servers. The attacks resulted in a continuous credential dumping campaign that exfiltrated the corporate credentials of infected network users. On the other side of the compromised servers, attackers continue to operate a public File Transfer Protocol (FTP) server that collects credentials from additional compromised networks and then sends them to a third host, presumably into the attackers’ hands for later use.

On top of the credential theft, the attackers behind this campaign infect devices with cryptocurrency miners.

Let’s examine the technical details of this live campaign to shed more light on attacker tactics, techniques and procedures (TTPs) and outline some tips to help defenders prevent this sort of active leak.

IBM X-Force duly reported this ongoing operation to law enforcement in the corresponding jurisdictions.

Automation and Windows OS Tools Make for a Stealthy Operation

In a malicious campaign X-Force IRIS discovered in February 2019, the team found that some of the top adversarial tactics reported by IBM to target organizations in the wild are being actively used against unsuspecting organizations:

  • Exploiting misconfigured servers and Windows-based client-side operating systems;
  • Living off the land by using embedded operating system tools; and
  • Automating attacks using malicious PowerShell scripts.

The attack campaign harvests corporate credentials from a number of compromised networks, most likely due to the same reason across the board: server misconfiguration leaving various ports open and unprotected and weak administrator passwords without second-factor authentication enforced.

The attackers in this ongoing campaign are using PowerShell scripts and automation to exploit the servers with the DoublePulsar kernel exploit. They also take advantage of Transmission Control Protocol (TCP) port 445 for communicating with the network — a Server Message Block (SMB) ports that has been exploited in previous attacks, including WannaCry and NotPetya, for lateral movement.

A look at the distribution of victimized devices reveals that while most of them could be user devices (Win7), the second-most targeted asset type is Windows Server 2008.

Figure 1: Distribution of affected devices per OS version

Multistage Malicious Script Fetches and Runs Malware Files

To get to network users and harvest their credentials, the attackers in this campaign begin with a malicious script. The script fetches and runs additional files via PowerShell, enabling it to use Mimikatz and PowerSploit on the targeted devices to dump the user’s credentials.

An excerpt of the script appears below (please note that this article does not provide a comprehensive analysis of the malicious service’s installation script).

Figure 2: Malicious script installs attacker’s Windows service

The overall goal of the script is to fetch additional malcode from various rogue hosts maintained by the attackers. Below are two of the main components of the attacks:

  1. s.txt
  2. up.txt

We can see those being pulled from a remote server hosted on hxxp://74.222.1.38. With WhoIs data being protected, we could only note that the host is a dedicated server infrastructure likely rented out by the attackers or exploited for their attacks.

Figure 3: Malicious script installs attacker’s Windows service

A Closer Look at Malicious File ‘Up.txt’

Looking into the activity launched by the extra files fetched into the compromised devices, we could see that the code is executed and performs the following actions:

  • Collects the private and public IP address of the infected device and identifies the public IP address via hxxp://2019.ip138.com/ic.asp.
  • Enumerates the device’s OS version and live processes from the system using WMI queries.
  • Downloads and executes Mimikatz from GitHub.
  • Creates an output file with process information and dumped credentials. File names attributed to each file are structured as follows: PublicIP_PrivateIP_OSVersion_CPUload.txt. For example: 79.XXX.XX.12_192.168.37.147_Microsoft Windows 7 Ultimate [6.1.7601]_5{30bfbf8d9f2833f0337133e196b4dc87825dfb7d33a3602d05ee876ecd6f1178}.txt.
  • Uploads output file to a public FTP server using the attacker’s hardcoded credentials.

While the attacker placed their hardcoded credentials to the malicious FTP in plain view, they ensured that unwelcome access would receive read-only rights. That means outsiders cannot grab existing content on the FTP server.

Output files containing stolen system information and network credentials arrive at the FTP server but only remain there for a few seconds before being exfiltrated onward to another server and deleted from the FTP server.

How Much Is Too Much? Campaign Statistics

Statistics of uploaded data to the malicious FTP server show that the activity is generating a large number of uploads from compromised devices. While the number of uploads is large, file sizes are very small, likely because they only contain a few strings of textual information. The following image shows the accumulation of data on the public FTP server within 60 seconds:

Figure 4: Rapid accumulation of victims’ stolen data on public FTP server

Judging by the number of unique IP addresses from which the data is being streamed into the attackers’ FTP — close to 85,000 IPs — we are seeing that the scope of the campaign is meaningful.

The following numbers accumulated over the period of 11 days provide further context about the size of this malicious operation:

Description

Number

Affected countries per IP geo-location analysis.

180 – ongoing

Files uploaded from infected devices.

1,663,156 – ongoing

Unique IP addresses uploading stolen data.

84,683 – ongoing

Files exfiltrating large amounts of data.

59,688 – ongoing

Files exfiltrating small amounts of data.

933,994 – ongoing

The campaign’s scope can be estimated through the number of uploads per day, showing many devices are likely compromised in each organization.

Figure 5: A sample of campaign dates showing the scope of stolen data dropped daily

A view of the location of infected devices affected by this campaign reveals that the largest number is located in China, Taiwan and Russia. This may be part of a nation-sponsored campaign by regional threat actors targeting organizations and government entities in Asia.

Figure 6: Campaign’s country distribution per geo-IP location

All in an Attacker’s Workday

The TTPs used in this malicious campaign by unknown attackers are almost taken from an attacker’s playbook. Using automated tools, living off the land, using PowerShell and infecting devices with cryptominers are the top tactics highlighted by IBM X-Force’s “Threat Intelligence Index.”

Below are some tips to protect assets against this sort of attack and help prevent initial access to externally facing servers and user devices:

  • Ensure systems are fully patched.
  • Perform regular vulnerability scans to identify missing security updates.
  • Keep antivirus and anti-malware solutions up to date and configure them to automatically conduct regular scans.
  • Manage usage of privileged accounts. Implement the principle of least privilege. Do not assign administrative access to users unless absolutely needed.
  • Enhance security of WMI by authorizing WMI users and restricting permissions.
  • Enable host-based firewalls and restrict internal communications to limit unnecessary lateral movement.
  • Close ports on externally facing servers.
  • If ports remain open, secure them with the necessary controls or place compensating controls as needed.
  • Monitor communication via SMB ports to external servers and investigate suspicious cases of data regularly leaving the organization.
  • Disable SMB v1 and similar legacy protocols completely.

Campaign IoCs

This malicious activity is still ongoing at the time of this writing. Security professionals who wish to use indicators of compromise (IoCs) from the campaign to defend their networks can receive additional data via X-Force Exchange.

Thanassis Diogos
X-Force IRIS Consultant

Thanassis has graduated as Electrical Engineer and I hold an MSc in Information Security. He has been in the industry as a security professional for the last...
read more