Published on 24 April 2018
Azure Security Center helps customers deal with myriad threats using advanced analytics backed by global threat intelligence. In addition, a team of security researchers often works directly with customers to gain insight into security incidents affecting Microsoft Azure customers, with the objective of continually improving Security Center detection and alerting capabilities.
In the previous blog post "How Azure Security Center helps reveal a Cyberattack", security researchers detailed the stages of one real-world attack campaign that began with a brute force attack detected by Security Center, and the steps taken to investigate and remediate the attack. In this post, we'll concentrate on an Azure Security Center detection that led researchers to uncover a ring of mining activity which made use of a well-known mining algorithm named CryptoNight. (Strictly speaking, CryptoNight is the CPU-oriented proof-of-work algorithm used by Monero and related coins rather than by Bitcoin itself; the post uses "bitcoin miner" loosely for cryptocurrency miners in general.)
Before we get into the details, let's quickly explain some terms you'll see throughout this blog. "Bitcoin miners" are a special class of software that use mining algorithms to generate, or "mine", coins, which are a form of digital currency. Mining software is often flagged as malicious because it hijacks system hardware resources such as the Central Processing Unit (CPU) or Graphics Processing Unit (GPU), as well as the network bandwidth, of an affected host. CryptoNight is one such mining algorithm; it relies specifically on the host's CPU, which is what makes it attractive on compromised servers that have no GPU. In our investigations, we've seen miners installed through a variety of vectors, including malicious downloads, emails with malicious links, attachments downloaded by already-installed malware, peer-to-peer file sharing networks, and cracked installers/bundlers.
Initial Azure Security Center alert details
Our initial investigation started when Azure Security Center detected suspicious process execution and created an alert like the one below. The alert provided details such as the date and time of the detected activity, the affected resources, subscription information, and a link to a detailed report about hacker tools like the one detected in this case.
We began a deeper investigation, which revealed that the initial compromise was through a suspicious download detected as "HackTool:Win32/Keygen". We suspect one of the administrators on the box was attempting to download tools commonly used to patch or "crack" software licence keys. Malware is frequently bundled with these tools, giving attackers a backdoor and access to the box.
- Based on our log analysis, the attack began with the creation of a user account named "*server$". The trailing "$" mimics the naming convention of Windows machine accounts, which helps the account blend in with legitimate ones.
- The "*server$" account then created a scheduled task called "ngm". This task launched a batch script named "lijm.bat" located in the "C:\Windows\Temp\ngmtx" folder.
- We then observed a process named "servies.exe" being launched with CryptoNight-related parameters.
- Note: "bond007.01" is the username (wallet or account) under which the miner submits its work to the mining pool, and "x" is the password; "x" is the conventional placeholder, since most pools do not check the password field.
Two days later we observed the same activity with different file names. In the screenshot below, sst.bat has replaced lijm.bat and mstdc.exe has replaced servies.exe. This same cycle of batch file and process execution was observed periodically.
These .bat scripts appear to be used to make connections to the crypto mining pool (XCN or Shark coin) and are launched by a scheduled task that restarts these connections approximately every hour.
Additional observation: the downloaded executables used for connecting to the mining service and generating the coins are renamed from the originals, 32.exe and 64.exe, to "mstdc.exe" and "servies.exe" respectively. These naming schemes are based on an old technique used by attackers attempting to hide malicious binaries in plain sight: the names are chosen to look like legitimate, benign-sounding Windows filenames.
- Mstdc.exe: "mstdc.exe" looks like "msdtc.exe", a legitimate Windows executable, the Microsoft Distributed Transaction Coordinator, which is required by applications such as Microsoft Exchange or SQL Server installed in clusters.
- Servies.exe: similarly, "services.exe" is the legitimate Service Control Manager (SCM), a special system process in the Windows NT family of operating systems that starts, stops and interacts with Windows service processes. Here again the attackers are hiding behind a similar-looking name. "Servies.exe" and "services.exe" look very similar, don't they? It is a simple but effective tactic, and one reason to check a process's path, parent and signature rather than trusting its name: the genuine services.exe is started by the system at boot from C:\Windows\System32 and is Microsoft-signed, while a copy launched by a scheduled task under a freshly created account is not.
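As an added example, not code from the original post or from Security Center, the following Python turns the observations above into detection logic and runs it over constructed Windows Security event records: a 4720 user-account creation whose name ends in "$" like a machine account, a 4698 scheduled task whose action is a .bat under C:\Windows\Temp, a 4688 process creation whose image name is within two edits of a legitimate system binary, and a command line carrying CryptoNight/stratum pool flags. The event field names follow the Windows Security log; the pool host pool.example:3333 and the xmrig-style -a/-o/-u/-p flags are assumptions, since the post shows the miner parameters only in a screenshot.

```python
import re
from typing import Dict, List, Optional, Tuple

# Legitimate Windows system binaries that attackers imitate with look-alike names.
# The post's own cases: servies.exe ~ services.exe and mstdc.exe ~ msdtc.exe.
LEGIT_NAMES = {"services.exe", "msdtc.exe", "svchost.exe", "lsass.exe",
               "csrss.exe", "winlogon.exe", "explorer.exe"}

# Command-line indicators of a CryptoNight / stratum miner (xmrig-style flags; assumed).
STRONG_MINER_FLAGS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"(^|\s)(-a|--algo)[= ]cryptonight", re.I),
]
POOL_USER = re.compile(r"(^|\s)(-u|--user)[= ]\S+")
POOL_PASS_X = re.compile(r"(^|\s)(-p|--pass)[= ]x(\s|$)")

# Batch payload staged under C:\Windows\Temp, as with the post's lijm.bat / sst.bat.
TEMP_BAT = re.compile(r"[A-Za-z]:\\Windows\\Temp\\[^<\s\"]*\.bat", re.I)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (Levenshtein plus adjacent swaps),
    so a dropped letter (servies) or a swapped pair (mstdc) both cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(name: str) -> Optional[str]:
    """Return the legitimate name this file name imitates, or None.
    An exact legitimate name is never a look-alike, even if it happens to be
    close to another legitimate name (csrss.exe vs lsass.exe)."""
    name = name.lower()
    if name in LEGIT_NAMES:
        return None
    twin = min(LEGIT_NAMES, key=lambda n: osa_distance(name, n))
    return twin if osa_distance(name, twin) <= 2 else None


def is_miner_cmdline(cmdline: str) -> bool:
    if any(p.search(cmdline) for p in STRONG_MINER_FLAGS):
        return True
    # Weaker signal: pool credentials with the conventional placeholder password "x".
    return bool(POOL_USER.search(cmdline) and POOL_PASS_X.search(cmdline))


def analyze(events: List[Dict]) -> List[Tuple[str, str]]:
    """Run the four checks over Security-log style records; return (rule, detail) pairs."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4720 and ev.get("TargetUserName", "").endswith("$"):
            # 4720 is "a user account was created"; real machine accounts produce
            # 4741, so a user account with a trailing "$" is pretending to be one.
            findings.append(("fake-machine-account", ev["TargetUserName"]))
        elif eid == 4698:
            m = TEMP_BAT.search(ev.get("TaskContent", ""))
            if m:
                findings.append(("temp-bat-scheduled-task", f'{ev.get("TaskName")} -> {m.group(0)}'))
        elif eid == 4688:
            image = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            twin = lookalike(image)
            if twin:
                findings.append(("lookalike-binary", f"{image} ~ {twin}"))
            if is_miner_cmdline(ev.get("CommandLine", "")):
                findings.append(("miner-cmdline", image))
    return findings


# Constructed sample events mirroring the post's timeline. Field names follow the
# Windows Security log (4720/4698/4688); pool.example:3333 is a placeholder pool.
SAMPLE_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "Administrator", "TargetUserName": "*server$"},
    {"EventID": 4698, "SubjectUserName": "*server$", "TaskName": "\\ngm",
     "TaskContent": "<Exec><Command>C:\\Windows\\Temp\\ngmtx\\lijm.bat</Command></Exec>"},
    {"EventID": 4688, "SubjectUserName": "*server$",
     "NewProcessName": "C:\\Windows\\Temp\\ngmtx\\servies.exe",
     "CommandLine": "servies.exe -a cryptonight -o stratum+tcp://pool.example:3333 -u bond007.01 -p x"},
    {"EventID": 4688, "SubjectUserName": "SYSTEM",
     "NewProcessName": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 4688, "SubjectUserName": "*server$",
     "NewProcessName": "C:\\Windows\\Temp\\ngmtx\\mstdc.exe",
     "CommandLine": "mstdc.exe -o stratum+tcp://pool.example:3333 -u bond007.01 -p x"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:25} {detail}")
```

The genuine services.exe event produces no finding because exact legitimate names are excluded before the edit-distance comparison; on a real host you would additionally confirm the image path and Authenticode signature, since an attacker can also drop a file named exactly services.exe outside System32.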
As we did our timeline log analysis, we noted other activity, including wscript.exe using "VBScript.Encode" to execute "test.zip".
On extraction, it revealed an "iissstt.dat" file that was communicating with an IP address in Korea. The "mofcomp.exe" command appears to register the file iisstt.dat with WMI. The mofcomp.exe compiler parses a file containing Managed Object Format (MOF) statements and adds the classes and class instances defined in the file to the WMI repository. A common reason for attackers to do this is WMI persistence: a MOF file can define an __EventFilter, an event consumer (such as a CommandLineEventConsumer) and a __FilterToConsumerBinding, which together make WMI re-launch a payload whenever the filter's event fires, surviving reboots without a scheduled task or Run key.
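As an added example (not code from the post, and not the contents of iisstt.dat, which the post does not show), the following Python parses a MOF file of the kind mofcomp.exe compiles and reports each filter-to-consumer binding, i.e. the WMI subscriptions that would run attacker code on an event. The sample MOF is constructed; only the lijm.bat path comes from the post.

```python
import re
from typing import Dict, List, Optional

# One "instance of Class [as $Alias] { ... };" block in a MOF file.
INSTANCE_RE = re.compile(r"instance of\s+(\w+)(?:\s+as\s+\$(\w+))?\s*\{(.*?)\};", re.S)
# One "Prop = value;" entry: a quoted string (with \" and \\ escapes), a $alias, or a bare value.
PROP_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|\$\w+|[^;]+);')

# Consumer classes that execute something, and the property that holds the payload.
PAYLOAD_PROPERTY = {
    "CommandLineEventConsumer": "CommandLineTemplate",
    "ActiveScriptEventConsumer": "ScriptText",
}


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return value


def parse_mof(text: str) -> List[Dict]:
    """Extract every instance declaration with its class, alias and properties."""
    instances = []
    for cls, alias, body in INSTANCE_RE.findall(text):
        props = {k: _unquote(v) for k, v in PROP_RE.findall(body)}
        instances.append({"class": cls, "alias": alias or None, "props": props})
    return instances


def _resolve(instances: List[Dict], ref: Optional[str]) -> Optional[Dict]:
    """Follow a Filter/Consumer reference, written either as $alias or as an
    object path such as __EventFilter.Name="X"."""
    if not ref:
        return None
    if ref.startswith("$"):
        return next((i for i in instances if i["alias"] == ref[1:]), None)
    m = re.search(r'Name\s*=\s*"([^"]+)"', ref)
    if m:
        return next((i for i in instances if i["props"].get("Name") == m.group(1)), None)
    return None


def find_persistence(instances: List[Dict]) -> List[Dict]:
    """Report each filter->consumer binding: the trigger query and what WMI will run."""
    hits = []
    for inst in instances:
        if inst["class"] != "__FilterToConsumerBinding":
            continue
        filt = _resolve(instances, inst["props"].get("Filter"))
        cons = _resolve(instances, inst["props"].get("Consumer"))
        if filt is None or cons is None:
            continue
        payload_key = PAYLOAD_PROPERTY.get(cons["class"])
        hits.append({
            "filter": filt["props"].get("Name"),
            "query": filt["props"].get("Query"),
            "consumer_class": cons["class"],
            "payload": cons["props"].get(payload_key) if payload_key else None,
        })
    return hits


# Constructed sample MOF. The post does not show iisstt.dat, so this is a generic
# permanent event subscription that re-launches the post's lijm.bat whenever the
# polled system performance counter instance changes (WITHIN 60 = roughly each minute).
SAMPLE_MOF = r'''
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $Filt
{
    Name = "UpdaterFilter";
    EventNamespace = "root\\cimv2";
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";
    QueryLanguage = "WQL";
};

instance of CommandLineEventConsumer as $Cons
{
    Name = "UpdaterConsumer";
    CommandLineTemplate = "cmd.exe /c C:\\Windows\\Temp\\ngmtx\\lijm.bat";
};

instance of __FilterToConsumerBinding
{
    Filter = $Filt;
    Consumer = $Cons;
};
'''

if __name__ == "__main__":
    for hit in find_persistence(parse_mof(SAMPLE_MOF)):
        print(hit)
```

On a live host the same triad can be enumerated without the MOF file, for example with Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding in PowerShell; a consumer whose command line points at a Temp folder or a user-writable path deserves the same scrutiny as the scheduled task above.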
Recommended remediation and mitigation steps
The initial compromise was the result of malware installed through cracked installers/bundlers, which resulted in complete compromise of the machine. Our first recommendation was therefore to rebuild the machine if possible. However, understanding that this sometimes cannot be done immediately, we recommend implementing the following remediation steps:
1. Password policies: reset passwords for all users of the affected host and ensure password policies meet best practices.
2. Defender scan: run a full antimalware scan using Microsoft Antimalware or another solution that can flag potential malware.
3. Software updates: ensure the OS and applications are kept up to date. Azure Security Center can help you identify virtual machines that are missing critical and security OS updates.
4. OS vulnerabilities and version: align your OS configurations with the recommended rules for the most hardened version of the OS; for example, do not permit passwords to be saved. Update the operating system (OS) version for your Cloud Service to the most recent version available for your OS family. Azure Security Center can help you identify OS configurations that do not align with these recommendations, as well as Cloud Services running outdated OS versions.
5. Backup: regular backups are important not only for the software update management platform itself but also for the servers that will be updated. To ensure you have a rollback configuration in place in case an update fails, back up the system regularly.
6. Avoid use of cracked software: using cracked software introduces unwanted risk into your home or business by way of malware and other threats associated with pirated software. Microsoft strongly recommends avoiding cracked software and following the legal software policy of your organization.
More information can be found at:
7. Email notifications: finally, configure Azure Security Center to send email notifications when threats like these are detected.
- Click the Policy tile in the Prevention section.
- On the Security Policy blade, pick the subscription you want to configure email alerts for.
- This brings you to the Security Policy blade for that subscription. Click the Email Notifications option to configure email alerting.
An email alert from Azure Security Center will look like the one below.
To learn more about Azure Security Center, see the following: