Pacific Rim Timeline: Insights for Defenders from a Network of Coordinated Attack Campaigns

MITRE Techniques

• [T1584.008] Compromise Infrastructure: Network Devices – “In a Sophos sinkhole, analysts identified the actors had made User-Agent strings and payload requests mapping to consumer and SOHO routers as-well as various requests potentially tied to the Ragnarok ransomware.”
• [T1078] Valid Accounts – “The actors deployed malware via valid administrative credentials.”
• [T1078.004] Valid Accounts: Cloud Accounts – “The actors pivoted from on-premises devices to cloud assets by exploiting an IAM configuration related to AWS SSM.”
• [T1190] Exploit Public-Facing Application – “The actors targeted devices with internet-facing web portals.”
• [T1189] Drive-by Compromise – “The actors implemented malware designed to run on Mac OS X and iOS, and IFRAME injection code that exploits a vulnerability in WebAssembly (wasm).”
• [T1036.055] Masquerading: Match Legitimate Name or Location – “The actors replaced SSH and SSHD with versions related to a malware family ESET named Onderon.”
• [T1027.001] Obfuscated Files or Information: Binary Padding – “The actors swapped out the binaries that verify the cryptographic signature in the firmware to bypass integrity checks.”
• [T1014] Rootkit – “The actors installed a rootkit named Cloud Snooper on a victim device, which the attackers used to disguise malicious C2 traffic. The actors also ran the libsophos.so rootkit.”
• [T1036] Masquerading – “The actors renamed a legitimate device binary and dropped the RAT in its place. The actors also used a custom-built, fully featured userland rootkit which closely mimicked Sophos product file naming conventions and behavior.”
• [T1562] Impair Defenses – “The actors provided a malformed JSON which triggered an exception to additional input sanitization meant to mitigate CVE-2022-3236.”
• [T1562.001] Impair Defenses: Disable or Modify Tools – “The actors wrote the script patch.sh to the filesystem; the patch set a flag in a database that disabled automatic hotfix updates, re-running this command every five minutes.”
• [T1562.006] Impair Defenses: Indicator Blocking – “The actor deployed a scripting loop that continuously set the administrative setting to accept hotfixes to false to sabotage the victim’s ability to repair devices.”
• [T1202] Indirect Command Execution – “The actors leveraged a command injection vulnerability (CVE-2022-3236) in a Perl-based component for initial access to a device.”
• [T1406] Obfuscated Files or Information – “The actors used malicious JAR files and a connection to a C2 IP on a device that had received the CVE-2022-3236 patch.”
• [T1003.006] OS Credential Dumping: DCSync – “The actors used sniffed credentials to run a DCSync credential dump from a LAN-side domain-controller.”
• [T1110.001] Brute Force: Password Guessing – “The actors gained initial access to numerous impacted devices via weak SSH credentials.”
• [T1649] Steal or Forge Authentication Certificates – “The actors stole privileged internal Active Directory credentials with a 64-bit ELF backdoor.”
• [T1212] Exploitation for Credential Access – “The actors exploited CVE-2020-15069 to deliver a payload that stole credentials saved on an appliance.”
• [T1046] Network Service Discovery – “The actors conducted network scans using a low-privilege computer in the victim’s environment.”
• [T1210] Exploitation of Remote Services – “The actors leveraged a post-authentication remote code execution vulnerability in an operating system component.”
• [T1021.004] Remote Services: SSH – “The actors used the libsophos.so library to inject itself into the system’s SSHD by using the LD_PRELOAD environment variable.”
• [T1205] Traffic Signaling – “The actors sent a specially crafted packet to a device, which triggered a back-connect shell RAT when received by the device.”
• [T1205.001] Traffic Signaling: Port Knocking – “The actors inserted the libsophos.os library in the SSHD process to enable the actors to identify and respond to specially crafted ICMP packets… which could open a SOCKs proxy or reverse shell.”
• [T1205.002] Traffic Signaling: Socket Filters – “The actors deployed a kernel-level rootkit with stealthy command and control.”
• [T1090] Proxy – “The actors, using the libsophos.so library injected in a system’s SSHD, crafted ICMP packets which deployed a SOCKS proxy… In a separate instance, the actors deployed a Fast Reverse Proxy (FRP).”
• [T1090.003] Proxy: Multi-hop Proxy – “The actors chained together multiple proxies to obfuscate the true origin of the attacks.”
• [T1105] Ingress Tool Transfer – “The actors downloaded suspicious binaries from a LAN-side internal web server.”
• [T1059.004] Command and Scripting Interpreter: Unix Shell – “The actors abused Unix shell commands to aid with code execution.”
• [T1059] Command and Scripting Interpreter – “The actors used a command injection privilege escalation, alongside exploiting an SQLi vulnerability (CVE-2020-12271), to gain root access to devices and install the Asnarök trojan… delivered two malicious Linux shell payloads (patch.sh and IC.sh).”
• [T1203] Exploitation for Client Execution – “The actors exploited the CVE 2020-12271 vulnerability… to gain root access to the device and install the Asnarök trojan… exploited CVE-2020-15069 to deploy malicious payloads to the TStark cluster of devices.”
• [T1505.003] Server Software Component: Web Shell – “The actors deployed a malicious web shell indiscriminately to devices running a WAN-facing web portal.”
• [T1554] Compromise Host Software Binary – “The actors replaced a device’s SSH and SSHD binaries with malware named Onderon (aka bl0wsshd00r67p1).”
• [T1037.002] Boot or Logon Initialization Scripts: Login Hook – “The actors inserted a hook into the firmware upgrade process. The hook wrote the backdoor into the temporary partition used for the new firmware before the device rebooted, allowing it to survive firmware upgrades.”
• [T1133] External Remote Services – “The actors apparently used VPNs intermittently to access TStark devices, as telemetry switched between several IP addresses in different locations.”
• [T1136.001] Create Account: Local Account – “The actors exploited CVE-2020-29574 to create a new administrator-level user account (named cybersupport) on devices.”
• [T1574.004] Hijack Execution Flow: Dylib Hijacking – “The actors embedded Trojanized class files inside pre-existing Java archive (JAR) files, which were then loaded into an internet accessible Java servlet to act as a dynamic loader for other AES-encrypted class files provided to it via a HTTP POST.”
• [T1547] Boot or Logon Autostart Execution – “The actors used a rootkit module that enumerates devices on the local system on startup, then executes the core module.”