Defending Systems Against Attacks With Layers of Remote Control
Fortunately, we were able to provide the customer with timely alerts and intervention, from the moment the initial intrusion via the cloud server was observed all the way to guidance during the cleanup and remediation process.
Insights from the threat report and the threat handling perspective
Incidents such as this give security teams opportunities to see attacks from different angles and as a whole. Below, we discuss key insights that organizations can consider when adopting a proactive cybersecurity approach to protect their systems.
On detecting and responding to the web shell
MDR discovered a number of Possible_Webshell detections. The names of the detected files were random and they were placed in the directory where server scripts are usually found in Internet Information Services (IIS) instances. (Created by Microsoft, IIS is an extensible web server software used with the Windows NT family.) This instantly made it interesting because, first, it did not look like a test and, second, the numerous files detected with the random names could mean that there was an attacker attempting to place a number of web shells on the server. Later, we noticed web shell activity indicating that the malicious actor successfully planted at least one web shell that they were able to access.
On TightVNC and Ngrok
TightVNC and Ngrok are both legitimate applications that have been abused by malicious actors for their nefarious ends. Relying solely on EPP detection can impair a security team’s ability to perceive the presence of such abused tools as red flags for serious attacks. MDR automatically collects and correlates data across multiple layers of security, thus significantly enhancing the speed of threat detection, investigation, and response. In this case, MDR’s integrated approach provided the context that helped the security analysts correlate the chain of events for accurate threat assessment and adequate response.
From the attacker’s point of view, the external-facing vulnerable server gave them a path into the environment. To solidify their foothold and carry out their objective, they used TightVNC and Ngrok as means to remotely control endpoints. At this stage, they had the web shell-infested server, a normal remote tool (that the EPP would not be able to detect), and a tunneling application (that the EPP would also not be able to detect).
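The correlation described in the two sections above can be sketched as a small rule: a burst of random-named script files in the IIS script directory, followed by TightVNC or Ngrok starting anywhere in the environment, scores higher than either signal alone. This is an added example, not code from the report or from the MDR product; the event schema, web root path, binary names, thresholds, and sample events are all assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumptions (not from the article): default IIS web root, script extensions,
# tool binary names, thresholds, and the event schema used below.
WEB_ROOT = PureWindowsPath(r"C:\inetpub\wwwroot")
SCRIPT_EXT = {".aspx", ".ashx", ".asp"}
DUAL_USE = {"tvnserver.exe": "TightVNC", "ngrok.exe": "Ngrok"}
BURST, WINDOW = 3, timedelta(hours=24)

def looks_random(stem):
    """Crude heuristic: 8+ characters mixing letters and digits."""
    return (len(stem) >= 8 and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))

def correlate(events):
    """Return (severity, reasons) for one environment's event stream."""
    drops, tools = [], []
    for e in sorted(events, key=lambda e: e["ts"]):
        p = PureWindowsPath(e["path"])
        if e["type"] == "file_create":
            if (WEB_ROOT in p.parents and p.suffix.lower() in SCRIPT_EXT
                    and looks_random(p.stem)):
                drops.append(e)
        elif e["type"] == "process_start" and p.name.lower() in DUAL_USE:
            tools.append((e, DUAL_USE[p.name.lower()]))
    # A legitimate remote tool alone stays low; context raises the score.
    reasons = [f"{name} started on {e['host']}" for e, name in tools]
    burst = len(drops) >= BURST
    if burst:
        reasons.insert(0, f"{len(drops)} random-named scripts on {drops[0]['host']}")
    chained = burst and any(
        timedelta(0) <= e["ts"] - drops[0]["ts"] <= WINDOW for e, _ in tools)
    return ("high" if chained else "medium" if burst else "low"), reasons

T0 = datetime(2021, 1, 1, 9, 0)  # constructed timestamp
def ev(mins, host, kind, path):
    return {"ts": T0 + timedelta(minutes=mins), "host": host, "type": kind, "path": path}

SAMPLE = [  # constructed telemetry, not data from the incident
    ev(0, "web01", "file_create", r"C:\inetpub\wwwroot\a8f3k2q9.aspx"),
    ev(1, "web01", "file_create", r"C:\inetpub\wwwroot\zx91mmp4.aspx"),
    ev(2, "web01", "file_create", r"C:\inetpub\wwwroot\q7w2e5r8.ashx"),
    ev(90, "pc-17", "process_start", r"C:\Program Files\TightVNC\tvnserver.exe"),
    ev(95, "pc-17", "process_start", r"C:\Users\Public\ngrok.exe"),
]
```

Calling `correlate(SAMPLE)` returns the severity with the contributing observations, so an analyst sees the chain rather than three unrelated low-priority events.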
Conclusion
Organizations can learn many lessons from this incident. One is that organizations cannot depend on EPP alone to thwart persistent threats because it is incapable of providing the holistic view necessary for early detection, investigation, and response. As we have seen, the series of attacks in this case used stealthy means to intrude into the system, including seemingly innocuous tools across several security layers. The complexity of the attacks made it extra challenging for the security team and threat researchers to analyze the chain of events and arrive at a clear contextual understanding of the threat scenario at hand.
Another key takeaway, one that has gained more relevance now that the pandemic has pushed enterprises to adopt remote work setups, is that even the most benign of tools, such as RDP, can be a threat vector as malicious actors always strive to outsmart the good guys through creative tricks.
Adequate response, and not just time, is of the essence in containing the impact and minimizing the scope and severity of an attack.
Trend Micro Vision One™ with Managed XDR is a purpose-built platform that goes beyond traditional XDR solutions. Data collected and analyzed in silos impairs visibility as serious threats can evade detection. Vision One lets security teams see more, respond faster, and achieve greater security by providing a clear contextual view of threats across more threat vectors. It allows security teams and threat analysts to connect more dots into a holistic view, simplifying the steps toward achieving an attack-centric view of an entire chain of events, so organizations can take action all from one place. For more information, read the Vision One solution brief.