
Intelligence Insights: January 2023

End-of-year testing boosts Mimikatz & BloodHound, and ProxyNotShell is on the rise in this month’s edition of Intelligence Insights

The Red Canary Team

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.

Highlights

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.

Here’s how the numbers shook out for December 2022:

Last month's rank | Threat name | Threat description
1 | Mimikatz | Open source tool that dumps credentials using various techniques
2 | BloodHound | Open source tool used to identify attack paths and relationships in Active Directory
3 | (name not extracted) | Activity cluster using a worm spread by external drives that leverages Windows Installer to download a malicious DLL
4* | (name not extracted) | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives
4* | (name not extracted) | Banking trojan focused on stealing user data and banking credentials; delivered through phishing, existing Emotet infections, and malicious Windows Installer (MSI) packages
6 | (name not extracted) | Collection of Python classes to construct/manipulate network protocols
7* | (name not extracted) | Dropper/downloader, often distributed through search engine redirects
7* | (name not extracted) | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code
9* | Cobalt Strike | Penetration testing tool that integrates functionality from multiple offensive security projects; can extend its functionality with a native scripting language
9* | Raccoon | Information stealer used to siphon credentials and other information including credit card data, cryptocurrency wallets, and browser data
9* | Shlayer | macOS malware family associated with ad fraud activity through the distribution of adware applications

⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Observations on trending threats

Here at Red Canary, we saw our customers doing a lot of testing in December. In September 2022, we started removing customer-reported testing from our top 10 trending threat lists to reduce error and noise. However, some testing is not explicitly marked as such by our customers, so it does not get removed from the trending threat numbers. We think these unmarked tests are reflected in December’s top 10 list. While Mimikatz and BloodHound are also leveraged by adversaries, we assess that their place as the top two threats is likely due to unreported testing rather than a recent increase in their malicious use. Other trends to note include Zloader, Emotet, and Remote Utilities dropping out of the top 10, replaced by Cobalt Strike, Raccoon, and Shlayer.

ProxyNotShell exploitation of Exchange servers

Red Canary observed increasing exploitation of CVE-2022-41040 and CVE-2022-41082 in November and December 2022. In September 2022, security researchers identified variations of the Microsoft Exchange server ProxyShell vulnerability being exploited with limited scope. These new variations became known collectively as “ProxyNotShell.” We assess that the recent increase in exploitation is likely due to the public release of proof-of-concept (PoC) code on November 16, as outlined by BleepingComputer.

Red Canary observed exploitation incorporating the following characteristics:
  • Web shell files named iisstart.aspx and logout.aspx being written to inetpub\wwwroot\aspnet_client and exchange server\v15\frontend\httpproxy\ecp\auth
  • Activity initiated from w3wp.exe with a command line containing MSExchangePowerShellAppPool. Based on Red Canary testing, the activity we saw, and other researchers’ observations, malicious activity spawning from a w3wp.exe process with this command line is an indicator of potential ProxyNotShell exploitation.
  • We observed execution of Visual Basic Scripts (.vbs) from the windows\temp folder writing a malicious Meterpreter executable and subsequently making network connections. The executable’s internal file name, ab.exe, is the default metadata used by Meterpreter for its payloads.
  • In a separate intrusion, the malicious executable written to the windows\temp folder was a Cobalt Strike beacon.
  • A malicious .NET binary designed to rewrite the aforementioned web shells.

Based on historic exploitation of previous Exchange vulnerabilities as well as the follow-on activity seen by us and other researchers, we assess a high likelihood of domain-wide compromise if ProxyNotShell activity is not remediated early. We recommend all organizations remediate CVE-2022-41040 and CVE-2022-41082 by following Microsoft’s guidance to update Exchange to the latest version.

There are many behavior-based detection opportunities available during ProxyNotShell exploitation. One of those opportunities is keeping an eye on dynamic link library (DLL) files executing from the Windows Temp directory. Adversaries like to drop payloads in windows\temp because every user on the system typically has read and write access to it by default.

Detection opportunity: Rundll32 executing DLL files located in the Windows Temp directory

The following pseudo-detection analytic identifies instances of the Windows Rundll32 process loading code from DLL files located in the Windows Temp directory. It’s possible that some enterprise software in your environment will execute DLLs from windows\temp, so additional investigation may be needed to determine if the behavior is malicious.

process == (rundll32)
&&
command_line_includes == (windows\temp)
&&
command_line_does_not_include == (*)

Note: * is a placeholder for approved software in your environment that loads legitimate DLLs from windows\temp.
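As an added example (not Red Canary's code), the rundll32 pseudo-analytic above and the w3wp.exe/MSExchangePowerShellAppPool parent-process indicator from the ProxyNotShell characteristics are applied to constructed process events; the event field names and the allowlist entry are assumptions.

```python
from dataclasses import dataclass

# Process-creation record as an EDR might supply it; field names are assumptions.
@dataclass
class ProcessEvent:
    process: str          # image name of the new process
    command_line: str     # its full command line
    parent_process: str   # image name of the parent process
    parent_cmdline: str   # parent's full command line

# Hypothetical allowlist standing in for the "*" placeholder: command-line
# substrings of approved software that loads legitimate DLLs from windows\temp.
APPROVED_TEMP_DLL_SUBSTRINGS = ["approvedvendor_update.dll"]

def rundll32_temp_dll(ev: ProcessEvent) -> bool:
    """rundll32 with windows\\temp on the command line, minus approved software."""
    cl = ev.command_line.lower()
    if ev.process.lower() != "rundll32.exe" or "windows\\temp" not in cl:
        return False
    return not any(s.lower() in cl for s in APPROVED_TEMP_DLL_SUBSTRINGS)

def exchange_apppool_child(ev: ProcessEvent) -> bool:
    """Any process spawned by w3wp.exe whose command line names the Exchange PowerShell app pool."""
    return (ev.parent_process.lower() == "w3wp.exe"
            and "msexchangepowershellapppool" in ev.parent_cmdline.lower())

RULES = {"rundll32_temp_dll": rundll32_temp_dll,
         "exchange_apppool_child": exchange_apppool_child}

def evaluate(events):
    """Return [(rule_name, event)] for every rule that fires on every event, in event order."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed sample events; file names and paths are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcessEvent("rundll32.exe", r"rundll32.exe C:\Windows\Temp\payload.dll,Start",
                 "cmd.exe", "cmd.exe /c start"),                         # fires rule 1
    ProcessEvent("rundll32.exe", r"rundll32.exe C:\Windows\Temp\approvedvendor_update.dll,Run",
                 "updater.exe", "updater.exe"),                          # allowlisted
    ProcessEvent("rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 "explorer.exe", "explorer.exe"),                        # not in windows\temp
    ProcessEvent("cmd.exe", "cmd.exe /c echo probe",
                 "w3wp.exe", r'w3wp.exe -ap "MSExchangePowerShellAppPool" -v "v4.0"'),  # fires rule 2
    ProcessEvent("cmd.exe", "cmd.exe /c echo probe",
                 "w3wp.exe", r'w3wp.exe -ap "DefaultAppPool" -v "v4.0"'),               # other app pool
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {ev.parent_process} -> {ev.process}: {ev.command_line}")
```

The allowlist is matched as a substring, so keep entries as specific as possible (full DLL name or vendor path) to avoid silently excluding an adversary who reuses an approved name.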
