RSA Incident Response White Paper: Inside the Response of a Unique CARBANAK Intrusion
RSA Incident Response and Discovery Practice (RSA IR) analysts spend a significant amount of time engaged in the research, hunting, and effective response of advanced and persistent actors. A customer engagement early-to-mid-2017 is an excellent example of a unique case in which RSA IR successfully responded to an intrusion perpetrated by the threat actor group CARBANAK, also known as FIN7. The CARBANAK actions illustrated in this post and associated paper were observed with other RSA clients as recently as November 2017, with the methods and intelligence supplied by these publications having been used successfully to detect and track attacker activities.
Several intrusions associated with the CARBANAK actors have been reported within the last year, describing compromises of organizations within banking, financial, hospitality, and restaurant verticals. However, they all describe a relatively equivalent progression, with only slight deviation in specific attacker actions. The intelligence surrounding recent CARBANAK incidents indicate that phishing attacks have been the group’s primary method of initial compromise. After gaining access to a user system, the attackers move laterally throughout the environment, conduct internal reconnaissance, establish staging points and internal network paths, harvest credentials, and move towards their intended target. However, this intrusion began with a significantly higher level of privilege due to the exploitation of the Apache Struts vulnerability CVE-2017-5638 allowing the attackers to quickly gain administrative access within the client’s Linux environment. This intrusion presented substantial challenges due to:
- The initial intrusion vector
- Unique attacker toolset
- The attacker dwell time
- The large, heterogeneous environment
- The speed with which the attackers gained administrative access
- The forensic mindfulness of the CARBANAK attackers
The attackers’ toolset was a mix of custom tools, freely available code, and open source software utilities. RSA IR researched all 32 of the malicious files in the CARBANAK toolset using various publicly available and open-source resources. Six of the tools used in this intrusion were found to have been uploaded to a publicly available anti-virus aggregation site. Of these six, five have little-to-no detection or indication of malice from antivirus vendors. This observation explains why the client’s signature-based host protection mechanisms were unable to identify or prevent the use of these tools.
Figure 1: Findings from Public and Open Source Research of Toolset Reference
While the attackers used more than 30 unique samples of malware and tools, they also demonstrated a normalization across Windows and Linux with respect to their toolset. The toolsets they deployed can be broken down into five basic functionalities:
- Ingress/Egress/Remote Access
- Lateral Movement
- Log Cleanup
- Credential Harvesting
- Internal Reconnaissance
The ingress, lateral movement, and internal reconnaissance mechanisms used by the attackers during this investigation were not that sophisticated in and of themselves. However, when viewed in aggregate, and from an operational view, RSA observed the actors normalized their choice in toolset across the Linux and Windows environments. The attackers in this engagement primarily used modified versions of legitimate administrative tools, commonly used penetration testing utilities, and common network file acquisition tools. Though specialty malware was observed during this intrusion, the attackers used basic XOR encoding just above Layer 4 to facilitate communication, communicated via SSH tunnel directly over TCP/443, or just transmitted and received data in clear text across the network. Of the observed actions during this intrusion, none of the attacker tools, techniques, or procedures were particularly advanced. However, they were still able to bypass a significant security stack, obtain initial access and lateral access effectively, deploy malware and toolsets with impunity, and traverse over 150 systems in the span of six weeks. While, at first glance, this attack was not sophisticated in its toolset, it was sophisticated in its operationalization and agility of attackers’ actions. The correlations between the Linux environment tools and the Windows environment tools are shown below:
Cross-Platform Toolsets and Purpose
Tinyp (PSEXEC Variant)
Auditunnel (Linux Version)
Auditunnel (Windows Version)
PScan (Linux Version)
PScan (Windows Version)
WGet (Linux Version)
WGet (Windows Version)
RSA IR released a white paper containing an in-depth review of this engagement, including observed attacker operational patterns, TTPs, and the techniques used during this engagement to successfully track and respond to the threat. The observations illustrated in this paper identify that not only do CARBANAK actors have the capability to successfully compromise various operating system environments, they have standardized and operationalized this capability. This attribute indicates strategic operational thought and effort being invested in this group’s compromises, suggesting that the CARBANAK actors are working towards becoming a more organized, structured, resourceful, and mature threat group.
During an intrusion, time is the single most critical resource to an organization’s security team and is the most significant indicator of determining if the security team will be successful in containing, eradicating, and remediating the extant threat. There are two specific sets of time related to an intrusion that may determine the difference between success and failure: the time that the attackers are in the environment prior to detection (dwell time), and the time it takes security teams to identify, investigate, understand, and contain the attacker’s actions (response time). In this specific incident, the attacker’s dwell time at intrusion declaration was 35 days, which is a significant amount of time given the level of access immediately available upon compromise. However, by utilizing the methodology and visibility described in this paper, RSA IR was able to complete containment, eradication, and remediation in only nine days. We also discuss the methodology used by RSA IR to successfully detect, investigate, understand, and contain the attackers before the actors could achieve their intended goal.
The CARBANAK actors not only showed the capability to successfully compromise both Linux and Windows systems, they chose a toolset that was either directly cross-platform or extremely similar in both function and command line usage. This indicates a level of tactical organization and operationalization not previously observed by this actor group. Additionally, they were significantly cognizant and aware of actions taken by the security team, switching to new methods of ingress after initial compromise, detected remediation actions, and environmental migration. They were methodical in their choice of staging systems, basing the system utilized on:
- a critical function of lateral access
- or responder detection and investigation
They chose key systems based on their needs rather than systems the organization would consider ‘key’ assets. They ensured the toolsets they would interact with most often contained very similar functions and commands across environments in order to limit mistakes made at the keyboard. They included a method, whether manually or automatically, to remove any record of their activities. They operated with purpose, patience, planning, and most significantly, persistence.
This intrusion was successfully discovered, investigated, contained, eradicated, and remediated only due to the following reasons:
- The organization invested in the necessary visibility at a host and network level to allow analysts to rapidly and effectively hunt for and investigate these types of threats.
- The organization had invested and empowered their personnel to creatively and proactively hunt for, understand, investigate, and learn from threats within their environment.
- The organization had maintained a relationship with a proven and trusted advisory practice and had worked to recreate and implement a solid and proven Threat Hunting and Incident Response methodology within their own organization.
- The organization had a solid top-down understanding of what role Threat Hunting and Incident Response held during daily operations and security incidents, and provided the necessary support and enablement to subordinate units and analysts.
While a first look at the tools used in this engagement may appear simplistic, upon review of the entire intrusion, it becomes quickly apparent that each of them was purpose-chosen with an overall operationalized capability in mind. CARBANAK has shown themselves to be a coordinated and extremely persistent group of actors that are consistently moving towards more agile methods of intrusion and standardization of processes across heterogeneous environments. They have proven their capability to use that persistence and agility to defeat or bypass organizational security controls. Even with the least advanced of their capabilities, they can be a difficult adversary to track within an environment due to their speed, efficiency, adaptability, and care in leaving little trace of any activity. However, this difficulty compounds exponentially for organizations without the necessary visibility, practices, methodologies, or trusted partner relationships necessary to effectively detect and respond to these types of threats. This white paper shows that with the necessary visibility, planning, methodology, and analyst enablement, organizations can be successful against these types of threats.