of the ASPXSpy web shell that is used on internally accessible servers running Internet
Information Services (IIS).
TG-3390 also uses publicly available tools such as Windows Credential Editor (WCE),
gsecdump, WinRAR and nbtscan.
There is also some evidence that the group may be divided into teams. For example, after
penetrating the network, the attackers used the Baidu search engine to perform reconnaissance
on their target. This suggests that one team may not have known as much about the targeted
organization as the other.
RESPONSE TO EVICTION
Kicking TG-3390 out of an environment is easier said than done, and requires a coordinated
plan to remove all access points. Within weeks of eviction, the threat actors were seen
attempting to access their ChinaChopper web shells from previously used IP addresses. If the
web shells were inaccessible, the adversaries searched google.co.jp for remote access
solutions. CTU researchers discovered the threat actors searching for “[ACME] login,” which
directed the adversary to the landing page for remote access. The group attempted to re-enter
the environment by brute-forcing credentials for remote access solutions that do not require
two-factor authentication. After re-establishing access, the adversaries downloaded tools such as
gsecdump and WCE from legitimate websites they had previously compromised but never
used. CTU researchers believe legitimate websites are used to host tools because they are
categorized as safe by web proxies.
Once they have re-entered the environment, the threat actors focus on obtaining the Active
Directory contents, and have been able to regain a foothold in a network in just five hours.
FIGHTING BACK
As sophisticated as the group may be, there are steps organizations can take to protect
themselves. Among the most basic is mandating the use of two-factor authentication for all
remote access solutions. This would help prevent the attackers from re-entering the
environment after they have been booted out.
Organizations should also keep their third-party software patched, and remove local
administrator rights on employee machines unless those rights are necessary. Finally, Dell
SecureWorks recommends organizations audit ISAPI filters on Microsoft Exchange servers for
evidence of compromise.
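The ISAPI filter audit recommended above can be scripted. The following PowerShell is an added example written for this article, not code from Dell SecureWorks or from the CTU report: it reads the IIS applicationHost.config on the Exchange server, lists every registered ISAPI filter at server level and per site, and flags any filter DLL that is missing, unsigned, or not signed by Microsoft. It assumes the default IIS configuration path and that it is run in an elevated PowerShell session on the IIS host.

```powershell
# Added example (not from the CTU report or this article). Audits ISAPI filters registered
# in IIS and flags DLLs that are not Microsoft-signed. Run elevated on the Exchange/IIS host.
param(
    # Assumption: default IIS configuration location.
    [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
)

# applicationHost.config has no default XML namespace, so plain XPath works.
[xml]$config = Get-Content -Path $ConfigPath -Raw

# Collect <filter> elements from the server-level <isapiFilters> section and from every
# <location path="Site Name"> override (ISAPI filters can only be set at server or site scope).
$entries = foreach ($f in $config.SelectNodes("//isapiFilters/filter")) {
    $scope = "MACHINE/WEBROOT/APPHOST"
    $loc = $f.SelectSingleNode("ancestor::location")
    if ($null -ne $loc) { $scope = $loc.GetAttribute("path") }

    $enabled = $f.GetAttribute("enabled")
    if ([string]::IsNullOrEmpty($enabled)) { $enabled = "true" }   # IIS default when omitted

    [pscustomobject]@{
        Scope   = $scope
        Name    = $f.GetAttribute("name")
        Path    = [Environment]::ExpandEnvironmentVariables($f.GetAttribute("path"))
        Enabled = $enabled
    }
}

$report = foreach ($e in $entries) {
    $status = "FileMissing"; $signer = $null; $hash = $null

    if (Test-Path -LiteralPath $e.Path -PathType Leaf) {
        # Authenticode check covers embedded and (on Win8/2012+) catalog signatures.
        $sig = Get-AuthenticodeSignature -FilePath $e.Path
        $status = $sig.Status.ToString()
        if ($null -ne $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        # Hash for cross-referencing with other hosts or with threat intelligence.
        $hash = (Get-FileHash -LiteralPath $e.Path -Algorithm SHA256).Hash
    }

    # Anything that is not a validly Microsoft-signed DLL is worth a human look.
    $microsoftSigned = ($status -eq "Valid") -and ($signer -match "O=Microsoft Corporation")

    [pscustomobject]@{
        Scope           = $e.Scope
        Name            = $e.Name
        Path            = $e.Path
        Enabled         = $e.Enabled
        SignatureStatus = $status
        Signer          = $signer
        SHA256          = $hash
        Suspicious      = -not $microsoftSigned
    }
}

# Suspicious entries first; keep the full report for the incident record.
$report | Sort-Object Suspicious -Descending |
    Format-Table -AutoSize Scope, Name, Path, Enabled, SignatureStatus, Suspicious

$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\isapi-filter-audit.csv"
```

A filter marked Suspicious is not automatically malicious: a third-party product can legitimately register a filter, and the same check should be run against a known-clean Exchange server of the same version so that the expected set of filter names, paths and hashes is known before comparing. Any filter whose DLL lives outside the IIS or Exchange installation directories, is missing from disk, or was modified recently deserves the same attention as a web shell found on the box.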
Following these steps will go a long way towards keeping this set of bad guys off your network,
and could be the difference between a good night’s sleep and a data breach.
Cyber Warnings E-Magazine – August 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide