Executive summary
On April 21, 2023, AT&T Managed Extended Detection and Response (MXDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed that the attacker used AuKill malware on the client's print server to disable the server's installed EDR solution, SentinelOne, by brute-forcing an administrator account and downgrading a driver to a vulnerable version.
AuKill, first identified by Sophos X-Ops researchers in June 2021, is a sophisticated malware designed to target and neutralize specific EDR solutions, including SentinelOne and Sophos. Distributed as a dropper, AuKill drops a vulnerable driver named PROCEXP.SYS (from Process Explorer release version 16.32) into the system's C:\Windows\System32\drivers folder. This malware has been observed in the wild, used by ransomware groups to bypass endpoint protection measures and effectively spread ransomware variants such as Medusa Locker and LockBit on vulnerable systems.
In this case, SentinelOne managed to isolate most of the malicious files before being disabled, preventing a full-scale ransomware incident. Consequently, AT&T MXDR found no evidence of data exfiltration or encryption. Despite this, the client opted to rebuild the print server as a precautionary measure. This case study provides an in-depth analysis of the attack and offers recommendations to mitigate the risk of future attacks.
Investigating the first phase of the attack
Initial intrusion
The targeted asset was the print server, which we found unusual. However, upon further investigation we concluded that the attacker had misidentified the asset as a Domain Controller (DC), because it had recently been repurposed from a DC to a print server. The attacker needed both local administrator credentials and kernel-level access to successfully run AuKill and disable SentinelOne on the asset. To obtain these local administrator credentials, the attacker successfully brute-forced an administrator account. Shortly after the compromise, this account was observed making unauthorized registry modifications.
Establishing a beachhead
After compromising the local administrator account, the attackers used the "Users\Administrator\Music\aSentinel" folder as a staging area for subsequent phases of their attack. All AuKill-related binaries and scripts were executed from this path, with the innocuous "Music" folder name helping to conceal their malicious activities.
AuKill malware has been found to operate using two Windows services named "aSentinel.exe" and "aSentinelX.exe" in its SentinelOne variant. In other variants, it targets different EDRs, such as Sophos, by using corresponding Windows services like "aSophos.exe" and "aSophosX.exe".
Establishing persistence
We also discovered "aSentinel.exe" running from "C:\Windows\system32", indicating that the attackers attempted to establish a foothold on the compromised server. Malware authors frequently target the system32 folder because it is a trusted location, and security software may not scrutinize files within it as closely as those in other locations. This can help malware bypass security measures and remain hidden. It is likely that the malware was initially placed in the "Users\Administrator\Music\aSentinel" directory and later copied to the system32 directory for persistence.
Network reconnaissance
Our investigation also revealed that PCHunter, a publicly available utility previously exploited in ransomware incidents like Dharma, was running from the "Users\Administrator\Music\aSentinel" directory. This suggests that the attackers used PCHunter as a reconnaissance tool to survey the client's network before deploying the EDR killer malware. Additionally, PCHunter enables threat actors to terminate programs and interface directly with the Windows kernel, which aligns with the needs of the attacker. We observed PCHunter generating several randomly named .sys files, as illustrated below:
Preventing data recovery
We found that the attacker deleted volume shadow copies from the print server. Windows creates these copies to restore files and folders to earlier versions in case of data loss. By removing the shadow copies, the attacker was attempting to make it more difficult for our client to recover their files if they were successfully encrypted. Although no ransomware was deployed, the deletion of shadow copies reveals the attackers' intentions. This information, together with the use of PCHunter and the staging of the EDR killer malware, paints a more complete picture of the attacker's goals and tactics.
Bypassing native Windows security
With all these pieces in place, the attacker finally needed to acquire kernel-level access. Despite gaining administrator rights early on, the attacker did not have enough control over the system to kill SentinelOne at that time. EDR solutions are categorized as critical by Windows and are protected from being turned off by attackers when they escalate privileges. To successfully circumvent these safeguards, the attacker would need to travel one level deeper into the operating system and gain kernel-level access to the machine.
Investigating the second phase of the attack
Dropping the vulnerable driver
Our team discovered that AuKill had replaced the existing Process Explorer driver, PROCEXP152.sys, with an outdated and vulnerable version named PROCEXP.SYS (from Process Explorer release version 16.32), located in the C:\Windows\System32\drivers directory. The alarm screenshot below demonstrates how AuKill swapped the existing driver with this older version, making the system susceptible to further exploitation.
Windows includes a security feature called Driver Signature Enforcement, which ensures that kernel-mode drivers are signed by a valid code signing authority before they can run. To bypass this security measure, the attackers exploited the insecure PROCEXP.SYS driver, which was produced and signed by Microsoft at an earlier date. As demonstrated in the SentinelOne screenshot below, the driver is signed and verified by Microsoft. Additionally, the originating process was aSentinel.exe, an executable created to disable SentinelOne.
Acquiring kernel-level access
Process Explorer, a legitimate system monitoring tool developed by Microsoft's Sysinternals team, enables administrators to examine and manage applications' running processes, as well as their associated threads, handles, and DLLs.
Upon startup, Process Explorer loads a signed kernel-mode driver, facilitating interaction with the system's kernel, which is responsible for managing hardware and resources. Normally, that driver is PROCEXP152.sys. The attacker replaced the PROCEXP152.sys driver on the print server with the exploitable PROCEXP.SYS, using what is known as a BYOVD (Bring Your Own Vulnerable Driver) attack. The attacker used this technique to exploit the now-vulnerable kernel-mode driver and gain the kernel-level access they needed to successfully kill SentinelOne.
Killing SentinelOne
The kernel-mode driver used by Process Explorer has the unique ability to terminate handles that are inaccessible even to administrators. A handle is an identifier that corresponds to a specific resource opened by a process, such as a file or a registry key. At this point, AuKill hijacked Process Explorer's kernel driver to specifically target protected handles associated with SentinelOne processes running on the print server. AuKill then generated several threads to ensure that these EDR processes remained disabled and did not resume. Each thread focused on a certain SentinelOne component and regularly checked whether the targeted processes were active. If they were, AuKill would terminate them.
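The indicators from the two phases above can be turned into detection logic. The following is an added example, not code from the original report or from AT&T: it runs over constructed endpoint events and flags the "Music\aSentinel" staging folder, the aSentinel/aSophos binaries, the PROCEXP.SYS drop into the drivers folder, and the copy into system32. The event schema (type, image, target) is an assumption about what an EDR or Sysmon-style feed would provide.

```python
import re

# Indicators taken from the incident narrative; paths are written as Windows telemetry reports them.
EDR_KILLER_IMAGES = {"asentinel.exe", "asentinelx.exe", "asophos.exe", "asophosx.exe"}
STAGING_DIR = re.compile(r"\\Users\\[^\\]+\\Music\\aSentinel\\", re.IGNORECASE)
DRIVERS_DIR = re.compile(r"\\Windows\\System32\\drivers\\[^\\]+$", re.IGNORECASE)
SYSTEM32_DIR = re.compile(r"\\Windows\\System32\\[^\\]+$", re.IGNORECASE)
VULNERABLE_DRIVERS = {"procexp.sys"}  # Process Explorer 16.32 driver abused in this incident


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> set[str]:
    """Return the AuKill indicators that a single endpoint event matches."""
    hits: set[str] = set()
    image, target = event.get("image", ""), event.get("target", "")
    if basename(image) in EDR_KILLER_IMAGES or basename(target) in EDR_KILLER_IMAGES:
        hits.add("edr_killer_binary")
    if STAGING_DIR.search(image) or STAGING_DIR.search(target):
        hits.add("music_staging_dir")
    if event.get("type") == "file_write":
        # Vulnerable driver written into the drivers folder (the BYOVD step).
        if DRIVERS_DIR.search(target) and basename(target) in VULNERABLE_DRIVERS:
            hits.add("vulnerable_driver_dropped")
        # EDR killer copied next to trusted binaries for persistence.
        if SYSTEM32_DIR.search(target) and basename(target) in EDR_KILLER_IMAGES:
            hits.add("system32_persistence_copy")
    return hits


def hunt(events: list[dict]) -> dict:
    """Aggregate hits across a host's events and report whether the full chain is present."""
    seen: set[str] = set()
    for ev in events:
        seen |= classify(ev)
    chain = {"music_staging_dir", "edr_killer_binary", "vulnerable_driver_dropped"}
    return {"indicators": sorted(seen), "byovd_chain": chain <= seen}


# Constructed sample telemetry modelled on the timeline described in the report.
SAMPLE_EVENTS = [
    {"type": "process_start", "image": "C:\\Windows\\System32\\spoolsv.exe", "target": ""},
    {"type": "process_start", "image": "C:\\Users\\Administrator\\Music\\aSentinel\\aSentinel.exe", "target": ""},
    {"type": "file_write", "image": "C:\\Users\\Administrator\\Music\\aSentinel\\aSentinel.exe",
     "target": "C:\\Windows\\System32\\drivers\\PROCEXP.SYS"},
    {"type": "file_write", "image": "C:\\Users\\Administrator\\Music\\aSentinel\\aSentinel.exe",
     "target": "C:\\Windows\\system32\\aSentinel.exe"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```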
Response
Customer interaction
At this point, the attacker had gained privileged access to the asset, deployed their malware, and successfully killed the endpoint protection solution, SentinelOne. Based on the Cyber Kill Chain methodology developed by Lockheed Martin, we can conclude that the attacker had now successfully reached the "Command and Control" stage. However, the attacker did not reach the "Actions on Objectives" stage, as SentinelOne managed to disrupt ransomware deployment enough before it was killed to prevent any further damage.
Any attempts to re-deploy malware or move laterally following the disablement of the EDR were thwarted by our team, who swiftly alerted the client to the activity and advised that the asset be taken offline and isolated from the rest of the network. Our team informed the client that the shadow copies had been deleted and SentinelOne had been turned off on their print server. After having our threat hunters thoroughly review their environment, we reassured the client that no sensitive information was exfiltrated or encrypted. In response to the attack, the client moved to rebuild their print server and reinstall SentinelOne.
Recommendations
As BYOVD attacks to bypass EDR software become more widespread, we strongly advise blacklisting outdated drivers with a known history of exploitation. Additionally, we encourage our clients to maintain an inventory of the drivers installed on their systems, ensuring they remain current and secure. Finally, we recommend bolstering the security of administrator accounts to defend against brute-force attacks, as the incident detailed in this blog post could not have transpired without the initial privileged user compromise.