The NCSC has recently detected massive malicious activity by known threat actors aimed at harvesting sensitive data (such as user credentials). These threat actors target organizations by brute forcing access to Exchange servers, VPN gateways, and portal service pages in order to obtain valid credentials.
Techniques observed during this campaign include, but are not limited to:
• Brute forcing and cracking a remote authentication service.
• Exploiting an SMB vulnerability in Windows.
• A tool that identifies a variety of devices from a large number of known routers.
• Enumerating subdomains of websites using OSINT.
• A tool for searching email in a Microsoft Exchange environment for specific terms.
Threat actors are using multiple IPs and C2 servers to conduct these activities: the majority of these IPs are located inside the Kingdom of Saudi Arabia, in addition to external Virtual Private Servers located in multiple countries.
The NCSC has detected a new Advanced Persistent Threat (APT) that is targeting Saudi Arabia. The observed malicious activity is PowerShell-based malware that connects to multiple known-bad domains. The malicious PowerShell uses HTTP tunneling to communicate with its command and control domains; the HTTP requests and responses contain data exfiltrated from infected machines or commands to be executed by the threat actor.
The following two techniques have been observed in the delivery and installation stages:
Most of the samples observed were Microsoft Office files containing a macro or a linked object, delivered through spear-phishing emails. Additionally, the malicious documents are sometimes compressed in a password-protected RAR file to evade mail protection mechanisms; the password is usually included in the email body.
Some samples were delivered using watering-hole or similar techniques such as cross-site scripting. Infections were observed through compromised legitimate websites, where the user is redirected to a malicious website and asked to download a malicious executable. The malicious file infects the machine with the same VBS and PowerShell scripts.
To detect such malicious activities, the NCSC recommends the following actions:
• Review proxy logs, the SIEM, or next-generation firewall logs for query strings in HTTP requests that follow the pattern below:
• HTTP requests to explicit IPs with no domain names.
• A high volume of HTTP traffic going to one IP or domain.
• HTTP connections to: 184.108.40.206 & 220.127.116.11
• Review the email gateway for emails with password-protected attachments or Office attachments with macros that have either been blocked or alerted on.
• Increased usage of PowerShell on endpoints and servers.
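The HTTP indicators above can be checked mechanically against proxy logs. The Python below is an added example, not NCSC code: it assumes a Squid-style access log (the sample lines are constructed), takes the two C2 addresses from the alert, and treats the per-destination volume threshold as a tunable assumption.

```python
"""Triage proxy log lines for the HTTP indicators listed in the alert.
Added example, not NCSC code. Assumes a Squid-style access log; the
sample lines are constructed. The two C2 addresses come from the alert."""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

KNOWN_BAD_IPS = {"184.108.40.206", "220.127.116.11"}  # from the alert
VOLUME_THRESHOLD = 3  # assumed: flag a destination with this many requests or more

# Constructed lines: time elapsed client action/code size method URL
SAMPLE_LOG = """\
1494576001.001 120 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/index.html
1494576002.002 130 10.0.0.5 TCP_MISS/200 640 GET http://184.108.40.206/api?c=dir
1494576003.003 110 10.0.0.7 TCP_MISS/200 640 GET http://184.108.40.206/api?c=whoami
1494576004.004 115 10.0.0.7 TCP_MISS/200 640 POST http://184.108.40.206/api
1494576005.005 140 10.0.0.9 TCP_MISS/200 300 GET http://203.0.113.8/update.php
1494576006.006 125 10.0.0.5 TCP_MISS/200 700 GET http://cdn.example.net/lib.js
"""


def is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text: str, volume_threshold: int = VOLUME_THRESHOLD) -> dict:
    """Return known-bad hits, bare-IP requests and high-volume destinations."""
    hits = {"known_bad": [], "bare_ip": [], "high_volume": []}
    per_host = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed line
        client, url = fields[2], fields[6]
        host = urlsplit(url).hostname or ""
        per_host[host] += 1
        if host in KNOWN_BAD_IPS:
            hits["known_bad"].append((client, host))
        elif is_bare_ip(host):
            hits["bare_ip"].append((client, host))
    hits["high_volume"] = [h for h, n in per_host.items() if n >= volume_threshold]
    return hits
```

A bare-IP destination that is not on the known-bad list still warrants a look, which is why the two findings are reported separately.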
It is recommended to have the following controls in place in order to identify and prevent similar activity:
• Upgrade to PowerShell version 5 and remove older versions.
• Enable Module Logging, Script Block Logging and Transcript Logging in PowerShell version 5.
• Implement application whitelisting throughout the organization; this also needs to cover the execution of PowerShell scripts. Only allow the specific scripts that you need to run, if any, especially on public-facing servers.
• Prevent the execution of executables and scripts from user-controlled folders, such as C:\Users\<Username>, and from temporary folders, such as C:\Windows\Temp.
• Use email filtering to scan and block incoming email for macro-enabled documents and other malicious files such as executables, Windows Script Host files and HTA files.
• Implement a File Integrity Monitoring (FIM) solution on the web root of all internet-facing applications, such as web applications, email and VPN portals. It is critical to alert on any unauthorized modification to those servers, as this may indicate a successful attack.
The NCSC has detected new activity related to previous campaigns, in which new tools and malicious files from a known threat actor have been observed. The observed behaviour uses a new malicious HTA document: in this wave, the threat actor used an HTA file containing two malicious executable files that use the DNS protocol as a channel for command and control communication.
1. Prevent HTA files from being run, using Software Restriction Policies or Device Guard on Microsoft systems.
2. Change the program that opens HTA files from the default “mshta” to Notepad, so that the malware will not run and the file is instead opened in Notepad.
3. Block any HTA-type attachment or file at the email gateway.
4. Update operating systems and applications continuously, especially with security updates.
5. Keep monitoring the mentioned IOCs.
6. Monitor DNS protocol logs.
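Monitoring DNS logs for a DNS-based C2 channel means looking for what such a channel cannot hide: many unique, long, high-entropy labels under one registered domain. The Python below is an added example, not NCSC code; its query lines are constructed and its thresholds are assumptions to be tuned against the organization’s own baseline.

```python
"""Heuristics over DNS query logs for the DNS-channel C2 described in the alert.
Added example, not NCSC code; sample queries are constructed, thresholds are assumptions."""
import math
from collections import defaultdict

# Constructed query log: "<client> <queried name>" per line.
SAMPLE_QUERIES = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 q7x2mzk9ab3vhc4npd8wtf6y.c2-example.test
10.0.0.7 r5u1lgje0sio2kf8bcdnmvxz.c2-example.test
10.0.0.7 gh3jk7lm2pq9rs4tuv6wx8yz.c2-example.test
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far above plain words."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def registered_domain(name: str) -> str:
    """Crude: the last two labels. Production code should use a public suffix list."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def analyze(log_text: str, min_unique=3, max_label=20, min_entropy=3.5) -> dict:
    """Per registered domain: many unique subdomains, long labels, high-entropy labels."""
    subdomains, clients = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # malformed line
        client, name = parts
        dom = registered_domain(name)
        subdomains[dom].add(name)
        clients[dom].add(client)
    findings = {}
    for dom, names in subdomains.items():
        labels = [lbl for n in names for lbl in n.split(".")[:-2]]
        reasons = []
        if len(names) >= min_unique:
            reasons.append("many_unique_subdomains")
        if labels and max(len(lbl) for lbl in labels) >= max_label:
            reasons.append("long_label")
        if labels and max(shannon_entropy(lbl) for lbl in labels) >= min_entropy:
            reasons.append("high_entropy_label")
        if reasons:
            findings[dom] = {"reasons": reasons, "clients": sorted(clients[dom])}
    return findings
```

CDN and cloud provider domains legitimately produce many unique subdomains, so the count heuristic alone is noisy; the three signals together are what make a domain worth an analyst’s time.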
As the NCSC’s mission is to help protect the national cyber space, the NCSC would like to share the following alert with you:
The NCSC has detected a massive dump of credentials on a suspicious server and recommends, as a minimum:
1. Implement strict password policies, as many of the published passwords are considered weak.
2. Implement adequate security controls for any web-facing authentication service. Those controls should include lockout policies and multi-factor authentication.
3. If the organization has not forced users to change passwords in the last 6 months, it is critical to do so as soon as possible.
4. Ensure that no corporate email address is used on public sites.
The NCSC is providing these recommendations; it is each entity’s responsibility to ensure the proper fix based on its infrastructure design and business needs, and to apply what meets its requirements.
The NCSC would like to warn all organizations in the Kingdom about a new ransomware campaign called “WannaCry”. The “WannaCry” ransomware has been massively distributed worldwide starting from 12th May 2017, encrypting all files on infected systems. The “WannaCry” ransomware uses the MS17-010 vulnerability to spread through the network. The NCSC is working to identify infected organizations in Saudi Arabia, if any, and to help protect them as required. The NCSC will provide updates as they become available.
1. Make sure all systems have deployed Microsoft patch MS17-010.
2. Please be aware that Microsoft has announced a new update for the same vulnerability (MS17-010) for Windows 2003/XP. Please make sure to update your systems accordingly.
3. Review all ports that are accessible from the internet. DISABLE/BLOCK the NetBIOS and SMB ports (135, 139 and 445) from listening for external connections.
4. Make sure you have a process in place, and that it is implemented, for offline full backups of all critical systems/applications to backup tapes/hard drives.
A set of malicious tools that exploit several Microsoft vulnerabilities has been leaked. Microsoft had already released a set of patches last month for all supported operating systems, most notably the patch in Microsoft Security Bulletin MS17-010. Many organizations may not yet have applied the patches, which may put their networks at high risk.
1- Review all open ports on your network that are accessible from the internet. It is highly recommended to disable the NetBIOS and SMB ports (135, 139 and 445) from listening for external connections.
2- Immediately upgrade all servers running on unsupported operating systems, i.e. Windows XP, Windows 2003 and Windows Vista. Those versions have working exploits without any patches.
3- Immediately apply the security patches specified in the Microsoft Security Bulletin referenced above.
4- Immediately disable any web server running on Windows Server 2003 with WebDAV enabled.
5- Immediately disable any publicly accessible RDP port on Windows Server 2003.
6- Disable all RDP ports exposed to the internet. If there is a critical business need to enable them, then strict security controls must be in place, such as, but not limited to, two-factor authentication, monitoring of incoming connections and strict password policies. Domain Admins should never have RDP access rights.
As the NCSC’s mission is to help protect the national cyber space in Saudi Arabia, the NCSC would like to warn all organizations in the Kingdom that it has detected a massive phishing email campaign targeting multiple organizations in the Kingdom. The phishing emails are fake and carry a malicious PDF file.
1- Immediately delete the phishing email from the email gateway and from mailboxes (if possible).
2- Identify all systems that received the phishing email.
3- Isolate the infected systems from the network.
4- Investigate the infected systems.
5- For more details, refer to Alert # 1704037 (sent by email).
As the NCSC’s mission is to help protect the country’s cyber space, the NCSC would like to warn all organizations in the Kingdom, as the center has noticed that many organizations were infected in destructive attacks using the SHAMOON2 malware. The NCSC believes other waves may come if the proper measures are not implemented. The observed attack chain proceeds as follows:
1- Gathering (scanning) information about the organization using multiple sources.
2- Gaining access to the network in one of two ways: brute force or phishing emails, repeating these steps until domain admin credentials are obtained.
3- Lateral movement and access to the critical servers (domain controllers or Exchange server).
4- Using PsExec.exe to distribute the 32-bit SHAMOON2 malware ntermgr32.exe and a batch script ntertmgr.bat into the local \SystemRoot\Windows\System32\ folder of all reachable systems in the network.
5- Scanning and manually accessing the backup servers to delete the backups (if available).
6- Using PsExec.exe to run the batch script, which executes the SHAMOON2 malware and destroys the systems.
• Please refer to the NCSC RECOMMENDATION: Recent Attacks Protection and Detection Steps.
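Steps 4 and 6 of this chain leave two host-side traces a defender can correlate: a PsExec service installation (PSEXESVC) and the drop of the two named files into System32, repeated from one account across many hosts. The Python below is an added example, not NCSC code; its events are constructed in a simplified System-log/Sysmon shape, and the fan-out threshold is an assumption.

```python
"""Detect the PsExec distribution step (steps 4 and 6 of the chain) in host events.
Added example, not NCSC code. Events are constructed in a simplified
System-log/Sysmon shape; the field layout is an assumption, not a vendor schema."""
from collections import defaultdict

DROPPED_NAMES = {"ntermgr32.exe", "ntertmgr.bat"}  # file names quoted in the alert
FANOUT_THRESHOLD = 3  # assumed: one account installing PsExec on this many hosts

# Constructed events: (timestamp, host, event_id, account, detail)
# 7045 = "service installed" (System log); 11 = Sysmon FileCreate
SAMPLE_EVENTS = [
    (1000, "WS01", 7045, "CORP\\admin1", "PSEXESVC"),
    (1001, "WS01", 11, "CORP\\admin1", "C:\\Windows\\System32\\ntermgr32.exe"),
    (1002, "WS01", 11, "CORP\\admin1", "C:\\Windows\\System32\\ntertmgr.bat"),
    (1010, "WS02", 7045, "CORP\\admin1", "PSEXESVC"),
    (1011, "WS02", 11, "CORP\\admin1", "C:\\Windows\\System32\\ntermgr32.exe"),
    (1020, "SRV03", 7045, "CORP\\admin1", "PSEXESVC"),
    (1500, "WS09", 7045, "CORP\\svc_backup", "BackupAgent"),
    (1600, "WS09", 11, "CORP\\jdoe", "C:\\Users\\jdoe\\report.docx"),
]


def classify(event):
    """Return the indicator name an event matches, or None."""
    _, _, event_id, _, detail = event
    if event_id == 7045 and detail.upper() == "PSEXESVC":
        return "psexec_service_install"
    path = detail.lower()
    if event_id == 11 and "\\system32\\" in path and path.split("\\")[-1] in DROPPED_NAMES:
        return "shamoon2_file_drop"
    return None


def detect(events, fanout_threshold=FANOUT_THRESHOLD):
    """Flag hosts with matching events and accounts that pushed PsExec to many hosts."""
    host_hits = defaultdict(list)     # host -> matched indicators
    psexec_hosts = defaultdict(set)   # account -> hosts where PSEXESVC was installed
    for ev in events:
        kind = classify(ev)
        if kind is None:
            continue
        _, host, _, account, _ = ev
        host_hits[host].append(kind)
        if kind == "psexec_service_install":
            psexec_hosts[account].add(host)
    fanout = {a: sorted(h) for a, h in psexec_hosts.items() if len(h) >= fanout_threshold}
    return {"hosts": dict(host_hits), "fanout_accounts": fanout}
```

Administrators do use PsExec legitimately, so the fan-out view (one account, many hosts, short window) is the part worth alerting on; a single PSEXESVC install is context, not an incident.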
As the NCSC’s mission is to help protect the national cyber space in Saudi Arabia, the NCSC would like to warn all organizations in the Kingdom that it has detected massive outbound FTP and SSH connections from Saudi organizations to known-bad Command & Control (C2) servers or bad-reputation IPs/domains. The identified suspicious servers contain multiple suspicious executable files and other leaked documents.
• Block all insecure protocols, whether incoming or outgoing, such as TFTP, FTP and Telnet, and replace them with secure protocols.
• Review all outgoing FTP and SSH traffic from the last month and investigate any abnormal behaviour.