#ThreatThursday - HoneyBee

    Welcome to another edition of #ThreatThursday. This week we look at Honeybee, a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. This post coincides with a talk I gave at EkoParty on Adversary Emulation. EkoParty is an Argentinian security conference and I wanted to find an actor that was actively operating and targeting their country. As usual, we consume Cyber Threat Intelligence, map to MITRE ATT&CK, create an adversary emulation plan, emulate the threat actor, and discuss how to detect and respond to an attack. We hope you enjoy it.

    Cyber Threat Intelligence

    This week we will introduce a different way to identify a threat actor, based on location. I was preparing an Adversary Emulation talk for an Argentinian security conference called EkoParty and wanted to pick a threat actor that was relevant to the audience. Thankfully, the search function on the ATT&CK site is thorough (although not as quick as desired) and I was able to find a single threat actor that was mapped to Argentina as shown in Figure 1:

    Figure 1: Searching MITRE ATT&CK site for Argentina

    Lucky for us, MITRE had already done the mapping to the Cyber Threat Intelligence provided by McAfee in this post as shown in Figure 2:

    Figure 2: HoneyBee ATT&CK Navigator Layer

    Adversary Emulation Plan

    Reviewing the Cyber Threat Intelligence report and MITRE ATT&CK mapping, we organize the TTPs by Tactic and create a threat profile for Honeybee:

     

    Tactic

    Description

    Summary

    Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018.

    Command and Control

    T1071 - Application Layer Protocol

    T1071.001 - Web Protocols

    T1219 - Remote Access Software

    T1573 - Encrypted Channel

    Execution

    T1059 - Command and Scripting Interpreter

    T1059.001 - PowerShell

    T1059.003 - Windows Command Shell

    T1053 - Scheduled Task/Job

    T1053.005 - Scheduled Task

    Defense Evasion

    T1036 - Masquerading

    T1036.004 - Masquerade Task or Service

    T1218 - Signed Binary Proxy Execution

    T1218.011 - Rundll32

    T1553 - Subvert Trust Controls

    T1553.002 - Code Signing

    Discovery

    T1007 - System Service Discovery

    T1057 - Process Discovery

    T1069 - Permission Groups Discovery

    T1082 - System Information Discovery

    T1518 - Software Discovery

    Privilege Escalation

    T1068 - Exploitation for Privilege Escalation

    T1548 - Abuse Elevation Control Mechanism

    T1548.002 - Bypass User Access Control

    Persistence

    T1543 - Create or Modify System Process

    T1543.003 - Windows Service

    Collection

    T1005 - Data from Local System

    T1074 - Data Staged

    T1560 - Archive Collected Data

    Exfiltration

    T1020 - Automated Exfiltration

    T1041 - Exfiltration Over C2 Channel


    The two main things that call out are that Honeybee uses File Transfer Protocol (FTP) as the Command and Control (C2) channel and they Abuse Elevation Control Mechanism: Bypass User Access Control. I could not recall off the top of my head which C2 frameworks have FTP as a channel so I visited the C2 Matrix site and looked for FTP. Unfortunately the only C2 is a commercial one by Immunity called INNUENDO. For this Adversary Emulation we will have to deviate and rely on our trusted HTTPS method.

    The second item is Abuse Elevation Control Mechanism: Bypass User Access Control. In this case, the user logging in already has administrative privileges but the process the attacker is running on is running with medium integrity. There are many methods to bypass this as documented in UACMe. For our example, we will use the simplest of methods, just ask.

    As usual, we have created an adversary emulation plan and shared it on our Community Threats GitHub. Shout out to Adam who worked on this emulation plan that takes advantage of our threat automation language. The first steps check the integrity of the process, if it is not high, it will try to escalate. If it is high, then it goes through the automation which requires that privilege to emulate Honeybee.

    Don’t Get Stung by HoneyBee

    The most interesting and differentiating TTP I identified about Honeybee is it uses File Transfer Protocol (FTP) as a Command and Control (C2) channel. Most organizations probably do not need to allow FTP at all and therefore blocking the FTP protocol from ingress and egress would be the ideal preventive measure. FTP uses TCP port 20 and 21 and both should be blocked inbound and outbound. If FTP must be allowed, I highly recommend having an Access Control Rule (ACL) to only allow it to the hosts/domains/IPs that you require connecting to.

    The second item I would focus on is least privilege. Honeybee uses UAC bypass to gain higher privilege. User Access Control (UAC) is a Windows security feature designed to split admin privileges from normal user privileges. It is implemented by Windows via “token integrity levels”:

    • Low: Restricted privileges
    • Medium: Normal user privilege
    • High: Administrator privileges
    • SYSTEM: Highest Windows privilege

    UAC prevents a user with administrator privileges in a medium integrity context from performing admin tasks without approval via a UAC prompt. The best solution here is to have standard user accounts and admin user accounts that only login for administrative functions.

    Conclusion

    This week we covered identifying a threat actor based on the country they have operated against as I prepared to present at EkoParty, an Argentinian security conference. We identified Honeybee as a threat actor that has operated in Argentina, consumed cyber threat intelligence, built and shared an adversary emulation plan, and covered how to defend against it. We hope you enjoyed this week’s Threat Thursday.

    This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

    About SCYTHE

    SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io

    Latest Posts

    Threat Thursday: March
    Threat Thursday: March
    March 21,2024
    Threat Thursday: February
    Threat Thursday: February
    February 22,2024
    Threat Thursday: January
    Threat Thursday: January
    January 18,2024
    Threat Thursday Buzz
    Threat Thursday Buzz
    November 16,2023
    Threat Emulation: APT36
    Threat Emulation: APT36
    July 27,2023

    Related Threat Thursday