Threat Thursday

SCYTHE Library: #ThreatThursday - HoneyBee

Written by Jorge Orchilles | Sep 17, 2020 4:00:00 AM

Welcome to another edition of #ThreatThursday. This week we look at Honeybee, a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. This post coincides with a talk I gave at EkoParty on Adversary Emulation. EkoParty is an Argentinian security conference and I wanted to find an actor that was actively operating and targeting their country. As usual, we consume Cyber Threat Intelligence, map to MITRE ATT&CK, create an adversary emulation plan, emulate the threat actor, and discuss how to detect and respond to an attack. We hope you enjoy it.

Cyber Threat Intelligence

This week we will introduce a different way to identify a threat actor, based on location. I was preparing an Adversary Emulation talk for an Argentinian security conference called EkoParty and wanted to pick a threat actor that was relevant to the audience. Thankfully, the search function on the ATT&CK site is thorough (although not as quick as desired) and I was able to find a single threat actor that was mapped to Argentina as shown in Figure 1:

Figure 1: Searching MITRE ATT&CK site for Argentina

Lucky for us, MITRE had already done the mapping to the Cyber Threat Intelligence provided by McAfee in this post as shown in Figure 2:

Figure 2: HoneyBee ATT&CK Navigator Layer

Adversary Emulation Plan

Reviewing the Cyber Threat Intelligence report and MITRE ATT&CK mapping, we organize the TTPs by Tactic and create a threat profile for Honeybee:

 

Tactic

Description

Summary

Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018.

Command and Control

T1071 - Application Layer Protocol

T1071.001 - Web Protocols

T1219 - Remote Access Software

T1573 - Encrypted Channel

Execution

T1059 - Command and Scripting Interpreter

T1059.001 - PowerShell

T1059.003 - Windows Command Shell

T1053 - Scheduled Task/Job

T1053.005 - Scheduled Task

Defense Evasion

T1036 - Masquerading

T1036.004 - Masquerade Task or Service

T1218 - Signed Binary Proxy Execution

T1218.011 - Rundll32

T1553 - Subvert Trust Controls

T1553.002 - Code Signing

Discovery

T1007 - System Service Discovery

T1057 - Process Discovery

T1069 - Permission Groups Discovery

T1082 - System Information Discovery

T1518 - Software Discovery

Privilege Escalation

T1068 - Exploitation for Privilege Escalation

T1548 - Abuse Elevation Control Mechanism

T1548.002 - Bypass User Access Control

Persistence

T1543 - Create or Modify System Process

T1543.003 - Windows Service

Collection

T1005 - Data from Local System

T1074 - Data Staged

T1560 - Archive Collected Data

Exfiltration

T1020 - Automated Exfiltration

T1041 - Exfiltration Over C2 Channel


The two main things that call out are that Honeybee uses File Transfer Protocol (FTP) as the Command and Control (C2) channel and they Abuse Elevation Control Mechanism: Bypass User Access Control. I could not recall off the top of my head which C2 frameworks have FTP as a channel so I visited the C2 Matrix site and looked for FTP. Unfortunately the only C2 is a commercial one by Immunity called INNUENDO. For this Adversary Emulation we will have to deviate and rely on our trusted HTTPS method.

The second item is Abuse Elevation Control Mechanism: Bypass User Access Control. In this case, the user logging in already has administrative privileges but the process the attacker is running on is running with medium integrity. There are many methods to bypass this as documented in UACMe. For our example, we will use the simplest of methods, just ask.

As usual, we have created an adversary emulation plan and shared it on our Community Threats GitHub. Shout out to Adam who worked on this emulation plan that takes advantage of our threat automation language. The first steps check the integrity of the process, if it is not high, it will try to escalate. If it is high, then it goes through the automation which requires that privilege to emulate Honeybee.

Don’t Get Stung by HoneyBee

The most interesting and differentiating TTP I identified about Honeybee is it uses File Transfer Protocol (FTP) as a Command and Control (C2) channel. Most organizations probably do not need to allow FTP at all and therefore blocking the FTP protocol from ingress and egress would be the ideal preventive measure. FTP uses TCP port 20 and 21 and both should be blocked inbound and outbound. If FTP must be allowed, I highly recommend having an Access Control Rule (ACL) to only allow it to the hosts/domains/IPs that you require connecting to.

The second item I would focus on is least privilege. Honeybee uses UAC bypass to gain higher privilege. User Access Control (UAC) is a Windows security feature designed to split admin privileges from normal user privileges. It is implemented by Windows via “token integrity levels”:

  • Low: Restricted privileges
  • Medium: Normal user privilege
  • High: Administrator privileges
  • SYSTEM: Highest Windows privilege

UAC prevents a user with administrator privileges in a medium integrity context from performing admin tasks without approval via a UAC prompt. The best solution here is to have standard user accounts and admin user accounts that only login for administrative functions.

Conclusion

This week we covered identifying a threat actor based on the country they have operated against as I prepared to present at EkoParty, an Argentinian security conference. We identified Honeybee as a threat actor that has operated in Argentina, consumed cyber threat intelligence, built and shared an adversary emulation plan, and covered how to defend against it. We hope you enjoyed this week’s Threat Thursday.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io