Welcome to another edition of #ThreatThursday. This week we look at Honeybee, a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. This post coincides with a talk I gave at EkoParty on Adversary Emulation. EkoParty is an Argentinian security conference and I wanted to find an actor that was actively operating and targeting their country. As usual, we consume Cyber Threat Intelligence, map to MITRE ATT&CK, create an adversary emulation plan, emulate the threat actor, and discuss how to detect and respond to an attack. We hope you enjoy it.
This week we will introduce a different way to identify a threat actor, based on location. I was preparing an Adversary Emulation talk for an Argentinian security conference called EkoParty and wanted to pick a threat actor that was relevant to the audience. Thankfully, the search function on the ATT&CK site is thorough (although not as quick as desired) and I was able to find a single threat actor that was mapped to Argentina as shown in Figure 1:
Lucky for us, MITRE had already done the mapping to the Cyber Threat Intelligence provided by McAfee in this post as shown in Figure 2:
Reviewing the Cyber Threat Intelligence report and MITRE ATT&CK mapping, we organize the TTPs by Tactic and create a threat profile for Honeybee:
The two main things that stand out are that Honeybee uses File Transfer Protocol (FTP) as the Command and Control (C2) channel and that it uses Abuse Elevation Control Mechanism: Bypass User Account Control. I could not recall off the top of my head which C2 frameworks offer FTP as a channel, so I visited the C2 Matrix site and looked for FTP. Unfortunately the only C2 listed is a commercial one by Immunity called INNUENDO. For this adversary emulation we will have to deviate and rely on our trusted HTTPS method.
The second item is Abuse Elevation Control Mechanism: Bypass User Account Control. In this case, the logged-in user already has administrative privileges, but the process the attacker controls is running at medium integrity. There are many methods to bypass this, as documented in UACMe. For our example, we will use the simplest of methods: just ask, i.e. trigger the UAC prompt and rely on the user approving it.
As usual, we have created an adversary emulation plan and shared it on our Community Threats GitHub. Shout out to Adam, who worked on this emulation plan that takes advantage of our threat automation language. The first steps check the integrity level of the process: if it is not high, the plan tries to escalate; if it is high, it proceeds through the automation, which requires that privilege to emulate Honeybee.
The most interesting and differentiating TTP I identified for Honeybee is its use of File Transfer Protocol (FTP) as a Command and Control (C2) channel. Most organizations probably do not need to allow FTP at all, so blocking the FTP protocol on both ingress and egress is the ideal preventive measure. FTP uses TCP ports 20 and 21, and both should be blocked inbound and outbound. If FTP must be allowed, I highly recommend an Access Control List (ACL) that only permits it to the hosts/domains/IPs you actually need to reach.
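To show what the ACL recommendation above looks like as a detection, here is an added example (not SCYTHE's code or part of the emulation plan) that runs over constructed firewall log lines and flags allowed outbound FTP connections to any destination not on a constructed allowlist; the log format, addresses and allowlist are all assumptions for illustration.

```python
"""Flag FTP egress that is not covered by the approved-destination ACL.

Added example for this post, not SCYTHE's code. The log format, hosts
and the allowlist below are constructed for illustration.
"""
from collections import Counter
import ipaddress

FTP_PORTS = {20, 21}  # FTP data (active mode) and control channel

# Constructed sample: "timestamp action src:sport -> dst:dport/proto"
SAMPLE_LOG = """\
2021-11-04T10:01:12Z allow 10.0.5.23:51422 -> 203.0.113.10:21/tcp
2021-11-04T10:01:13Z allow 10.0.5.23:51423 -> 203.0.113.10:20/tcp
2021-11-04T10:02:40Z allow 10.0.5.41:49877 -> 198.51.100.77:443/tcp
2021-11-04T10:03:05Z allow 10.0.5.41:49901 -> 198.51.100.77:21/tcp
2021-11-04T10:03:06Z allow 10.0.5.41:49902 -> 198.51.100.77:21/tcp
2021-11-04T10:05:59Z allow 10.0.5.9:53001 -> 192.0.2.15:21/tcp
2021-11-04T10:06:00Z deny  10.0.5.9:53002 -> 192.0.2.15:21/tcp
"""

# Constructed ACL: the one partner FTP server the business actually needs.
APPROVED_FTP_DESTINATIONS = {ipaddress.ip_address("203.0.113.10")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed

def parse_line(line):
    """Return (action, src_ip, dst_ip, dport, proto) for one log line."""
    _ts, action, src, _arrow, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, rest = dst.rsplit(":", 1)
    dport, proto = rest.split("/")
    return action, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dport), proto

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def find_unapproved_ftp_egress(log_text):
    """Return allowed, outbound FTP connections whose destination is not on the ACL."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        action, src, dst, dport, proto = parse_line(line)
        if action != "allow" or proto != "tcp" or dport not in FTP_PORTS:
            continue  # denied already, not FTP, or not TCP
        if is_internal(src) and not is_internal(dst) and dst not in APPROVED_FTP_DESTINATIONS:
            findings.append((str(src), str(dst), dport))
    return findings

def summarize(findings):
    """Count offending connections per (source, destination) pair."""
    return Counter((s, d) for s, d, _ in findings)

if __name__ == "__main__":
    for (src, dst), n in summarize(find_unapproved_ftp_egress(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {n} FTP connection(s) outside the approved list")
```

Denied connections are skipped because the firewall already stopped them; the interesting output is what was allowed through to hosts the ACL does not name.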
The second item I would focus on is least privilege. Honeybee uses a UAC bypass to gain higher privilege. User Account Control (UAC) is a Windows security feature designed to separate administrative privileges from standard user privileges. Windows implements it via “token integrity levels”:
UAC prevents a user with administrator privileges who is running in a medium-integrity context from performing admin tasks without approval via a UAC prompt. The best solution here is to have separate standard user accounts and admin accounts, with the admin accounts used only to log in for administrative functions.
This week we covered identifying a threat actor based on the country they have operated against as I prepared to present at EkoParty, an Argentinian security conference. We identified Honeybee as a threat actor that has operated in Argentina, consumed cyber threat intelligence, built and shared an adversary emulation plan, and covered how to defend against it. We hope you enjoyed this week’s Threat Thursday.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.