MicroSocks: Convenient access through a compromised SonicWall SMA

Introduction

In a recent investigation conducted by my colleague, Giuseppe Paternicola, it was discovered that the initial entry point that ultimately led to the deployment of the Abyss ransomware was a compromised SonicWall Secure Mobile Access (SonicWall SMA) device. The threat actor exploited CVE-2021-20039 to gain access (Authenticated Command Injection). Subsequent analysis of the SonicWall revealed that the attacker had placed two files on the device, as illustrated in Figure 1.

Figure 1: Files left behind by the attacker

We have identified the file named wafxSummary (refer to Figure 1) as a web shell (MD5 (wafxSummary) = b664a4701731651056c22c8d4cd3ed16). Truesec has extensively discussed this specific scenario in their highly informative blog titled “Persistent web shell identified in SonicWall SMA”. The hash of the file mentioned in the Truesec blog matches precisely the file we discovered. Therefore, we will refrain from further elaborating on the details of this file and instead recommend reading the blog post from Truesec for more insight.

Remarkably, in our case, the web shell (wafxSummary) had already been installed on the system by April 25, 2023. The duration between the initial compromise, the compromise of the entire domain, and the ransomware distribution was nearly 11 months.

wafySummary

A quote from the Truesec blog post mentioned earlier: “Interestingly enough, two additional file names are present: wafySummary and wafzSummary. These were not present on the device Truesec CSIRT examined”. [1]

We found no traces of the wafzSummary file either, but we found the file wafySummary (refer to Figure 1 again). This file was copied to the system in November 2023, six months after the web shell was dropped to disk. A straightforward examination of the strings of the binary revealed the following line:

  • usage: microsocks -1 -q -i listenip -p port -u user -P password -b bindaddr_

This leads us to the GitHub repository of microsocks. The microsocks binary from our examined device is available on VirusTotal. The THOR scanner flags this binary as PUA_MicroSocks_Proxy_Server_Oct21 (screenshot below from VirusTotal).

Figure 2: THOR scanner

Analysis of wafySummary

We transferred the binary from the compromised SonicWall device to an Ubuntu test server in the cloud. We started the binary without any command-line arguments, so no username or password was required (see the README on the GitHub repository for the exact parameters). We successfully routed the traffic from curl through microsocks (in a first attempt, we tested the connection locally).

$ curl --socks5-hostname localhost:1080 'https://api64.ipify.org?format=json'

Port 1080 is the default port used by microsocks, as indicated on the README page of the GitHub repository. Port 1080 is also the default Socks port, visible in the /etc/services file:

2363:socks           1080/tcp   # Socks    
2364:socks           1080/udp   # Socks 
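
A listener started this way answers the SOCKS5 greeting without asking for credentials, which gives defenders something to check on their own appliances and servers. The following is an added example, not part of the original post: it sends the RFC 1928 method-selection greeting and classifies the reply. The function names and return labels are assumptions chosen for illustration.

```python
import socket

SOCKS_VERSION = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF


def _recv_exact(sock, n):
    """Read exactly n bytes, or fewer if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def check_socks5(host, port=1080, timeout=3.0):
    """Classify a listener by its answer to a SOCKS5 method-selection greeting.

    Returns 'no-auth', 'auth-required', 'refused', 'not-socks5' or 'unreachable'.
    """
    # Greeting: VER=5, NMETHODS=2, METHODS = no-auth (0x00), user/password (0x02)
    greeting = bytes([SOCKS_VERSION, 2, NO_AUTH, USERPASS])
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(greeting)
            reply = _recv_exact(sock, 2)  # VER, selected METHOD
    except OSError:  # connection refused, timed out or reset
        return "unreachable"
    if len(reply) != 2 or reply[0] != SOCKS_VERSION:
        return "not-socks5"
    return {NO_AUTH: "no-auth", USERPASS: "auth-required",
            NO_ACCEPTABLE: "refused"}.get(reply[1], "not-socks5")
```

A result of 'no-auth' on a device that is not supposed to run a proxy at all is the finding to follow up on.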

After opening the firewall on the Azure cloud machine where the microsocks proxy is running (inbound ports are typically restricted by default), we try to use the SOCKS proxy from our local machine.

Figure 3: Azure: Allow Inbound Ports

From our local machine, we use curl via the socks proxy on the Azure cloud machine to fetch the IP address of the machine where the socks proxy is installed:

% curl --socks5-hostname <azure-vm-ip>:1080 'https://api64.ipify.org?format=json'

And it worked! In our investigation, the attacker tunneled RDP traffic into the internal network through the compromised SonicWall. With this access, the attacker had no need to place further backdoors in the network, and almost no further malicious code was executed that would have led to anti-virus or other detections. This allowed the attacker to operate relatively unnoticed until the network was encrypted.

Conclusion

The attackers exploited a vulnerability for which an exploit had been publicly available in the Metasploit framework since January 2022 (pull request). Over a year later, the attackers used the vulnerability to gain a foothold in the network by placing a web shell on the SonicWall device. Subsequently, they used the microsocks proxy to gain access to the internal network by tunneling traffic through the compromised device.

Another case where (no) patch management, a lack of vulnerability scanning, and missing monitoring were a deadly combination. Florian Roth is right when he writes in his Cyber Security 2024: Key Trends Beyond the Hype article:

Attackers are increasingly focusing on systems that aren’t usually covered by common security tools like Endpoint Detection and Response (EDR) or Antivirus software. This includes everyday devices like appliances, routers, and IoT (Internet of Things) systems. Since these devices aren’t typically monitored by standard security software, they become easy targets for attackers looking to sneak into a network unnoticed.

To wrap up:

  • Ensure that your externally facing applications and devices are promptly patched.
  • Proactively scan your network for vulnerabilities, both externally and internally.
  • Whenever feasible, deploy an EDR agent or utilize agentless solutions to monitor your devices and hosts for indicators of compromise.

Indicators of Compromise

Filename       MD5
wafySummary    203d11d50091900e7c0a872d5a95665c
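
The strings check and the hash comparison described in this post can be combined into one sweep over a mounted copy of an appliance file system. This is an added example, not part of the original post: the function names are assumptions, while the two MD5 values and the usage string are the ones quoted on this page. Matching on file content means a renamed binary (such as wafySummary) is still found.

```python
import hashlib
import re
from pathlib import Path

# MD5 values quoted on this page.
KNOWN_MD5 = {
    "b664a4701731651056c22c8d4cd3ed16": "wafxSummary (web shell)",
    "203d11d50091900e7c0a872d5a95665c": "wafySummary (microsocks)",
}
# Start of the usage line found in the binary.
USAGE_RE = re.compile(rb"usage: microsocks -1 -q -i listenip -p port")
# Like strings(1): runs of at least 6 printable ASCII bytes.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")


def triage_bytes(data):
    """Return the MD5, any IoC match and any microsocks usage strings."""
    md5 = hashlib.md5(data, usedforsecurity=False).hexdigest()
    hits = [s.decode("ascii") for s in PRINTABLE_RE.findall(data)
            if USAGE_RE.search(s)]
    return {
        "md5": md5,
        "known_ioc": KNOWN_MD5.get(md5),
        "usage_strings": hits,
        "suspicious": bool(hits) or md5 in KNOWN_MD5,
    }


def triage_tree(root):
    """Walk a mounted copy of the file system; return (path, result) per hit."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            result = triage_bytes(path.read_bytes())
        except OSError:  # unreadable file: skip, do not abort the sweep
            continue
        if result["suspicious"]:
            findings.append((str(path), result))
    return findings
```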


Originally published on dfir.ch: MicroSocks: Convenient access through a compromised SonicWall SMA

Copyright notice: posted by admin on April 1, 2024 at 11:50 AM.