Director of Research, Lacework Labs
Last week we blogged about attacks exploiting a Confluence vulnerability (CVE-2019-3396). You may be wondering how Lacework detects these attacks? In this blog, we answer that question!
If you recall, CVE-2019-3396 is an unauthenticated remote code execution (RCE) vulnerability. It’s exploited with a specially crafted HTTP POST request to a vulnerable Confluence Server. In the attacks, an exploit contains a payload to run some sort of command. In most cases, this command is a curl or wget request for a shell script. The shell script executes a variety of tasks, one of which is to download an ELF binary that maintains backdoor access to the victim host. The backdoor takes care of downloading coinminers, and other components. All this activity generates a number of opportunities for detection. Let’s walk through some of those next.
Anomaly detection is a powerful detection technique we use in analyzing cloud infrastructure traffic. It takes roughly two weeks to develop a solid baseline for application behavior. By ingesting process metadata and using machine learning techniques we build a graph of relationships between entities such as users and applications. New relationships that emerge deviate from the baseline and are flagged. During the Confluence attacks, we see a number of new behaviors emerge.
New Network Connections
These attacks generate a lot of network activity. These connections comprise of malware downloads, command and control communications, coinmining activity, and more. Anomaly detection triggers on these connections based on their new relationship to existing entities. This makes it possible to alert on legitimate domains that are used out of normal context. In our case, this occurred when malicious scripts were retrieved from places like Pastebin, Bitbucket, GitHub, and ngrok.io.
Figure 1. New external host connection alert from wget downloading a script from Pastebin.
Anomaly detection also works well at flagging new applications. This is especially helpful when you have no other knowledge about the application. In our case, we see many new applications used by our victim machines such as curl, wget, and a number of malware binaries like kerberods.
Figure 2. Alert for the first instance of kerberods.
File Integrity Monitoring
We use File Integrity Monitoring (FIM) to alert on key file changes and detect malware. In the Confluence attacks, a number of dropped binaries matched hashes from our intelligence sources. These create critical alerts like the following:
Figure 3. Alert for the known malicious binary khugepageds, used for illicit coinmining by kerberods.
Attacker infrastructure can rapidly change, but that doesn’t mean it’s a bad idea to use threat intelligence. We expect cryptojacking attacks against cloud servers, so monitoring for connections to popular mining pools, especially Monero, is a win-win. Although we observed a number of new private pools in use by the cryptomining components, we did see connections to major pools as well like pool.minexmr[.]com. This makes for a reliable signal.
Perhaps one of the most vital pieces of the puzzle is compliance auditing. Compliance auditing provides the first warning sign. We expect violations from exposing resources to the internet. Following compliance rules can help prevent future attacks.
Combining multiple techniques reduces the probability of false negatives. At Lacework, we use anomaly detection, FIM, threat intelligence, and compliance auditing to name a few.
Anomaly detection allows you to alert on abnormal activity in your environment, this works well at exposing unknown threats. File integrity monitoring allows you to monitor for malware and changes to sensitive files. Properly curated threat intelligence provides coverage on known threats. Lastly, compliance auditing enforces best practices and could flag breaches before they happen.
If you would like to learn more about how Lacework provides workload security to detect attacks, follow this link to kick off a Free Cloud Risk & Threat Assessment to learn more.
Photo by Jesse Orrico on Unsplash