orbitmsp 0 Posted September 9, 2017 Share Posted September 9, 2017 In my MSP partnership with ESET, or my entire life have I saw such an efficient attack that started talking to me. I will try to keep this short because its very pressing to make sure non of my 150 managed servers/workstations were infected. The event is, chonologically, first seen when the admin account of a domain host suddenly changes username to domain/mysqlserver. No password i try works, Because I was experimenting with a small PC turned into a linux nas running OMV, the last thing I remembered was a week prior trying to get the mysql plugin working to see how a webserver would perform on it. Something really didnt feel right, but my admin account not working and ws2016 patching the cmd swap in accessibility, I just wiped my host, all VMs and files were on the other drives anyways. Plus i just couldnt believe what some were saying, it being a breach, after all i had all parts of OS and vms running ESET business, my router had dns filtering comodo and all the firewall by trend micro, and the windows security, it didnt cross my mind. I posted this initial findings on spiceworks but besides opinion, some of which said a hack, there was just too little i knew to solve it. 2nd time around, i had just finished setting up the serever, started adding roles, and decided i'd leave the AD DS since its a home srever that i primary run VMS to connect to customers. That was a friday, the friday before the McGregor fight. When I got back, the admin account was again switched to mysqlserver and since i had not setup a domain, i just used an entry from a vm to reset the password. This time I had that account password removed and started to see the shocking truth.On the desktop of the mysql userf, which i had wiped and only had the files under the C: users, i saw a dozen .txt files all containing MILLIONS of account stolen during the Netflix, yahoo, aol, gmail, and what not series of attacks,. And yes, they were millions of lines with stolen creds, and just to put in perspective, one file was named 9M(good) and had accounts only starting with N O P. I saw an abundance of port scanners and all the settings or dictionaries used by password crackers...i mean i was actually troubles they needed so much material. At that point i remembered an argument I had with parent complaining about some short periods of internet performance drops while some music was being streamed, my dns server had some issue and caused the entire set of problems but most people think its easy to configure a solid and secure network with wifi AC5300 and a 200mbps ISP spped and hit a constant 10ms and 230mbps which is the absolute maximum since the ISP send extra for loss. And people think its just a name, password some small basic knowledge settinsg and its all good. So furiously reset the router with the months of tweaking, static ip with forwarding rule, the thing was great, the customers had all the agents talking to my servers, but the dns server caused a small stir and all of a sudden people forgot years ok stability for a bug and thinking that 40 years ago some army soldiers had responsibility of having the communication radio and because of those teachings, hes an expert in wifi. When I took a look at the settings, this being an Asus AC5300 with merlin firmware, it was so obvious they used a brute force method as nothing was set to prevent from responding to any wan request, nor was any alert and log in place to find all the clear black on white breaches here and there. So I coulnt risk any customers. I took my Dell Poweredge T410 with dual xeon x5550 and 128Gb of ram, 6 sas drives, half are 15K other 7200, I also formated any of my devices, thats 3 laptops, 1 macbook running a dual boot, i factory reset all networking devices, and started the long rebuild just to have all devices online, not even setup with my work, just updates, some software, accounts loged in, and told everybody else to do the same as i didnt have any time to check everything. One day after, I barely installed anything but some ESET file server, roles and features, hypervisor, with only ERA and went to a customer that same night. I log in remotely to my server just to transfer the agent and what do i see at the login screen. AGAIN. i log on and the first thing I do is call home and scream to go down and unplug the router and start a full scan of all options i could check with file security and at that moment, they spoke to me. I was stunned, but furious.I kept closing the messages and they i saw "Hey i want to talk, open task manager and cli......" the router probably went offline and closed the window. But I had never been through an infection that is so stubborn, leaves all traces behind, that part i just don't get, even the last time it wasnt the same stuff. And ultimately never damages anything, cant say about the screen not being streamed and my typing loges, but i did deal with a worm that spread from 1 computer to everything on the network within seconds and i had no doubt the only thing to do is destroy all data on all drives. Because i know the network was down and i knew at what time it was unpluged it would allow me to check out all possible logs, on router, server, ESET, and try to see if I could understand really what I was faced with. But honestly I don't know what to make of all this, i have all the text files with stolen accounts, all the tools they used to brute force all the account, files with huge dictionaries of words to try and match, some russia port scanner and man-in-the-middle attacks, ans a lot of PSN hacking software, origin patches Paypal related stuff, and the very complete and very american written guides that explained some of the complicated stuff in detail. I really would like the input of the forum, IVe been an MSP for 2 years, usually except for one crypto a year back, eset has been pretty tight, but this just seemed to be dealt with, not prevented. And definitely not fully detected. I spent 12 only tonight, i got a good understanding they always ended up using my server to mine cryptocurrency, but what kind could possibly make sence with 16 cores of computing but 1 crappy card just there to use a descent monitor. As far as im aware, the 490W shown on the small front LCD when they were mining will barely give any money, and would be more costly (for me) in electricity. If any ESET tech want to remote in and take a look, i can set it up, i tried to keep as much as I could, but due to my issue being a risk for customers that pay me to manage their IT, I already booted the server from the lastest liverescue cd whatever i found on the forum. I don't know how that will go as 2h in, and it found 5 threats. I put t least a dozen of those brute force files on the desktop. P.S. Spreading it will, here are some of the infections that poped up at some point: MSIL_Bladabindi.AH _ ESET Virusradar and MSIL_TrojanDropper.Agent.DDT _ ESET Virusradar Link to comment Share on other sites More sharing options...
orbitmsp 0 Posted September 9, 2017 Author Share Posted September 9, 2017 Just as was pressing post, the scan completed just as i though, well almost completed. But until now it flaged what i wanted to copy to my usb drive and save to find out what they left this time Link to comment Share on other sites More sharing options...
itman 1,755 Posted September 9, 2017 Share Posted September 9, 2017 My guess is someone has installed a backdoor on one of your servers and is connecting remotely through the backdoor. Whereas Eset is detecting and removing the bitcoin miner malware locally, attacker can just reinstall it through the backdoor. Also appears the bitcoin miner malware is being run from a scheduled task. Link to comment Share on other sites More sharing options...
orbitmsp 0 Posted September 9, 2017 Author Share Posted September 9, 2017 Unfortunately there no servers, just 1 server. Thats has been wiped clean 2 times from the perc raid controller. I wish it were as simple, the backdoor is obvious, the mining is the goal, but the question is 1- why leave so many million accounts, 2- since when do they try to reach out to the victom 3- its quite obvious that trigger is still somewhere, the 2nd time i had put enough pieces toguether to correctly wipe my entire server. Now where are they hiding, and how to know....plus all they did is really take advantage of how little people know about anything more than whats an ip, a mb a gb but ask them what is a port and their stare is blank. Anyways, eventually, I hope people will start helping because i should have never let him configure the wifi. Well i hope he got his lesson, and they didnt steal any of his key inputs. Everything they used was just 95% time, 4% default settings, 1% ii have no idea...but it works Link to comment Share on other sites More sharing options...
itman 1,755 Posted September 9, 2017 Share Posted September 9, 2017 (edited) Since you wiped and reinstalled twice on the server, my best guess is you have a vulnerable/infected endpoint on your network. Attacker entered through the endpoint and dropped a worm. That is how he is getting at your server. Of note he is using RDP port 3389. That port should be locked down to allow only inbound traffic from Trusted local network devices. Are all your endpoints fully patched? Think along the lines of a WannaCry attack. I am not saying this is WannaCry since Eset's IPS should have blocked that. But a "worm is a slithering bugger." Also, have you disabled SMBv1 protocol? Also of note: https://www.coindesk.com/nsa-doublestar-backdoor-blamed-cryptocurrency-mining-malware/ Additionally, the Adylkuzz coin miner was being distributed via DoubleStar in early May: https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar, prior to both Microsoft's patch for EternalBlue/DoublePulsar and Eset's IDS detection for the prior. It is therefore possible this malware has been sitting in your network since then. Also explains the large volume of files you found on your server. Edited September 10, 2017 by itman Link to comment Share on other sites More sharing options...
orbitmsp 0 Posted September 11, 2017 Author Share Posted September 11, 2017 So there is help on the way and from not only and unexpected source, but I assume it's safe to call it about as good as it gets, and if more is needed than more will be given. Last week I called ESET support at the end of their support line hours, which I thought ere open later and weekends for MSP partners but either it was just an illusion or since moving away from the US and splitting both into a 2 country 2 teams system. Anyways, they were closing for the weekend, and when they saw what I dad been left in terms of documents, databases, list of IPs, hacking software and all the instruction on how to create a full fledge hacking, cracking and data theft, but not for some small not too secure business, big targets. Example, Paypal had an entire set of tools to brute breach and steal. They hinted at possibly calling the local police as they had not seen some side effect of this caliber. I didnt't think the police would do much, I had previously reported some of those Microsoft scammers and was stuck calling from one force to some other and after the 4th I just gave up. But this time, I called and the response was "they will send somebody Monday" since they asked if i can provide them a dvd for analysis and if I was willing to have somebody take a look to see if it was worth moving forward... i said i cant wait until then, my customers are cut from they ERA, I have many VMs acting as file servers, i could wait until Saturday, but past that, my server would be put back online with a direct access to the modem and no other device on the network. He put me on hold, and said OK tomorrow it is. The guy comes and no offence to him, but he's a policeman, I had to baby talk him just so he understood that my server was here, its downstairs, not somewhere in a fancy data center, and the hack, the files are all located on it. I showed him a sample of the documents, and he said he needs to call his superior. He goes to his car, but leaves the window a tiny bit down so i overheard when there were no cars. The guy made me laugh so much, you know that video of the black reporter going ghetto in 5 seconds because a bee flies into his mouth, that was identical. He was super formal talking to me, the goes ghetto saying "it's in crazy, he saw it for himself" that i showed him 2 of the dozens of files and they had millions and millions of lines each with account info for some big names, AOL, Gmail, Netflix, and the software was something out of a spy movie. I could help but start cracking up and he saw me so closed the window. When the guy came back, he told me that he would like me to find a way to keep everything as is, until at least the time for an expert to come. He said he was just waiting for a person from the provincial police to call because he wanted to talk to me. Turn out that guy was a legit expert. He was basically the person that teaches in the police academy in the major universities of the province. He's essentially the guy on top of the entire state when it comes to the cyber-crime division. Very nice guy, he asked a few question and was very silent about the way he replied so I wasn't sure if he really understood, but yes, he very well did. We got into a bit of a friendly conversation and he said he's been a top level analyst and now teaches others, he has seen it all, but this was a first. He asked if I was willing to wait until a data extractor would come and to leave the server as is, and he offered help with dealing with my part of the problem because he really felt like his goal was for me to keep my customers safe and only would work around that to see if they could get the most out of the reason why this was a bit more than a by the book attack. He provided me with some forensics tools to image the server, and hes going to send an expert to extract the rest. I gave him the disk with the accounts and software, and said he'll follow up, but def felt like I AM THE CHOSEN ONE. Well, not the first time some weird thing involving the cops add to the story to tell grandchildren Link to comment Share on other sites More sharing options...
itman 1,755 Posted September 11, 2017 Share Posted September 11, 2017 Here's an example of a bitcoin miner using mrtwashere directory that was dropped via a .zip file: https://malwr.com/analysis/YzA5ZGM5NGFlNmU4NGZhNGFkMmZlY2RhZWY0NDEzMGM/ Link to comment Share on other sites More sharing options...
orbitmsp 0 Posted September 11, 2017 Author Share Posted September 11, 2017 It doesn't seem like a very common way of inserting mining software. And regardless, it doesn't make any sense whatsoever. Who mines with an astronimical amount of processing power and RAM but a 256mb GPU from 2008. It will take anybody not paying for the actual electricity exponentially more time than any average mining rig. So to get back to my investigation about who why and when, it seems like a winrar exe was the trigger. I paid for it, and remember shortly after installation getting a notice to activate when i remember already doing it. And the winrar seems to be the first thing leading to a lot of the rest of spreading. Eset also has a few logs of malware detected while accessing winrar. I utilized my very shallow knowledge of Kali Linux but were able to find a few things that were poping out. There is a hidden rdp file by default in every document folder, a blank template....not the one i had, it actually had an ip prefilled and a simple trace again leaks to pakistan. I'm starting to think this was a messy instance of mafia boy. AKA what happens when an amateur finds some powerful tools and tries to make money. It would explain a lot, sloppy job, traceable, no actual damage, only time lost, and the endgame seemed to be mining, with processors, like an amateur that never researched. They had a few VMs with open doors into other targets with so much more value to thieves. But nope. We'll see if the experts find anything better. One thing really bothers me, 2 of my laptops have issues with the different components not working well. I tried everything to get it working but it wont budge. Any suggestion, refer to screenshot Link to comment Share on other sites More sharing options...
itman 1,755 Posted September 11, 2017 Share Posted September 11, 2017 (edited) This is a bit dated but since you mentioned WinRAR, this three part series by Carbon Black might help. You might be able to do something equivalent w/Eset: https://www.carbonblack.com/2014/07/08/bitcoin-mining-malware-101/ https://www.carbonblack.com/2014/07/18/how-to-investigate-a-bitcoin-mining-malware-infection/ https://www.carbonblack.com/2014/07/24/investigating-bitcoin-malware-infections-using-carbon-black/ -EDIT- You also might want to checkout this current CodeFork bitcoin miner malware described here: https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/codefork-malware/ . This is a real nasty one. Runs entirely in memory by injecting multiple Win system processes. The only way to detect it is to search for the two registry keys it uses for persistence. The first is a key containing the encrypted malware; most likely stored in a key located in HKCU as noted below. The next key is a Run key containing this code: Quote C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\[Same Random Key]').[Random Value Name]))) Edited September 12, 2017 by itman Link to comment Share on other sites More sharing options...
itman 1,755 Posted September 11, 2017 Share Posted September 11, 2017 The other question I have is how did MinerGate-6-9-Win64.exe end up on your desktop? This is file can be malware depending on where you downloaded it from. Link to comment Share on other sites More sharing options...
orbitmsp 0 Posted September 12, 2017 Author Share Posted September 12, 2017 Well, ive been on this a lot, i was the rare case of them picking on somebody their own size. I did theories about why me, why my server, why so many documents and software left behind, and why bother mining on a processing powerhouse.....everything makes sense when you get in their shows. I was planning on wiping all possible spread points, any storage device that was at one point connected to the network or through a device that was. So i took my most powerful laptop with the fastest SSD on the market and knowing the full destructive format would take 2 or 3 hours at the 3200 read and 2700 write i thing of my samsung 960 pro, why not disconnect, turn on airplane mode and lock myself in, start the car and wait for the end. I'm glad I did, and i will most def continue because its a rather important lesson about how quickly and efficiently they can breach so many huge companies and extract hundreds of M at a time. Their goal was not to mine....that was a simple camouflage. The miner program is totally fake. Offline and it accepts any account info as valid. Then it looks and acts exactly as the real one, except for one thing, the mining is the facade, it tricks you that they are dumb to mine off a cpu, they are not. They basically tricked the task manager to show the wrong values. so you think 5% cpu while the fans are full speed, the computer is heating up, the only other relevant value is network but unless you are in this world of understanding, a simple miner or user, and most ITs dont even know mining, so they would never see that the Ressource Monitor tell a much different story. They somehow bypass thermal throttling and would kill any standard rig, but a server can take the hit, mine was at it the PSU was hitting 98%, the fans heard from the 2nd floor when it was in the basement....but noting happened. This this can make a hell of a lot of noise with the turbo prop style cooling. I made a video forgot to turn off the 4K, my phone is now full, as soon as I have reduced the 26GB 10min video to a reasonnable, size, i can even post one where you see how they work paypal accounts, everything is actually well though of. Link to comment Share on other sites More sharing options...
orbitmsp 0 Posted September 17, 2017 Author Share Posted September 17, 2017 On 9/11/2017 at 7:33 PM, itman said: The other question I have is how did MinerGate-6-9-Win64.exe end up on your desktop? This is file can be malware depending on where you downloaded it from. On 9/11/2017 at 4:24 PM, itman said: This is a bit dated but since you mentioned WinRAR, this three part series by Carbon Black might help. You might be able to do something equivalent w/Eset: https://www.carbonblack.com/2014/07/08/bitcoin-mining-malware-101/ https://www.carbonblack.com/2014/07/18/how-to-investigate-a-bitcoin-mining-malware-infection/ https://www.carbonblack.com/2014/07/24/investigating-bitcoin-malware-infections-using-carbon-black/ -EDIT- You also might want to checkout this current CodeFork bitcoin miner malware described here: https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/codefork-malware/ . This is a real nasty one. Runs entirely in memory by injecting multiple Win system processes. The only way to detect it is to search for the two registry keys it uses for persistence. The first is a key containing the encrypted malware; most likely stored in a key located in HKCU as noted below. The next key is a Run key containing this code: Thanks to all of you for the input. This has been a very unusual situation for me. A lot of things still don't make any sense. But what matters is I should now be ok. The drives and every other storage device i had access to has been wiped using the 3 pass us military standard. As mentioned before, mining was not the goal. It was a simple diversion for what the real purpose was. I am impressed on how they were able to trick an IT professional, at first, with things like false task manager data. But I guess when you know what you're doing you try not to rely on one source, and that's how i saw that in the admin tools, the perf minitor was giving totally different data which made more sense. But they had 1 major flaw in their plan, almost anybody that knows what mining is, also know it taxes a GPU. And my Nvidia Quadro 1700 is not remotely suitable for anything but giving me something more than the 480p res the server outputs. The police are still waiting for the paperwork, but the data extraction unit has reached out, they gave me some forensics tools to image my system so i can move on with my business. As for the evidence, I am open to providing ESET with all the tools used in this attack, i have it on an encrypted USB drive I will use to better understand how they operate but I think this could be a great way to make ESET react sooner because to my disappointment, it did nothing to prevent, or stop them. The fact that they were chating with me while ESET was deleting the files shows the irony of the situation Link to comment Share on other sites More sharing options...
Recommended Posts