Threat Research
Industry Insights, Security Research, Hunting & Detection
Tuesday, April 18, 2023
Threat Hunt - KillNet’s DDoS HEAD Flood Attack
Executive Summary
Killnet is a hacktivist group based in Russia that has been active since at least 2015. The group is known for launching DDoS attacks on a diverse range of industries, including state and local governments, telecommunications, and defense.
Killnet has been linked to several high profile attacks, including distributed denial-of-service (DDoS) attacks against U.S. airports and Elon Musk's Starlink satellite broadband service.
The motivations behind these attacks vary, but recently the group has primarily targeted the most vocal supporters of Ukraine and its political agenda.
The aim of this threat hunt is to create a virtual attack environment that simulates Killnet's tactics, techniques, and procedures (TTPs). Subsequently, detections and threat hunt queries will be written to proactively identify the emulated TTPs while compensating for the limitations of traditional IOC historical searches.
The results of the threat hunt will include high-level dashboards, code, and network artifacts generated from the attack range, which will be used to explain how a hypothesis was formed. The outcomes will also contain the pseudo and translated query logic in a format that can be utilized by tools such as Suricata, Snort, Splunk, and Zeek. The query output will then be employed to confirm the initial hypothesis generated.
Network Artifacts
To emulate the attack, cc.py was used to generate a continuous stream of HEAD requests against an Apache server (see Appendix A for details). Once the attack was launched, the captured traffic was examined, as shown in Figure 1 and Figure 2. Reviewing the HTTP HEAD traffic showed that every request carried a randomly generated number of 11 to 12 digits immediately after "HEAD /?". This pattern serves as the basis for the first hypothesis, outlined in the next section.
Figure 1 – Wireshark – Dynamically Generated 11-12 Digits
Figure 3 shows the Apache error logs generated on the server as the attack script repeatedly tried to access files under '/var/www/html/' that did not exist. The script iterates in a brute-force fashion, and the sheer volume of requests eventually exhausts the server's CPU resources.
Figure 3 – Splunk – Apache Server Error Logs – Failed File Access Attempts
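As an added illustration of the hypothesis formed above (this is example code written for this page, not code from the original post or from the attack range), the following Python script applies the "HEAD /?<11-12 digits>" pattern to Apache combined-format access log lines and flags any source IP that sends at least a threshold number of such requests inside a sliding time window. The log lines, the source addresses, the default threshold of 100 requests per 10 seconds and the function names are all constructed for this example; the threshold in particular has to be tuned against the baseline of the server being monitored.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Apache access log (combined format). These lines are
# made up for this example and were not captured from the attack range.
# 203.0.113.7 plays the flooding client; 198.51.100.4 is benign traffic,
# including a HEAD request whose query string is too short to match.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [18/Apr/2023:14:02:01 +0000] "HEAD /?58213097741 HTTP/1.1" 200 - "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2023:14:02:01 +0000] "HEAD /?912830475612 HTTP/1.1" 200 - "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2023:14:02:02 +0000] "HEAD /?40011928833 HTTP/1.1" 200 - "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2023:14:02:02 +0000] "HEAD /?771029384756 HTTP/1.1" 200 - "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2023:14:02:03 +0000] "HEAD /?66120398471 HTTP/1.1" 200 - "-" "Mozilla/5.0"
198.51.100.4 - - [18/Apr/2023:14:02:03 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.88"
198.51.100.4 - - [18/Apr/2023:14:02:04 +0000] "HEAD /?1234 HTTP/1.1" 200 - "-" "curl/7.88"
"""

# Apache combined log format: client, ident, user, [timestamp], "request line",
# status, size, ... (referer and user agent are not needed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothesis from the packet capture: the request target is exactly "/?"
# followed by 11 or 12 decimal digits and nothing else.
FLOOD_URI_RE = re.compile(r'^/\?\d{11,12}$')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def matches_hypothesis(rec):
    """True when the record is a HEAD request whose query string is 11-12 digits."""
    return rec["method"] == "HEAD" and FLOOD_URI_RE.match(rec["uri"]) is not None


def peak_in_window(timestamps, window):
    """Largest number of events from one source that fall inside any `window`."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        # Advance the left edge until the window covers ts[start]..ts[end].
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def hunt(log_text, threshold=100, window_seconds=10):
    """Return {source_ip: peak_rate} for sources exceeding the threshold.

    `threshold` and `window_seconds` are assumed values for this example and
    must be tuned against the monitored server's normal HEAD request volume.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and matches_hypothesis(rec):
            per_ip[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, stamps in per_ip.items():
        peak = peak_in_window(stamps, window)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    # The sample is only seven lines, so a low threshold is used to show an alert.
    print(hunt(SAMPLE_ACCESS_LOG, threshold=5))
```

The two conditions the script checks (HEAD method, query string consisting solely of 11 or 12 digits) translate directly into a Suricata or Snort content match on the request line and into a Splunk or Zeek aggregation by source address; the rate threshold is what separates a flood from a single stray probe, and a short query string such as "/?1234" deliberately does not match.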
Detection Guidance
Hunting Process
Appendix A. – Adversary Emulation
Appendix B. – IOCs
An OTX pulse was created listing the 12K+ indicators from this research.
References