*****By Yiftach Keshet, Director of Product Marketing, Silverfort*****
A new APT campaign, dubbed ‘FunnyDream’, has been discovered by security researchers. The campaign primarily targeted South East Asian governments. Attack findings have been reported since October 2018. The investigation of the APT group’s espionage activity shows evidence of lateral movement. It seems that compromised credentials were used to execute many batch files with scheduled tasks and WMI on remote machines. Further evidence shows that the attackers used the wmiexec.vbs script to run remote commands. This is a painful reminder that lateral movement is still a blind spot, due to a critical gap in the standard security product stack of most organizations. In this blog we will explain how lateral movement is executed in this attack, and then zoom in on how Silverfort’s innovative technology can block lateral movement altogether, by identifying it’s abnormal authentication patterns and enforcing security policies on command line remote access tools.
Table Of Contents
FunnyDream Campaign Overview
The FunnyDream campaign targeted high-profile entities in Malaysia, Taiwan, the Philippines and Vietnam. It features a highly sophisticated custom-made persistence mechanism using advanced backdoors and droppers to facilitate silent and long term data collection and exfiltration. Following the initial infection, and implementation of the persistence mechanism, evidence suggests that the FunnyDream threat actors seek and succeed in compromising their victims’ domain controllers. They then executed extensive lateral movement activity using scheduled tasks and WMI , with special preference for using wmiexec.vbs to explore and execute code on remote machines.
Lateral Movement: Legitimate by Design, Malicious by Context
Lateral movement, as seen in APT campaigns such as FunnyDream, can be executed using legitimate remote admin tools such as PSexec, Powershell or in the case of FunnyDream WMI, to explore and access resources in the network. These tools eliminate the need to discover zero day vulnerabilities, develop exploits, or craft a complicated backdoor, since these admin tools are purposely built to enable network and infrastructure operators to seamlessly access any remote machine. In other words, these tools are by design both incredible productivity drivers as well as lethal blades in the hands of attackers.
Lateral Movement Presents Challenges to Security Products
There are two reasons why lateral movement is difficult to detect and prevent with common security solutions:
• The attack is performed using legitimate, yet compromised, credentials: this means that, in practice, what you see is merely a login with valid user credentials. There is no explicit indication that the credentials used are in fact compromised.
• Real time detection of abnormal behavior is difficult due to the complexity of these attacks: Some solutions like EDR, NDR, and SIEM, can detect a potential anomaly after lateral movement has occurred, and generate a retroactive alert. However, since they don’t detect it in real-time, they can’t block it.
To better illustrate the point – malicious activity, by definition, deviates from legitimate activity. For example, in the case of malware or exploits, it’s a deviation from the standard behavior of a process followed by its immediate termination by the endpoint protection. In the case of mass data exfiltration it’s a deviation from the standard patterns of network traffic which, once detected, triggers immediate blocking by the network protection product. And so on. However, when using legitimate credentials to access resources, the deviation would be seen only in the user’s activity. And, if an anomaly in the user’s activity is detected, it should be followed by an immediate response – either block the user’s access, or requiring the user to reauthenticate in order to verify the true identity of the user. This is where Silverfort comes into play.
Silverfort: The First Unified Identity Platform
Silverfort is the first Unified Identity Protection Platform that was purpose built to secure organizations against identity-based attacks, that use compromised credentials to access targeted resources. Silverfort integrates with your IAM infrastructure to monitor all the authentication activity in the network, to both to cloud and to on-prem resources, for continuous risk analysis and access policy enforcement.
Paradigm Shift: Block Lateral Movement by Stepping Up Authentication Requirements in Real Time
Silverfort’s holistic visibility into the entire authentication activity of each user enables it to evaluate with unmatched precision the behavior profile of your users. It continuously calculates the risk of each access request compared to the observed behavior of the user and its community. To read more about this see the blog: Detecting and Predicting Malicious Access in Enterprise Networks Using the Louvain Community Detection Algorithm
When Silverfort identifies abnormal activity, as happens with lateral movement attacks, it can step up the authentication requirements in real-time to block access, or require the user to authenticate with an MFA of choice (it can be Silverfort’s agentless MFA solution or a 3rd party MFA solution). Silverfort is the only solution that is capable of enforcing MFA on the command line remote access tools that are the bread and butter of lateral movement. While traditionally MFA is not considered a native part of the counter-APT arsenal in the post-compromise lateral movement stage, applying it to such command line tools in combination with adaptive risk policies, provides simple yet effective protection against these threats.
How Does it Work?
Let’s illustrate this using the ‘FunnyDream’ lateral movement example:
1. The attacker attempts to log in to a machine with wmiexec.vbs, using compromised user credentials.
2. The Silverfort recommended policy for the use of WMI for remote access requires MFA. Hence, the actual user, the legitimate user who owns the credentials, is prompted to verify the authentication.
3. The attacker can’t complete the authentication so access to the resource is blocked.
4. The SOC is immediately notified by Silverfort about the attempt to use wmiexec.vbs allowing the security team to further investigate and eradicate the malicious presence from their network.
To learn more about Silverfort’s ability to block lateral movement attacks please watch our on-demand webinar:
We hope we managed to explain in this blog how Silverfort mitigates these threats, and blocks lateral movement. However, we’re always happy to discuss this further. Let us know if you have any questions or if you’d like to see a full demo of this solution: