Insikt Group® de Recorded Future a mené une étude sur les infrastructures de commande et de contrôle (C2) malveillantes identifiées à l'aide de méthodes d'analyse proactives en 2020. Toutes les données ont été obtenues à partir de la plateforme Recorded Future®. Les données de ce rapport sont datées du 15 novembre 2020.

Executive Summary

Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware frameworks, and open-source remote access trojans. The effort has been ongoing since 2017, when Insikt Group created methodologies to identify the deployments of open-source remote access trojans (RATs). Recorded Future collected over 10,000 unique command and control servers during 2020, across more than 80 families.

Key Findings

• Over 55 percent of detected servers (5,740 servers) were not referenced at all in open sources; they were only identified in a proprietary Recorded Future list of command and control servers.
• On average, command and control servers had a lifespan (that is, the amount of time the server hosted the malicious infrastructure) of 54.8 days.
• Where possible, lead time was calculated if the detection was the first event for an IP address in 2020. Lead time is the length of time (in days) between when a C2 server is created, and when it is reported or detected in other sources. This identified 924 servers where lead time was generated, by comparing first sighting on the Recorded Future command and control list and its subsequent sighting on another source. Our detections had an average 61-day lead time before an IP address was found on open sources.
• Monitoring only “suspicious” hosting providers can leave blindspots, as 33 percent of C2s observed by Recorded Future were hosted in the United States, many on reputable providers.
• The hosting providers that had the most command and control servers on their infrastructure were all U.S.-based: Amazon, Digital Ocean, and Choopa.
• Detecting offensive security tools is just as important as detecting custom implants: elite operators from APT groups, human-operated ransomware actors, and common criminals use these tools to cut costs just as much as red teams do. Over 40 percent of the detections were open source tools.

Background

Lead time in identifying malicious servers can be a proactive measure in neutralizing threats. Before a server can be used by a threat actor, it has to be acquired, either via compromise or legitimate purchase. Then, the software must be installed, configurations must be tuned, and files added to the server. The actors must access it via panel login, SSH, or RDP protocols, and then expose the malware controller on a port to allow the data to transfer from the victim and to administer commands to infections. Only then can the server be used for malicious purposes.

However, in exposing, configuring, and accessing the server, the adversary leaves behind their fingerprints; sometimes in software deployed on the server, sometimes via the login panel, sometimes via SSL registration patterns. This creates an opportunity for detection, which can occur prior to a phishing email being sent or an implant getting compiled.

Similarly, such a collection can illuminate many things about adversaries. Seeing how many command and control (C2) servers are created can help one quantify the breadth of an actor’s campaigns. Comparing such data to reports of intrusions related to those families can identify how many intrusions get caught, and potentially how many events remain unknown in the public domain. Finally, it can provide novel indicators and intelligence that is otherwise not available in the public domain.

Threat Analysis

Les familles les plus couramment observées étaient dominées par des outils open source ou disponibles dans le commerce. Les détections de déploiements Cobalt Strike inchangés ( certificat TLS préconfiguré,port d'administration Team Server ou en-têtes HTTP révélateurs ) représentaient 13,5 % du total des serveurs C2 identifiés. Metasploit et PupyRAT constituent les autres principaux serveurs de commande et de contrôle open source identifiés par Recorded Future.

_**Figure 1**: Top detected malware families by command and control infrastructure (These numbers include preexisting servers that were still up at the time of analysis and do not represent newly created servers in 2020)._

Les 10 outils de sécurité offensive (OST) les plus courants, basés sur le nombre de serveurs C2 observés, comprenaient des familles nouvelles et anciennes. Il est à noter que Recorded Future a observé 393 serveurs Cobalt Strike qui échappaient aux mécanismes de détection courants; nous estimons que ces détections ne représentent qu'une partie de l'utilisation totale de Cobalt Strike. PWC et Blackberry ont constaté que la majorité des déploiements de Cobalt Strike pour lesquels une charge utile a été observée utilisaient des versions piratées ou d'essai de l'outil disponible dans le commerce.

_**Figure 2**: Example open source malware families tracked by Recorded Future (These numbers include preexisting servers that were still up at the time of analysis and do not represent newly created servers in 2020)._

Nearly all of the OSTs detected by Recorded Future have been linked to APT or high-end financial actors. The ease of access and use of these tools, mixed with the murkiness of potential attribution makes them appealing for unauthorized intrusions and red teams alike. This, in addition to the adoption of these frameworks by ransomware actors, makes their detection a priority.

Host(er)s With the Most (C2s)

Les données C2 enregistrées par Recorded Future nous ont permis d'identifier les fournisseurs d'hébergement les plus populaires pour les serveurs C2. Nous avons observé la création d'une infrastructure C2 chez 576 fournisseurs d'hébergement, ce qui ne représente qu'un faible pourcentage du nombre total d'opérateurs AS, qui dépasse les 60 000 fournisseurs.

The most-used ASNs are undoubtedly linked to the size of the provider, not necessarily implying that they are bulletproof hosting providers or complicit in adversary actions. The most used tooling can be considered dual use, increasing the volume of these servers on more reputable AS ranges.

Amazon.com, Inc., operating out of the United States, hosted the most C2s of an ASN observed by Recorded Future. They accounted for 471 individual command and control servers (roughly 3.8 percent). The most commonly observed family on Amazon.com, Inc. was Cobalt Strike, with 167 servers identified. The next largest was Digital Ocean, also operating out of the U.S.

Servers in the United States that accounted for other top hosting providers can be seen below. The deployment of Cobalt Strike and Metasploit controllers on these providers is not indicative of malpractice or negligent hosting, but is more likely due to authorized red teams using these tools on cloud infrastructure.

_**Figure 3**: Hosting providers who hosted the most command and control servers during 2020._

There is less predictability in the most common ASNs used across OSTs, as they are readily available for red team exercises and unauthorized intrusions.

_**Figure 4**: Top hosting providers for each OST._ Publicly available tooling published as remote access trojans (RATs) also had limited predictability of its favored hosting providers.

_**Figure 5**: Top hosting providers for each RAT._

Recommendations

• Proactive detection creates an advantage for defenders, giving them preparatory time to ensure additional file- and network-based detections are in place.
• Recorded Future clients can rapidly identify infections by detecting IP addresses found in the Recorded Future Command and Control List.
• Recorded Future users can query any malware entity, using the source Recorded Future Command and Control List, to conduct similar research of their own.
• Employ detection-in-depth for common open source tooling via correlation searches for SIEMs for suspicious behaviors, YARA for suspicious file contents, and SNORT for suspicious or malicious network traffic.
• The detections for each family show the increased use of open source tools beyond just the families that get major publicity. These other families should be prioritized for network and host-based detection in enterprise environments.
• The adoption of lesser-known open source tooling such as OctopusC2, Mythic, and Covenant by APT and criminal adversaries highlights the need for threat intelligence practitioners to track and evaluate use of these tools.

Outlook

Au cours de l'année à venir, Recorded Future prévoit une adoption accrue des outils open source qui ont récemment gagné en popularité, notamment Covenant, Octopus C2, Sliver et Mythic. Trois de ces outils disposaient d'interfaces graphiques, ce qui les rendait plus faciles à utiliser pour les opérateurs moins expérimentés, et les quatre étaient accompagnés d'une documentation détaillée sur leur utilisation. Ces outils ont été rapidement adoptés après leur lancement et ont été utilisés tant par des équipes rouges que par des acteurs non autorisés. Malgré les gains attendus de ces frameworks open source, Cobalt Strike devrait très probablement conserver sa place en tête de nos détections, en raison de son omniprésence et de son utilité. Étant donné que le code source du framework a été divulgué, nous prévoyons une adoption encore plus large de Cobalt Strike par tous les types d'acteurs malveillants.

We also anticipate that, despite various publications detailing detection methodologies, espionage-oriented actors are less likely to modify their server-side components. Threat actors engaged in state-sponsored espionage will use whatever tooling necessary to achieve their goals. If targeted organizations are unable to defend their network from tooling that has been disclosed, threat actors have little motivation to pursue new capabilities. Financially motivated actors using custom tooling, however, are very likely to respond to detections by either rebuilding their components (as was the case with BazarBackdoor and TrickBot actors) or introduce entirely new tooling (which FIN7 is known to do).

Due to these factors, it is important to implement security controls and mitigations against these malware families. While proactive detection of the command and control servers can help prevent incidents, defense-in-depth approaches are recommended to detect intrusion activity on the victim host, at the perimeter, and on the wire.