Death by a Thousand Struts: A Defender's Tale

Justin Warner (@sixdub)

$Whoami - Justin Warner (@sixdub)

• Principal Security Engineer @ ICEBRG focusing on detection, network data analysis, and adversary emulation testing
• Computer Science grad from USAF Academy & former military computer nerd
• Former red team lead who worked w/ multi-national Fortune 100 enterprises
• BlackHat USA Instructor in 2015 & 2016 for Adaptive Red Team Tactics

Red -> Blue

My career has been a pretty constant flip-flop of roles. I feel as though it has strengthened me technically and professionally.

Job #1: Network Analyst, US Air Force
Job #2: Red Team Lead, Adaptive Threat Division (ATD)
Job #3: Principal Security Engineer, ICEBRG

Understanding the ins and outs of your opponent's operations makes you a better-prepared opponent.

Let's Tell A Story

This Thing Called Struts

“Apache Struts is a free, open-source, MVC framework for creating elegant, modern web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, and JSON.” https://struts.apache.org/

Apache Struts is a prevalent framework, often exposed on internet-connected devices. Because of its large and sophisticated capability set, it pulls in a number of external dependencies and legacy code bases.

Is Struts Common?

Internet-connected Apache devices are everywhere (17 million on Shodan). Struts is also everywhere:

“65 percent of the Fortune 100 companies are actively using web applications built with the Struts framework. This includes organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and Showtime.” via Shodan.io

Additionally, based on experience, internal applications are often built on Struts, making them a juicy target during post-exploitation.

https://thenewstack.io/critical-vulnerability-apache-struts-puts-thousands-web-applications-risk/

Are People Still Targeting Struts?

Many thanks to Andrew Morris for giving me data!

Takeaways:
• VPS providers are a common scanning source
• People are still looking for Struts servers
• This is only for external-facing assets, and only covers scans for the default paths from the exploit POC

https://greynoise.io/

Lots of CVEs

CVE-2017-5638: “The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.” https://nvd.nist.gov/vuln/detail/CVE-2017-5638

CVE-2017-9791: “The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.” https://nvd.nist.gov/vuln/detail/CVE-2017-9791

CVE-2017-9805: “The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.” https://nvd.nist.gov/vuln/detail/CVE-2017-9805

Lots of Struts IR in 2017

In 2017, I saw many engagements that began with Struts exploitation.

Throughout these cases, Struts exploitation led to:
• Continuous and automated compromise for criminal purposes
• Enterprise-wide ransomware deployments
• Targeted attacks by threat groups with focused objectives

Even after signatures were released and people knew what to look for and how to fix it, we continued to witness devastating in-the-wild compromise. But why?!

Real World Conversation

Common Themes:
• Did not know the asset was exposed (lacked visibility). Often a legacy asset w/ no endpoint protection.
• Trusted their security stack and the detections it provided
• Did not have any practice performing response and remediation on the public-facing asset.

Takeaways:
• Visibility is a key first step.
• The state of detection within organizations is still maturing.
• Offensive testing and exercises could have helped these particular customers.

(Thank you Kaya, my daughter, for showing how I feel here.)

What We Will Discuss - Goals

Blue teams must better understand the applied detection logic in their environments. Detection authors must strive to better understand root cause/adversary behavior to author robust indicators and analytics.

Red teams should focus their actions on being threat-representative in order to further a training objective. This might include noisy actions. That might get you caught, or it might identify a detection gap.

Let's use Apache Struts as a case study.

Analysis of POC Exploit & Detection

Time For Fun

Is This Signature / Rule Effective?

One public signature for CVE-2017-9805:

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder?)"; flow:to_server,established; content:"java.lang.ProcessBuilder"; nocase; http_client_body; fast_pattern; content:"]/RPs"; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024663; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Perimeter, signature_severity Critical, created_at 2017_09_06, performance_impact Low, updated_at 2017_09_06;)

Where did the highlighted content match, java.lang.ProcessBuilder, come from?

Abuse Gadget From MSF

Is this the only abuse gadget that can be used?

Public Signatures

SID       Rule Message
2024663   ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)
2024664   ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (Runtime.Exec)
2024668   ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 1
2024669   ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 2
2024670   ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 3
2024671   ET EXPLOIT Apache Struts 2 REST Plugin (B64) 4
2024672   ET EXPLOIT Apache Struts 2 REST Plugin (B64) 5
2024673   ET EXPLOIT Apache Struts 2 REST Plugin (B64) 6
2024674   ET EXPLOIT Apache Struts 2 REST Plugin (Runtime.Exec)
2024675   ET EXPLOIT Apache Struts 2 REST Plugin (ProcessBuilder)

https://rules.emergingthreats.net/

Public Signature Analysis

Looking at the same ten rules again, the slide colour-coded them by what they actually match on:
• Black = targeting very specific abuse gadgets (the ProcessBuilder and Runtime.Exec rules)
• Green = targeting the “ysoserial” Base64 blob (the B64 rules)
• Red = hardcoded URI of the app

Swapping Abuse Gadgets For Fun & Profit

Time For Fun

Too Easy!

This evasion took less than an hour of development and testing.

https://github.com/mbechler/marshalsec

Just in case you didn’t assume this… bad guys know how to do this research too.

Requirement (slide credit: Casey Smith and Matt Graeber)

https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/MattGraeber.CaseySmith.pdf

Back To Basics Of Detection

Getting In a Habit

A rough process that can be used to work through authoring an indicator:

1. Identify TTP
2. Intel & Behavior Analysis
3. Indicator Criteria (Loose / Strict)
4. Indicator Creation
5. Indicator Testing
6. Deployed
7. Durability
8. Indicator Maintenance (which feeds back into the start)

Let's dive further into the highlighted steps, defining the criteria and creating the indicator…

Defining Loose & Strict Criteria

Strict Criteria: components of a particular attack chain that are required to be present for the chain to exist. (Strict Criteria 1 AND Strict Criteria 2)

Loose Criteria: components of a particular attack chain that will commonly be present in the attack chain. Generally, at least one of these will be present. Also includes attacker behavior choices. (Loose Criteria 1 OR Loose Criteria 2 OR Loose Criteria 3)

Behind The Scenes

How the REST plugin's XStream deserialization gets from attacker input to gadget execution (image from McAfee Labs, reproduced here as a flow):

Attacker -> Unmarshal XML Object and Populate Map Object -> doUnmarshal searches for the class where node names are defined -> Unpack XML nodes into a new structure returned to the reflection provider (“Object”) -> Update field with value from nodes -> Abuse gadget executed upon (K,V) access

Abuse Gadgets:
• System command execution
• JNDI
• Remote classloading (plain)
• Remote classloading (serviceloader)
• Local classloading

https://securingtomorrow.mcafee.com/mcafee-labs/apache-struts-at-rest-analyzing-remote-code-execution-vulnerability-cve-2017-9805/

Criteria for Network Detection of CVE-2017-9805

Strict:
• Exploit payload is XML
• Abuse gadget paths:
  JNDI:
    o org.springframework.jndi.support.SimpleJndiBeanFactory
    o com.sun.rowset.JdbcRowSetImpl
    o com.sun.jndi.ldap.LdapAttribute
  Remote classloading (plain):
    o javax.naming.Reference
    o com.sun.jndi.rmi.registry.ReferenceWrapper
  Remote classloading (serviceloader):
    o javax.script.ScriptEngineFactory
  System command execution:
    o java.lang.ProcessBuilder
    o java.lang.Runtime.exec
  Local classloading:
    o com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl

Loose:
• HTTP or SSL/TLS
• POST requests with ‘application/xml’ data

Indicator Creation

Process by which we author rules/signatures/analytics to detect a clearly identified TTP.
• Leverage all of the systems at your disposal.
• There are usually many ways to detect something. Consider this a one-to-many phase (one TTP, many indicators).
• Indicator / detection overlap is a good thing if you can properly visualize and use the alerts.
• Helps a TON if you can explore data in the same “language” in which you author indicators.
• Helps a TON if you can perform retroactive search.

IDS Signature FTW

For the purposes of this demonstration, we can construct a basic network IDS signature for this activity leveraging the criteria. Left as an “exercise for the audience”.

• Consider ports/protocols
• Include strict criteria
• Boolean “or” on the loose criteria
• Optimize rule for performance
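To make the strict/loose approach concrete, here is the same logic as the “exercise” above written as a small matcher, run over constructed requests. This is an added example for this write-up, not the speaker's code and not an Emerging Threats rule: it encodes the criteria table from the previous slides and compares them with a narrow, gadget-specific check modelled on the content:"java.lang.ProcessBuilder"; nocase; match of SID 2024663. The request samples, the URI, the header lookup helper and the decision to match java.lang.Runtime (the slide lists java.lang.Runtime.exec) are all assumptions made for the demo; the sample bodies carry the gadget class names but are not working exploit payloads.

```python
"""Criteria-based matcher for CVE-2017-9805 requests vs. a gadget-specific one.

Added example for this write-up; it is not the speaker's code or an ET rule.
It encodes the strict / loose criteria from the slides and compares them
with a narrow check modelled on the content:"java.lang.ProcessBuilder";nocase;
match of SID 2024663. The requests below are constructed samples: they carry
the gadget class names the slides list but are not working exploit payloads.
"""
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        """Case-insensitive header lookup; '' when absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


# Strict criterion 2: abuse-gadget class paths, grouped as on the slide.
# The slide lists java.lang.Runtime.exec; the token that appears in the XML
# is the class name, so java.lang.Runtime is matched (an assumption here).
GADGET_CLASSES = {
    "jndi": (
        "org.springframework.jndi.support.SimpleJndiBeanFactory",
        "com.sun.rowset.JdbcRowSetImpl",
        "com.sun.jndi.ldap.LdapAttribute",
    ),
    "remote-classloading-plain": (
        "javax.naming.Reference",
        "com.sun.jndi.rmi.registry.ReferenceWrapper",
    ),
    "remote-classloading-serviceloader": ("javax.script.ScriptEngineFactory",),
    "system-command": ("java.lang.ProcessBuilder", "java.lang.Runtime"),
    "local-classloading": (
        "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    ),
}


def narrow_signature(req: HttpRequest) -> bool:
    """Gadget-specific check: fires only on the Metasploit gadget string."""
    return "java.lang.processbuilder" in req.body.lower()


def strict_criteria(req: HttpRequest) -> list:
    """Both strict criteria must hold: the body is XML AND it names at least
    one abuse gadget. Returns the (category, class) pairs found; an empty
    list means a strict criterion failed."""
    if not req.body.lstrip().startswith("<"):
        return []
    body = req.body.lower()
    return [
        (category, cls)
        for category, classes in GADGET_CLASSES.items()
        for cls in classes
        if cls.lower() in body
    ]


def loose_criteria(req: HttpRequest) -> list:
    """Loose criteria are OR-ed: any one of them is enough."""
    hits = []
    if req.method.upper() == "POST":
        hits.append("post")
    if "application/xml" in req.header("Content-Type").lower():
        hits.append("xml-content-type")
    return hits


def criteria_signature(req: HttpRequest) -> dict:
    """Alert when every strict criterion holds and at least one loose one does."""
    gadgets = strict_criteria(req)
    loose = loose_criteria(req)
    return {"alert": bool(gadgets) and bool(loose), "gadgets": gadgets, "loose": loose}


# Constructed samples (labelled as such; none is a working exploit).
MSF_STYLE = HttpRequest("POST", "/orders/3", {"Content-Type": "application/xml"},
                        "<map><entry><java.lang.ProcessBuilder/></entry></map>")
SWAPPED_GADGET = HttpRequest("POST", "/orders/3", {"Content-Type": "application/xml"},
                             "<map><entry><com.sun.rowset.JdbcRowSetImpl/></entry></map>")
BENIGN_XML = HttpRequest("POST", "/orders/3", {"Content-Type": "application/xml"},
                         "<order><id>3</id><clientName>Bob</clientName></order>")
PLAIN_TEXT = HttpRequest("POST", "/search", {"Content-Type": "text/plain"},
                         "looking for java.lang.ProcessBuilder docs")


def run_demo() -> dict:
    """Compare both checks on every sample; keyed by sample name."""
    samples = {"msf": MSF_STYLE, "swapped": SWAPPED_GADGET,
               "benign": BENIGN_XML, "plain": PLAIN_TEXT}
    return {name: {"narrow": narrow_signature(r), "criteria": criteria_signature(r)["alert"]}
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:8s} narrow={result['narrow']!s:5s} criteria={result['criteria']}")
```

The two failure modes of the gadget-anchored rule both show up in the samples: the swapped JNDI gadget walks straight past it, and the plain-text request trips it without being an XML payload at all, while the criteria-based check fires exactly on the two gadget-bearing XML POSTs. Translating this back into a Suricata rule, the strict criteria become the http_client_body content/pcre matches (one alternation over the class list), and the loose criteria become the http_method and Content-Type checks the slide suggests OR-ing together.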

https://suricata-ids.org/

Many thanks to Dan Caseldan and Chenming Xu aka Sparrow for the example!

More Demo

Getting Creative With Detection

Changing Old View of “Blinky Boxes”

What if we decide to treat traditional alerts from systems as “just another event” that we look at holistically…
• Less concern about FPs
• Ability to author “hunt” style signatures on various systems
• Post-process, enrich, and perform detection later
• Combine alert streams, network metadata, application logs, and endpoint data for total win.

The Modern Approach

Think of a traditional “sensing” system like the human body's nervous system…

Senses -> Nerves -> Brain

which maps onto:

Event Streams From Sensors -> Data Processing -> Analytics and Detection

Behavioral Detection

Rather than look for specific *known* attacks, look for abstract patterns or behaviors of threat actors.

Atomic Indicators -> Singular Event Based Indicators -> Behavioral Indicators

• Move away from a reactionary, IOC-based approach.
• Can be FP prone depending on approach. Can you handle the triage?
• Challenging at scale. Are you tall enough to ride the ride?

Example w/ FIN7:
• Atomic Indicator: 204.155.31[.]167
• Singular Event: DNS TXT to KingServers ASN
• Behavioral: “Abnormal DNS Ratio” event to a low-prevalence server

Better when you retain forensic event-level detail for transparency.

Dream Bigger On The Struts Scenario

Imagine generating events for things like:
• A non-browser (JA3 fingerprint) connects to an SSL/TLS web server
• An internet asset classified as a “server” connects to my server
• External access to a resource with little prevalence in the dataset (novelty detection)
• A POST is followed by a connection out to an external IP (or the requester IP) within a time threshold
• A POST is followed by a process start event with a process inside a certain “category”

Take these observations and perform time series analysis, clustering, correlation, etc.
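Two of those “a POST is followed by …” events, worked through as a sequence correlation over constructed data. This is an added example for this write-up, not the speaker's code or any product's analytics; everything in it is an assumption made for the demo: the event schema (ts, kind, host, peer), the internal prefixes that define “external”, the shell-process category standing in for the slide's “category”, and the sample web, flow and endpoint events.

```python
"""Sequence correlation over the events imagined above: a POST followed, within
a time window, by an outbound connection to an external IP (or back to the
requester) or by a shell-category process start on the same server.

Added example for this write-up, not the speaker's code. Everything below is
an assumption for the demo: the event schema (ts, kind, host, peer), the
internal prefixes, the shell-process category and the constructed events.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str   # "http_post", "conn" (outbound from host) or "proc_start"
    host: str   # server the event is observed on
    peer: str   # http_post: client IP; conn: destination IP; proc_start: image


# Assumed: what counts as "my network"; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed process category for "a process start inside a certain category".
SHELL_PROCS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe"}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_external(post: Event, ev: Event) -> bool:
    """The server opened a connection to an external IP after the POST."""
    return ev.kind == "conn" and not is_internal(ev.peer)


def shell_spawn(post: Event, ev: Event) -> bool:
    """The server started a shell-category process after the POST."""
    return ev.kind == "proc_start" and ev.peer.lower() in SHELL_PROCS


def correlate(events, window_seconds, accept):
    """Pair every POST with later events on the same host, inside the window,
    that satisfy `accept`. Returns plain dicts so hits can be shipped to a
    downstream analytics step (clustering, time series) or asserted on."""
    window = timedelta(seconds=window_seconds)
    ordered = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, post in enumerate(ordered):
        if post.kind != "http_post":
            continue
        for ev in ordered[i + 1:]:
            if ev.ts > post.ts + window:
                break                      # sorted: nothing later can match
            if ev.host == post.host and accept(post, ev):
                hits.append({
                    "host": post.host,
                    "client": post.peer,
                    "follow_kind": ev.kind,
                    "follow_peer": ev.peer,
                    "delta_s": (ev.ts - post.ts).total_seconds(),
                    # A connection back to the requester is the strongest
                    # form of the pattern (reverse shell / callback).
                    "callback": ev.kind == "conn" and ev.peer == post.peer,
                })
    return hits


def _t(hhmmss: str) -> datetime:
    return datetime(2017, 9, 6, *map(int, hhmmss.split(":")))


# Constructed events: one suspicious POST from 203.0.113.7 to web server
# 10.0.0.5, then ordinary traffic from an internal user.
SAMPLE_EVENTS = [
    Event(_t("12:00:00"), "http_post", "10.0.0.5", "203.0.113.7"),
    Event(_t("12:00:02"), "proc_start", "10.0.0.5", "sh"),
    Event(_t("12:00:03"), "conn", "10.0.0.5", "203.0.113.7"),
    Event(_t("12:05:00"), "http_post", "10.0.0.5", "10.0.0.20"),
    Event(_t("12:05:01"), "conn", "10.0.0.5", "10.0.0.9"),      # backend DB
    Event(_t("12:05:02"), "proc_start", "10.0.0.5", "java"),
    Event(_t("12:30:00"), "conn", "10.0.0.5", "203.0.113.7"),   # outside window
]


if __name__ == "__main__":
    for name, rule in (("post->external conn", outbound_external),
                       ("post->shell spawn", shell_spawn)):
        for hit in correlate(SAMPLE_EVENTS, 30, rule):
            print(name, hit)
```

Only the first POST produces hits: the shell spawn two seconds later and the callback to the requester three seconds later. The internal user's POST, its database connection and the later external connection that falls outside the window all stay quiet. Each hit is emitted as a plain record rather than a yes/no, which is what lets the next stage cluster by host, count per client, or build the time series the slide mentions, and it retains the event-level detail the FIN7 example called for.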

Will these survive in your environments? ¯\_(ツ)_/¯

Where Does The Red Team Fit?

Let's Conduct a Self Survey

1. Are you exercising your client's detection & response capabilities to the fullest extent across the adversary's kill chain?

2. Are you ensuring your client can effectively identify adversary behaviors in addition to tool artifacts?

3. Are you exercising your blue team’s processes AFTER detection to include investigation, remediation and eviction?

4. Are you working with your client after engagements to close the detection gap and reduce dwell time?

Self-Reflection

There are many different views on these topics. Definitions aside, the real thing that matters is that the “customer” gets value.

Red team thoughts:
• Emulate adversarial TTPs
• Exercise processes/people/systems
• Focus on detection, response, eviction and remediation.
• Allow for “practice” in a live environment.

These make me sad:
• “I always have to be advanced.”
• “I take whatever path gets me to my objective.”
• “It's not my job to know defense.”
• “I can't share my TTPs with the blue team, then I won't be able to stay ahead.”

Offense Could Have Helped

Here's how it could have helped:
• Vulnerability scanning would have identified the exposed vulnerable assets.
• Penetration testing would have demonstrated the risk of that asset being exposed and what an attack chain might look like.
• Red teaming would have allowed the blue team to exercise a full incident response process on this asset, including remediation, and get feedback from the adversary.
• Atomic detection testing would have validated that the organization had the visibility it needed to detect the TTPs.

When I was a red teamer, I never used exploits because they “get you caught”... Looking back, I question that mindset…

Atomic Detection Testing

Atomic detection testing is the measured and structured unit testing of detection capabilities in a live environment.

Detection is a class of engineering, and engineers test their products.
• Controlled and isolated process
• Atomic testing by itself is NOT red teaming (in my opinion)
• Red teamers, as threat experts, can be VERY helpful in this process or perform the testing themselves

https://github.com/endgameinc/RTA
https://github.com/redcanaryco/atomic-red-team
https://github.com/mitre/caldera
https://github.com/uber-common/metta

Wrap Up

Parting Thought

We (red and blue) are all in this together.

"Sometimes when you win, you really lose, & sometimes when you lose, you really win, & sometimes when you win or lose, you actually tie, & sometimes when you tie, you actually win or lose. Winning or losing is all one organic mechanism, from which one extracts what one needs.” - Rosie Perez

Thank you

Questions?