feat: add rules related to Barracuda ESG exploitation

2023-06-18 22:14:57 +02:00
parent 6312dd1d44
commit 22628faaf0
12 changed files with 294 additions and 5 deletions
@@ -0,0 +1,23 @@
+# UNC4841 Exploiting Barracuda ESG Zero-Day Vulnerability
+
+## Summary
+
+On May 23, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in-the-wild as early as October 2022 and that they engaged Mandiant to assist in the investigation. Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors. Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China.
+
+You can find more information on the threat in the following articles:
+
+- [Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China](https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally)
+- [Barracuda ESG: CVE-2023-2868 Hardening Recommendations](https://mandiant.widen.net/s/qwlxddwdg6/barracuda-cve-2023-2868-hardening)
+
+## Rules
+
+- [UNC4841 - Email Exfiltration File Pattern](./file_event_lnx_apt_unc4841_exfil_mail_pattern.yml)
+- [UNC4841 - Barracuda ESG Exploitation Indicators](./file_event_lnx_apt_unc4841_file_indicators.yml)
+- [UNC4841 - SSL Certificate Exfiltration Via Openssl](./proc_creation_lnx_apt_unc4841_openssl_connection.yml)
+- [UNC4841 - Download Compressed Files From Temp.sh Using Wget](./proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml)
+- [UNC4841 - Download Tar File From Untrusted Direct IP Via Wget](./proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml)
+- [UNC4841 - Potential SEASPY Execution](./proc_creation_lnx_atp_unc4841_seaspy_execution.yml)
+
+> **Note**
+>
+> The detection and hunting rules provided for this threat might produce false positives when used outside of the context of incident response or compromise assessment. They are meant to be run and executed on affected systems and environments to look for signs of compromise.
@@ -0,0 +1,22 @@
+title: UNC4841 - Email Exfiltration File Pattern
+id: 5627c337-a9b2-407a-a82d-5fd97035ff39
+status: experimental
+description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
+references:
+    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.defense_evasion
+logsource:
+    product: linux
+    category: file_event
+detection:
+    selection:
+        TargetFilename|re: '/mail/tmp/[a-zA-Z0-9]{3}[0-9]{3}\.tar\.gz'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,63 @@
+title: UNC4841 - Barracuda ESG Exploitation Indicators
+id: 5627c337-a9b2-407a-a82d-5fd97035ff39
+status: experimental
+description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+references:
+    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.defense_evasion
+logsource:
+    product: linux
+    category: file_event
+detection:
+    selection:
+        TargetFilename|endswith:
+            - '/11111.tar'
+            - '/aacore.sh'
+            - '/appcheck.sh'
+            - '/autoins'
+            - '/BarracudaMailService'
+            - '/etc/cron.daily/core_check.sh'
+            - '/etc/cron.daily/core.sh'
+            - '/etc/cron.hourly/aacore.sh'
+            - '/etc/cron.hourly/appcheck.sh'
+            - '/etc/cron.hourly/core.sh'
+            - '/get_fs_info.pl'
+            - '/imgdata.jpg'
+            - '/install_att_v2.tar'
+            - '/install_bvp74_auth.tar'
+            - '/install_helo.tar'
+            - '/install_reuse.tar'
+            - '/intent_helo'
+            - '/intent_reuse'
+            - '/intentbas'
+            - '/mknod'
+            - '/mod_attachment.lua'
+            - '/mod_content.lua'
+            - '/mod_require_helo.lua'
+            - '/mod_rtf'
+            - '/mod_sender.lua'
+            - '/mod_udp.so'
+            - '/nfsd_stub.ko'
+            - '/resize_reisertab'
+            - '/resize_risertab'
+            - '/resize2fstab'
+            - '/rverify'
+            - '/saslautchd'
+            - '/sendscd'
+            - '/snapshot.tar'
+            - '/tmp/p'
+            - '/tmp/p7'
+            - '/tmp/t'
+            - '/update_v2.sh'
+            - '/update_v31.sh'
+            - '/update_v35.sh'
+            - '/update_version'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
@@ -0,0 +1,29 @@
+title: UNC4841 - SSL Certificate Exfiltration Via Openssl
+id: 60911c07-f989-4362-84af-c609828ef829
+status: experimental
+description: Detects the execution of "openssl" to connect to a direct IP. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
+references:
+    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+    - attack.defense_evasion
+    - attack.t1140
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/openssl'
+        CommandLine|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+        CommandLine|contains|all:
+            - 's_client'
+            - '-quiet'
+            - '-connect'
+        CommandLine|contains:
+            - ':443'
+            - ':8080'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,25 @@
+title: UNC4841 - Download Compressed Files From Temp.sh Using Wget
+id: 60d050c4-e253-4d9a-b673-5ac100cfddfb
+status: experimental
+description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+references:
+    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+    - attack.defense_evasion
+    - attack.t1140
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/wget'
+        CommandLine|contains: 'https://temp.sh/'
+        CommandLine|endswith:
+            - '.rar'
+            - '.zip'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,47 @@
+title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
+id: 23835beb-ec38-4e74-a5d4-b99af6684e91
+status: experimental
+description: Detects execution of "wget" to download a "tar" from a direct IP that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+references:
+    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+    - attack.defense_evasion
+    - attack.t1140
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/wget'
+        CommandLine|re: 'https://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+        CommandLine|contains: '--no-check-certificate'
+        CommandLine|endswith: '.tar'
+    filter_local_ips:
+        # Note: Uncomment this filter if you want to exclude local IPs
+        CommandLine|contains:
+            - 'https://10.' #10.0.0.0/8
+            - 'https://192.168.' #192.168.0.0/16
+            - 'https://172.16.' #172.16.0.0/12
+            - 'https://172.17.'
+            - 'https://172.18.'
+            - 'https://172.19.'
+            - 'https://172.20.'
+            - 'https://172.21.'
+            - 'https://172.22.'
+            - 'https://172.23.'
+            - 'https://172.24.'
+            - 'https://172.25.'
+            - 'https://172.26.'
+            - 'https://172.27.'
+            - 'https://172.28.'
+            - 'https://172.29.'
+            - 'https://172.30.'
+            - 'https://172.31.'
+            - 'https://127.' #127.0.0.0/8
+            - 'https://169.254.' #169.254.0.0/16
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,23 @@
+title: UNC4841 - Potential SEASPY Execution
+id: f6a711f3-d032-4f9e-890b-bbe776236c84
+status: experimental
+description: Detects execution of a specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
+references:
+    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+    - attack.execution
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith:
+            - '/BarracudaMailService'
+            - '/resize2fstab'
+            - '/resize_reisertab'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical
@@ -4,8 +4,10 @@ status: experimental
 description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
 references:
    - https://github.com/arget13/DDexec
+    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: pH-T (Nextron Systems)
 date: 2022/07/26
+modified: 2023/06/16
 tags:
    - attack.defense_evasion
    - attack.t1140
@@ -14,7 +16,7 @@ logsource:
    category: process_creation
 detection:
    selection_base64:
-        CommandLine|contains: 'base64 -w0 '
+        CommandLine|contains: 'base64 '
    selection_exec:
        - CommandLine|contains:
            - '| bash '
@@ -22,11 +24,11 @@ detection:
            - '|bash '
            - '|sh '
        - CommandLine|endswith:
+            - ' |sh'
            - '| bash'
            - '| sh'
            - '|bash'
-            - ' |sh'
-    condition: selection_base64 and selection_exec
+    condition: all of selection_*
 falsepositives:
    - Legitimate administration activities
 level: medium
@@ -0,0 +1,21 @@
+title: Named Pipe Created Via Mkfifo
+id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
+status: experimental
+description: Detects the creation of a new named pipe using the "mkfifo" utility
+references:
+    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
+    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: '/mkfifo'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
@@ -0,0 +1,26 @@
+title: Named Pipe Created Via Mkfifo
+id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a
+related:
+    - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
+      type: derived
+status: experimental
+description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
+references:
+    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
+    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: '/mkfifo'
+        # Note: Add more potentially suspicious locations
+        CommandLine|contains: ' /tmp/'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -9,6 +9,7 @@ references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
 author: Nextron Systems
 date: 2022/06/03
+modified: 2023/06/16
 tags:
    - attack.execution
    - attack.t1059
@@ -17,7 +18,11 @@ logsource:
    product: linux
 detection:
    selection_img:
-        Image|contains:
+        - Image|endswith:
+            - '/python'
+            - '/python2'
+            - '/python3'
+        - Image|contains:
            - '/python2.'  # python image is always of the form ../python3.10; ../python is just a symlink
            - '/python3.'
    selection_cli_1:
@@ -6,7 +6,7 @@ references:
    - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 author: Max Altgelt (Nextron Systems)
 date: 2021/12/09
-modified: 2023/06/07
+modified: 2023/06/15
 tags:
    - attack.defense_evasion
 logsource:
@@ -99,6 +99,9 @@ detection:
        CommandLine|contains|all:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe'
            - '/update UPDATEORCHESTRATOR displaylevel=False'
+    filter_optional_docker:
+        ParentImage: 'C:\Windows\System32\services.exe'
+        Image|endswith: 'com.docker.service'
    condition: not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Unknown