It's raining credentials.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities. Solving some of the hard problems and protecting ourselves in a rapidly evolving cyber space. Thanks for joining us.
Alex Delamotte: I had a found a little bit of this activity with one of my virus total hunting rules, but I didn't have quite the full picture. And we were fortunate enough to have Ian and Daniel from Permiso Security reach out to my team. And see if we could collaborate and try to hunt on some of this stuff together. So we ended up doing that, and it was definitely a productive, collaborative venture.
Dave Bittner: That's Alex Delamotte. She's a Senior Threat Researcher with SentinelLabs. The research we're discussing today is titled "Cloudy With a Chance of Credentials - AWS-Targeting Cred Stealer Expands to Azure and GCP."
Dave Bittner: Well let's go through some of the details here. What are we talking about? What is it that you discovered?
Alex Delamotte: So my rules are -- when it comes to cloud threat hunting, my rules are incredibly broad. And some of these look for activities that might seem, I would say, in the abstract too noisy? But when it comes to virus total hunting there actually is not quite as much noise as one would expect for certain things. So, this rule is a modified rule that looks for behavior where curl is initiated from a system that has been profiled as Kubernetes. So, I believe that the scripts had some of those magic keywords in it to show up in my rule. So I found it that way. And yeah, we went from there.
Dave Bittner: Well, help us understand what exactly goes into action here. I mean, this pops up, it grabs your attention. What do you do next?
Alex Delamotte: So next, I would try to find -- so these scripts are very modular. They all do -- some of them are larger and they do, you know, they have more functions that will do more things. But you're never going to have the full picture with only one of these scripts. And the next step is to find what these actors are doing after running the first script. So I would say the primary script are the scripts named aws.shell, or .sh. Or one of those variants. There were a couple that had like g-aws.sh. So these are kind of the main scripts that I associate with this actor. Who we have described as TeamTNT-like.
Dave Bittner: Hm.
Alex Delamotte: Yes. That's an interesting topic in itself. But --
Dave Bittner: Sure.
Alex Delamotte: Yeah. So we find that initial aws.sh script. And then there were other scripts that will tie into it. There's clean.sh, which is, I believe, kind of aptly named as an uninstaller. And then some of the scripts we found through there was a binary in this campaign. That was a Golang compiled binary. And that was one where I actually did a little bit of reversing and thanks to my colleague's work on AlphaGolang project, which is a reverse engineering leap that aims to make analyzing Golang binaries a little bit less painful. So I put that to use in IDA Pro. And I determined that it is dropping another script. It was actually a very simple binary. It basically dropped one more script and kind of set up the environment to use it then.
Dave Bittner: Well jumping back up to the higher level here. I mean, these folks are after credentials? They're after cloud credentials?
Alex Delamotte: Yes, exactly. So the main part of the aws.sh script is to collect credentials and to profile the environment.
Dave Bittner: And how are they going about this? They're targeting -- is it web applications?
Alex Delamotte: Yes. Exactly. So, they land, like the propagation that we saw in this campaign was primarily looking for a response on Docker ports that contained the string of Version 1.16. Which was a little mysterious because it wasn't a known Docker version. Although, I did get a tip from Emily over at Censys that this could be related to Golang container that runs in Docker sometimes.
Dave Bittner: Interesting. So, they have expanded the areas that they're after here, right? I mean it's not just AWS. They're going after some other cloud environments now?
Alex Delamotte: Exactly. That was one of the biggest findings that we had was these campaigns were kind of -- they were going on from mid-June to the end of June. I want to say like June 14th was the earliest sample that I saw from this campaign. And at one had some functionality for Azure cred collection and GCP. So the Azure credentials were not yet implemented. And when we saw this follow-up activity from these actors about a week later, they were then using the Azure collection modules. So they were actively tuning it. And it does look like they have their sight set on more cloud providers. So it's no longer just AWS in the crosshairs.
Dave Bittner: What did you all see in terms of anything related to command and control?
Alex Delamotte: That's a good question. I don't know if we had specific visibility there. We did have, like the scripts do have C2 URLs hard coded in them. And we can tell what they do because these are, you know, shell scripts. It effectively open source. So we can just put together what they're doing through the functions of the code. And these were pretty interesting C2 domains. They used to use IP literal URLs for C2 and they're no longer doing that. Evidently they were also using open directory, where you just, you know, browse and download the payloads. But that has since been mitigated. The open directory feature was found by Permiso back in December of 2022. So it seems like they're getting a little more secure and they're using dynamic DMS for C2 domains now. Like we saw the silentbob.anondns, that was a popular C2 domain that kind of named the campaign. There was also a really nefarious domain that looked like an AWS region. It was ap-northeast-1. compute.internal.anondns. Which I thought was really interesting that they're mimicking the normal structure of the AWS subdomains.
Dave Bittner: In terms of the information they're gathering here, what sort of insights did you have there?
Alex Delamotte: So they're gathering credentials, and they're also profiling what processes are running on the system. And I don't think that everything there would be automated afterward. I believe that was for follow on activity when it was determined to be a high value system. So, they would enumerate running processes and use them, Docker, to inspect all of the Docker associated processes. So, my guess would be they are using this to get either more credentials or move laterally whatever it is that their goal is going to be. Which unfortunately with this actor, the goals are not clear. And I think that is part of their MO, so to speak.
Dave Bittner: And what are you seeing in terms of their ability to spread this around? What are their propagation strategies?
Alex Delamotte: The most recent one that we noticed was in that Golang binary, there was an IP scanner where it would reach out to the C2 and get a range of IPs to scan. And then it would look for that user agent response from the targeted systems that included V1.16. I am unsure what the significance of that was, again, but we thought potentially this was profiling honeypots, because that was the only thing I could find on Shodan that was responding with that user agent.
Dave Bittner: Oh, interesting.
Alex Delamotte: So, I'm not sure whether that was cause or effect, though. Maybe another researcher saw that they were doing this and decided to make their honeypot respond to that to try to get more activity.
Dave Bittner: Is your sense that they're sort of opportunistic or does there seem to be any targeting, in terms of, you know, different verticals that they might be after?
Alex Delamotte: This seems opportunistic because it is scanning the open internet for systems responding with that user agent. But, I caveat that by saying the Sysdig report on SCARLETEEL I think is one of the more interesting cloud attacks that we've seen this year. And that actually tied back to this. Abigail Meztinger reached out to me on Twitter and said that this overlapped with SCARLETEEL and I thought that was really interesting because those attacks are motivated by stealing source code from the targeted organization. Which is very different than crypto mining. They do deploy a crypto miner, but it's suspected to be a diversion while they actually go after code from the targeted organization.
Dave Bittner: So, in terms of folks defending themselves against this, what are your recommendations?
Alex Delamotte: Definitely keep everything patched and up-to-date. I know it's -- I sound like a broken record with that, but really, I think so many cloud attacks are opportunistic. That really, the basic security hygiene is going to take care of it most of the time. It's also a matter of being aware of what is running on your environment. So if you have people spinning up rogue containers, that could be a potential infection vector. Good to keep an inventory on that in your organization. Make sure that you know what's running. Particularly internet exposed services.
Dave Bittner: How would you rate the sophistication of this threat actor and what they put together here?
Alex Delamotte: That's another interesting question. Because some of what they do is very obvious, it's been done. You know, if it is TeamTNT, maybe they are the ones who have primarily done it in real life. But they have a pretty strong understanding of limitations. It seems like they readily adapt their tools. I think it's quite sophisticated that they added a functionality to craft HTTP requests through bash. It was -- it's really neat. They actually put the headers into the code and they manually create a request for containers that don't already have curl. So it will then make this request to the C2 and download the curl binary, which expands its functionality a lot. But I just thought that was incredibly interesting that the actor's overcoming more minimal containers and finding a way to make them more useful.
Dave Bittner: You know, you mentioned that your work here was in part a collaboration with some folks over at Permiso. Could you speak to that element of this? The importance of researchers like yourself sharing your information and collaborating with folks even across companies.
Alex Delamotte: Definitely. That is so welcome and it's so needed. Because I think everybody is somewhat on an island when it comes to cloud. No one is seeing the full picture. And I'll caveat that by saying maybe the cloud service providers have a pretty good idea of what's happening in customer environments or just their own environments. I can't speak exactly to that. But for other organizations that don't have that level of visibility, it's really crucial to just form these relationships and collaborate with people, share what you know, you know, since we've been talking to them. I threw some samples over to Permiso that were related to another thing they had written about. So it's been a really nice exchange.
Dave Bittner: Our thanks to Alex Delamotte from SentinelLabs for joining us. The research is titled "Cloudy With a Chance of Credentials - AWS-Targeting Cred Stealer Expands to Azure and GCP." We'll have a link in the show notes.
Dave Bittner: The CyberWire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of Data Tribe, where they're cobuilding the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Elliot Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.