Web host havoc: Unveiling the Manic Menagerie campaign.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday". I am Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyber space. Thanks for joining us. [ Music ]
Assaf Dahan: So, our journey begins pretty much in late 2022, so back at the time we were conducting a really thorough hunting project. We were looking into all sorts of web exploitation conducted by a myriad of threat actors where we stumbled upon this really interesting anomalous behavior and that kind of started this whole quest that we embarked on.
Dave Bittner: That's Assaf Dahan, Director of Threat Research at Palo Alto Networks. Also joining us is Daniel Frank, Principal Threat Researcher at Palo Alto. The research we're discussing today is titled "Manic Menagerie 2.0, the Evolution of a Highly Motivated Threat Actor." [ Music ] Let's go through it together here. Can you give us an overview of what exactly we're dealing with here?
Assaf Dahan: So, "Manic Menagerie", first of all, it's a name of a cybercrime group that we've been following for over a year now. It's a really kind of interesting story. It's a story that involves cyber archeology, evolution of a threat actor with some plot twists and a good comeback, you know, because you have to have a good comeback. So, the research is really about the re-emergence of this cybercrime group that came back from the dead, so to speak. It was discovered back in 2018, and then for like four years nobody heard anything about them. And all of a sudden, they launched this massive global campaign that targeted web-hosting and IT companies where they were able to compromise thousands of websites around the world that were hosted on these web-hosting servers.
Dave Bittner: So, the title of your research, which begins with "Manic Menagerie 2.0" indicates that there was original Manic Menagerie. What do we know about them?
Daniel Frank: Well, yes, so the original research in 2018 was published by the Australian Cyber Security Centre. And originally, this threat actor's motivation was solely to monetize. They were deploying cryptocurrency miners. What we saw in our research was beside these cryptocurrency miners that we did witness as well was this really interesting shift into -- as Assaf mentioned before -- into deploying tons of web shells into these legitimate websites hosted on these web-hosting companies' servers.
Assaf Dahan: Yeah, so to expand a little bit on that. When we first witnessed the activity at the end of 2022, initially we thought we were looking at yet another cryptocurrency mining campaign. But as time went by, we saw something that was pretty amazing. As we started blocking them, they responded very quickly and tried to bypass our mitigations again and again. It turned into this cat-and-mouse game of we're blocking them and they're trying to find smart bypasses. Eventually it seemed like they gave up on the cryptocurrency scheme that they were trying to monetize. And it was then where we observed this attempt to backdoor a lot of legitimate websites at scale. So, yeah, that was pretty interesting to see like, first of all, it was like about the re-emergence of a threat actor that has not been seen for almost four years. And then it was this very quick and adaptive shift in their techniques and tactics, which was particularly interesting to us.
Dave Bittner: And help us understand here, when we talk about that pivot, once they've given up the crypto mining, what are they after in the second phase?
Daniel Frank: So, it's really interesting, so what they did was to -- they deployed web shells on the affected or legitimate websites that hosted their webservers. And to us, it was, you know, a real pickle, you know, like we questioned ourselves why are they doing what they're doing. And the theory that we came up with had to do with when you run a cybercrime operation, there are multiple ways which you can make money off, right? So, one is it could be ransomware, it could be info stealers. And another really popular way of making money today, if you're a cyber crook, is to sell access. So, imagine that if you're -- if you just got a hold of a webserver that hosts thousands or even hundreds of websites. They are all legitimate. You can potentially install a backdoor there and it will grant you access to that, not only to the website resource but to the entire server so to speak. So, and you can sell this access, you can further -- you can use it to deploy other malware so you can collaborate with other cyber gangs. So, it's a really nice way for them to -- or you can even build a botnet. So, it's a really interesting way of monetizing access.
Dave Bittner: We'll be right back. Well, let's dig into some of the technical details here. I mean, what sorts of tactics, techniques, and procedures are these folks using?
Daniel Frank: First of all, in order to infiltrate these environments, what we saw was exploitation of various web-facing applications and IIS servers. This is kind of the first technique that we noticed. And afterwards what they did was deploying a lot of publicly available tools with some custom tools. Now, I believe that this vast usage of the -- of all sorts of publicly available tools, you know, for local privilege escalation and for lateral movement, I think this is what gave them the original name "Manic Menagerie" because I believe it's just like -- you know, like the title that implies like this, I don't know, crazy, a circus or crazy amount of tools all over the place, you know, they were blocked and tried another one, they were blocked and tried another one. And they were kind of also, you know, up to date with the latest releases of local privilege escalation tools. You could actually see them progress. As Assaf said, this, you know, sort of cat-and-mouse game. And besides these public tools, there was also the usage of several custom tools, which also really helped us in attributing this activity to the original "Manic Menagerie" research. And, yes, so one of these custom tools was responsible for writing these -- this crazy amount of web shells. And this was the main tool of interest, you know, that like it sparked our curiosity in like, you know, what is this custom tool and why does it write so many web shells. And I think this was like the main -- our main pivot point in actually understanding who this threat actor is and starting from there. And then we discovered more and more tools. And, yeah, well, to sum it up, just lots of public tools and some really unique custom tools as well.
Assaf Dahan: It also shows -- if I may? It also shows like the amount of effort that they invested in this campaign because it's one thing to use, you know, off-the-shelf or like, you know, as Daniel mentioned, public tools, but to write your own custom tools, it takes, you know, effort, it takes developers and it also implies premeditated intention. So, it was not just like, you know, a fluke or like a random opportunistic I guess type of attack, it took some time for them to build this tool. As far as we know, they are the only group that uses this tool, which ultimately helped them to backdoor all of the legitimate websites. And this is where the impact I think is really noteworthy to mention because it could be pretty much any website that you can think of. It could be like the neighborhood yoga studio, it could be an insurance company, travel agency, e-commerce, like a small e-commerce business. So, the fact that these attackers gained access to these resources can potentially mean data leakage, PII. You know, we live in a world of a lot of regulations and regulatory fines, GDPR, so there could be really let's say harsh I guess consequences for such attacks, not even to mention like the legal liabilities, reputational damage that can incur because I think the genius thing here about, for instance, selling access to a legitimate website is that a legitimate website enjoys a really good reputation. It's not going to be flagged by firewalls or antivirus software, or other security solutions. So, the attackers, if they want to sell these as access points or turn them into C2 servers for that matter, so they can really use this type of access to conduct nefarious or malicious activity under the guise of a legitimate website.
Daniel Frank: Yes, so I just wanted to add a little something here. So, in addition to what Assaf said, so I mean, the thing of the -- like the point of this public access I think is really, you know, crucial to emphasize. I mean, imagine that someone hacks your web-hosting company, I mean, the web-hosting company that Riverside.fm uses, and then you have Riverside.fm/ -- I don't know -- webshell.aspx. Imagine that like this secondary threat actor could just browse through Riverside.fm/webshell.asp and have access to your website's resources just from the public internet. You know, they don't need like any internal access to a web-hosting company anymore potentially. This resource, you know, for, you know, it's running commands or whatever and it's just publicly available for them.
Dave Bittner: Yeah, you mentioned how opportunistic they are. How do you rate their sophistication?
Assaf Dahan: I think they're not -- like they're not like an APT -- nation-state APT level in terms of sophistication. As Daniel mentioned before, they use a lot of publicly available tools you can just, you know, download and compile from GitHub. So, that on its own doesn't show a lot of sophistication. They did develop their own custom tool which, you know, it's not the state-of-the-art custom tool but it's sophisticated enough. What can characterize this group better is their resilience and adaptiveness. We mentioned before that ongoing cat-and-mouse game that we have been playing with them for a couple of months, and you could see how important it was for them to maintain the access that they initially gained because like every time we would block them, they would find or try to find a way to bypass those mitigations. So, if I had to give them, you know, to describe them with an adjective, it would not necessarily be sophisticated, but I would definitely say resilient or adaptive.
Dave Bittner: Interesting. So, what are your recommendations then? I mean, in terms of folks best protecting themselves against this sort of thing?
Daniel Frank: Well, I think the first thing would be just to maintain good IT hygiene because, as we said, the thing that, you know, started it all and not only now but in 2018 as well, it's the same vulnerable servers and third-party software, which is obviously old third-party software that, when unpatched, poses a problem for a lot of organizations. So, I think the first thing to do is to patch your software, keep it up to date, and kind of, you know, have this patching system as kind of your gatekeeper into at least trying to mitigate partially.
Assaf Dahan: Yes, so definitely I would say it starts with good IT hygiene, like Daniel mentioned, that the root cause if you will, we did like a root cause analysis of most of the intrusions that we attribute to this group and, by the way, a lot of other groups as well. It has to do with poor IT hygiene. So, it's really important -- it sounds very obvious, right, but like keep your software up to date, keep, you know, deploy patches, and, of course, security in layers. That's another big thing. You need to have like multiple layers that will protect your data and resources. It could be on the network side of the house, it could be on the endpoint side of the house, and so on, the cloud, there are so many ways. So, but I think, yeah, keeping good IT hygiene and making sure that your data is well protected using a multilayered approach is the right way to go. It will definitely reduce the attack surface. It's not going to be like 100%, you know, bulletproof. What we've learned over the years is that when you have a very motivated, well-funded or resourced threat actor, they'll eventually find a way. So, what we can do as, you know, as defenders or security practitioners is -- the only thing we can do is to try to make their life harder by keeping, you know, our doors shut and not opening windows that should not be opened. And the last thing maybe is to conduct a proactive type of hunting. If you're in an organization that has like a good IT or security department, I think it's a really good or best practice to conduct periodic proactive threat hunting tasks in order to find those threats even before you get an alert. Because usually by the time you get an alert from a product, it's almost too late. [ Music ]
Dave Bittner: Our thanks to Assaf Dahan and Daniel Frank from Palo Alto Networks for joining us. The research is titled "Manic Menagerie 2.0, The Evolution of a Highly Motivated Threat Actor." We'll have a link in the show notes. [ Music ] The CyberWire "Research Saturday" podcast is a production of N2K Networks. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Elliott Peltzman. Our Executive Producers are Jennifer Eiben and Brandon Karpf. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening, we'll see you back here next time. [ Music ]