Today we are announcing details of an investigation by Carbon Black’s Threat Research team that uncovered a second supply-chain compromise of the Ask Partner Network (APN).  This latest compromise brings to light how attackers are leveraging widely used general tools, such as toolbars and browser extensions, to conduct sophisticated targeted attacks, distribute malicious code, and maintain persistence in enterprises.

The latest APN compromise, detailed in this post, highlights how the continued ubiquity of potentially unwanted programs (PUPs) is increasing organizations’ attack surface and creating the need for better user education, more robust security hygiene, and immediate removal of unwanted programs.

The information below describes how you can detect and defend against these threats with each of our products.

How to Stop the Attack with Cb Protection

The hashes seen in this attack have already been added to SRS via the Collective Defense Cloud, so you will receive a malicious file alert if they exist in your environment.

For CbP deployments in High and Medium enforcement, unknown executables will be blocked or alerted on, which would mitigate many components of this attack. For CbP deployments in “Low” enforcement, and customers who want added security, here are some extra steps you can take.

You can ban APN and other unwanted applications by banning the Publisher name, or banning each certificate individually. For blacklisting, we recommend banning by Publisher name, as that will cover many different certificates by the same publisher.

Banning by publisher:

Banning by certificate:

In addition to banning unwanted applications by publisher, Version 8 of Cb Protect allows you to create custom rules that can search for specific command line arguments, such as encoded PowerShell.

A sample rule:

Platform: Windows

Rule Type: Advanced

Operation: Execute

Execute Action: Report Process Create

Path or File: Specific Path

<OnlyIf:Bit9Version:Atleast:8.0.0.0><CmdLine:*Enc*>powershell.exe

Process: Any process

User or group: Any user

For increased visibility in both CbP 7.2 and 8.0, you can create Report Execute rules to look for legitimate shell commands that are frequently used by attackers. These rules will have some level of false positives from your IT administrators, but by excluding specific users or policies, you can customize them to your environment and reduce false positives. Our Services team can assist you in customizing the below rule to suit your environment:

How to Detect the Attack with Cb Response

Our First Party behavioral threat feeds already contain queries that detect a number of the behaviors exhibited by this attacker, such as:

• PowerShell executed with encoded instructions (Advanced Threats)
• PowerShell Executing Hidden, Encoded commands (Community)
• Use of legacy task scheduler (Endpoint Visibility)
• Execution of quser.exe (Suspicious Indicators)
• Possible persistence regmod - run/runonce key (Suspicious Indicators)
• System Profiling (Suspicious Indicators)

In addition, the Known IOCs feed contains all of the static indicators seen in this incident and will alert you on those.

Here are some additional watchlists to detect attacker behavior, which we are testing prior to inclusion in the feeds. Because our customer environments vary wildly, we encourage you to test and refine all watchlists to suit your particular deployment. You can ask the Services team for assistance, or post on the User eXchange to get feedback and tips from other community members.

Typical Recon/Enum Commands:

This watchlist looks for standard OS commands run together, in a way frequently associated with attackers who’ve just gained access to a host. While an IT administrator may run any of these commands, it’s very unusual for all of these commands to be run at the same time.

Childproc_name:whoami.exe and childproc_name:quser.exe and childproc_name:net.exe and childproc_name:systeminfo.exe and childproc_name:find.exe and childproc_name:dsquery.exe and childproc_name:reg.exe and childproc_name:ipconfig.exe

Run Key Added With Suspicious Value:

This watchlist looks for a Run key being added to the registry which points to an executable stored in an unusual location.

cmdline:"reg add" cmdline:"currentversion\Run" (cmdline:"Appdata" or cmdline:"temp" or cmdline:"programdata" or cmdline:”system32”)

Powershell writing binary to disk

This watchlist looks for powershell writing binaries to disk.

Process_name:powershell.exe is_executable_image_filewrite:"true"

APN files writing unsigned executable

This watchlist looks for files signed by APN that write unsigned and invalidly signed binaries to disk.

digsig_publisher:APN -digsig_result_filewrite:Signed

APN files launching unsigned executable

This watchlist looks for files signed by APN that launch unsigned and invalidly signed binaries.

digsig_publisher:APN -digsig_result_child:Signed

How to stop the attack with Cb Defense

All malware types (Known malware, suspect malware, and potentially unwanted programs) should be blocked from running with “tries to run or is running” “deny” rules. To block later stages of the attack we recommend powershell.exe and not-listed applications be prevented from reading the memory of other processes and PowerShell is prevented from executing code from memory buffers. If particular applications are found to be involved in similar incidents, they should be added to the company blacklist by hash.

Ways to mitigate this beyond our products

Check your environment for APN binaries with the filename apnmcp.exe, and examine any files that apnmcp.exe might have written to disk. If you have tools with the ability to connect network activity to specific processes, examine apnmcp.exe and its child process network activity.  The indicators to look for are in the table below

But keep in mind that it’s easy for an attacker to change IPs and hashes. Carefully consider any running processes and their relevant behavior. Reduce risk by banning or removing PUP/PUA from your environment.