TekStream Security Bulletin: TellYouThePass Ransomware
By Julian Bermudez, Senior Splunk Consultant
Introduction
On June 8th, 2024, the TellYouThePass ransomware gang began exploiting the recently patched CVE-2024-4577.
This vulnerability for remote code execution in PHP has been exploited to deliver webshells and execute encryptor payloads on exposed devices.
Imperva researchers have determined that the bug is using the Windows mshta.exe binary to execute arbitrary PHP code to run malicious HTML app files.
In short, it has been stated that the vulnerability can be seen being exploited with the following chain of events:
- The Windows mshta.exe binary contains a VBScript that loads a .NET variant of the ransomware into memory.
- The malware then fires off an HTTP request to what is perceived to be a CSS resource but is actually a command-and-control server that encrypts files on the target host.
- The final step is to place a README ransom note with instructions on how to recover data.
Additional details can be found here: BleepingComputer Post about the PHP Exploit
Mitigation Strategies
The vulnerability has been acknowledged by WatchTowr Labs and they have suggested various mitigation steps to prevent its exploitation.
These steps include:
- Immediately patching PHP installations with the patched versions 8.1.29, 8.2.20, and 8.3.8.
- For servers that cannot be quickly upgraded, there are temporary mitigation steps that can be taken such as alerting Apache rewrite rules or disabling the PHP-CGI feature. Steps for this potential remediation can be found here: Remediation Steps
This is not a blog post to fully explain or give recommendations on remediating the vulnerability, this has been discussed at length by various resources such as:
DEVCORE blog post about CVE-2024-4577
Detection with Splunk
So far, we have seen many good detection options and would like to present a few more specific cases using everyone’s favorite SIEM Splunk.
The goal here is to aggregate the detections to maximize your chances of detecting this critical attack. A part of that is gathering the list of IOCs scattered in multiple locations on the internet and looking at activity that could point to the CVE-2024-4577 vulnerability being exploited. Here at TekStream, we have several security engineers that are intimate with cybersecurity knowledge and especially the logs of our clients.
We go through the various steps in CVE-2024-4577 vulnerability exploitation and detection. With this format, we are providing a more generic data model “tstats” command. This is taking advantage of the data model to quickly find data that may match our IOC list. We then provide examples of a more specific search that will add context to the first find. There will be a wide variety of specific searches as each client has their own specific technologies. To get help building detection for your specific client, fill in the form below and get access to our Splunk/security expertise.
Note: The follow-up of the initial access attack is normally the execution of a specific script that establishes a connection to a rogue server. Detecting this part is not covered in this blog post. Reach out to TekStream by filling out the form below if you’d like specific guidance on that aspect.
The following detection steps mirror the stages and TTP-related indicators used in the attack:
- Detect initial malicious file spawning: mshta.exe
- Search for potential beaconing web traffic containing specific parameters.
- Detect ancillary signs of malicious script activity: VBScript
- Persistent malicious file install.
- Detect data exfiltration.
- Scan for related known malicious IPs.
- Scan for related known malicious web domain.
SPL
LEVERAGING ENDPOINT DATA TO SEARCH FOR MALICIOUS FILES (EDR, AV, OS, etc.)
| tstats `summariesonly` latest(_time) as _time,
latest(Filesystem.file_create_time) as file_create_time,
latest(Filesystem.file_modify_time) as file_modify_time,
latest(Filesystem.file_access_time) as file_access_time, values(Filesystem.dest) as
dest, values(Filesystem.action) as action, values(Filesystem.file_name) as
file_name, values(Filesystem.file_hash) as file_hash, values(Filesystem.file_path)
as file_path, values(Filesystem.file_size) as file_size from
datamodel="Endpoint"."Filesystem" where (Filesystem.file_name = "* mshta.exe"
OR Filesystem.file_name = "* d.hta") by Filesystem.src | fields _time, dest, action,
file_name, file_hash, file_path, file_size, file_create_time, file_modify_time,
file_access_time | fieldformat Time = strftime(_time,"%m/%d/%Y %T")
LEVERAGING ENDPOINT DATA TO SEARCH FOR MALICIOUS HASH (EDR, AV, OS, etc.)
| tstats `summariesonly` latest(_time) as _time, values(Processes.user) as user,
values(Processes.process) as process, latest(Processes.parent_process) as
parent_process, latest(Processes.parent_process_exec) as parent_process_exec,
latest(Processes.parent_process_guid) as parent_process_guid,
latest(Processes.parent_process_id) as parent_process_id,
latest(Processes.parent_process_path) as parent_process_path,
latest(Processes.process_path) as process_path, latest(Processes.process_exec)
as process_exec, latest(Processes.process_guid) as process_guid,
latest(Processes.process_id) as process_id, latest(Processes.process_hash) as
process_hash from datamodel="Endpoint"."Processes" where
(Processes.process_hash IN(
“9562AD2C173B107A2BAA7A4986825B52E881A935DEB4356BF8B80B1EC6D41C53”,
“5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618”,
“95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3”)
by Processes.dest, Processes.process_name, Processes.parent_process_name |
head 10000 | `drop_dm_object_name("Processes")` | fields _time, dest, user,
process_name, process, process_hash, process_path, process_exec, process_id,
process_guid, parent_process, parent_process_name, parent_process_path,
parent_process_exec, parent_process_guid, parent_process_id
LEVERAGING NETWORK TRAFFIC DATA TO DETECT MALICIOUS CONNECTIONS (Firewall, IDS/IPS, DNS, etc.)
| tstats `summariesonly` values(_time) as _time, sum("All_Traffic.bytes") as bytes,
values("All_Traffic.src_port") as src_port, values("All_Traffic.transport") as
transport, values("All_Traffic.dest_port") as dest_port from
datamodel="Network_Traffic"."All_Traffic", values("All_Traffic.action") as action
where All_Traffic.src="88.218.76.13” AND All_Traffic.action !=blocked AND
All_Traffic.dest_category !=internal AND All_Traffic.bytes > 1000 by "All_Traffic.dest" , "All_Traffic.user", "All_Traffic.src", _time span=1h
| rename "All_Traffic.dest" as dest, "All_Traffic.user" as user, "All_Traffic.src" as
src
| table_time, action, src, src_port, dest, transport, dest_port, user, bytes
| fieldformat Time = strftime(_time,"%m/%d/%Y %T")
LEVERAGING AUTH DATA TO ATTEMPT TO DETECT UNAUTHORIZED ACCESS (OS, MFA/SSO, application, etc.)
| tstats `summariesonly` latest(_time) as _time,
values(Authentication.src_user_id) as src_user_id,
values(Authentication.src_user_role) as src_user_role,
values(Authentication.user_id) as user_id, values(Authentication.user_role) as
user_role, values(Authentication.vendor_account) as vendor_account,
values(Authentication.authentication_method) as authentication_method from
datamodel="Authentication"."Authentication" where
(Authentication.src="88.218.76.13" OR Authentication.dest="88.218.76.13") by
"Authentication.action", "Authentication.app", "Authentication.src",
"Authentication.src_user", "Authentication.dest", "Authentication.user"
| head 10000
| `drop_dm_object_name("Authentication")`
| fields _time, action, app, src, src_user, src_user_id, src_user_role, dest, user,
user_id, user_role, vendor_account, authentication_method
LEVERAGING WEB DATA TO DETECT MALICIOUS URLs (Firewall, Proxy, DNS, etc.)
Note: replace hxxp with http when searching. This search shows hxxp to prevent an accidental click.
| tstats `summariesonly` sum("Web.bytes") as
bytes,values("Web.http_content_type") as
http_content_type,values("Web.http_method") as
http_method,values("Web.http_user_agent") as
http_user_agent,values("Web.status") as status from datamodel="Web"."Web"
where Web.url IN (“hxxp://88.218.76.13/dd3.hta”) by "Web.src", "Web.dest",
"Web.user", "Web.http_referrer", "Web.url", _time |
`drop_dm_object_name("Web")` | fields _time src, dest, user, http_referrer, url,
http_content_type, http_method, http_user_agent, status, bytes | eval ip_pair =
src . " - " . dest | stats values(_time) as Time values(ip_pair) AS src_dest,
values(user) as user, values(http_referrer) as http_referrer,
values(http_user_agent) as http_user_agent, values(http_method) as
http_method, values(status) as status, values(bytes) as bytes count by url|
fieldformat Time = strftime(Time,"%m/%d/%Y %T")
IoCs
URL: hxxp:/88.218.76[.]13/dd3.hta
C2 IP: 88.218.76[.]13
Hash (HTA sample): 95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3
Hash (HTA sample): 5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618
Hash Extracted .NET binary: 9562AD2C173B107A2BAA7A4986825B52E881A935DEB4356BF8B80B1EC6D41C53
Bitcoin Wallet address: bc1qnuxx83nd4keeegrumtnu8kup8g02yzgff6z53l
Conclusion
Ideally, you could make scheduled searches like what is shown above with lookup tables for matching more specific and new detections. These can be set to run on a continuous schedule to ensure the monitoring of your assets from new vulnerabilities. For questions on how to build such a process that is dynamic and customizable for your environment, ask one of our consultants by filling in the form below. Also, subscribe to the TekStream blog to catch the next monthly security bulletin and apply the latest detections to protect your systems. Happy Splunking!
References
Articles referenced and used for this Blog Post:
- https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-exploits-recent-php-rce-flaw-to-breach-servers/
- https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/
- https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
- https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/new-tellyouthepass-ransomware-variant-discovered
Disclaimer
The approaches recommended herein have not been tested broadly across the TekStream customer base. They are preliminary in nature and come without any certification of efficacy.
Purpose of TekStream Security Bulletins
With the TekStream Security Bulletin, we are presenting some specific detection use cases using everyone’s favorite SIEM, Splunk. We’ve cherry-picked vulnerabilities that are not only intriguing but also directly impactful for our valued clients. These vulnerabilities were chosen based on a multitude of factors, ranging from the technology in the crosshairs to the specific sectors being targeted. This is not a blog post to fully explain or give recommendations on remediating the vulnerability or exploit – this has been discussed at length by various resources. The goal here is to aggregate the detections to maximize your chances of detecting an attempt to exploit these vulnerabilities. A part of that is gathering the list of IOCs scattered in multiple locations on the internet and looking at activity that could point to the vulnerability being exploited. Here at TekStream, we have an amazing team of cybersecurity engineers armed with a deep knowledge of logs and the secrets they hold, ready to fortify your cyber resiliency.