1、 Overview
On the afternoon of December 14, 2018, Tencent Yujian Threat Intelligence Center detected a sudden outbreak of a Trojan spread through the software upgrade channel of the "Driver Life" series; about 100,000 users were attacked in just two hours. The Trojan distributes malicious code through cloud control, including collecting user information and mining, and at the same time spreads through the high-risk "EternalBlue" vulnerability. Tencent Yujian Threat Intelligence Center immediately notified the outside world of the situation and issued a detailed technical analysis report.
On the evening of December 14, 2018, after receiving the event warning from Tencent Yujian Threat Intelligence Center, Driver Life attached great importance to the event and contacted the center at once. It reported that at the time of the outbreak the relevant technical staff of Driver Life were on a team-building trip abroad, so it was strongly suspected that the company's upgrade server had been hacked and its customers attacked as a result, and it asked Tencent Enterprise Security Emergency Response Center to assist in tracing the cause of the incident.
At the same time, Driver Life reported the incident to the Shenzhen police, issued an emergency statement and took corresponding measures.
On December 16, 2018, the relevant technical staff of Driver Life abandoned the team-building trip and returned to China urgently. Tencent Enterprise Security Emergency Response Center was invited to send security engineers to assist Driver Life in tracing the source of the intrusion that night. After a whole night of analysis and investigation, it was finally determined that the incident was a well-planned targeted attack: the intruder spent more than a month preparing to attack through the upgrade program of the Driver Life series software, in order to build a botnet, install a cloud-controlled Trojan and mine cryptocurrency across the network.
Fortunately, the attacker's purpose was only to install the cloud-controlled Trojan to collect computer information and control the zombie machines to mine Monero. Had the attacker used this channel to spread ransomware, the consequences would have been as disastrous as last year's WannaCry outbreak. Shortly after the attack began it was intercepted and blocked by Tencent Yujian Threat Intelligence Center; in the end the incident did not spread further and the attacker did not achieve their goal.
2、 After in-depth analysis of the upgrade process and components of the Driver Life series software, we found the relevant process to be as follows (taking Life Calendar as an example):
After installation, a service named "wtsvc" is registered. After the service starts, DLL files such as updatehelper.dll and checkupdate.dll are loaded:
At the start of an upgrade, updatehelper.dll specifies that the upgrade process is dtlupg.exe, the upgrade address is globalupdate.updrv.com on port 4040, and the configuration parameter is update.xml:
The upgrade address globalupdate.updrv.com can be confirmed as belonging to Driver Life through a domain registration query.
The domain name resolves to IP 103.56.77.23:
checkupdate.dll is responsible for assembling update.xml and launching dtlupg.exe with it as a parameter. The XML contains the URL, IP address, hash and other information of the update file:
In this attack, the relevant configuration information was replaced:
Because the Driver Life series software did not verify this configuration information during the upgrade, the Trojan was downloaded and executed.
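The verification step described above as missing, written out as an added example that is not Driver Life's code: a minimal client-side check of an update.xml-style manifest that rejects a download host outside an allowlist and a payload whose hash does not match the manifest. The element and attribute names, the sample payload, the URL paths and the second IP are assumptions; the domains and 103.56.77.23 come from the page.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts the updater may download from. globalupdate.updrv.com is the legitimate
# upgrade address named on the page; ackng.com is the look-alike domain the
# attacker registered, so it must never pass this check.
ALLOWED_HOSTS = {"globalupdate.updrv.com", "dtl.update.updrv.com"}


def parse_manifest(xml_text):
    """Return (url, expected_sha256) from an update.xml-style manifest.

    Assumption: a single <file> element with url/ip/sha256 attributes. The page
    only says the manifest carries the update file's URL, IP and hash.
    """
    root = ET.fromstring(xml_text)
    item = root.find("file")
    if item is None:
        raise ValueError("manifest has no <file> entry")
    return item.get("url", ""), item.get("sha256", "").lower()


def check_update(xml_text, payload):
    """Decide whether a downloaded payload may be executed; returns (ok, reason).

    Two checks the page says the updater lacked:
    1. the download host must be on the allowlist, so a URL swapped to a
       look-alike domain is rejected before anything is fetched;
    2. the payload's SHA-256 must equal the hash carried in the manifest.
    """
    url, expected = parse_manifest(xml_text)
    host = (urlparse(url).hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"download host not allowed: {host}"
    if len(expected) != 64:
        return False, "manifest carries no usable sha256"
    actual = hashlib.sha256(payload).hexdigest()
    if actual != expected:
        return False, "payload hash does not match manifest"
    return True, "ok"


# Constructed sample data so the block runs stand-alone.
GOOD_PAYLOAD = b"MZ constructed update package, not a real binary"
GOOD_HASH = hashlib.sha256(GOOD_PAYLOAD).hexdigest()
MANIFEST = '<update><file url="{url}" ip="{ip}" sha256="{sha}"/></update>'

GOOD_MANIFEST = MANIFEST.format(
    url="http://globalupdate.updrv.com/dtl/update.exe",
    ip="103.56.77.23", sha=GOOD_HASH)
# Same manifest with the URL swapped to the attacker's domain; the IP is a
# documentation-range placeholder, not the attacker's real server.
SWAPPED_MANIFEST = MANIFEST.format(
    url="http://ackng.com/dtl/update.exe", ip="198.51.100.1", sha=GOOD_HASH)

if __name__ == "__main__":
    print(check_update(GOOD_MANIFEST, GOOD_PAYLOAD))
    print(check_update(SWAPPED_MANIFEST, GOOD_PAYLOAD))
    print(check_update(GOOD_MANIFEST, GOOD_PAYLOAD + b"tampered"))
```

Of the two checks, only the host allowlist would have stopped this incident, because the attacker rewrote the manifest itself and could have set any hash. The hash check protects the download leg; protecting the manifest requires a signature verified against a key that is not kept on the update server.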
Based on the above analysis, we suspected that the 103.56.77.23 server had been compromised by hackers and used to issue a malicious upgrade configuration file, causing users to download and execute the Trojan program.
3、 Tencent security experts were invited to audit the server logs to trace the truth of the incident.
On December 16, 2018, the relevant technical staff of Driver Life (hereinafter referred to as Company D) abandoned the team-building trip and returned to China urgently. At the invitation of Company D, Tencent Enterprise Security Emergency Response Center sent security engineers that night to assist Company D in tracing the source of the incident. Following the earlier analysis, we began by focusing on the 103.56.77.23 server.
1. Given the few clues available at the time, the two sides held preliminary discussions and sorted out the relevant processes and points of doubt. The specific information is as follows:
1) Apart from a small number of on-duty staff at Company D, including technical positions such as development and operations, the whole group left for team building abroad on December 13;
2) The upgrade server 103.56.77.23 has remote login restrictions and only allows login from specific IP addresses;
3) The upgrade configuration on 103.56.77.23 is controlled by the service "DTL softupdateservice". The update.xml distributed to clients is composed of two parts: the upgrade URL control domain (such as dtl.update.updrv.com) and a sub-path (stored in the SQL database).
The following figure shows the upgrade configuration serverconfig.xml on the 103.56.77.23 machine. The SQL database login IP and password are stored in clear text in the dbfilepath field, so anyone who logs in to this server also obtains the SQL account at the same time.
4) Between December 13 and December 15, the 103.56.77.23 server and the SQL database showed abnormal logins and operations, during which all the relevant developers were on the team-building trip abroad. The abnormal insertion and deletion of SQL database entries between 14:15 and 18:00 on December 14 coincides with the 14:30 to 18:30 window during which Tencent Threat Intelligence Center detected the virus in the Driver Life upgrade channel;
5) Some remote desktop software is permitted at Company D, so it cannot be ruled out that an intranet machine was remotely controlled and then used to log in to the 103.56.77.23 server;
6) The specific source machine of the abnormal logins could not be confirmed. The known clue is the login source computer name "user-pc", which is not a machine used by the daily operations staff;
7) Company D regularly changes the administrator password of server 103.56.77.23 to a random password, and only one operations engineer holds it.
2. Based on the clues from the preliminary discussion, we decided to audit in detail the upgrade server (103.56.77.23) and the system logs related to logins to it. The process was as follows:
1) On December 14, the day of the incident, the "DTL softupdateservice" service on this machine was restarted repeatedly from 14:19 and ran stably after 14:32, suggesting that the operator debugged and modified the configuration until the test succeeded and it took effect.
2) Tracing further back on this machine, there is a record of "user-pc" logging in successfully with the administrator account on December 4. There were no password brute-force or other attempts; the login simply succeeded directly.
3) Going back further, on November 15 "user-pc" logged in with an operations account, zexx, and it was confirmed that this was not done by operations staff.
4) Because we could not identify the "user-pc" machine, we decided to prioritise checking machine A, the everyday office machine of the operations staff. We found that as early as November 13, a month earlier, this machine had been subjected to an SMB brute-force attempt from the intranet machine 192.168.xx.208, which did not directly succeed. It is worth noting that when 192.168.xx.208 attempted the SMB brute force, it used the pinyin names of four Company D employees as user names, including one employee who had left about half a year earlier, all of them back-end development or operations staff. From start to finish the brute-force run was very short and the number of attempts very small (20+), so we inferred that the password dictionary was very limited, which shows that the attacker was familiar with these employees' information.
Looking at other intranet machines, on November 13 the machine 192.168.xx.208 launched SMB brute-force attempts against all machines in the 192 intranet segment, among which machine 192.168.xx.155 was successfully brute-forced.
5) 192.168.xx.208 is a build machine deployed at another site. Tracing back from that machine's logs, on November 12 machine 192.168.xx.222 logged in to 192.168.xx.208, and the login source computer name was again "user-pc". At this point the tracing process began to show results.
6) It was further learned that 192.168.xx.222 is Company D's operations jump server. To prevent malicious login attempts, Company D had changed the default remote desktop port. At the same time, we learned that for convenience of daily use, the administrator password of the jump server was the same as that of 192.168.xx.208, 192.168.xx.155 and other machines. In other words, anyone who obtained the administrator password of Company D's jump server could, in theory, control multiple other intranet machines through it.
7) Analysis of the jump server's login records showed a suspicious login source, 95.211.168.228 (Netherlands), on November 12. Company D has no business staff in the Netherlands, and abnormal login records from another country (84.39.112.58) were also found, so it is basically confirmed that the attacker hid their tracks through proxies. In addition, the abnormal login records of the jump server are highly consistent with those of the server 103.56.77.23 after December 4.
8) 192.168.xx.155 is also an everyday machine used by operations staff. When following up on this machine, we found that the operations staff had recorded the account and password of the upgrade server 103.56.77.23 in a document in the working directory, for convenience.
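The audit clues above (a short SMB brute-force run from one intranet source using several staff names, and successful logins from the unfamiliar workstation name "user-pc" and from foreign addresses) can be turned into detection logic. The following is an added example, not code from the report or from Company D, that runs both checks over constructed logon records in a simplified tab-separated form; the workstation inventory, the allowlisted address and the intranet "xx" octet are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory; a real deployment loads these from the CMDB/VPN config.
KNOWN_WORKSTATIONS = {"OPS-PC-01", "DEV-PC-07"}
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")
ALLOWED_EXTERNAL = {ipaddress.ip_address("203.0.113.10")}  # placeholder range


def parse(line):
    """Parse one constructed tab-separated logon record:
    timestamp, event id (4624 success / 4625 failure), user, source IP, workstation."""
    ts, event, user, src, ws = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts), "event": int(event),
            "user": user, "src": ipaddress.ip_address(src), "ws": ws}


def find_bruteforce(events, window=timedelta(minutes=10), min_fail=10, min_users=3):
    """Flag a source that fails logons against several distinct user names in a
    short window. The page's intruder made only 20+ attempts against four staff
    names, so the failure threshold is low and the distinct-user count matters."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == 4625:
            by_src[e["src"]].append(e)
    hits = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for start in fails:
            win = [f for f in fails if start["ts"] <= f["ts"] < start["ts"] + window]
            users = sorted({f["user"] for f in win})
            if len(win) >= min_fail and len(users) >= min_users:
                hits.append((str(src), len(win), users))
                break
    return hits


def find_suspicious_logons(events):
    """Flag successful logons from a non-allowlisted external address or from a
    workstation name no ops staff use (the page's clue was the name "user-pc")."""
    alerts = []
    for e in events:
        if e["event"] != 4624:
            continue
        if e["src"] not in INTERNAL_NET and e["src"] not in ALLOWED_EXTERNAL:
            alerts.append((e["user"], str(e["src"]), e["ws"], "external source not allowlisted"))
        elif e["ws"] not in KNOWN_WORKSTATIONS:
            alerts.append((e["user"], str(e["src"]), e["ws"], "unknown workstation name"))
    return alerts


def build_sample_log():
    """Constructed records modelled on the page's timeline; the intranet 'xx'
    octet is replaced by a made-up value."""
    lines = ["2018-11-12T10:53:00\t4624\tadministrator\t95.211.168.228\tuser-pc"]
    names = ["liuxx", "suxx", "chenxx", "zexx"]
    for i in range(20):  # 20 failures in under three minutes against four names
        t = datetime(2018, 11, 13, 9, 0, 0) + timedelta(seconds=9 * i)
        lines.append(f"{t.isoformat()}\t4625\t{names[i % 4]}\t192.168.10.208\tuser-pc")
    lines.append("2018-11-13T09:04:00\t4624\tzexx\t192.168.10.208\tuser-pc")
    lines.append("2018-11-13T11:00:00\t4624\tsuxx\t192.168.10.50\tOPS-PC-01")
    return lines


if __name__ == "__main__":
    events = [parse(line) for line in build_sample_log()]
    print(find_bruteforce(events))
    print(find_suspicious_logons(events))
```

The low failure threshold is deliberate: a conventional brute-force rule tuned for hundreds of attempts would have missed the 20-odd guesses described in step 4.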
3. Based on the above analysis, we believe the whole attack chain can be essentially reconstructed. The kill chain of the entire attack, as we have sorted it out, is as follows:
1) Preliminary preparation: the attacker collected information on Company D, including the office egress IP, the roster of development and operations staff and some server intranet IPs, and may have sniffed to confirm the changed remote desktop port.
2) Intrusion: at 10:53 on November 12, an Internet machine logged in to the jump server (222) and the build machine (208) through a proxy.
3) Lateral movement: on November 13, from 09:00, SMB brute-force attempts were launched against the 192 network segment using the names of operations staff (liuxx, suxx, chenxx, zexx) as account names, with zexx as the main target, and the target machine (155) was found; at 17:17 on November 15, "user-pc" logged in to the upgrade server 103.56.77.23 using the zexx account; at 17:01 on December 4, "user-pc" (84.39.112.58) logged in to the upgrade server 103.56.77.23 using the administrator account;
4) Attack preparation: on December 5, the look-alike download domain ackng.com used in this attack was registered.
5) Launching the attack: at 14:22 on December 13, "user-pc" (84.39.112.58) logged in to the upgrade server 103.56.77.23 using the administrator account again, presumably to study the server's configuration scheme;
at 14:15 on December 14, "user-pc" logged in to the upgrade server 103.56.77.23, backed up and modified the serverconfig.xml file, logged in to the SQL database and inserted malicious download link entries, and deleted the inserted entries at about 18:00 the same day;
6) Clearing traces: at 17:12 on December 15, the attacker logged in to 103.56.77.23 again, deleted all kinds of operation records, and restored the serverconfig.xml file.
At this point, the whole attack ended. The timeline of this event is as follows:
4、 Reviewing this targeted network attack, we believe Company D exposed the following weaknesses in the control of its intranet machines and servers:
1. The servers and the office network are not effectively isolated;
2. Access control over the jump server is not strict enough;
3. Server configuration information is stored in clear text in the related configuration file;
4. There is a lack of internal log auditing;
5. The security awareness of internal staff is insufficient: server login account information is stored in clear text, and multiple machines share the same password.
5、 Summing up, this was a well-prepared targeted attack against Company D. The attacker held a great deal of the company's internal information, such as the names and positions of Company D's internal staff, the account and password of the jump server (leaked through an unknown channel), the upgrade server configuration strategy, and even the company's team-building schedule.
After lurking in the intranet for up to a month, the attacker launched the attack when Company D's relevant technical staff went abroad for team building: modifying the configuration file and pushing out the Trojan program. Unlike most previous APT attacks, whose aim was to steal sensitive information or destroy key facilities, this attack is clearly a typical case of malware distributors seeking financial gain. The attacker tried to use Company D's series of software to carry out a supply chain attack and build a botnet for continuous profit.
According to the monitoring data of Tencent Yujian Threat Intelligence Center, the attack reached 100,000 users in just two hours. Although the attacker restored the relevant configuration on their own initiative after 4 hours, the Trojan spread through the EternalBlue vulnerability, forming a continuous spread. With the early warning from Tencent Security Threat Intelligence Center and the measures taken by Company D, such as cancelling the team-building trip, quickly stopping DNS resolution for the updrv.com server and upgrading the server's upgrade components, further spread of the attack was finally blocked, but the incident still caused obvious harm to users.
We hereby call on Internet software enterprises to attach great importance to building their internal network security systems, to proactively investigate and deal with security risks, and to introduce compliance audit processes in the development, testing and delivery stages of software products, so as to avoid similar security incidents. At the same time, we urge all users to update their systems promptly and install anti-virus software to guard against malware attacks.
Note: because sensitive material was found during the follow-up process, part of the analysis has been omitted.
6、 Security suggestions:
1. Enterprise users should properly isolate the intranet, raise the security awareness of internal staff, and not store highly sensitive account information on local systems or cloud services;
2. Servers should use strong passwords rather than weak ones, to prevent hackers from brute-force cracking;
3. Enterprise users are advised to deploy Tencent's Yujie advanced threat detection system to defend against possible hacker attacks. The Yujie advanced threat detection system is a unique threat intelligence and malicious detection model system built on the security capability of Tencent Anti-Virus Laboratory and Tencent's massive cloud and endpoint data;
4. Enterprise users are advised to use the Tencent Yudian endpoint security management system. Tencent Yudian has built-in network-wide vulnerability patching and virus defence functions, which can help enterprise users reduce the risk of virus and Trojan intrusion.
5. Personal users are advised to use Tencent PC Manager to intercept virus attacks.