Overview
Since mid-2022 there has been a notable rise in Advanced Persistent Threat (APT) activity targeting Nigeria. Recent data from the Security Operations Centers (SOCs) and Managed Security Service Providers (MSSPs) supporting organizations in the country reveals trends that organizations must be aware of in order to safeguard their assets.
Key Findings
Active Scanning of Targets:
A server was discovered holding the results of active scans run with Nuclei (an open-source, template-based vulnerability scanner) against banking institutions, government entities and various private organizations in Nigeria.
Exploitable Data:
A data dump recovered from the server contained information that could be used directly for exploitation, underlining the urgency of stronger security measures on the targeted systems.
Compromised Internet-Facing Assets:
There has been a significant increase in internet-facing assets being compromised with malware. The compromised machines are then used to attack other vulnerable systems across the wider internet, which is why many of the attacks observed appear to originate from Nigerian IP space.
Emergence of New Malware:
Malware was recently identified on servers provisioned by a telecom service provider. The sample was new and, at the time, was not detected by Windows Defender or other mainstream Endpoint Detection and Response (EDR) solutions.
Static analysis showed that it contains a layered scanner designed to find internet hosts with exposed RDP (TCP 3389) and SMB (TCP 445) ports, consuming substantial CPU and network resources on the infected host while it runs.
Runtime.exe Analysis
Runtime.exe appears to be a worm: it infects servers and scans the internet for further machines to infect.
Indicators of compromise
Files written on infected hosts (note that they sit under C:\Windows with names chosen to resemble system libraries):
c:\windows\ida.dll
c:\windows\logs\ipr.dll
c:\windows\logs\rangex.dll
c:\windows\system\exclude.dll
c:\windows\system\key.dll
c:\windows\system\servers.dll
c:\windows\system\usr.dll
c:\windows\system\usx.dll
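The file paths above are the simplest artefact to sweep for across a fleet. The script below is an added example (not part of the original report or the malware sample) that checks a file inventory against the IOC list, comparing paths case-insensitively as Windows does. The inventory can come from a live host or, as here, from a constructed sample listing so the check runs offline; the sample listing and the directory roots walked on a live host are assumptions for the demonstration.

```python
import os
from pathlib import PureWindowsPath

# Indicators of compromise from the report: file paths dropped on infected hosts.
IOC_PATHS = [
    r"c:\windows\ida.dll",
    r"c:\windows\logs\ipr.dll",
    r"c:\windows\logs\rangex.dll",
    r"c:\windows\system\exclude.dll",
    r"c:\windows\system\key.dll",
    r"c:\windows\system\servers.dll",
    r"c:\windows\system\usr.dll",
    r"c:\windows\system\usx.dll",
]


def normalize(path):
    """Lower-case the path and unify separators so the comparison is
    case-insensitive, as NTFS path lookups are."""
    return str(PureWindowsPath(path.replace("/", "\\"))).lower()


def find_ioc_hits(inventory):
    """Return the IOC paths that are present in `inventory`, an iterable of
    file paths (from a live walk, a forensic image listing, or an EDR export).
    Results keep the order of IOC_PATHS."""
    present = {normalize(p) for p in inventory}
    return [ioc for ioc in IOC_PATHS if normalize(ioc) in present]


def live_host_inventory(roots=(r"C:\Windows", r"C:\Windows\Logs", r"C:\Windows\System")):
    """List the direct children of the directories the IOCs live in on a live
    Windows host. The IOC paths are not nested deeper, so no recursion is needed.
    On a non-Windows host the roots do not exist and nothing is yielded."""
    for root in roots:
        if os.path.isdir(root):
            for name in os.listdir(root):
                yield os.path.join(root, name)


# Constructed sample listing for an offline run; it is not from a real host.
SAMPLE_INVENTORY = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\IDA.DLL",             # IOC, different case than the report
    r"C:\Windows\Logs\rangex.dll",     # IOC
    r"C:\Windows\System\servers.dll",  # IOC
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_INVENTORY):
        print("IOC present:", hit)
    print("live host hits:", find_ioc_hits(live_host_inventory()))
```

A path match alone is a strong signal here because the names do not correspond to legitimate Windows components, but a hit should still be followed by hashing the file and checking its creation time against the RDP logon history on the host.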
The binary also contains variable and module names that indicate how the program works:
open_445_good, open_445_list, excludecidr, excludeip, portscan, psutil, win32api, win32event
open_445_list and open_445_good appear to hold, respectively, the IPs found with TCP port 445 open and the subset of those that are viable for the next step.
excludecidr and excludeip appear to hold CIDR ranges and individual IPs that are removed from the target set before the next step, probably derived from which IPs already yielded 'good' 445 ports.
portscan is the routine used to scan en masse. This is somewhat confusing because the code also contains references to masscan, which does essentially the same job as portscan, so the sample may carry its own scanner and masscan side by side.
psutil, win32api and win32event are Python module names, which suggests the executable is a Python script packaged into a binary (for example with PyInstaller); if so, the original script can usually be recovered from the executable for deeper analysis.
Brute Force Attacks:
The compromised hosts had their RDP services brute-forced; this is how the threat groups gained initial access to the machines before the malware was deployed.
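RDP brute forcing leaves a dense trail of Windows Security event 4625 (failed logon) records, so it can be detected from the host's own logs. The script below is an added example (not from the original report) that groups failures by source address over a sliding window and notes whether a successful logon (event 4624) followed from the same address, which is the signal that the brute force worked. It assumes events have already been parsed into dictionaries with the fields shown; the sample events are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon type 10 is RemoteInteractive (classic RDP). When Network Level
# Authentication is enabled, failed RDP logons are commonly recorded as
# logon type 3 (Network), so both types are included.
RDP_LOGON_TYPES = {10, 3}


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=10):
    """events: iterable of dicts with keys time (datetime), event_id (4624 or
    4625), logon_type, ip, user. Returns, per source IP that produced at least
    `threshold` failures inside any `window`, a summary of what was seen."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] in RDP_LOGON_TYPES and ev["event_id"] in (4624, 4625):
            by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        # Sliding window over the sorted failures: peak = most failures in any window.
        peak, start = 0, 0
        for i, e in enumerate(fails):
            while e["time"] - fails[start]["time"] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak < threshold:
            continue
        first_fail = fails[0]["time"]
        success_after = any(e["event_id"] == 4624 and e["time"] > first_fail for e in evs)
        alerts[ip] = {
            "failures": len(fails),
            "peak_in_window": peak,
            "users": sorted({e["user"] for e in fails}),  # many users => spraying
            "success_after": success_after,               # True => likely compromise
        }
    return alerts


def constructed_sample_events():
    """Constructed Security-log extract (not real data): one brute-force source
    that eventually succeeds, and one legitimate user who mistypes twice."""
    base = datetime(2024, 3, 1, 2, 0, 0)
    users = ["administrator", "admin", "backup"]
    events = [
        {"time": base + timedelta(seconds=6 * i), "event_id": 4625, "logon_type": 3,
         "ip": "198.51.100.23", "user": users[i % 3]}
        for i in range(30)
    ]
    events.append({"time": base + timedelta(seconds=200), "event_id": 4624,
                   "logon_type": 10, "ip": "198.51.100.23", "user": "administrator"})
    events += [
        {"time": base + timedelta(minutes=30, seconds=s), "event_id": eid,
         "logon_type": 10, "ip": "10.0.0.15", "user": "jdoe"}
        for s, eid in ((0, 4625), (20, 4625), (40, 4624))
    ]
    return events


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(constructed_sample_events()).items():
        print(ip, info)
```

The threshold and window should be tuned to the environment, but any internet-facing RDP service will show this pattern continuously, which is itself the argument for not exposing it: the rule is far more useful once RDP is reachable only through a VPN or bastion, where a burst of failures from a single address is unambiguous.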
Recommendations
Enhance Network Visibility: Implement monitoring of network traffic, in particular outbound connections from servers to TCP 445 and 3389, so that a compromised host scanning the internet is detected from its own behaviour rather than from a signature.
Regular Vulnerability Assessments: Conduct frequent assessments of internet-facing assets to identify and remediate vulnerabilities, focusing on RDP and SMB services, which should not be exposed directly to the internet at all.
Implement Strong Authentication: Require multi-factor authentication (MFA) and strong password policies for remote access, and place RDP behind a VPN or bastion host, to mitigate the brute force attacks used for initial access.
Update Security Solutions: Ensure that all security solutions, including EDRs, are up to date. Because this sample evaded mainstream EDRs, add behaviour-based detection (unexpected files under C:\Windows, sustained high CPU and network usage, mass outbound scanning) rather than relying on signatures alone.
Incident Response Planning: Develop and regularly update an incident response plan so that a detected compromise can be contained quickly, including isolating the host so it cannot be used to attack others.
By staying vigilant and proactive, organizations can better protect themselves against the evolving landscape of cyber threats in Nigeria and beyond.