Welcome to 2024: A Year in Review with Akamai Hunt
We’re three months into 2024 and still celebrating the remarkable strides we made in enhancing the global cybersecurity landscape in 2023. Last year was a testament to our relentless pursuit of threat intelligence as our security intelligence group navigated the dynamic terrain of the cyberthreat landscape to fortify the digital realms of our valued clients.
Top incidents from 2023
In this blog post, we delve into the top five cyber incidents we encountered last year, including the critical vulnerabilities we found within our clients' environments and the lessons we learned.
Exposing the unseen: How Akamai Hunt uncovered a cryptojacking threat
Working closely with Akamai Hunt, our SecOps team uncovered a significant cybersecurity incident linked to the WannaMine campaign. WannaMine is a known cryptojacking bot that hijacks a victim's computing resources to mine cryptocurrency, and it has hit financial services organizations among others.
What made this discovery particularly concerning was the bot's use of EternalBlue, the exploit for the well-known and highly critical SMBv1 vulnerability (CVE-2017-0144) in the Windows operating system, to spread. We identified the malicious file on one of the customer's assets and saw that it had been active for an astonishing three months.
Protecting against exploitation
Although the customer had an endpoint detection and response (EDR) agent in place on the affected system, their security operations center (SOC) still failed to detect this threat. This incident underscores the challenges in effective threat detection and response, even with EDR solutions.
Akamai Hunt played a pivotal role in uncovering and addressing this issue. Even with only a portion of Akamai Hunt's capabilities enabled, we were able to promptly flag the suspicious activity. We immediately alerted the customer, leading to the isolation and quarantine of the compromised asset to limit the threat’s potential impact.
In the aftermath of this incident, our security experts initiated an Akamai Hunt proof of concept with the customer. This collaborative effort aimed to strengthen their security measures and leverage Akamai Hunt's capabilities to effectively navigate the evolving landscape of cybersecurity threats.
Balancing act: Detecting Mimikatz among security threats and risks
The notorious tool known as Mimikatz was executed in a customer’s environment. Mimikatz is renowned for its ability to pull plaintext passwords, password hashes, and Kerberos tickets out of the memory of Windows systems (typically from the LSASS process), making it a tool of choice for both malicious hackers and security professionals who work with sensitive credentials.
The Akamai Hunt team swiftly initiated an exhaustive investigation to assess the situation. During the investigation, several indicators pointed toward the possibility that this event might be related to the execution of the attack simulation tool known as Cymulate:
The user responsible for the process execution was identified as ***********\svccymagent
The asset involved in the incident was labeled as CYM*.******
While these signs seemed to suggest a legitimate and planned execution of Cymulate, it is essential to note that this marked the first instance of Mimikatz being observed within this particular environment. In light of this unique occurrence, the Akamai team issued an alert. The primary objective of this alert was to inform the customer about the presence of Mimikatz and confirm that the execution of Cymulate was indeed legitimate and anticipated within their environment.
Rapid response: Akamai Hunt’s counteraction to the Zenbleed crisis
On July 24, 2023, the cybersecurity community witnessed the disclosure of a critical vulnerability in AMD Zen 2 CPUs, known as Zenbleed (CVE-2023-20593). This flaw allows unauthorized access to sensitive data processed by these CPUs, presenting a significant security threat across systems, web applications, and cloud platforms. Because the bug lives in the processor itself, it affects not just individual applications but every piece of software on a machine with an affected CPU, including the operating system and hypervisor.
The Zenbleed vulnerability had a broad and severe impact. It leaks the contents of vector registers, which routinely hold data being copied or compared (passwords, keys, session tokens), across process boundaries within the same container or virtual machine (VM). More alarmingly, it extended its reach to allow such leakage between distinct VMs hosted on the same vulnerable server.
A particularly troubling aspect of Zenbleed was the possibility of triggering it remotely through JavaScript embedded in a website. That would require no local or physical access at all, which made the vulnerability especially dangerous on shared cloud platforms.
Mitigation for protected user experiences
To counter this threat, the primary mitigation was a microcode update from AMD, delivered by platform vendors as a BIOS (AGESA) update or loaded by the operating system at boot. In environments where an immediate update was not feasible, experts recommended segmenting or isolating the entire vulnerable host. This approach reduces the risk of unauthorized access, though it does not remove the bug the way the microcode update does. A software workaround also exists: setting bit 9 of MSR 0xC0011029 (DE_CFG) disables the affected optimization at some performance cost, and Linux applies it automatically on affected CPUs that lack the fixed microcode.
Recognizing the urgency, the Akamai Hunt team quickly identified the vulnerable assets within our customers' environments. This detection process involved an Insight query specifically designed to locate the vulnerable AMD Zen 2 CPUs. The query also categorized assets into VMs and non-VMs, acknowledging that VMs could potentially face greater exposure to the vulnerability.
Emphasizing proactive customer protection and transparency, the Akamai Hunt team compiled and dispatched detailed reports to all customers, regardless of whether their assets were identified as vulnerable. These reports, delivered within 24 hours of the vulnerability's disclosure, included comprehensive information on the vulnerability, mitigation strategies, and the specific status of each customer’s assets. In total, the team identified 383 vulnerable assets across 14 different customer environments, showcasing Akamai Hunt’s effectiveness and thoroughness in addressing this critical cybersecurity challenge.
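The asset triage described above, as an added example that is not Akamai's Insight query: it classifies hosts from `/proc/cpuinfo`-style data as Zen 2 or not, checks whether the reported microcode revision carries the fix, and lists VMs first because a guest cannot patch host microcode itself. The Zen 2 model ranges and "fixed" microcode revisions are reproduced from the Linux kernel's Zenbleed patch as I recall it, so treat the revision numbers as an assumption to verify against the kernel source or AMD's advisory. The host inventory is constructed for the example.

```python
# Zen 2 model ranges (AMD family 0x17) and the first microcode revision that carries
# the Zenbleed fix. Ranges and revisions are taken from the Linux kernel's Zenbleed
# patch (arch/x86/kernel/cpu/amd.c) as I recall them: ASSUMPTION, verify before use.
ZEN2_FIXED_MICROCODE = {
    (0x30, 0x3F): 0x0830107A,  # Rome / Castle Peak (EPYC 7002, Threadripper 3000)
    (0x60, 0x67): 0x0860010B,  # Renoir
    (0x68, 0x6F): 0x08608105,  # Lucienne
    (0x70, 0x7F): 0x08701032,  # Matisse (Ryzen 3000 desktop)
    (0xA0, 0xAF): 0x08A00008,  # Mendocino
}


def parse_cpuinfo(text):
    """Return the key/value fields of the first 'processor' block of /proc/cpuinfo."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break  # a blank line ends the first processor block
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def classify_host(cpuinfo_text):
    """Classify one host: is it Zen 2, does its microcode carry the fix, is it a VM?"""
    info = parse_cpuinfo(cpuinfo_text)
    flags = info.get("flags", "").split()
    verdict = {
        "zen2": False,
        "patched": None,              # None = not applicable (not a Zen 2 part)
        "vm": "hypervisor" in flags,  # the kernel sets this flag for guests
    }
    try:
        family = int(info.get("cpu family", "0"))
        model = int(info.get("model", "0"))
        microcode = int(info.get("microcode", "0x0"), 16)
    except ValueError:
        return verdict
    if info.get("vendor_id") != "AuthenticAMD" or family != 0x17:
        return verdict
    for (lo, hi), good_rev in ZEN2_FIXED_MICROCODE.items():
        if lo <= model <= hi:
            verdict["zen2"] = True
            verdict["patched"] = microcode >= good_rev
            break
    return verdict


def triage(inventory):
    """Return (verdicts, exposed): exposed hosts are Zen 2 without the fix, VMs listed first."""
    verdicts = {name: classify_host(text) for name, text in inventory.items()}
    exposed = [n for n, v in verdicts.items() if v["zen2"] and not v["patched"]]
    exposed.sort(key=lambda n: (not verdicts[n]["vm"], n))
    return verdicts, exposed


# Constructed /proc/cpuinfo excerpts (first processor block only); not real hosts.
SAMPLE_INVENTORY = {
    "db-01": "vendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 49\n"
             "model name\t: AMD EPYC 7402P 24-Core Processor\nmicrocode\t: 0x830104d\n"
             "flags\t\t: fpu sse2 avx2\n",
    "web-07": "vendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 49\n"
              "microcode\t: 0x830104d\nflags\t\t: fpu sse2 avx2 hypervisor\n",
    "app-11": "vendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 49\n"
              "microcode\t: 0x830107a\nflags\t\t: fpu sse2 avx2\n",
    "build-03": "vendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 113\n"
                "microcode\t: 0x8701021\nflags\t\t: fpu sse2 avx2\n",
    "jump-02": "vendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 85\n"
               "microcode\t: 0x5003604\nflags\t\t: fpu sse2 avx2 hypervisor\n",
}

if __name__ == "__main__":
    verdicts, exposed = triage(SAMPLE_INVENTORY)
    for name in exposed:
        kind = "VM (host must be patched)" if verdicts[name]["vm"] else "bare metal"
        print(f"{name}: Zen 2, microcode lacks the fix, {kind}")
```

Inside a guest, the microcode value is whatever the hypervisor chooses to report, so a VM that shows up as patched still needs confirmation from the host side; that is why the VM-first ordering matters. On Windows, the same family/model logic applies to the values osquery or WMI expose for the processor.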
Averting network crisis: Uncovering and securing leaked admin credentials
The Akamai Hunt team discovered a customer security breach after identifying a sensitive internal file on a publicly accessible platform. The file, a Python script packaged as a Windows executable that backed up Cisco network device configurations to a CSV file, contained hardcoded administrative credentials for a user in the company's Active Directory.
The executable was found on an internal asset, but it had also been uploaded to public malware-analysis sandboxes such as VirusTotal and Hybrid Analysis, where anyone could download it. The exposed credentials were used for Cisco network device access. The Akamai Hunt team unpacked and decompiled the executable and recovered the credentials in plaintext, which shows that packaging a script as an executable does nothing to hide the secrets inside it.
Proactive procedures
The leaked credentials threatened a complete network compromise. Anyone who downloaded and decompiled the executable could log into the network devices and, with the Active Directory account, escalate privileges across the entire network. Our team worked with the customer on the following steps to address this risk:
Immediate password changes. We swiftly changed both the login and enable passwords for all affected network devices and made sure the user updated their Active Directory password.
Secure network device management. We implemented a secure device management system and assigned unique passwords to each network device.
Educational campaign. We launched an employee awareness campaign regarding the risks associated with uploading sensitive files to public websites and emphasized proper credential management.
Best practices for credentials. We advocated against hardcoding credentials into scripts and promoted storing them in a secret store that only the service account running the job can read.
Urgent contact. We encouraged immediate contact with the security team for guidance and further actions.
The Akamai Hunt team’s goal was to identify the incident, communicate with the affected parties, and initiate password change procedures. The team also conducted a comprehensive audit with this customer to prevent similar incidents in the future.
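The hardcoding problem at the root of this incident, as an added example that is not the customer's script or Akamai's tooling: a small `ast`-based scanner that flags secret-looking names bound to string literals (the check you would run in CI or as a pre-commit hook), next to the hardened pattern of loading the credentials from the environment that a vault agent or CI secret store populates. Both script texts below are constructed, the `netmiko` import in the first one is hypothetical and is only parsed, never executed, and the credential values are placeholders.

```python
import ast
import os

SECRET_NAMES = ("password", "passwd", "pwd", "secret", "token", "api_key")


def _looks_secret(name):
    return bool(name) and any(s in name.lower() for s in SECRET_NAMES)


def _string_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_hardcoded_secrets(source):
    """Return sorted (line, name) pairs for secret-looking names bound to string literals.
    Covers plain and annotated assignments, attribute assignments, keyword arguments
    and string-keyed dict entries; values that are expressions are ignored."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Assign, ast.AnnAssign)):
            if not _string_literal(node.value):
                continue
            targets = node.targets if isinstance(node, ast.Assign) else [node.target]
            for target in targets:
                name = target.id if isinstance(target, ast.Name) else getattr(target, "attr", "")
                if _looks_secret(name):
                    findings.append((node.lineno, name))
        elif isinstance(node, ast.keyword) and _string_literal(node.value) and _looks_secret(node.arg):
            findings.append((node.value.lineno, node.arg))
        elif isinstance(node, ast.Dict):
            for key, value in zip(node.keys, node.values):
                if _string_literal(key) and _string_literal(value) and _looks_secret(key.value):
                    findings.append((key.lineno, key.value))
    return sorted(set(findings))


def load_device_credentials(environ=os.environ):
    """Hardened pattern: secrets come from the runtime environment, never from source.
    A missing variable is an error; there is deliberately no default to fall back to."""
    try:
        return {
            "username": environ["NET_BACKUP_USER"],
            "password": environ["NET_BACKUP_PASSWORD"],
            "secret": environ["NET_BACKUP_ENABLE"],  # Cisco enable password
        }
    except KeyError as missing:
        raise RuntimeError(f"missing credential variable {missing}") from None


# Constructed example of the anti-pattern: credentials baked into the backup script.
VULNERABLE_BACKUP_SCRIPT = '''\
"""Backs up Cisco device configs (constructed example, credentials are placeholders)."""
from netmiko import ConnectHandler  # hypothetical dependency; this text is only parsed
DEVICES = ["10.0.0.1", "10.0.0.2"]
USERNAME = "svc-netbackup"
PASSWORD = "Example-Password-1"      # placeholder, not a real credential
for ip in DEVICES:
    conn = ConnectHandler(device_type="cisco_ios", host=ip, username=USERNAME,
                          password=PASSWORD, secret="Example-Enable-1")
    conn.enable()
'''

# Constructed hardened variant: same dict shape, values read from the environment.
HARDENED_BACKUP_SCRIPT = '''\
import os
creds = {"username": os.environ["NET_BACKUP_USER"],
         "password": os.environ["NET_BACKUP_PASSWORD"]}
'''

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_BACKUP_SCRIPT), ("hardened", HARDENED_BACKUP_SCRIPT)):
        print(label, find_hardcoded_secrets(text))
```

Run the scanner over every script before it is packaged; a PyInstaller-style executable still carries the original bytecode, so a literal that passes code review ends up recoverable from the binary exactly as this incident showed.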
Turning the tide: Akamai Hunt’s rapid defense in a critical cyberattack
When a data processing company faced a cyberattack, they sought assistance from various vendors. Although Akamai Hunt is not primarily an incident response (IR) service, the team agreed to aid the customer in this crisis.
The situation began with EDR alarms about activity on unmanaged assets (those without security agents) inside the Akamai Guardicore Segmentation environment. Responding promptly, the Akamai Hunt team engaged with the affected company’s security team. Our team advised expanding agent coverage and quickly onboarded the customer to the Akamai Hunt platform for enhanced monitoring and response.
A Zero Trust microsegmentation approach
In just a few hours, Akamai Hunt's skilled team uncovered several compromised assets that had escaped the customer's notice. These assets were running a service named BTOBTO, the default service name created by Impacket's smbexec tool, which attackers use for lateral movement and remote command execution over SMB. As the investigation deepened, Akamai Hunt identified Cobalt Strike binaries, a tool often utilized by attackers, alongside tooling used to disable the Windows Firewall.
Additionally, Akamai Hunt scrutinized user commands and discovered a suspicious user executing the command “vssadmin delete shadows /all.” Ransomware routinely runs this command to destroy Volume Shadow Copies so that files cannot be restored, which heightened the severity of the situation. The team also detected a widespread installation of PsExec (visible as the PSEXESVC service it drops on each target) across the data center. Recognizing the potential for a more extensive attack, Akamai Hunt urgently alerted the security team.
Furthermore, Akamai Hunt guided the customer to implement block rules against all malicious indicators of compromise (IOCs) identified in the attack. The team also provided scheduled Insight queries to the customer for immediate action against any newly compromised assets based on known IOCs.
Despite the involvement of at least two other professional IR teams from top vendors, Akamai Hunt identified the attackers notably faster and more effectively. Their efforts were so impactful that the customer chose to install more than 600 additional agents.
The customer expressed deep appreciation for the invaluable assistance provided by Akamai Guardicore Segmentation and the Akamai Hunt team during this critical incident. The ongoing discussions to expand the contract are a testament to the trust and confidence earned by the Akamai Hunt team in their exemplary handling of this challenging situation.
Detection highlights from the past year
Over the past year, we introduced several cutting-edge techniques and alerts to significantly enhance security. Use cases include:
Shell malicious commands alert
- Essential detection. A cornerstone for identifying malicious commands on Windows and Linux machines, this alert excels at pinpointing sequences of commands that reveal adversary behavior during different attack phases from reconnaissance to pre-ransomware to exfiltration.
- Holistic threat detection. The alert offers comprehensive coverage by identifying a wide array of potential malicious activities, making it invaluable for recognizing and mitigating threats across the diverse stages of an attack.
- Rapid response. The swift detection and alerting of malicious commands empower security teams to react promptly to potential threats, halting further compromise and safeguarding critical data.
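Detection logic of the kind this alert describes, run over sample process-creation events, as an added example that is not Akamai's rule set. It serves both this section and the ransomware incident above: per-event rules tag the shadow-copy deletion, boot-recovery and firewall commands by attack phase, and a second pass flags a rule that fires on several hosts within a short window, which is what "psexec everywhere in the data center" looks like in telemetry. The `PSEXESVC.exe` image and the `\\127.0.0.1\C$\__output` redirect are the artifacts left by PsExec and by Impacket's smbexec respectively; the events, hosts and user names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, attack phase, pattern over the command line)
RULES = [
    ("shadow_copy_deletion", "pre-ransomware",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|Get-WmiObject\s+Win32_ShadowCopy.*Remove-WmiObject|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("boot_recovery_disabled", "pre-ransomware",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("firewall_disabled", "defense-evasion",
     re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("psexec_service", "lateral-movement",
     re.compile(r"\\PSEXESVC\.exe", re.I)),                       # service binary PsExec drops
    ("smbexec_output_redirect", "lateral-movement",
     re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output", re.I)),        # Impacket smbexec artifact
    ("recon_chain", "reconnaissance",
     re.compile(r'\b(whoami|net\s+group\s+"?domain\s+admins|nltest\s+/dclist|quser)\b', re.I)),
]


def match_rules(cmdline):
    """Return [(rule, phase)] for every rule whose pattern matches the command line."""
    return [(name, phase) for name, phase, rx in RULES if rx.search(cmdline)]


def analyze(events, spread_threshold=3, window=timedelta(minutes=30)):
    """events: dicts with ts (ISO 8601), host, user, cmdline.
    Returns (hits, spread): hits are per-event rule matches in time order; spread maps a
    rule to the hosts it fired on when that is >= spread_threshold within `window` of its
    latest occurrence, i.e. the same tool showing up across the data center."""
    hits = []
    seen = defaultdict(list)  # rule -> [(timestamp, host)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name, phase in match_rules(ev["cmdline"]):
            hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "rule": name, "phase": phase})
            seen[name].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    spread = {}
    for name, points in seen.items():
        latest = points[-1][0]
        hosts = {h for t, h in points if latest - t <= window}
        if len(hosts) >= spread_threshold:
            spread[name] = sorted(hosts)
    return hits, spread


# Constructed process-creation events (Sysmon/4688-style fields only); not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2023-11-02T03:14:05", "host": "dc-app-01", "user": "CORP\\svc-backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-11-02T03:14:09", "host": "dc-app-01", "user": "CORP\\svc-backup",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2023-11-02T03:16:40", "host": "dc-app-02", "user": "CORP\\svc-backup",
     "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2023-11-02T03:17:02", "host": "dc-app-05", "user": "CORP\\svc-backup",
     "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2023-11-02T03:17:30", "host": "dc-db-01", "user": "CORP\\svc-backup",
     "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2023-11-02T03:18:11", "host": "dc-db-01", "user": "CORP\\svc-backup",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"ts": "2023-11-02T03:20:00", "host": "dc-app-03", "user": "CORP\\svc-backup",
     "cmdline": "cmd.exe /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat"},
    {"ts": "2023-11-02T09:00:00", "host": "ws-112", "user": "CORP\\jdoe",
     "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]

if __name__ == "__main__":
    hits, spread = analyze(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['ts']} {h['host']:<10} {h['user']:<18} {h['phase']:<16} {h['rule']}")
    for rule, hosts in spread.items():
        print(f"SPREAD {rule}: {', '.join(hosts)}")
```

The per-event rules are deliberately narrow (a backup admin running `vssadmin` once is not an incident), so the value comes from the sequence: shadow copies gone, recovery disabled, then the same account dropping PsExec on host after host. That is the chain the incident above describes, and it is the spread pass that turns three unremarkable alerts into a fleet-wide one.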
Process spreading anomaly alert
- Lateral movement identification. This alert helps detect processes that display anomalous spreading behavior, a key element in identifying lateral movement within networks. Lateral movement is a favored tactic of attackers to expand reach and potentially compromise multiple systems within an organization.
- Harnessing machine learning. By leveraging machine learning models trained on historical data and network process interactions, this alert identifies rapidly propagating processes across various systems that signal potential malware spread or lateral movement.
- Timely action. The timely identification of anomalies and initiation of investigations are pivotal in preventing further compromise and averting potential security breaches.
Zerologon alert
- A significant threat. The Zerologon vulnerability (CVE-2020-1472) is a cryptographic flaw in the Netlogon Remote Protocol that lets an unauthenticated attacker with network access to a domain controller reset the domain controller's machine account password and, from there, obtain domain admin privileges, making it a critical security concern.
- Widespread exploitation. Adversaries exploited Zerologon widely. The alert triggers on changes to computer accounts and on bursts of authentication failures that are followed by a successful login, a sequence that indicates potential exploitation.
- Immediate impact. Once attackers control the domain controller's machine account they can impersonate the domain controller, replicate every credential in the domain, and ultimately execute code on the domain controller itself, granting them extensive control over the network.
- Critical mitigation. The alert's capability to detect Zerologon exploitation attempts and promptly notify customers is pivotal in preventing potential security breaches.
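The correlation the alert description sketches, as an added example that is not Akamai's detection: per source address it tracks authentication failures (event 4625) in a sliding window, a change to a computer account (event 4742, target name ending in `$`) and a subsequent successful logon (event 4624), and raises when all three line up. A 4742 on a computer account whose subject is `ANONYMOUS LOGON` is raised on its own, since that is the tell-tale of the DC machine-account reset Zerologon performs. Event IDs are the standard Windows Security log IDs; the events, addresses and account names are constructed, and the failure threshold is an assumption to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_zerologon(events, failure_threshold=10, window=timedelta(minutes=5)):
    """events: dicts with ts (ISO 8601), id (Windows event ID), src (IP), subject, target.
    Returns {src: [reasons]} for sources that look like Zerologon exploitation."""
    failures = defaultdict(deque)  # src -> timestamps of 4625 within the window
    changed = {}                   # src -> (ts, target) of the last computer-account change
    alerts = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        src = ev["src"]
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()  # expire failures that fell out of the window
        if ev["id"] == 4625:
            recent.append(ts)
        elif ev["id"] == 4742 and ev["target"].endswith("$"):
            changed[src] = (ts, ev["target"])
            if ev["subject"].upper() == "ANONYMOUS LOGON":
                alerts[src].append(f"{ev['target']} changed by ANONYMOUS LOGON")
        elif ev["id"] == 4624 and src in changed:
            changed_at, target = changed[src]
            if ts - changed_at <= window and len(recent) >= failure_threshold:
                alerts[src].append(f"{len(recent)} auth failures, then {target} changed, "
                                   f"then successful logon")
                del changed[src]
    return dict(alerts)


def _burst(src, start, count, target):
    """Constructed burst of 4625 failures, one per second from `start`."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(seconds=i)).isoformat(), "id": 4625,
             "src": src, "subject": "-", "target": target} for i in range(count)]


# Constructed Security-log excerpts; IPs and names are placeholders.
SAMPLE_EVENTS = (
    _burst("10.10.5.23", "2023-09-14T22:40:00", 12, "DC01$") + [
        {"ts": "2023-09-14T22:40:20", "id": 4742, "src": "10.10.5.23",
         "subject": "ANONYMOUS LOGON", "target": "DC01$"},
        {"ts": "2023-09-14T22:40:25", "id": 4624, "src": "10.10.5.23",
         "subject": "ANONYMOUS LOGON", "target": "DC01$"},
        # benign: help desk joins a workstation to the domain (4742 without a failure burst)
        {"ts": "2023-09-14T22:41:00", "id": 4742, "src": "10.10.8.40",
         "subject": "CORP\\helpdesk1", "target": "WS-22$"},
        {"ts": "2023-09-14T22:41:05", "id": 4624, "src": "10.10.8.40",
         "subject": "CORP\\helpdesk1", "target": "WS-22$"},
    ]
    # benign: a user mistypes a password a few times, then logs in
    + _burst("10.10.9.7", "2023-09-14T22:42:00", 3, "CORP\\jdoe") + [
        {"ts": "2023-09-14T22:42:10", "id": 4624, "src": "10.10.9.7",
         "subject": "CORP\\jdoe", "target": "CORP\\jdoe"},
    ]
)

if __name__ == "__main__":
    for src, reasons in detect_zerologon(SAMPLE_EVENTS).items():
        print(src, "->", "; ".join(reasons))
```

When this fires, confirm by checking the domain controller's machine account `pwdLastSet` against the 4742 timestamp; an unexpected reset there is the point of no return, because from then on the attacker holds a credential that can replicate the whole directory.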
WinRAR exploitation alert
- Wide vulnerability coverage. This alert addresses a critical vulnerability (CVE-2023-38831) in WinRAR, which threat actors actively exploit. The vulnerability affects WinRAR versions earlier than 6.23, posing a significant risk to organizations that rely on this software.
- High severity. The bug lets an attacker execute code simply by getting the user to open a benign-looking file inside a crafted ZIP archive: the archive holds a decoy file and a folder of the same name, and when the user double-clicks the decoy, WinRAR also launches the script hidden in that folder, magnifying the risk and potential damage.
- Relevant recent incidents. Government-backed actors have exploited this vulnerability in the wild, underscoring its real-world relevance and active use by threat actors.
- Timely detection. The Akamai Hunt threat hunting service's ability to detect attempts to exploit this high-severity vulnerability plays a critical role in preventing potential breaches and data loss.
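A static check for the archive layout this bug depends on, as an added example that is not Akamai's alert: using Python's `zipfile` it flags a ZIP in which a top-level file and a directory share a name once trailing spaces are ignored, and the directory contains a script or executable. It also wraps the version cut-off from the text in a helper. The archives are built in memory for the example, with placeholder contents rather than any real payload; the extension list is an assumption and should follow what your WinRAR users can be tricked into running.

```python
import io
import zipfile

# File types that WinRAR would hand to ShellExecute; ASSUMPTION, extend to taste.
SCRIPT_EXTENSIONS = (".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr", ".lnk", ".hta")


def winrar_version_vulnerable(version):
    """True for releases earlier than 6.23 (the first fixed version)."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return (major, minor) < (6, 23)


def suspicious_cve_2023_38831(zip_bytes):
    """Return (decoy, payload) pairs: a top-level file and a directory whose names match
    after trailing spaces are stripped, where the directory holds a script/executable.
    Directories may be explicit entries ('name/') or implied by a child's path."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = {}  # normalized name -> original entry name
    dirs = {}   # normalized name -> child entries
    for name in names:
        if name.endswith("/"):
            dirs.setdefault(name.rstrip("/").rstrip(" ").lower(), [])
            continue
        parts = name.split("/")
        if len(parts) == 1:
            files[name.rstrip(" ").lower()] = name
        else:
            dirs.setdefault(parts[0].rstrip(" ").lower(), []).append(name)
    findings = []
    for key, decoy in files.items():
        for child in dirs.get(key, []):
            leaf = child.rsplit("/", 1)[-1].rstrip(" ").lower()
            if leaf.endswith(SCRIPT_EXTENSIONS):
                findings.append((decoy, child))
    return findings


def build_zip(entries):
    """Build an in-memory ZIP from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed lure: decoy 'invoice.pdf ' (trailing space) plus a same-named folder whose
# script WinRAR < 6.23 runs when the decoy is opened. The script body is a harmless stub.
MALICIOUS_ZIP = build_zip({
    "invoice.pdf ": b"%PDF-1.4\n% constructed decoy, not a real document\n",
    "invoice.pdf /invoice.pdf .cmd": b"@echo off\r\nrem constructed placeholder\r\n",
})

BENIGN_ZIP = build_zip({
    "report.pdf": b"%PDF-1.4\n% constructed\n",
    "images/chart.png": b"\x89PNG constructed\n",
})

if __name__ == "__main__":
    for label, data in (("malicious", MALICIOUS_ZIP), ("benign", BENIGN_ZIP)):
        print(label, suspicious_cve_2023_38831(data))
    print("6.22 vulnerable:", winrar_version_vulnerable("6.22"))
```

This is a layout heuristic, not a full emulation of WinRAR's temporary-extraction behaviour, so treat a hit as a reason to detonate the archive in a sandbox and a miss as no assurance; mail gateways and EDR file-write hooks are the natural places to run it.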
User anomaly alert
- Security priority. This alert is of paramount importance as it’s tailored to detect compromised user accounts and insider threats, which are some of the most significant security risks in network environments.
- Behavioral baseline analysis. By leveraging advanced machine learning algorithms, the system creates a comprehensive behavioral baseline for each user. This baseline encapsulates typical actions, access patterns, and interaction with network resources.
- Granular anomaly detection. The alert closely monitors real-time user activity, paying particular attention to irregularities in connection patterns, data access behavior, and any attempts at unauthorized privilege escalation. This granular approach ensures the detection of subtle and potentially malicious deviations.
- Swift response mechanism. When unusual behavior is detected, the alert triggers immediate responses, facilitating rapid investigation and mitigation efforts. Timeliness is crucial for containing security threats before they cause significant damage.
- Holistic network security enhancement. By effectively identifying anomalies in user behavior, this alert system significantly bolsters a network’s overall security posture, safeguarding against unauthorized access, data breaches, and insider threats.
Our journey through 2023 underscores the vital need for advanced cybersecurity integrations. From uncovering cryptojacking campaigns to mitigating the Zenbleed vulnerability, the Akamai Hunt service stood at the forefront of protecting digital ecosystems.
As we look back at the milestones we achieved and the obstacles we overcame, we remain steadfast in our mission: to equip organizations with the most advanced tools and expertise to deter cyber adversaries. Thank you for your trust in Akamai technologies such as Akamai Hunt, Akamai Guardicore Segmentation, and Akamai Connected Cloud.
As we continue to develop strategies such as Zero Trust, API protection, DNS security systems, and edge computing, we help our customers stay ahead of emerging threats. Every day, we’re advancing our security research for more robust security solutions that protect teams against phishing, denial-of-service (DoS) attacks, botnets, hackers, ransomware, and more.