Tenable Blog

GRIZZLY STEPPE Detection with SecurityCenter

Note: Tenable SecurityCenter is now Tenable.sc. To learn more about this application and its latest capabilities, visit the Tenable.sc web page.

Governments and businesses around the world are always potential targets for spear phishing campaigns and APTs like GRIZZLY STEPPE. On December 29, 2016 the U.S. Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a Joint Analysis Report (JAR-16-20296) which included technical details about activity tied to exploitation and the eventual compromise of systems within the United States. The U.S. government is referring to this malicious cyber threat as GRIZZLY STEPPE. The Joint Analysis Report includes GRIZZLY STEPPE indicators of compromise such as a YARA rule and suspicious IP addresses and DNS names. Global organizations must be vigilant about detecting these latest indicators of compromise. SecurityCenter® can easily scan for these indicators and alert on any detections.

How does GRIZZLY STEPPE work?

GRIZZLY STEPPE follows a familiar attack pattern. It targets unsuspecting users with a spear phishing campaign, enticing them to click on a malicious link. As soon as the link is clicked, malicious code is delivered and executed, establishing persistent remote access to that system via a Remote Access Tool (RAT), typically in the form of a web shell.

Once a persistent connection has been established, the next step usually involves escalating privileges and enumerating Active Directory accounts, leading to all sorts of nefarious activity.

Indicators of compromise

The Joint Analysis Report released by DHS and FBI included many Indicators of Compromise (IOCs) which organizations can use to assess if their systems have been compromised. The chief indicator among them is a YARA rule which detects a PHP web shell which was used as part of the GRIZZLY STEPPE campaign.

Here’s the YARA rule:

rule PAS_TOOL_PHP_WEB_KIT
{
meta:
    description = "PAS TOOL PHP WEB KIT FOUND"
strings:
    $php = "<?php"
    $base64decode = /\='base'\.\(\d+\*\d+\)\.'_de'\.'code'/
    $strreplace = "(str_replace("
    $md5 = ".substr(md5(strrev("
    $gzinflate = "gzinflate"
    $cookie = "_COOKIE"
    $isset = "isset"
condition:
    (filesize > 20KB and filesize < 22KB) and
    #cookie == 2 and
    #isset == 3 and
    all of them
}
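To see exactly what this rule keys on, here is an added example (not Tenable's or the JAR's tooling) that re-implements the rule's condition in plain Python, without the yara library, and runs it over a constructed fixture. The fixture is just the rule's tokens padded with filler, not a web shell; it lets you check why a file of the wrong size or with a different number of `_COOKIE` / `isset` occurrences does not match.

```python
import os
import re

# The rule's plain strings, keyed by the YARA identifiers used on the page.
STRINGS = {
    "php": b"<?php",
    "strreplace": b"(str_replace(",
    "md5": b".substr(md5(strrev(",
    "gzinflate": b"gzinflate",
    "cookie": b"_COOKIE",
    "isset": b"isset",
}
# The $base64decode regex from the rule, as a bytes pattern.
BASE64DECODE_RE = re.compile(rb"\='base'\.\(\d+\*\d+\)\.'_de'\.'code'")


def evaluate_pas_rule(data):
    """Apply the PAS_TOOL_PHP_WEB_KIT condition to file bytes.

    Returns (matched, details). Occurrence counts use bytes.count, which is
    non-overlapping; for these tokens that equals YARA's #string count.
    """
    counts = {name: data.count(s) for name, s in STRINGS.items()}
    counts["base64decode"] = len(BASE64DECODE_RE.findall(data))
    size = len(data)
    size_ok = 20 * 1024 < size < 22 * 1024        # YARA's KB suffix is 1024 bytes
    matched = (size_ok and counts["cookie"] == 2 and counts["isset"] == 3
               and all(c > 0 for c in counts.values()))   # "all of them"
    return matched, {"filesize": size, **counts}


def build_fixture(cookie_n=2, isset_n=3, target_size=21 * 1024):
    """Constructed test data: the rule's tokens separated by newlines and
    padded with '#' to the requested size. Not a web shell."""
    tokens = [b"<?php", b"='base'.(16*4).'_de'.'code'", b"(str_replace(",
              b".substr(md5(strrev(", b"gzinflate"]
    tokens += [b"_COOKIE"] * cookie_n + [b"isset"] * isset_n
    body = b"\n".join(tokens)
    return body + b"#" * max(0, target_size - len(body))


def scan_directory(root):
    """Walk a web root and return paths whose contents match the rule."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if evaluate_pas_rule(fh.read())[0]:
                    hits.append(path)
    return hits
```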

Tenable’s YARA pattern detection

Last year Tenable released SecurityCenter functionality to look for malicious files based on textual and binary patterns as defined by a YARA rule. You can use this functionality to detect the malicious PAS PHP web shell identified in the Joint Analysis Report on Windows systems. Here is a sample scan based on the GRIZZLY STEPPE YARA rule:

Create a YARA scan policy

  1. Click Scans -> Policies -> Add.
  2. Select Malware Scan.
  3. Enter a scan name.
  4. Click Malware and enable File System Scanning.
  5. Select the desired Directories and upload the Yara Rules File.
  6. Click Submit.
  7. Create and run a scan using the new policy.

YARA scan in SecurityCenter

You can also run a similar YARA scan in Nessus®. Refer to Threat Hunting with YARA and Nessus for instructions on creating a YARA scan in Nessus®.

Suspicious IP/DNS event analysis with SecurityCenter

In addition to the YARA rule, the Joint Analysis Report also included IP addresses and DNS names tied to malicious actors related to the GRIZZLY STEPPE campaign. While many false positives have been reported with these IP addresses and DNS names, you may still want to scan for them, or use newer, more reliable sources if they become available. Using SecurityCenter, you can define a custom Watchlist asset list to look for any events within your organization which are tied to these suspicious IP addresses, as follows:

Create a new asset list

  1. Click Assets -> Add -> Custom -> Watchlist.
  2. Create a file containing the IP addresses.
  3. Assign a name to the asset list, such as Grizzly Steppe IPs.
  4. Click Submit.

Analyze events

  1. Click Analysis -> Events.
  2. Configure Event Analysis to include Destination Asset and Source Asset.
  3. Select Grizzly Steppe IPs as the asset to watch.
  4. Select a timeframe of events to monitor.
  5. Click Apply All, and review the events.

SecurityCenter Event Analysis

Follow similar steps to create assets for malicious DNS names, with the caveat that you may get many false positives.
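The watchlist matching that Event Analysis performs above, for both source and destination assets and for DNS names, as an added example in plain Python (not SecurityCenter or LCE code). The indicators and log lines are constructed placeholders drawn from reserved documentation ranges, not the JAR's lists; the key=value log format is an assumption.

```python
import ipaddress
import re

# Constructed watchlist: RFC 5737 documentation addresses and RFC 2606-style
# names, standing in for the JAR's indicators. CIDR entries are supported.
WATCHLIST_IPS = [ipaddress.ip_network(n)
                 for n in ("198.51.100.23/32", "203.0.113.0/24")]
WATCHLIST_DOMAINS = {"bad.example", "evil.example"}

# Constructed firewall / DNS resolver events in key=value form.
SAMPLE_EVENTS = [
    "2016-12-30T10:01:02Z src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2016-12-30T10:01:09Z src=203.0.113.77 dst=10.0.0.8 dport=22",
    "2016-12-30T10:02:00Z src=10.0.0.5 dst=192.0.2.10 dport=80",
    "2016-12-30T10:02:31Z src=10.0.0.9 query=c2.bad.example",
    "2016-12-30T10:03:00Z src=10.0.0.9 query=www.example.org",
]
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split 'timestamp key=value ...' into a dict with a 'ts' field."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def ip_on_watchlist(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # missing or malformed field
        return False
    return any(ip in net for net in WATCHLIST_IPS)


def domain_on_watchlist(name):
    """True for a listed domain or any subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHLIST_DOMAINS)


def analyze_events(lines):
    """Return (ts, reason, line) for every event touching a watchlisted indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ip_on_watchlist(ev.get("src", "")):
            hits.append((ev["ts"], "source asset on watchlist", line))
        if ip_on_watchlist(ev.get("dst", "")):
            hits.append((ev["ts"], "destination asset on watchlist", line))
        if "query" in ev and domain_on_watchlist(ev["query"]):
            hits.append((ev["ts"], "dns name on watchlist", line))
    return hits
```

Because the DNS matching treats any subdomain of a listed name as a hit, review domain hits with the false-positive caveat above in mind before acting on them.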

In addition to Watchlists, you can also add custom IPs, URLs or domains to the built-in threat detection in LCE®. This is done by creating custom files in the LCE plugins directory. Refer to the Tenable Community Discussion for more details.

Protecting your systems

Review activity to and from any suspicious IP addresses related to GRIZZLY STEPPE, especially if it appears to be performing a vulnerability scan. For any public facing Windows systems, run a scan with the YARA signature listed above and review any activity that might indicate a compromise.

Thanks to Rich Walchuck, John Chirhart and Andrew Flick for their contributions to this blog.
