Taming ProjectSauron’s Evil Eye From Compromising Domain Controllers

Posted by Avi Kama on Aug 18, 2016 10:58:46 AM
Find me on:

evileye-blog.jpgIn the past few days we all learned of the latest advanced cyber espionage spyware, ProjectSauron. An in-depth analysis was published by Kaspersky Lab, and found it to be one of the most advanced cyber-warfare malware ever made. The malware was named ProjectSauron after reference to the evil dark lord of Lord of the Rings was found embedded in the code.

The attack vector used by this spyware is pretty unique, and highlights concerns about a few aspects of the day-to-day uses of a Domain Controller (DC). 

From the article, published by Kaspersky:

“ProjectSauron registers its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter. This feature is typically used by system administrators

This way, the ProjectSauron passive backdoor module starts every time any domain, local user, or administrator logs in or changes a password, and promptly harvests the passwords in plaintext.”

That’s right - plaintext passwords! Whenever anyone logs in using a password, the eye of ProjectSauron watches. After a few days pass, ProjectSauron will have enough password power to conquer every endpoint and server in the network, simply by logging in. As in strategic warfare, the high-ground is preferred. In an organizational network, that high-ground is servers that are never shut down, and which users authenticate with (DC, SQL server, SharePoint, etc.). These make for a great base of operations for further expansion.

The makers knew, of course, that not everyone logs in with a password.  Some networks deploy smart cards, or other means of authentication, which will not go through the password filter on the DC. That’s why ProjectSauron also uses another DC maneuver:

“In several cases, ProjectSauron modules were deployed through the modification of scripts used by system administrators to centrally deploy legitimate software updates within the network.”

This is the Group Policy Object (GPO) - widely used by administrator to execute maintenance tasks on login. Almost every network I have ever encountered has used these, with varying degrees of security (of course, you probably shouldn’t place a plaintext administrator password in the GPO). ProjectSauron used this behavior, and its control of the DC, to spread into endpoints whenever users logged in to their machines.

Controlling the DC obviously gives an attacker excellent visibility, and exposes many avenues for further expansion across the network. But how did ProjectSauron get there? How did the spyware get installed on the DC? It couldn’t have used any of its credentials before having them.

“Unfortunately we haven’t found any zero-day exploit embedded in the body of any of the malware we analyzed, and we believe it was probably deployed in rare, hard-to-catch instances.”

As I mentioned in a previous blog post, the compromise is commonly used as a single act that is expected as attackers like to keep the zero-day weaknesses undiscovered and only use them when absolutely necessary. A lot of effort was put into exploiting other means of spreading the malware, so that when the it is identified, the zero-day weakness is not. While that piece of software probably cost a lot to make, still the underlying vulnerability used to enable its deployment is much more precious.

Dealing with the initial entry point into the network is not trivial. These types of attacks are very difficult to detect and usually require creative vectors for a successful compromise. But that’s just part of the story. Once you make it into the network, there is a whole new story, and that’s where the attackers might be caught and stopped. By accurately characterizing user behavior, especially those of domain administrators, the actions of APT malware like ProjectSauron can be prevented anytime anomalous behavior of users is detected.

Topics: APT, ProjectSauron, User and Entity Behavior Analytics, Domain Controller