CVE-2015-2857: From Disclosure to Weaponization

11 Nov

CVE-2015-2857: From Disclosure to Weaponization

in Blog, Perspectives

by Vinay Pidathala

CVE-2015-2857 is a remote command execution vulnerability in Accellion’s Secure File Transfer Appliance (FTA). Niara was the first to detect this vulnerability being exploited in the wild, resulting in cyber criminals having near complete access to everything on the target appliance. The Accellion FTA is an enterprise-class solution for sharing files internally and externally. Because so much sensitive corporate information (i.e., pricing information, product roadmap, contracts, etc.) passes through this appliance, an exploit of CVE-2015-2857 has serious implications as attackers can steal sensitive corporate information while remaining undetected.

Cyber criminals were also using the exploited Accellion FTA as a beachhead to gain access to the interior of other enterprises. Given that Accellion has a significant presence in the enterprise – it is a leader in Gartner’s “Magic Quadrant for Enterprise File Synchronization and Sharing” and is the seventh largest vendor in the $794M managed file transfer market according to IDC – Niara’s detection of the attack and determination of the Indicators of Compromise (IoC) was an important step in mitigating the impact of this exploit.

The vulnerability exists in Accellion FTA software version FTA_9_11_200 and prior. Though Accellion released updated software on 25 May 2015 to address this issue, the vulnerability persists because not all organizations install software updates immediately upon release. Many, especially large ones, require updates to be tested first and therefore remain vulnerable during testing. This is the Catch-22 of security updates.

Treat the Disease, Not Just the Symptoms
Additionally, simply updating software is not sufficient to stop attackers who have already exploited the vulnerability. That’s akin to accidently leaving the front door to your house wide open before heading off to work, closing it when you get home, and assuming that the bad guys aren’t lurking around – an especially poor assumption if there are many places to hide in your home. With the CVE-2015-2857 vulnerability, what’s also needed in addition to the software update is proof that the Accellion FTA has not already been compromised.

That’s where Niara’s security analytics platform shines. In addition to machine learning-based analytics, Niara also maintains high-fidelity forensics that are retained for a far longer period than what’s possible with traditional security monitoring systems, due in part to Niara’s use of big data technologies. Forensics go all the way down to raw data level, including PCAPs, enabling Niara to provide complete visibility in to the inner workings of the attack made possible by CVE-2015-2857. With Niara, analysts can easily answer key questions about an attack: what came through the front door? What was it doing? Where was it doing it? How was it doing it? This shortens the time for attack remediation. And the in-depth contextual understating enabled by Niara’s high-fidelity forensics allows customers to develop an effective remediation plan, treating the disease rather than the symptom.

How was CVE-2015-2857 exploited?
The figure below summarizes how attackers exploited the vulnerability on the Accellion FTA. Examples of exactly what Niara’s security researchers were able to see from within Niara are available in the associated Niara Threat Advisory.

Accellion-CVE-2015-2857

  • Step 1: The attackers downloaded Kaiten, a well-known IRC backdoor, on the compromised Accellion FTA. The backdoor was used to issue commands to the compromised Accellion FTA from a command and control (C&C) server in Russia. The attackers also downloaded the “LoRD of IRAN HACKERS” backdoor to ensure redundancy – if one channel went down, they’d still be able to control the Accellion FTA through the other.
  • Step 2: The attackers then instructed the Accellion FTA to download a compressed archive file (tws.tar.gz) from a C&C server in Singapore. The downloaded file, which contained all the tools and blueprints for exploiting the vulnerability, was decompressed and unzipped.
  • Step 3: The attackers then made the Accellion FTA conduct port scans of class A networks to identify other Accellion servers on the internet. The versions of these servers were retrieved – those with “0.18” in the returned version string were vulnerable.
  • Step 4: After vulnerable Accellion FTAs were identified, the attackers went on the exploit them, starting with Step 1 above on each of the vulnerable servers.

Niara: A New Frontier in Threat Hunting
Because of integrated forensics, Niara’s security researchers can start with the initial evidence (i.e., the compromised Accellion FTA communicating with an unusual IP address) and perform advanced threat hunting to see exactly what happened in the past. PCAPs that analysts need are never more than a click or two away – and all accessible from within the Niara platform. There is no need for analysts to pivot between multiple siloed systems to get what they need. Having complete network visibility provided invaluable assistance for Niara’s own security researchers to identify the exploit. Without the packet retention capabilities being intertwined with Niara’s analytics, this would not have been possible.

Next Steps for Enterprises
Enterprises using the Accellion FTA should use the below Indicators of Compromise (IoC) to check if the servers were ever compromised.

  • Network IoC
    • IRC Connections to IP’s located in the Russia
    • Noisy port scans on port 443 out to the internet on different class A or class B subnets
    • wget to download archive files from IP addresses not resolved through DNS
  • Endpoint IoC
    • Look for any hidden directories called .tws under /usr/include. There is a chance that these names are different so look at any newly created hidden directories.
    • Presence of a hidden binary called .perl under the /tmp directory. Please note that the attackers do change names often, so look at any suspicious hidden ELF executable.

More detailed information is available in the Niara Threat Advisory on this vulnerability. And if you are using Niara, we’ve created a number of searches that’ll make it a cinch to find any suspicious activity in your network. If you want the syntax for those searches, want to find out more about Niara’s capabilities or want to see a demo of Niara, please contact us.

Tags: Blog, Perspectives