Security as a Differentiator: Investis Partners With FireEye Managed Defense to Offer Its Clients the Very Best in Cybersecurity

This is a contributed post from Alex Booth, COO, Investis

As a provider of digital corporate communication services to many of the world’s leading companies, information security is of critical importance to us here at Investis. In order to be the world’s safest platform for managing digital communications and hosting corporate sites, we wanted the strongest security partner in the business. As COO of Investis, this was a critical decision, which is why I wanted to share the reasons we chose FireEye Managed Defense. To give you the short version, though, the choice was easy; the long version you can see in the video below or get a synopsis of in this post.

We are an ISO 27001 certified company and a member of CISP, the UK government’s cybersecurity information partnership. We believe you can never take security too seriously, especially in a digital landscape with increasingly sophisticated cybercrime. With that in mind, we wanted the most advanced solution to protect our environment and clients, and FireEye was the perfect partner to help us safeguard against advanced threats.

FireEye is the cybersecurity partner of choice for many of the US’s largest firms and its subsidiary, Mandiant, was selected by the UK Government Communications Headquarters (GCHQ) as one of four vendors certified to respond to cybersecurity attacks targeting the UK’s national infrastructure.

As a result of an on-site assessment by Mandiant consultants, we chose to augment our security team with the FireEye Managed Defense service.

We are looking forward to working with the great team over at FireEye to ensure we offer our clients the very best in cybersecurity.

Managed Defense – Reducing the Time to Detect and Resolve Threats

Working in FireEye Managed Defense presents an interesting perspective into some of the most advanced threats. Our service meshes a team of experts with a powerful technology stack. We combine host- and network-based forensic technologies with highly experienced and skilled analysts, incident responders, and reverse engineers around the clock and across the globe. The foundation of Managed Defense is our partnership with our customers to detect evil and contain compromise. We work together to investigate the compromise, determine a remediation strategy, extract intelligence, and deploy new intelligence into our operations. This ability to leverage expertise to create intelligence and apply it consistently to the endpoint and to network traffic enables our team to adapt and respond quickly. In the face of a campaign like Operation Clandestine Fox, it ensures our clients are protected from even the most advanced attacker groups.

The last 10 days have shown us once again why our mission of defeating the adversary is so critical. On Friday, April 25, we discovered a new IE 0-day exploited as part of a campaign later dubbed Operation Clandestine Fox. In this post, we present an inside look into the discovery and exploitation of this vulnerability and how we were able to help not only the original Managed Defense customer but also others.

The Initial Detection

This story begins on April 25, when a group of our analysts working with a Managed Defense client detected an active APT backdoor using one of the many indicators of compromise (IOCs) we check for within Managed Defense.

At first glance, it might have been reasonable to characterize the initial compromise as fairly typical. We knew at the time that the attackers had been able to deploy at least one backdoor, and were communicating interactively with it to escalate the attack. After containing the host, the usual questions emerged:

  • How was the machine compromised?
  • Was the scope of the compromise limited to a single host?
  • What did the attackers accomplish?
  • Who was the Threat Actor behind the attack?

That evening, a deeper analysis of the host revealed that the backdoor was resident only in memory and communicating out to remote attacker infrastructure. While we had seen similar malware variants, analysis of JavaScript and Flash objects from this host indicated that we were possibly at the forefront of discovering a previously unknown vulnerability being exploited.

Evaluating the malware and the tactics employed pointed to a threat group that we had seen before. This group had been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past. They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.

Expanding Detection Across Managed Defense

The new 0-day was, of course, the big news. But just as important to our Managed Defense customers were lesser-known details that we tend to dig up every day on threats big and small.

For instance, during the early stages of investigation, we produced evidence of the targeted spear phishing campaign that served as the initial attack vector. The campaign morphed four times, altering the content and remote locations of the payloads. Not only were we able to help our initial client detect and contain the threat, but continuously updating our applied intelligence led to other detections of the same campaign elsewhere.

Immediately after we deployed host-based indicators for the first-stage backdoor as well as network-based indicators for the command and control (C2) channels, we found a compromise at two additional Managed Defense customers. This meant we could pivot quickly into a focused investigation and response for our other customers – all of this in a matter of hours.

The analysis performed within the first few hours allowed our team to deploy these network-based indicators across the globe and ensure that we were positioned between our customers and their adversaries to detect the attack early in the attack lifecycle. Not long after, as an added countermeasure, we further augmented our detection capability by deploying host-based indicators specifically focused on rapidly surfacing additional variants of the first-stage backdoor. All told, we built new intelligence around the phishing emails, the backdoors used, use of the 0-day exploit, and evidence of backdoor installation via an in-memory mutex. This is handy as memory-only enterprise sweeps are much faster than filesystem ones.

Within 24 hours, we had gathered and reviewed results from nearly a million endpoints across the Managed Defense customer base. The additional activity we observed solidified our theory that at least one APT threat actor group was broadly and aggressively targeting an array of key industries, including aerospace, energy, financial, and the federal sector.

We published all of the intelligence we could glean as the investigation progressed so our customers could have insight on the threat actor and their tactics. This also supported customers discussing the threat with their peer groups to help drive the ultimate goal of protection, remediation and recovery.

Our work here resulted in new detection capabilities to find compromise through the attack lifecycle, ranging from initial targeting to successful exploitation and subsequent escalation through the establishment of more persistent backdoors. Thanks to our rapid deployment of relevant intelligence across our platform and the quick action of our clients, the eleven Managed Defense clients targeted by this campaign were all able to successfully contain the compromises at the initial stage, preventing further attacker activity within client environments.

Looking Back (and Forward)

Given the relative ubiquity of the vulnerability and the scope of the opportunity presented to attackers, we were unsurprised to see the attackers carry on through the week of April 28th. The Managed Defense team continued to work with our customers in a few ways:

  • We continued to monitor our customers’ global infrastructure 24×7 for related activity;
  • Over the course of 7 days, we published compromise reports that described related attacker activity at a dozen unique enterprises, spanning multiple industries;
  • We were easily able to pivot into Incident Response where necessary and applied additional horsepower to analyze a variety of forensic artifacts and accelerate response time;
  • We published additional intelligence to our customers so that each team could augment their own legacy detection capabilities and potentially prevent compromise.

With Microsoft’s recent patch release, we’ve already witnessed a shift in attacker activity, including a substantial decrease in phishing activity. This once wide-open door is closing, but we know our adversaries’ unrelenting search for new attack surfaces undoubtedly continues. For those of us in Managed Defense, events like those detailed above are common occurrences, but they nonetheless serve as inspiring reminders of the gravity of our mission: to help protect our clients from skilled and determined adversaries. The best analysts in the industry, a global deployment of detection technology, superior threat intelligence, and an ability to rapidly escalate and deploy that new intelligence, combined with the close partnerships we have with our clients, ensure we are well prepared for the inevitable next round of attacks.


RSA USA 2014: Continuous Monitoring, Protection, and Vigilance

The advanced threat landscape was a hot topic at last week’s RSA Conference, where industry influencers, peers, customers, and partners came together to look at today’s security challenges and help solve them.

At the event, FireEye chief security strategist Richard Bejtlich sat down with Mike Scutt, incident handler at FireEye. They discussed how customers benefit from the powerful addition of Mandiant to the FireEye Threat Prevention Platform.

Their exchange zeroed in on FireEye Managed Defense, one of the first products to come about from the Mandiant integration. Managed Defense enhances FireEye Continuous Monitoring capabilities with a greater level of intelligence. This new family of services leverages the Mandiant professional services group to provide vital context about cyber-attacks and detailed advice about how to prevent, detect, contain, and resolve them.

Managed Defense offers three levels of service, tailored to customers’ in-house resources and risk tolerance: Continuous Monitoring, Continuous Protection, and Continuous Vigilance. All three service tiers help subscribers identify attackers, understand their intentions, and draw up a step-by-step action plan.

Click below to listen to the full podcast recorded live from the show floor at RSA USA 2014:
Richard Bejtlich Interviews Mike Scutt