Vectra Response to CVE-2019-0708

On 2019/May/14, Microsoft released details regarding a security vulnerability (CVE-2019-0708) which prompted the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003. The company states that this vulnerability is pre-authentication and does not require user interaction, making it a candidate for worm-like malware similar to the EternalBlue ransomware attacks of 2017.

As with any potential compromise, it is important to remember that the attack is more than just exploitation, and looking at the surrounding behaviors allows you to identify use of the vulnerability without a signature or direct identification. Vulnerable systems still need to be found via reconnaissance (ex: Port Sweep, RDP Recon), the exploit must be used to move laterally (ex: Suspicious Remote Desktop, Automated Replication), and, depending on the attack style, the compromised hosts must be externally controlled (ex: External Remote Access, Tor Activity). Our team of analysts would like to share the following workflow to help detect discovery of exploitable machines, as well as a way to search for hosts that may be infected, using Cognito:

To identify reconnaissance targeted against Microsoft terminal services (port 3389), we can use the following logic to build a query in Cognito Detect that returns matching detections: Port Sweep detection for tcp:3389 OR Internal Darknet Scan detection for tcp:3389 OR RDP Recon detection.

To build such a query:
1. On the 'Detections' page in Cognito Detect, click the 'Advanced' search option to the right of the search window
2. Clear the existing advanced search, and replace with the following:

detection.is_triaged:false AND detection.state:"active" AND (((detection.detection_type:"Internal Darknet Scan" OR detection.detection_type:"Port Sweep") AND detection.grouped_details.dst_ports:3389) OR detection.detection_type:"RDP Recon")

This query will return individual reconnaissance detections targeting port 3389. Clicking on the 'HOST' column header sorts the results by host, which makes it easy to spot hosts that are performing more than one of these behaviors.
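To make the precedence of the filter above explicit (the port-3389 condition applies only to Port Sweep and Internal Darknet Scan, while RDP Recon matches on its own, and triaged or inactive detections are always excluded), here is an added example that applies the same logic to a handful of constructed detection records and then groups the matches by host, the way sorting by the 'HOST' column does. This is illustrative code, not Vectra's; the record fields are stand-ins modelled on the query's field names and may not match the real Cognito API shape.

```python
"""Apply the article's port-3389 reconnaissance filter to constructed detection records.

Added example, not Vectra's code. Field names mirror the Cognito Detect query
(is_triaged, state, detection_type, grouped_details.dst_ports); the real API
may differ, so treat the record layout as an assumption.
"""

RECON_TYPES_NEEDING_PORT = {"Internal Darknet Scan", "Port Sweep"}
RDP_PORT = 3389

# Constructed sample detections (not real data). Comments note why each is in or out.
SAMPLE_DETECTIONS = [
    {"id": 1, "host": "ws-101", "is_triaged": False, "state": "active",
     "detection_type": "Port Sweep", "grouped_details": [{"dst_ports": [445, 3389]}]},      # in: sweep hit 3389
    {"id": 2, "host": "ws-101", "is_triaged": False, "state": "active",
     "detection_type": "RDP Recon", "grouped_details": [{"dst_ports": [3389]}]},            # in: RDP Recon
    {"id": 3, "host": "ws-202", "is_triaged": True, "state": "active",
     "detection_type": "Port Sweep", "grouped_details": [{"dst_ports": [3389]}]},            # out: already triaged
    {"id": 4, "host": "ws-303", "is_triaged": False, "state": "active",
     "detection_type": "Internal Darknet Scan", "grouped_details": [{"dst_ports": [22, 80]}]},  # out: no 3389
    {"id": 5, "host": "ws-404", "is_triaged": False, "state": "inactive",
     "detection_type": "RDP Recon", "grouped_details": []},                                  # out: not active
    {"id": 6, "host": "ws-505", "is_triaged": False, "state": "active",
     "detection_type": "Internal Darknet Scan", "grouped_details": [{"dst_ports": [3389]}]},   # in: darknet scan hit 3389
]


def dst_ports(detection):
    """Collect every destination port referenced in the detection's grouped details."""
    ports = set()
    for group in detection.get("grouped_details", []):
        ports.update(group.get("dst_ports", []))
    return ports


def matches_rdp_recon(detection):
    """Return True if the detection satisfies the article's query logic."""
    if detection["is_triaged"] or detection["state"] != "active":
        return False
    dtype = detection["detection_type"]
    if dtype == "RDP Recon":
        return True  # RDP Recon needs no port condition
    return dtype in RECON_TYPES_NEEDING_PORT and RDP_PORT in dst_ports(detection)


def rdp_recon_detections(detections):
    """Filter a list of detections down to the ones the query would return."""
    return [d for d in detections if matches_rdp_recon(d)]


def behaviours_per_host(detections):
    """Map host -> number of distinct matching behaviours (what sorting by HOST reveals)."""
    per_host = {}
    for d in rdp_recon_detections(detections):
        per_host.setdefault(d["host"], set()).add(d["detection_type"])
    return {host: len(types) for host, types in per_host.items()}


if __name__ == "__main__":
    for d in rdp_recon_detections(SAMPLE_DETECTIONS):
        print(d["id"], d["host"], d["detection_type"])
    print(behaviours_per_host(SAMPLE_DETECTIONS))
```

Hosts with a count of two or more (here the constructed ws-101) are the ones worth looking at first, since they combine a port sweep or darknet scan of 3389 with RDP-specific reconnaissance.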

Alternatively, we can use similar logic to build a query for the 'Hosts' page that will return hosts that are performing these actions. Due to how detection summary information is indexed on the 'Hosts' page, some hosts may be returned that have triaged detections, or other information related to port 3389. The returned set of hosts should be closely scrutinized against the intent of the query as detection summary information is coalesced from the host's detections.

To build such a query:
1. On the 'Hosts' page in Cognito Detect, click the 'Advanced' search option to the right of the search window
2. Clear the existing advanced search, and replace with the following:

host.state:"active" AND (((host.detection_summaries.detection_type:"Port Sweep" OR host.detection_summaries.detection_type:"Internal Darknet Scan") AND host.detection_summaries.summary.dst_ports:3389) OR host.detection_summaries.detection_type:"RDP Recon")

This query will return a host-centric view of the hosts exhibiting targeting behavior on port 3389.

Using Cognito Recall or Cognito Stream, it is recommended to identify any traffic to publicly facing RDP servers. This information is available in the RDP metadata stream. The query in Cognito Recall would look like the following:

local_orig:false AND local_resp:true

While Cognito Detect will alert on suspicious internal remote desktop connections, all internal RDP traffic can be reviewed with Cognito Recall or Stream by searching for RDP traffic with both a local origin and a local response. The Cognito Recall query would look like the following:

local_orig:true AND local_resp:true
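The two Recall queries above are just predicates over the local_orig and local_resp fields of each RDP metadata record. As an added example (not Vectra's code), the script below applies both predicates to a constructed set of RDP metadata records in JSON-lines form, with the Zeek-style field names the RDP stream uses as an assumption, and also counts which internal responders are being reached from outside, which is the list a defender wants when deciding where to patch or restrict first. Records that lack the local_orig/local_resp fields are skipped rather than guessed at.

```python
"""Filter RDP metadata records the way the two Cognito Recall queries do.

Added example, not Vectra's code. The record layout (id.orig_h, id.resp_h,
id.resp_p, local_orig, local_resp) is an assumption modelled on Zeek-style
connection metadata; the constructed sample below is not real traffic.
"""
import json
from collections import Counter

# Constructed RDP metadata, one JSON object per line (not real data).
SAMPLE_RDP_LOG = """\
{"ts": 1557800000.1, "uid": "C1", "id.orig_h": "203.0.113.10", "id.resp_h": "10.0.0.5", "id.resp_p": 3389, "local_orig": false, "local_resp": true}
{"ts": 1557800001.2, "uid": "C2", "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.5", "id.resp_p": 3389, "local_orig": true, "local_resp": true}
{"ts": 1557800002.3, "uid": "C3", "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.9", "id.resp_p": 3389, "local_orig": true, "local_resp": true}
{"ts": 1557800003.4, "uid": "C4", "id.orig_h": "10.0.0.8", "id.resp_h": "198.51.100.20", "id.resp_p": 3389, "local_orig": true, "local_resp": false}
{"ts": 1557800004.5, "uid": "C5", "id.orig_h": "198.51.100.77", "id.resp_h": "10.0.0.5", "id.resp_p": 3389, "local_orig": false, "local_resp": true}
{"ts": 1557800005.6, "uid": "C6", "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.5", "id.resp_p": 3389}
"""


def parse_rdp_log(text):
    """Parse JSON-lines RDP metadata; blank lines are ignored, malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a defender's filter should not crash on one bad line
    return records


def rdp_query(records, local_orig, local_resp):
    """Equivalent of 'local_orig:<x> AND local_resp:<y>'.

    Records missing either field are excluded: the locality is unknown, so the
    query cannot match them, mirroring how a field filter treats absent fields.
    """
    return [r for r in records
            if r.get("local_orig") is local_orig and r.get("local_resp") is local_resp]


def public_facing_rdp(records):
    """local_orig:false AND local_resp:true -- external client to internal RDP server."""
    return rdp_query(records, local_orig=False, local_resp=True)


def internal_rdp(records):
    """local_orig:true AND local_resp:true -- RDP between two internal hosts."""
    return rdp_query(records, local_orig=True, local_resp=True)


def exposed_rdp_servers(records):
    """Count external RDP connections per internal responder (who is reachable from outside)."""
    return Counter(r["id.resp_h"] for r in public_facing_rdp(records))


if __name__ == "__main__":
    recs = parse_rdp_log(SAMPLE_RDP_LOG)
    print("public-facing:", [r["uid"] for r in public_facing_rdp(recs)])
    print("internal:", [r["uid"] for r in internal_rdp(recs)])
    print("exposed servers:", dict(exposed_rdp_servers(recs)))
```

In the constructed sample, C1 and C5 are the externally originated sessions and both land on the same internal responder, so that server is the one whose exposure to the internet should be reviewed first; C2 and C3 are the ordinary internal sessions that the second query surfaces, and C6 carries no locality fields, so neither query claims it.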

If you have any questions or need assistance, please do not hesitate to reach out to your Customer Success Manager.
