Where data is home
Where Data is Home

Follina Exploit: Compromising Domain Controller Via Rdp Session

Personal Safety Tips
By Editor
Defending Against Malware
0 35

The Follina exploit has emerged as a significant threat, allowing threat actors to compromise domain controllers through Remote Desktop Protocol (RDP) sessions. This exploit involves the installation of various tools, such as NetSupport, Atera Agent, and Cobalt Strike, on targeted systems. By leveraging the CVE-2022-30190 vulnerability, attackers employ a malicious Word document to download Qbot DLL files through base64-encoded content. Subsequently, the Qbot DLL is executed using regsvr32.exe, while Windows utilities like whoami, net.exe, and nslookup are spawned. The attackers establish persistence by creating scheduled tasks and executing nltest.exe and AdFind through an injected Cobalt Strike process. Moreover, they install the Atera Remote Management tool on the domain controller and conduct a port scan throughout the network. Access to sensitive documents is facilitated via RDP, with Qbot requesting access rights for credential mining. The exploit involves the hijacking of email threads and utilizes TA570 for initial delivery. Furthermore, process hollowing is employed to inject malware into explorer.exe, and the Atera RMM agent is installed and activated on the domain controller, providing the attackers with remote administration tools for accessing the environment.

Key Takeaways

  • Follina exploit allowed threat actors to compromise the domain controller via an RDP session.
  • The exploit involved installing NetSupport, Atera Agent, and Cobalt Strike on targeted systems, exploiting CVE-2022-30190 using a malicious Word document, and executing Qbot DLL files through regsvr32.exe.
  • Qbot used various techniques for persistence, including creating scheduled tasks, executing nltest.exe and AdFind through injected Cobalt Strike process, and installing Atera Remote Management tool on the domain controller.
  • Qbot payload URLs were used to download Qbot libraries, and Qbot utilized process hollowing and information-stealing modules.

Overview

The Follina exploit is a method used by threat actors to compromise the domain controller via an RDP session, wherein they install malicious software and execute various commands to gain unauthorized access to sensitive information and control over the network. The implications and consequences of compromising a domain controller are significant, as it can lead to the compromise of the entire network and the exposure of sensitive data. It can result in financial losses, reputational damage, and legal consequences for the affected organization. To secure RDP sessions on domain controllers, it is important to follow best practices such as implementing strong passwords, enabling multi-factor authentication, regularly updating and patching systems, monitoring and logging RDP sessions, and restricting access to authorized personnel. These measures can help prevent unauthorized access and mitigate the risks associated with the compromise of a domain controller.

Attack Method

By employing a method that leverages Remote Desktop Protocol (RDP), hackers are able to successfully infiltrate the domain controller. RDP vulnerabilities serve as the entry point for these malicious actors, allowing them to exploit weaknesses in the system’s security. Once inside, they can gain unauthorized access to the domain controller and compromise its functionality. This attack method highlights the importance of addressing RDP vulnerabilities and implementing robust security measures to protect domain controllers. Organizations need to be vigilant in monitoring and patching RDP vulnerabilities to prevent unauthorized access and potential compromise of their domain controllers. By staying proactive and implementing strong security practices, organizations can mitigate the risk of falling victim to these types of attacks.

Technical Analysis

Through a comprehensive technical analysis, the intricacies of the infiltration method used by hackers to gain unauthorized access to the domain controller can be better understood. The exploit techniques employed in the Follina exploit involved the installation of NetSupport, Atera Agent, and Cobalt Strike on targeted systems. The hackers exploited CVE-2022-30190 by utilizing a malicious Word document and employed base64-encoded content to download Qbot DLL files. The Qbot DLL was then executed through regsvr32.exe. Additionally, the attackers utilized various Windows utilities such as whoami, net.exe, and nslookup to further their malicious activities. The malware behavior exhibited by the Qbot payload included the creation of scheduled tasks for persistence, execution of nltest.exe and AdFind through injected Cobalt Strike processes, and the installation of the Atera Remote Management tool on the domain controller. These actions allowed the hackers to conduct a port scan and enable access to sensitive documents through RDP.

Payload URLs

Utilizing three unique URLs, the Qbot payload downloaded Qbot libraries for further malicious activities. These URLs, namely http://104.36.229.139/$(random)[:]dat, http://85.239.55.228/$(random)[:]dat, and http://185.234.247.119/$(random)[:]dat, served as distribution channels for the malware. The Qbot payload leveraged these URLs to retrieve the necessary libraries and execute its malicious functions. This method allowed the threat actors to maintain control over the compromised systems and carry out various malicious activities. It is important for analysts to utilize effective analysis tools to track and monitor these URLs, as they play a significant role in the malware distribution process. By understanding the patterns and techniques employed in the distribution of Qbot libraries, security professionals can enhance their ability to detect and mitigate such threats.

Prevention Measures

To prevent the distribution of Qbot libraries and mitigate the associated risks, implementing effective security measures is crucial. One important measure is implementing network segmentation, which involves dividing the network into smaller, isolated segments. This helps contain the spread of malware and restrict unauthorized access to critical systems. Additionally, strengthening RDP security measures is essential. This can include enabling strong password policies, implementing multi-factor authentication, and regularly updating RDP software to patch any known vulnerabilities. It is also recommended to monitor and log RDP activity to detect any suspicious behavior. By implementing these measures, organizations can significantly reduce the risk of compromising the domain controller via RDP session and protect their network from potential exploits like the Follina exploit.

Frequently Asked Questions

How can organizations detect if their domain controller has been compromised through the Follina exploit?

Organizations can detect if their domain controller has been compromised through the Follina exploit by implementing robust security measures such as network monitoring, intrusion detection systems, and endpoint protection. Regular vulnerability assessments and patch management can also help prevent the Follina exploit.

What are the potential consequences for organizations if their domain controller is compromised through the Follina exploit?

The potential consequences for organizations if their domain controller is compromised through the Follina exploit include unauthorized access to sensitive data, loss of control over network resources, disruption of operations, and possible financial and reputational damage. Detection methods are crucial for identifying and mitigating the impact of such compromises.

Are there any specific industries or sectors that are more likely to be targeted by the Follina exploit?

The likelihood of being targeted by the Follina exploit is not specific to any particular industry or sector. However, small businesses may be more vulnerable due to limited resources for cybersecurity measures and lack of cybersecurity awareness training.

Are there any known indicators of compromise (IOCs) associated with the Follina exploit that organizations should be aware of?

Known indicators of compromise (IOCs) associated with the Follina exploit include the installation of NetSupport, Atera Agent, and Cobalt Strike, exploitation of CVE-2022-30190, execution of Qbot DLL files, and the presence of scheduled tasks for persistence. Organizations should be aware of these IOCs and take appropriate mitigation steps to prevent and detect the exploitation. While the specific consequences of the Follina exploit may vary, they can potentially include unauthorized access to sensitive documents, credential mining, and information theft. It is important for organizations to implement robust security measures, such as patching vulnerabilities, monitoring network activity, and employing strong access controls, to mitigate the risks associated with this exploit. While the Follina exploit can potentially target any industry, organizations in sectors that handle sensitive information, such as finance, healthcare, and government, are particularly at risk.

What steps can organizations take to mitigate the risk of falling victim to the Follina exploit and protect their domain controllers?

Organizations can mitigate the risk of falling victim to the Follina exploit by taking several steps. These include regularly patching and updating systems, ensuring strong network segmentation, implementing multi-factor authentication, and conducting regular security audits and assessments. These measures are crucial for maintaining a secure environment.

Continue Reading
Editor 1200 posts 0 comments
Das könnte dir auch gefallen Mehr vom Autor
Hinterlasse eine Antwort

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More