Cybersecurity Incident Involves LevelBlue's MDR Security Operations Center

Quick take - A cybersecurity incident handled by LevelBlue’s Managed Detection and Response (MDR) Security Operations Center highlighted the need to monitor persistence mechanisms: a customer was alerted to a potentially unwanted application that used Autorun registry keys and scheduled tasks to keep running on the endpoint without authorization.

Fast Facts

  • A cybersecurity incident at LevelBlue’s MDR SOC emphasized the need for monitoring persistence mechanisms, particularly Windows Autorun registry keys.
  • A significant alarm was triggered by a potentially unwanted application (PUA) posing as a PDF conversion tool, which established double-layer persistence through Scheduled Tasks and registry modifications.
  • The investigation revealed suspicious behavior, including a command line option indicating concealment attempts and a non-legitimate loading pathway for a Chrome extension.
  • OSINT tools flagged the application as potentially malicious, leading to the discovery of anomalous behavior linked to the MSI installer and its publisher, Eclipse Media Inc.
  • The incident underscored the importance of vigilant monitoring of scheduled tasks and registry keys, as well as the use of expert analysis and OSINT tools to protect against emerging threats.

Cybersecurity Incident Highlights Importance of Monitoring Persistence Mechanisms

A recent cybersecurity incident involving LevelBlue’s Managed Detection and Response (MDR) Security Operations Center (SOC) has brought attention to the importance of monitoring persistence mechanisms in cybersecurity.

Alarm Triggered by Windows Autorun Registry Key

A customer of LevelBlue experienced a significant alarm triggered by a Windows Autorun registry key. Such keys are a persistence mechanism: they let a program (or an attacker’s tooling) keep running across restarts and updates, which makes them key indicators that security teams must monitor. Common techniques include Boot or Logon Autostart Execution, catalogued as MITRE ATT&CK T1547, and abuse of scheduled tasks, catalogued as T1053.

The alarm was traced to a potentially unwanted application (PUA) masquerading as a PDF conversion tool. The application established two layers of persistence by creating Scheduled Tasks and modifying Autorun registry keys, and it also ran JavaScript disguised as a Chrome browser extension.

Investigation Reveals Malicious Activity

Open-source intelligence (OSINT) tools flagged the application as either a PUA or potentially malicious. Analysts identified a suspicious registry key named “ChromeBrowserAutoLaunch.” Initially, it was believed to auto-launch Chrome with a browser extension. However, the analysis revealed concerning elements, including the command line option “--no-startup-window,” which starts Chrome without a visible window and often indicates an attempt to hide activity from the user.

Further scrutiny showed that the extension was not loaded from the legitimate Chrome Web Store, and OSINT queries found no verifiable extension named “Extension Optimizer.” Abuse of browser extensions (T1176) is a known tactic linked to infostealing, adware, and browser hijacking.

An event search revealed that the registry key was added by a node.exe process, which operated from a suspicious AppData folder labeled “PDFFlex.” The use of node.exe to load the extension manually raised additional alarms.

Recommendations and Ongoing Monitoring

The investigation uncovered details about the application’s MSI installer, including its version, publisher, and a scheduled task that executed “node.exe update.js --check-update,” adding a second layer of persistence on the endpoint. OSINT searches for the MSI file “FreePDF_49402039.msi” and its publisher, PDFFlex.io, returned no verifiable information, and a Whois search indicated that the domain was not registered.

A web search concerning the application version resulted in a verdict of “malicious activity” from the sandbox tool ANY.RUN. The SHA256 file hash linked to the application was flagged as potentially malicious by various security vendors, confirmed by the analyst using SentinelOne Deep Visibility. The MSI file was signed by “Eclipse Media Inc,” which later became significant in related incidents.

The investigation suggested that the presence of the “PDFFlex” application was undesirable due to its anomalous behavior and persistence. The analyst recommended reimaging the affected endpoint or removing all associated folders, scheduled tasks, and registry keys.

Another endpoint was found exhibiting similar persistence indicators under the name “PDFTool,” which was also unauthorized. The MSI file hash for “PDFTool” was subsequently added to the SentinelOne Cloud global blocklist, resulting in further alerts.

It emerged that a different customer had previously included a hash-based exclusion for a similarly named MSI file signed by “Eclipse Media Inc.” Thanks to the LevelBlue team’s knowledge of the signer and their recent analyses, they were able to alert the customer to potential risks, leading to the removal of the exclusion and the addition of a blocklist action for the alternate hash.

This incident highlights the critical need for vigilant monitoring and alerting on scheduled task and Autorun registry key creations. Expert analysis, alongside the use of OSINT and sandboxing tools, is vital for safeguarding customer environments against emerging threats.
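The monitoring the article calls for can be expressed as a simple rule over persistence events. The following is an added example, not LevelBlue’s or the article’s code, that scores Autorun registry writes and scheduled-task creations on the indicators described above (binary in a user-writable path, node.exe as launcher, the `--no-startup-window` flag, and a creating process running from AppData). The event format and the sample events are constructed; `--load-extension` is an assumed extra indicator not mentioned in the article.

```python
import re

# Autorun key suffixes (MITRE T1547.001), compared case-insensitively.
AUTORUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
                r"\software\microsoft\windows\currentversion\runonce")
# Paths an unprivileged user can write to; legitimate autoruns rarely start from here.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
# Hidden-window flag from the incident, plus --load-extension (assumed sideloading indicator).
SUSPICIOUS_FLAGS = ("--no-startup-window", "--load-extension")

def _command_reasons(cmd):
    cmd = cmd.lower()
    reasons = ["binary in user-writable path"] if USER_WRITABLE.search(cmd) else []
    if "node.exe" in cmd:
        reasons.append("node.exe used as launcher")
    return reasons + [f"flag {f}" for f in SUSPICIOUS_FLAGS if f in cmd]

def analyze(event):
    """Return (event_id, technique, reasons) for one EDR-style event, or None if benign."""
    if event["type"] == "registry_set":
        if not any(event["key"].lower().endswith(k) for k in AUTORUN_KEYS):
            return None  # not an Autorun key; out of scope for this rule
        technique, command = "T1547.001", event["data"]
    elif event["type"] == "task_create":
        technique, command = "T1053.005", event["command"]
    else:
        return None
    reasons = _command_reasons(command)
    # The writer matters too: in the incident the Run value was added by node.exe from AppData.
    if USER_WRITABLE.search(event.get("process", "")):
        reasons.append("created by process in user-writable path")
    return (event["id"], technique, tuple(reasons)) if reasons else None

def scan(events):
    return [f for f in map(analyze, events) if f]

# Constructed sample events modelled on the article's description (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "e1", "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "ChromeBrowserAutoLaunch",
     "data": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window',
     "process": r"C:\Users\alice\AppData\Roaming\PDFFlex\node.exe"},
    {"id": "e2", "type": "task_create", "name": "PDFFlex Update",
     "command": r'"C:\Users\alice\AppData\Roaming\PDFFlex\node.exe" update.js --check-update',
     "process": r"C:\Windows\System32\msiexec.exe"},
    {"id": "e3", "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
     "process": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` flags e1 and e2 and leaves the OneDrive autorun alone; in practice the rule would be fed from EDR registry and task telemetry rather than a static list.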

Original Source: Read the Full Article Here
