A recent blog by Elastic Security Labs details GHOSTENGINE, a crypto miner that leverages an intrusion set (HIDDENSHOVEL) to disable endpoint security solutions (EDRs) on a victim host. While crypto miners may not pose a grave threat to an enterprise, the usage of anti-EDR functions is dangerous and likely to increase in prevalence. In today's cybersecurity landscape, confidence and reliance upon an enterprise endpoint solution are commonplace; this further increases when leveraging XDR capabilities to add network detection functions. While EDR is a critical component of any cybersecurity framework, Network Detection and Response (NDR) solutions play an equally important role as new vulnerabilities emerge.
In this example, GHOSTENGINE leverages various vulnerabilities and exploitation tools to disable components of EDRs to execute crypto mining functions. Once the EDR is rendered ineffective, few security solutions are left to detect and alert the enterprise to the activity. Network detection solutions, like IronNet’s Collective Defense, are designed to detect network anomalies and are unaffected by bypass techniques like those used in this campaign. In most cases, malware needs to communicate externally to command and control (C2) infrastructure for secondary payload downloads, additional instructions, and data exfiltration. All of these are opportunities for an enterprise network solution to detect and alert, regardless of an EDR’s effectiveness.
Threat Intelligence Overview:
» 157 exclusive IronDefense NDR detections able to detect various aspects of GHOSTENGINE Command and Control (C2)
» 5 Collective Defense correlations for GHOSTENGINE Network alerts
» 1 unique indicator discovered by IronRadar fingerprinting the GHOSTENGINE X.509 certificate
Custom Network Detection Rules:
Rule Name | Description |
Outbound Suspicious Powershell Activity | Detects suspicious file downloads via Powershell or direct to IP communications via Powershell |
Outbound CURL to DottedQuad | Detects traffic that is to a dotted quad using curl as a user agent |
IOCs:
93.95.228[.]47 | GHOSTENGINE C2 |
93.184.221[.]240 | GHOSTENGINE C2 |
111.90.143[.]130 | GHOSTENGINE C2 |
As outlined in the Gartner SOC Visibility Triad, an organization should have a combination of EDR, NDR, and SIEM for complete protection and visibility. GHOSTENGINE’s usage of EDR-killing capabilities highlights the importance of multiple layers of protection, enabling one tool to take over when another fails. IronNet’s Collective Defense solution provides organizations with powerful network detections and community correlations to detect activity like this, even when it may be missed by an endpoint tool. As a network tap, requiring no modifications to client machines, IronNet's solution is not vulnerable to client-side bypass techniques. While GHOSTENGINE may be a crypto miner aimed at making money at scale, the next usage of this technique could pose a much greater cyber risk.
_________
Contact us to speak to our team of cybersecurity experts or request a demo to see Collective Defense in action.