Shauli Zacks
Published on: February 26, 2024
In a recent interview with SafetyDetectives, Daniel dos Santos, the Head of Security Research at Forescout, delved into his journey from learning computer basics in Brazil to leading a team of researchers at Forescout’s Vedere Labs. Forescout, known for its automated cybersecurity solutions, focuses on identifying and protecting all managed and unmanaged connected cyber assets, including IT, IoT, IoMT, and OT. Dos Santos highlighted the threats posed by well-known malware like Agent Tesla RAT and Cobalt Strike, emphasizing their capabilities in information stealing and evasive command-and-control communications. Moreover, he discussed the vulnerability of popular OT protocols such as Modbus and EtherNet/IP due to their lack of basic security features. Dos Santos also shed light on the implications of most Cobalt Strike servers being located in the United States, suggesting they serve as both attractive targets and effective beachheads for launching additional attacks. Lastly, he elaborated on the attractiveness of web applications and remote management protocols to threat actors due to their potential for initial access and exploitation within organizations.
Can you talk about your background and your current role at Forescout?
I grew up in the 90s and 2000s in Brazil with a wide variety of interests. I mostly learned about computers and the basics of programming from my father, who is a retired electrical engineer and developed the first computer systems for the local power distribution company. That led me to pursue a PhD in computer science and eventually become a security researcher.
My current role at Forescout is Head of Security Research for our research team, Vedere Labs, where I lead a team of researchers in identifying new vulnerabilities and monitoring active threats on connected devices and networks, including the internet of things, operational technology used in critical infrastructure, medical devices, specialized appliances and more. Our team not only focuses on finding vulnerabilities but also on deciding where we should look for them and what types of devices will be interesting for the cybersecurity community and the public to learn more about. Ultimately, we aim to help those developing software, protocols, devices, etc. to avoid making the same mistakes we discover in our research.
What are the flagship features offered by Forescout?
Forescout specializes in automated cybersecurity with solutions that continuously identify, protect and help ensure the compliance of all managed and unmanaged connected cyber assets: IT, IoT, IoMT and OT. Our solutions deliver comprehensive capabilities for network security, risk and exposure management, and threat detection and response, with the long-term goal of enabling enterprises to more effectively manage cyber risk and mitigate threats.
I was looking through Forescout’s 2023 Threat Roundup Analysis and saw that the Agent Tesla RAT commands a significant share of observed malicious activity. What makes it a formidable threat? How does Cobalt Strike dominate the command-and-control server landscape?
Although threat actors are always looking for new tools to make their jobs more efficient and effective, they still rely on well-known malware that has been around for a considerable time. Agent Tesla has been used since 2014, has been updated continuously, and is sold by subscription under a malware-as-a-service model, so it is very reliable for attackers. It includes capabilities for information stealing, keylogging, file download, and screenshot capture, for instance, which are often part of phishing campaigns that remain very profitable for threat actors.
Cobalt Strike was created in 2012 as a legal penetration testing software that includes a beacon implant that lives on victim machines – allowing attackers to execute commands, transfer files, and move laterally, among other actions – and a C2 Team Server that controls several victims running the beacons. It has been and continues to be used by several APT groups and many cybercriminals worldwide, partly because it allows them to create C2 communications that are very evasive and difficult to detect over protocols such as DNS and HTTP.
The data highlights that Modbus, EtherNet/IP, Step7, DNP3, and IEC10X are the top targeted OT protocols. How do these protocols relate to industrial automation and the power sector, and why are they particularly vulnerable?
Modbus, EtherNet/IP and Step7 are some of the most popular industrial automation protocols, allowing operational technology devices, such as programmable logic controllers or sensors and actuators, to communicate with computer systems, such as engineering workstations or human-machine interfaces, in a wide range of industries from manufacturing production lines to transportation automation. Modbus was created in 1979 by Schneider Electric to establish client-server communication between automation devices, and it continues to be used worldwide by many device vendors. EtherNet/IP is a leading protocol especially in the United States and is extensively used by major vendors such as Rockwell Automation. Step7 is the proprietary protocol used by Siemens S7 PLCs, known to be the most popular line of programmable logic controllers in the world. DNP3, IEC-101, and IEC-104 are protocols used mainly to control substations in the energy industry, allowing operators to monitor the status of substation equipment and take actions such as opening and closing circuit breakers.
These protocols are vulnerable because they were developed with a legacy concept of perimeter security in mind where it was assumed that anybody who had passed the security perimeter (such as a firewall) and had direct network access to devices should be able to issue commands to them. So, there are often no basic security features such as authentication and encryption built into the protocols.
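To make the "no authentication built into the protocol" point concrete, here is an added example in Python (not code from the interview or from Forescout): it encodes and decodes a Modbus/TCP request byte-for-byte, so the reader can see that a frame that switches a coil on or off carries a transaction id, a unit id and the command, and nothing that identifies or authenticates the sender. The second half audits a constructed traffic sample against an allowlist of hosts permitted to write; since the protocol itself cannot answer "is this sender allowed to write?", a network-level allowlist (or the equivalent firewall/monitoring rule) is the only place the question can be asked. The IP addresses and the allowlist are hypothetical.

```python
import struct
from dataclasses import dataclass

# Function codes from the public Modbus Application Protocol specification.
READ_COILS = 0x01
READ_DISCRETE_INPUTS = 0x02
READ_HOLDING_REGISTERS = 0x03
READ_INPUT_REGISTERS = 0x04
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10

READ_CODES = {READ_COILS, READ_DISCRETE_INPUTS, READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS}
WRITE_CODES = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
               WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int   # starting coil/register address
    value: int     # written value (single writes) or quantity (reads, multi-writes)


def build_request(transaction_id: int, unit_id: int, function_code: int,
                  address: int, value: int) -> bytes:
    """Encode a Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    Every field is a plain integer. There is no credential, session token or
    signature anywhere in the frame: whoever can reach TCP/502 can send it."""
    pdu = struct.pack(">BHH", function_code, address, value)
    # MBAP: transaction id, protocol id (always 0), length of unit id + PDU, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def write_single_coil(transaction_id: int, unit_id: int, coil: int, on: bool) -> bytes:
    """Write Single Coil (0x05): 0xFF00 switches the output on, 0x0000 off."""
    return build_request(transaction_id, unit_id, WRITE_SINGLE_COIL,
                         coil, 0xFF00 if on else 0x0000)


def parse_request(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and the 4-byte body shared by function codes
    0x01-0x06, 0x0F and 0x10 (the multi-write codes carry further payload
    after those 4 bytes, which this auditing parser does not need)."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header plus a 5-byte PDU")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("not Modbus (protocol id must be 0)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code = frame[7]
    if function_code not in READ_CODES | WRITE_CODES:
        raise ValueError(f"unsupported function code 0x{function_code:02x}")
    address, value = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(transaction_id, unit_id, function_code, address, value)


def audit_writes(observed, authorized_writers):
    """Return (src_ip, function_code, address) for every write command sent
    by a host that is not on the allowlist of engineering workstations/HMIs."""
    alerts = []
    for src_ip, frame in observed:
        req = parse_request(frame)
        if req.function_code in WRITE_CODES and src_ip not in authorized_writers:
            alerts.append((src_ip, req.function_code, req.address))
    return alerts


# Constructed sample traffic (hypothetical addresses, not a real capture):
# the HMI at 10.0.0.5 toggles a coil and reads registers; an unknown host
# at 10.0.0.99 reads, then sends the same kind of coil write.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", write_single_coil(1, 1, 0x0013, True)),
    ("10.0.0.5", build_request(2, 1, READ_HOLDING_REGISTERS, 0x0000, 10)),
    ("10.0.0.99", build_request(3, 1, READ_HOLDING_REGISTERS, 0x0000, 10)),
    ("10.0.0.99", write_single_coil(4, 1, 0x0013, False)),
]

if __name__ == "__main__":
    print("coil write on the wire:", write_single_coil(1, 1, 0x0013, True).hex())
    for alert in audit_writes(SAMPLE_TRAFFIC, authorized_writers={"10.0.0.5"}):
        print("unauthorized write:", alert)
```

Two things are worth noting from running it: the coil write from the unknown host is indistinguishable at the protocol level from the HMI's (only the source address differs), and a read-only host that suddenly starts writing is exactly the kind of behavioural change a passive OT monitor should alarm on, since the PLC itself will happily execute the command.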
With most Cobalt Strike servers in the United States, what implications does this have on the global threat landscape?
40% of the command and control (C2) servers we observed are located in the United States. This is partly because the US is the country with the most hosting providers, which can be abused by attackers, as well as the most legitimate devices in homes and businesses, which can be compromised to host malicious infrastructure. Since most attacks also target US companies, a foreign actor hiding a C2 server in the country also serves to make it harder to identify the true origin of an attack.
This suggests that, not only are assets in the United States an attractive target, they are also an effective beachhead for launching additional attacks. Just because an organization hasn’t suffered a data breach does not mean they have not been compromised. While malware samples and families may keep evolving day by day to find ways to exploit these devices, the basic nature of malware remains unchanged. It will be much more productive for defenders to detect and hunt for TTPs and anomalous behavior than to rely solely on file hashes and C2 IPs, which change constantly.
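The advice above to hunt for behaviour rather than constantly changing hashes and C2 IPs, together with the earlier description of Cobalt Strike beacons checking in over HTTP or DNS, can be illustrated with an added example (not from the interview or from Forescout's tooling): a small beaconing detector in Python that scores each source/destination pair by how regular its connection cadence is, using the median gap between connections as the candidate sleep interval and the median absolute deviation of the gaps as the jitter. The log lines are constructed, and the thresholds (at least 8 connections, jitter no more than 10% of the interval) are assumed starting points rather than values taken from the report.

```python
from collections import defaultdict
from statistics import median


def beacon_candidates(connections, min_connections=8, max_jitter_ratio=0.1):
    """Score (src, dst, port) pairs by regularity of their connection timing.

    connections: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port).
    A pair is 'beacon_like' when it has enough connections and the median
    absolute deviation of the inter-connection gaps is small relative to the
    median gap, i.e. the timing looks machine-driven rather than human."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in connections:
        by_pair[(src, dst, port)].append(ts)

    results = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        interval = median(gaps)
        if interval <= 0:
            continue
        jitter = median([abs(g - interval) for g in gaps])
        ratio = jitter / interval
        results[pair] = {
            "connections": len(times),
            "median_interval": interval,
            "jitter_ratio": ratio,
            "beacon_like": ratio <= max_jitter_ratio,
        }
    return results


def _constructed_log():
    """Constructed sample, not real telemetry: 10.0.0.23 checks in with
    203.0.113.7 roughly every 60 s with a few seconds of jitter, while
    10.0.0.41 contacts 198.51.100.9 at irregular, human-looking times."""
    offsets = [0, 1, -1, 2, 0, -2, 1, 0, -1, 2, 1, 0]
    beacon = [(1000 + 60 * i + o, "10.0.0.23", "203.0.113.7", 443)
              for i, o in enumerate(offsets)]
    browsing = [(t, "10.0.0.41", "198.51.100.9", 443)
                for t in (1000, 1005, 1200, 1203, 1900, 2500, 2504, 3000)]
    return beacon + browsing


SAMPLE_CONNECTIONS = _constructed_log()

if __name__ == "__main__":
    for pair, score in beacon_candidates(SAMPLE_CONNECTIONS).items():
        print(pair, score)
```

Nothing in the detector depends on the destination address, so it keeps working when the operator rotates C2 servers, which is the point of the TTP-over-IOC argument. The flip side is that the beacon's sleep and jitter settings are under the attacker's control, so the jitter threshold is a tuning knob: too tight and a beacon configured with wide jitter slips through, too loose and scheduled legitimate traffic (update checks, monitoring agents) floods the queue, so results are best triaged against an allowlist of known periodic services.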
Web applications and remote management protocols were the most attacked service types. Can you elaborate on the specific vulnerabilities or characteristics that make these targets attractive to threat actors?
Web application attacks increased from 26% in 2022 to 28% in 2023, becoming the most attacked service type. Most attacks against these services were either scanning or vulnerability exploitation attempts.
Web application and remote management protocols tend to be attractive to threat actors because they allow for initial access into an organization and can act as gateways to other network devices, valuable business assets and customer data, allowing threat actors to deploy malware, launch attacks, or extract sensitive information.