
How to Mitigate Anchor DNS Threat

A new tool called Anchor_DNS is being used to execute ransomware attacks targeted at the healthcare and public health sectors. Here are specific technical steps you can take to keep your organization safe.

October 30, 2020

Malicious cyber actors are utilizing a new tool called Anchor_DNS to execute ransomware attacks targeted at the healthcare and public health sectors. 

The threat is severe enough that the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the U.S. Department of Health and Human Services (HHS) issued a joint cybersecurity advisory in late October describing it as a backdoor for bad actors that can lead to ransomware attacks, data theft and the disruption of healthcare services.

Threat actors are already using Anchor_DNS to cause major disruption to U.S. hospitals and health systems. 

Here's what you need to know about Anchor_DNS and specific technical steps you can take to mitigate this malicious new threat. 

What is Anchor_DNS?

Anchor_DNS sends and receives data from infected endpoints using Domain Name System (DNS) tunneling. Because the traffic is carried inside DNS queries and responses, attackers can control infected systems from command and control (C2) servers over DNS alone.

The tool has been observed supporting a full range of post-compromise activity, including the deployment of ransomware such as Ryuk.

Indicators of Compromise (IOCs)

After execution, the malware copies itself as an executable named with eight random characters (example: lmnopqrs.exe) and occasionally generates anchorDiag.txt into one of the following directories:

  • C:\Windows
  • C:\Windows\SysWOW64\
  • C:\Users\<username>\AppData\Roaming\

A scheduled task is used to maintain persistence once an endpoint has been infected and typically uses a common naming convention (example: Task autoupdate#16876). 

The naming convention is made up of a random folder in %APPDATA% and the text autoupdate# followed by five random numbers.

Additionally, this malware uses self-deletion techniques using one of the following command line strings:

  • cmd.exe /c timeout 3 && del C:\Users\<username>\<malware_sample>
  • cmd.exe /C PowerShell \"Start-Sleep 3; Remove-Item C:\Users\<username>\<malware_sample_location>\"

Four domains are associated with Anchor_DNS:

  1. kostunivo.com
  2. chishir.com
  3. mangoclone.com
  4. onixcellent.com

Historically, the following C2 servers have been used:

  • 23.95.97.59
  • 51.254.25.115
  • 193.183.98.66
  • 91.217.137.37

Mitigation strategies

As noted in the joint cybersecurity advisory, the Ryuk ransomware has been deployed utilizing Anchor_DNS and other tools that operate in similar fashion. 

To mitigate this threat, begin by blocking the malicious domains and IP addresses, notably for DNS traffic at the network and/or host-based firewall level. DNS blocking can also be achieved leveraging capabilities such as Cisco Umbrella or a Palo Alto DNS Security subscription.

Additionally, we recommend searching the enterprise for the IOCs above using any tools available. Ideally the organization should stop the attacker's method as early in the process as possible; in this case, that means starting with the Anchor_DNS tool itself.

Threat hunting for Anchor_DNS using Tanium

If you have Tanium Threat Response, here is what you should do to mitigate the threat as quickly as possible. 

After putting network or host-based DNS blocks in place, the organization can start looking for signs of a compromise using the IOCs mentioned previously. Begin by searching for some of the files mentioned. Unfortunately, the executable name is randomized, which prevents a simple search for all artifacts. However, anchorDiag.txt may yield some IOC results. In Tanium Interact, the following question can be asked:

  • Get Index Query File Exists[0,*,anchorDiag.txt,*,*,*,*,*] from all machines

The existence of this file implies that the Anchor toolset has run on the returned system and should warrant further investigation.

Next, focus on scheduled tasks. Scheduled tasks were mentioned as the means of establishing persistence on the victim's computer. The scheduled tasks are contained in a random folder under %APPDATA% and are named 'autoupdate#' followed by five random digits.

The organization can use the ‘Scheduled Tasks’ sensor leveraging the following regular expression to find matching tasks: 

  • Get Computer Name and IP Address from all machines with Scheduled Tasks matches "^.*autoupdate#\d{5}.*$"

The resulting systems will have scheduled tasks matching the pattern from the advisory and should be investigated further.

Finally, focus on the self-deletion technique noted in the bulletin. The organization can create a Tanium Threat Response Signal for it. The command line uses a very generic deletion structure; however, it is unlikely that this exact structure is widely used in applications and/or administrative scripts.

The Tanium Threat Response module can be leveraged to locate execution of self-deletion commands. In the Threat Response Intel screen, add a new Signal and use a name that makes sense for your environment, for example AA20-302A – Anchor_DNS – Self-Deletion.

Paste the text shown below into the text editor and press Submit:

  • process.command_line contains 'cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:\\Users\\' or process.command_line contains 'cmd.exe /c timeout 3 && del C:\\Users\\'

A second Signal can be created, AA20-302A – Anchor_DNS – C2 DNS and Connections, using the following text block: 

  • network.address is '91.217.137.37' OR network.address is '51.254.25.115' OR network.address is '23.95.97.59' OR network.address is '87.98.175.85' OR network.address is '193.183.98.66' OR network.dns_query contains 'kostunivo.com' OR network.dns_query contains 'chishir.com' OR network.dns_query contains 'mangoclone.com' OR network.dns_query contains 'onixcellent.com'

After the intel is created, the organization can run a quick scan from the intel page to collect any results. Any results should be investigated, but keep in mind it is possible for applications and/or administrative scripts to use some of these techniques (tuning may be required for best results).

When the quick scans come back satisfactory, these signals can be added into your regular Threat Response profiles for continuous monitoring for these indicators.
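As an added example (not part of the advisory or of WWT's Tanium content), the three hunting rules above, the autoupdate# task regex, the two self-deletion command lines and the C2 domains/IPs, expressed as a small Python checker run over constructed telemetry records, so the matching logic can be tested offline before it is encoded as Tanium Signals. The event field names (task_name, command_line, dst_ip, dns_query) are assumptions; the sample events are constructed, not real data.

```python
import re

# Indicators as listed in the advisory summary above.
C2_IPS = {"23.95.97.59", "51.254.25.115", "193.183.98.66", "91.217.137.37", "87.98.175.85"}
C2_DOMAINS = ("kostunivo.com", "chishir.com", "mangoclone.com", "onixcellent.com")

# Same regular expression used with the Tanium 'Scheduled Tasks' sensor.
TASK_RE = re.compile(r"^.*autoupdate#\d{5}.*$")

# The two self-deletion command-line prefixes from the Signal text, case-insensitive
# because the advisory shows both '/c' and '/C'.
SELF_DELETE_RE = re.compile(
    r'cmd\.exe /c (?:timeout 3 && del C:\\Users\\|PowerShell "Start-Sleep 3; Remove-Item C:\\Users\\)',
    re.IGNORECASE,
)


def classify(event):
    """Return the names of the hunting rules that fire for one telemetry event (assumed schema)."""
    hits = []
    if TASK_RE.match(event.get("task_name", "")):
        hits.append("anchor_scheduled_task")
    if SELF_DELETE_RE.search(event.get("command_line", "")):
        hits.append("anchor_self_deletion")
    if event.get("dst_ip") in C2_IPS:
        hits.append("anchor_c2_ip")
    # Normalise the query (lower-case, strip trailing dot) and match the domain or any subdomain.
    query = event.get("dns_query", "").lower().rstrip(".")
    if any(query == d or query.endswith("." + d) for d in C2_DOMAINS):
        hits.append("anchor_c2_dns")
    return hits


# Constructed sample telemetry: one event per rule plus benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"host": "ws01", "task_name": "\\a9f3k2\\autoupdate#16876"},
    {"host": "ws02", "command_line": "cmd.exe /c timeout 3 && del C:\\Users\\bob\\lmnopqrs.exe"},
    {"host": "ws03", "command_line": 'cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:\\Users\\bob\\x.exe"'},
    {"host": "ws04", "dns_query": "api.kostunivo.com."},
    {"host": "ws05", "dst_ip": "91.217.137.37"},
    {"host": "ws06", "task_name": "\\Microsoft\\Windows\\autoupdate#1234"},  # four digits: benign
    {"host": "ws07", "command_line": "cmd.exe /c del C:\\Temp\\old.log"},     # plain delete, no sleep prefix
    {"host": "ws08", "dns_query": "updates.example.com"},
]


def hunt(events):
    """Map host -> list of rules for every event that triggered at least one rule."""
    results = {}
    for event in events:
        rules = classify(event)
        if rules:
            results[event["host"]] = rules
    return results


if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```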

Continued defense and path forward

Please take the time to read and interpret the joint cybersecurity advisory. Our intent is to help expedite threat hunting. 

Also, remember regular best practices activities such as patching, backups, restoration testing, removing end user local admin, monitoring, training and user awareness are highly recommended as proactive protection measures.

To formulate a more comprehensive defense, organizations should leverage a framework such as the MITRE ATT&CK framework to monitor suspicious techniques and activities.

Leveraging these frameworks can be difficult and oftentimes overwhelms analysts with alerts. WWT has developed a 10-day Tanium Threat Response QuickStart to enable security teams to get an expedited start on alert tuning with Threat Response.

Additionally, we have a 30-day Tanium Threat Response consulting service which expands on out-of-the-box functionality and starts to build out custom signals for detecting techniques in the MITRE ATT&CK framework.

Our cybersecurity experts are ready to assist. Please contact us to set up a meeting to discuss steps you can take to combat Anchor_DNS and related ransomware activity. 
