
Cortex XDR Dump Service Tool Reveals New Ransomware

Palo Alto Networks has confirmed that threat actors abused DLL side-loading in its Cortex XDR Dump Service Tool (cy.exe), a signed component of the Cortex XDR agent, to deploy Rorschach, a ransomware strain with one of the fastest encryption speeds yet observed.

The Cortex XDR incident handling playbook described here retrieves and updates the XDR incident, enriches the alerts that make up the incident, runs a sub-playbook for each alert type it enriched, and updates the incident severity based on the results.

Detecting Malware

Discovering and investigating malware attacks requires security teams to pull data from multiple sources, which means analysts switch between consoles frequently and repeat manual tasks. The Cortex XDR Investigation and Response content pack automates this workflow for faster response against sophisticated attacks.

As soon as a new XDR incident is ingested, the playbook retrieves device control violation reports to identify the affected endpoints and notify analysts. It then runs a lightweight incident handling playbook that applies set rules for enrichment, investigation and indicator hunting, and finally assesses severity from the evidence collected during the investigation.

If the incident is determined to be a false positive, its alerts are suppressed and the investigation is closed. If it is malicious, the response steps run: the affected endpoints are isolated, the associated connections are blocked, and Cortex XSOAR is searched for similar incidents linked to the current one so the analyst can decide whether to close it as a duplicate or keep investigating.

The Rorschach ransomware variant is an example of this type of threat. Described as “one of the fastest observed ransomware by encryption speed,” it was deployed via DLL side-loading: the attackers ran Palo Alto Networks' Cortex XDR Dump Service Tool, a signed component of a commercial security product, so that it would load a malicious DLL that provides persistence and evasion.

Rorschach stands out from other ransomware on several technical counts: it spreads on its own, it clears event logs on the hosts it hits, and it uses direct syscalls, something rarely seen in ransomware.

Check Point Research and the Check Point Incident Response Team discovered the variant and notified Palo Alto Networks of the DLL side-loading weakness used in the attack. Palo Alto Networks confirmed that Cortex XDR Agent versions 7.7 and later with content update 240 detect and block this ransomware; older versions lack the Behavioral Threat Protection logic required to detect it.
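The side-loading pattern described above can be hunted in image-load telemetry: a signed, trusted executable loads a DLL from its own directory, and that DLL is not signed by the same publisher. The following is an added example, not code from Cortex XDR, Check Point or this page; the event fields, the signer strings, the sample events and the DLL name sideload.dll are all constructed for illustration.

```python
"""Hunt for DLL side-loading in image-load telemetry (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories from which a signed binary legitimately resolves system DLLs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Where a vendor's signed binaries are expected to live; anything else is a weak extra signal.
EXPECTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


@dataclass(frozen=True)
class ImageLoad:
    process_path: str     # full path of the loading process (the host EXE)
    process_signer: str   # Authenticode signer of that EXE; "" if unsigned
    dll_path: str         # full path of the module being loaded
    dll_signer: str       # Authenticode signer of the DLL; "" if unsigned


def side_load_reason(ev: ImageLoad) -> Optional[str]:
    """Return why this load looks like side-loading, or None if it looks benign.

    The pattern: a signed EXE loads a DLL by name, the loader resolves it from
    the EXE's own directory first, and the DLL found there is not from the same
    publisher. System DLLs resolved from System32/SysWOW64 are ignored.
    """
    exe_dir = str(PureWindowsPath(ev.process_path).parent).lower()
    dll_dir = str(PureWindowsPath(ev.dll_path).parent).lower()
    if dll_dir in SYSTEM_DIRS:
        return None
    if not ev.process_signer:
        return None            # no borrowed trust to abuse; other rules cover unsigned EXEs
    if dll_dir != exe_dir:
        return None            # not resolved from the application directory
    if ev.dll_signer == ev.process_signer:
        return None            # vendor's own DLL beside its own EXE
    why = "unsigned DLL" if not ev.dll_signer else f"DLL signed by '{ev.dll_signer}'"
    why += f" loaded by '{ev.process_signer}' binary from its own directory"
    if not exe_dir.startswith(EXPECTED_ROOTS):
        why += "; EXE runs outside an expected install root"
    return why


def hunt(events: List[ImageLoad]) -> List[Tuple[str, str]]:
    """Return (dll_path, reason) for every suspicious load."""
    out = []
    for ev in events:
        reason = side_load_reason(ev)
        if reason:
            out.append((ev.dll_path, reason))
    return out


# Constructed sample telemetry, not real data. 'sideload.dll' is a hypothetical name.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\Public\cy.exe", "Palo Alto Networks",
              r"C:\Users\Public\sideload.dll", ""),
    ImageLoad(r"C:\Users\Public\cy.exe", "Palo Alto Networks",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", "Vendor",
              r"C:\Program Files\Vendor\helper.dll", "Vendor"),
    ImageLoad(r"C:\Temp\tool.exe", "", r"C:\Temp\plugin.dll", ""),
]

if __name__ == "__main__":
    for path, why in hunt(SAMPLE_EVENTS):
        print(path, "->", why)
```

Only the first event is flagged: a signed tool running from a user-writable directory and loading an unsigned DLL beside itself. The vendor's own DLL next to its own EXE, and the system DLL from System32, pass; the unsigned EXE is left to other rules because it lends no trust to abuse.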

Detecting Port Scanners

Detecting port scanners is an integral step in protecting a network against attackers who aim to escalate privileges, reach more systems on the network, steal data or vandalize systems and data. Cortex XDR's detection engine is updated continuously to keep pace with new attack techniques, including those used in espionage campaigns against government bodies and civilians.

Exploration phase: threat actors use scanning tools to gather information about your network. They may be looking for open ports, the services listening on them, exploitable vulnerabilities or other attack vectors. Cortex XDR's multiple protection layers stop these activities, with alerts raised at each stage of the attack chain; the layers include static analysis (blocking files by reputation or matching static signatures) and Behavioral Threat Protection, which observes activity at runtime.

The Cortex XDR Malware Prevention module protects against attacks that abuse operating-system functionality through policies that block specific request types, such as the ICMP echo, timestamp and address mask requests used for host discovery. Anti-Webshell Protection likewise keeps threat actors from dropping web shells and executing commands through them on target hosts.

Cortex XDR's BTP engine analyzes packet contents to decide whether an incoming connection to a vulnerable port is a scan or an exploit attempt. It uses ICMP responses as indicators of whether a port is open, closed, filtered by a firewall or inactive, and it checks the TCP header flags for NULL, FIN or Xmas scan probes.
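The two checks described above, recognising NULL/FIN/Xmas probes from TCP flags and spotting a source that sweeps many ports, are simple enough to run over connection logs. The following is an added example, not Cortex XDR code; it assumes a constructed log format of `<epoch-seconds> <src-ip> <dst-ip> <dst-port> <tcp-flags>` where the flags field is a string of S/A/F/P/U/R characters or "-" when no flag is set, and the sample lines are constructed.

```python
"""Port-scan detection over constructed connection-log lines (added example)."""
import re
from collections import defaultdict
from typing import List, Optional, Tuple

# Assumed log format: "<epoch-seconds> <src-ip> <dst-ip> <dst-port> <tcp-flags>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+(?P<flags>[SAFPUR]+|-)$"
)


def classify_flags(flags: str) -> Optional[str]:
    """Map a TCP flag set to the stealth-scan type it indicates, if any.

    A legitimate connection attempt starts with SYN. Probes carrying no flags,
    only FIN, or FIN+PSH+URG are the classic NULL, FIN and Xmas scans: on an
    RFC 793 stack a closed port answers them with RST and an open port stays silent.
    """
    flagset = set() if flags == "-" else set(flags)
    if not flagset:
        return "NULL"
    if flagset == {"F"}:
        return "FIN"
    if flagset == {"F", "P", "U"}:
        return "Xmas"
    return None


def detect_scans(lines: List[str], window: int = 60,
                 port_threshold: int = 10) -> List[Tuple[str, str, str]]:
    """Return findings as (src, kind, detail).

    Two detections: per-packet stealth-scan flag patterns, and a port sweep,
    i.e. one source touching >= port_threshold distinct ports within `window` seconds.
    """
    findings = []
    probes = defaultdict(list)          # src -> [(ts, dport), ...]
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                    # skip lines that don't fit the assumed format
        src, dport, flags = m["src"], int(m["dport"]), m["flags"]
        kind = classify_flags(flags)
        if kind:
            findings.append((src, f"{kind} scan", f"dst port {dport} flags {flags}"))
        probes[src].append((int(m["ts"]), dport))
    for src, hits in probes.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= port_threshold:
                findings.append((src, "port sweep",
                                 f"{len(ports)} distinct ports within {window}s"))
                break                   # one sweep finding per source is enough
    return findings


# Constructed sample log: a 12-port SYN sweep, one Xmas probe, one NULL probe,
# and two ordinary SYNs from a host that should not be flagged.
SAMPLE_LOG = [f"{1000 + i} 10.0.0.5 10.0.0.20 {20 + i} S" for i in range(12)] + [
    "1100 10.0.0.7 10.0.0.20 443 FPU",
    "1101 10.0.0.8 10.0.0.20 22 -",
    "1102 10.0.0.9 10.0.0.20 80 S",
    "1103 10.0.0.9 10.0.0.20 443 S",
]

if __name__ == "__main__":
    for src, kind, detail in detect_scans(SAMPLE_LOG):
        print(src, kind, detail)
```

The flag classifier is per packet and fires on a single probe; the sweep detector needs the whole window, so a slow scan spread beyond the window will need a longer window or a lower threshold, which is the usual tuning trade-off against noisy but benign hosts.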

Cortex XDR also prevents attempts to dump LSASS memory through Windows NtCreateProcessEx: it inspects the call's parameters and detects when a handle to LSASS is passed as the parent process, the step that creates a clone of LSASS whose memory can then be dumped. Once identified, Cortex XDR intercepts and stops the process, so the credentials held in LSASS are not written out.

Detecting Cloud Cryptomining

Cortex XDR's machine learning draws on endpoint, network and public cloud data to detect cryptomining on cloud compute resources in your environment, alongside threats such as targeted attacks, insider abuse and compromised endpoints that need remediation, so that compromised cloud workloads and endpoints can be remediated quickly.

The Cloud Cryptomining playbook automatically investigates and responds to Cortex XDR alerts that carry indicators of cryptocurrency mining on cloud compute resources.

If an XDR alert is named “Unusual heavy allocation of compute resources – potential mining activity” and its severity is medium or higher, the playbook runs and searches Cortex XSOAR for similar incidents so that duplicates can be closed.

Once the alert has been investigated, the associated XDR incident is updated with the findings, and an alert summary presented to the analyst provides further detail such as the number of hosts and users involved and the total cloud compute resources consumed.

The XDR Alert Summary widget gives an overview of an incident, with filtering by severity, sorting by severity, name or date, export to Excel for further review, and links to the associated XDR incidents.

Cortex XDR stands out from signature-based endpoint security products by blocking malicious files and behaviors at the earliest stage of an attack, before they can do damage on the endpoint. Integrating events and logs from PAN-OS next-generation firewalls, Prisma Access, GlobalProtect and Prisma Cloud, as well as third-party sources such as identity providers, syslog servers, DHCP servers and NetFlow, lets SOC analysts focus on the investigations that matter instead of being buried in alerts.

Detecting Other Malware

Check Point researchers report that Rorschach is one of the fastest ransomware strains they have observed. It encrypts files quickly using a hybrid scheme that combines curve25519 with the eSTREAM cipher HC-128, together with efficient thread scheduling. The attackers also used DLL side-loading that abuses a component of Palo Alto Networks' Cortex XDR security solution to run the ransomware.

Cortex XDR defends against this strain with several layers: static analysis (blocking files by reputation), signature scanning, multiple machine-learning modules and heuristic signatures. In addition, Behavioral Threat Protection analyzes file behavior at runtime to identify suspicious files and block malicious activity in real time.

The Cortex XDR Alerts Handling playbook loops through the incident's alerts and identifies each one's category: Malware, Port Scan or Cloud Cryptomining. A malware alert triggers the Malware Investigation sub-playbook; a port scan or cloud cryptomining alert triggers the Port Scan – Adjusted or Cloud Cryptomining sub-playbook respectively. Any other alert is handled by the main playbook, which hunts across the organization for the malware associated with the alerts.
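The alert-routing loop just described, together with the cryptomining gate from the Cloud Cryptomining section (alert name match plus severity of medium or higher, then a search for duplicate incidents) and the severity update from the opening paragraph, can be expressed as one triage function. This is an added example, not an XSOAR playbook or Cortex XDR code: the Alert and Incident shapes, the category strings, the duplicate rule (same normalised alert name on the same host in another open incident) and the sample incidents are assumptions made for illustration; the sub-playbook names are those quoted on this page.

```python
"""Alert triage modelled on the alerts-handling flow described above (added example)."""
from dataclasses import dataclass
from typing import Dict, List

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Alert name quoted on the page; compared after dash/whitespace/case normalisation.
MINING_ALERT = "unusual heavy allocation of compute resources - potential mining activity"


@dataclass
class Alert:
    name: str
    category: str      # assumed values: "Malware", "Port Scan", "Cloud Cryptomining", other
    severity: str      # "low" | "medium" | "high" | "critical"
    host: str


@dataclass
class Incident:
    id: str
    alerts: List[Alert]
    status: str = "open"


def _norm(name: str) -> str:
    """Normalise an alert name so an en dash or extra spacing does not defeat the match."""
    return " ".join(name.replace("\u2013", "-").lower().split())


def route(alert: Alert) -> str:
    """Pick the sub-playbook for one alert, as the alerts-handling loop does."""
    if alert.category == "Malware":
        return "Malware Investigation"
    if alert.category == "Port Scan":
        return "Port Scan - Adjusted"
    if alert.category == "Cloud Cryptomining":
        severe_enough = SEVERITY_RANK.get(alert.severity.lower(), 0) >= SEVERITY_RANK["medium"]
        if _norm(alert.name) == MINING_ALERT and severe_enough:
            return "Cloud Cryptomining"
    return "Hunt"      # fall through to the main playbook's indicator hunting


def find_duplicates(incident: Incident, existing: List[Incident]) -> List[str]:
    """IDs of other open incidents sharing an alert name on the same host (assumed rule)."""
    keys = {(_norm(a.name), a.host) for a in incident.alerts}
    dupes = []
    for other in existing:
        if other.id == incident.id or other.status != "open":
            continue
        if keys & {(_norm(a.name), a.host) for a in other.alerts}:
            dupes.append(other.id)
    return dupes


def incident_severity(incident: Incident) -> str:
    """Incident severity follows its most severe alert."""
    worst = max(incident.alerts, key=lambda a: SEVERITY_RANK.get(a.severity.lower(), 0))
    return worst.severity


def triage(incident: Incident, existing: List[Incident]) -> Dict[str, object]:
    plan = [(a.name, route(a)) for a in incident.alerts]
    return {
        "plan": plan,
        "severity": incident_severity(incident),
        "duplicates": find_duplicates(incident, existing),
    }


# Constructed sample data, not real incidents.
MINING_NAME = "Unusual heavy allocation of compute resources – potential mining activity"
NEW_INCIDENT = Incident("INC-2", [
    Alert("Suspicious executable", "Malware", "high", "host-a"),
    Alert(MINING_NAME, "Cloud Cryptomining", "medium", "vm-7"),
    Alert(MINING_NAME, "Cloud Cryptomining", "low", "vm-9"),   # below the medium gate
    Alert("Unusual port activity", "Other", "low", "host-a"),
])
EXISTING_INCIDENTS = [
    Incident("INC-1", [Alert(MINING_NAME, "Cloud Cryptomining", "high", "vm-7")]),
    Incident("INC-0", [Alert(MINING_NAME, "Cloud Cryptomining", "high", "vm-7")], status="closed"),
]

if __name__ == "__main__":
    print(triage(NEW_INCIDENT, EXISTING_INCIDENTS))
```

For the sample incident the malware alert goes to Malware Investigation, the medium mining alert to Cloud Cryptomining, the low mining alert and the uncategorised alert fall through to hunting, the incident severity becomes high, and INC-1 surfaces as a duplicate candidate while the closed INC-0 does not.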

When an XDR incident is identified, the Query XDR Endpoint Device Control Violations playbook queries device control violations on the endpoint in question before action is taken. It accepts the hostname, IP address or endpoint ID of the endpoint and returns the violations related to it.

Palo Alto Networks has verified that Cortex XDR agents running content update CU-240, released over two years ago, detect and prevent this DLL side-loading technique, and that the agent version due the following week adds further detections for this type of attack. The DLL side-loading issue therefore does not constitute a product vulnerability for customers; see the Palo Alto Networks security advisory for further information.
