FortiDeceptor
FortiDeceptor provides Deception-based Breach Protection to deceive, expose and eliminate external and internal threats.
mbensimon
Staff
Article Id 225446
Description

This article describes how to use FortiDeceptor Deception Decoys and Lures to detect activity related to the Microsoft Exchange vulnerabilities CVE-2021-34473 (SSRF) and CVE-2022-41082 (RCE), which allow remote code execution against Microsoft Exchange servers.


For more information on the vulnerabilities being exploited, see the FortiGuard Lab Threat Signal Report:
https://fortiguard.fortinet.com/outbreak-alert/msexchange-autodiscover-rce

 

Cyber Deception Against CVE-2021-34473-SSRF and CVE-2022-41082:

Exploitation of CVE-2021-34473 (SSRF) and CVE-2022-41082 (RCE) against the Microsoft Exchange server ends with the attacker running a web shell backdoor, which is then used to move further inside the network.

The RCE exploits let the attacker write web shells and carry out malicious activity from them, such as injecting malicious DLLs into memory, dropping suspicious files on the compromised servers, and executing those files through WMIC.

Deploying Deception Decoys in the network, focused on the DMZ and data center segments ('crown jewels'), together with Deception Lures across servers and endpoints, exposes the attack already in the reconnaissance phase:

1) The threat actor exploits the RCE vulnerabilities and runs a web shell on the Exchange server to collect intelligence about the server and the surrounding network in preparation for lateral movement.

2) That intelligence gathering (credential dumping, file access, passive or active network scanning) returns a mix of real and fake network information.

3) The fake information includes fake cached credentials, fake files, fake network drives, fake network connections, and more.

4) Any use of the fake data against the network exposes the threat actor and triggers a real-time alert, which can automate a threat mitigation response to block or isolate the attacker.

Scope

FortiDeceptor v3.x / v4.x, Deception Decoys and Lures, full network deployment.

Solution

Cyber Deception Against CVE-2021-34473 and CVE-2022-41082:

1) Deploy server Decoys across the DMZ (Exchange segment), the data center ('crown jewels') segments (Exchange backend), and the endpoint network segments.

Use Decoys such as Windows and Linux endpoints/servers, DB servers, web servers, ERP, POS, and GIT.

2) Optionally, build custom Decoys from a gold image so that they are identical to the production environment, and join them to the domain.

3) FortiDeceptor generates a set of Deception Lures based on the Decoy deployment; the Lures can be customized to match the environment.

4) Verify that FortiDeceptor generates a Deception Lure package with the following Lures: RDP, SMB (fake user and fake network drive), Cached Credentials, Fake Network Connection, and SSH.

 

5) FortiDeceptor enforces the use of one or more real domain users for the Cached Credentials Lure, because a threat actor will validate the user identity against Active Directory before using it for lateral movement.

Create that user with logon restrictions so the account cannot be used to log on to production systems. See this link for help:

https://ravingroo.com/267/active-directory-user-workstation-logon-restriction/

6) Download the Deception Lure package from the Decoy configuration section.

7) Deploy the Deception Lure package across the servers and endpoints using an Active Directory logon script. Keep in mind that the Deception Lure package is an 'agent-less' technology (see the FortiDeceptor Admin Guide).

8) To verify the Deception Lure package deployment, run 'net use' on any domain-joined endpoint; the fake network drive mapping should be in place.

It is also possible to open Windows Credential Manager and verify that the fake saved passwords exist.

 

9) FortiDeceptor detects the threat actor as soon as the fake data is used against the network for lateral movement.

Some of the Deception components detect the attacker already during the intelligence-gathering phase, for example when a fake network drive share is accessed from the web shell.

10) FortiDeceptor leverages the Fortinet Security Fabric to execute a threat mitigation response that isolates the threat actor.
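The following is an added PowerShell example, not code from this article or from the FortiDeceptor product, covering step 5 (creating the real, logon-restricted domain user behind the Cached Credentials Lure) and step 8 (verifying the Lure package on an endpoint). The decoy host name FS-DECOY01, the user svc-backup-ro, the drive letter S: and the share name are hypothetical placeholders; replace them with the values your Lure package actually uses. The AD function needs the RSAT ActiveDirectory module on a domain-joined admin host; the verification function runs on any endpoint.

```powershell
# Added example, not code from the article or from FortiDeceptor.
# Hypothetical names: decoy SMB server FS-DECOY01, lure user svc-backup-ro,
# lure drive letter S: mapped to \\FS-DECOY01\Backups.

# --- Step 5: run on a domain-joined admin host with the RSAT ActiveDirectory module -------
function New-DecoyDomainUser {
    param(
        [Parameter(Mandatory)][string]       $SamAccountName,
        [Parameter(Mandatory)][securestring] $Password,
        # NetBIOS names of the decoys only: the 'Log On To' restriction (userWorkstations)
        # keeps the account from being usable for logon on any production host.
        [Parameter(Mandatory)][string[]]     $AllowedWorkstations
    )
    Import-Module ActiveDirectory

    # The account must really exist: attackers validate harvested credentials against AD
    # before trying them. The description is bait and must not hint that it is a decoy.
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
               -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
               -LogonWorkstations ($AllowedWorkstations -join ',') `
               -Description 'Backup service account (read-only)'

    # Return the object so the caller can confirm the restriction was written.
    Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations
}

# --- Step 8: run on any endpoint after the logon script has applied the Lure package ------
function Test-LureDeployment {
    param(
        [string] $DriveLetter = 'S:',
        [string] $DecoyHost   = 'FS-DECOY01',
        [string] $DecoyUser   = 'svc-backup-ro',
        # Optional: pass captured tool output instead of running the tools (offline check).
        [string] $NetUseOutput,
        [string] $CmdkeyOutput
    )
    if (-not $NetUseOutput) { $NetUseOutput = (net use 2>&1 | Out-String) }
    # 'net use' does not list Credential Manager entries; 'cmdkey /list' does.
    if (-not $CmdkeyOutput) { $CmdkeyOutput = (cmdkey /list 2>&1 | Out-String) }

    # The fake network drive should be mapped to the decoy host under the lure drive letter.
    $driveMapped = (
        ($NetUseOutput -match [regex]::Escape($DriveLetter)) -and
        ($NetUseOutput -match [regex]::Escape("\\$DecoyHost\"))
    )
    # The fake saved password should reference the decoy host or the lure user.
    $credStored = (
        ($CmdkeyOutput -match [regex]::Escape($DecoyHost)) -or
        ($CmdkeyOutput -match [regex]::Escape($DecoyUser))
    )

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        DriveMapped      = $driveMapped
        CredentialStored = $credStored
        LureDeployed     = ($driveMapped -and $credStored)
    }
}

# Usage (hypothetical values):
#   New-DecoyDomainUser -SamAccountName 'svc-backup-ro' -AllowedWorkstations 'FS-DECOY01' `
#       -Password (Read-Host -AsSecureString 'Decoy user password')
#   Test-LureDeployment      # on an endpoint; DriveMapped, CredentialStored and LureDeployed should all be True
```

The logon restriction limits where the decoy account can be used; the connection attempt to the decoy is what raises the alert, so the account does not need to work anywhere real. Run Test-LureDeployment under the same user context the logon script ran in, since mapped drives and Credential Manager entries are per user.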

 

FortiDeceptor is Part of the Fortinet Security Fabric:

FortiDeceptor is natively integrated with FortiGate, FortiEDR, FortiNAC, FortiSIEM, FortiAnalyzer, and other Fabric solutions to automate the mitigation response based on attack detection.

 

For example, the video below shows FortiDeceptor leveraging FortiNAC to automatically isolate an infected machine that has been targeted by ransomware:

https://www.youtube.com/watch?v=SfiEL7-F5Mo&t=154s
