Nsocks Botnet Activity

Subject: Nsocks Botnet Activity

Tactics: TA0011 Command and Control, TA0001 Initial Access

Technique: T1071 Application Layer Protocol, T1190 Exploit Public-Facing Application

Procedure:

The Nsocks botnet leverages vulnerabilities in specific Internet-facing applications, such as VMware Horizon servers with a known critical vulnerability (CVE-2021-21972). Once compromised, the attacker uses a custom protocol over TCP for command and control (C2) communication. This protocol involves various commands to manage the botnet, including downloading and executing files, launching DDoS attacks, and stealing credentials.

Vulnerability: EAV0005 (When adversaries’ malware is detonated, they may be encouraged to operate in an unintended environment); EAV0007 (When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence).

Engagement Opportunity:

  • Exploits Vulnerability: Vulnerable and Misconfigured Application
  • Engagement Opportunity: Deploy honeypots mimicking vulnerable VMware Horizon servers to attract and analyze Nsocks botnet activity. Capture C2 traffic to understand the botnet’s capabilities, infrastructure, and potentially identify the operators.
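As an added example of the engagement opportunity (not code from this card or from the Lumen report), a minimal application-layer decoy in Python: it accepts TCP connections, reads whatever the client sends first, and writes one JSON record per connection with the source address, byte count, a hex preview and a printable-byte ratio, without ever acting on the bytes. The port, sensor name and log path are assumptions; making the decoy convincingly resemble a VMware Horizon server is additional work the card does not describe.

```python
"""Application-layer decoy listener (added example, not from the card or report).

Constructed for illustration: a generic TCP decoy that records who connected
and what they sent first, as JSON lines an analyst can review offline.
Port, sensor name and log path below are assumptions.
"""
import json
import socketserver
import string
from datetime import datetime, timezone

PREVIEW_BYTES = 64                               # how much of the first read to keep
PRINTABLE = set(string.printable.encode("ascii"))
LOG_PATH = "decoy-connections.jsonl"             # assumed sensor log location


def summarize_payload(data: bytes, preview_bytes: int = PREVIEW_BYTES) -> dict:
    """Describe the captured bytes without interpreting them as commands.

    Binary-looking traffic arriving at a service that should only see text is
    how a custom TCP C2 protocol would stand out in the sensor data.
    """
    printable = sum(1 for b in data if b in PRINTABLE)
    ratio = round(printable / len(data), 2) if data else 0.0
    return {
        "bytes": len(data),
        "printable_ratio": ratio,
        "looks_like_text": bool(data) and ratio >= 0.9,
        "hex_preview": data[:preview_bytes].hex(),
    }


def build_record(peer: tuple, data: bytes, sensor: str = "decoy-01") -> dict:
    """One JSON-serialisable record per connection (sensor name is assumed)."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sensor": sensor,
        "src_ip": peer[0],
        "src_port": peer[1],
    }
    record.update(summarize_payload(data))
    return record


class DecoyHandler(socketserver.BaseRequestHandler):
    """Read once, log, close. The decoy never replies, so nothing it receives runs."""

    def handle(self):
        self.request.settimeout(5.0)
        try:
            data = self.request.recv(4096)
        except OSError:          # timeout or reset: the connection is still worth logging
            data = b""
        with open(LOG_PATH, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(build_record(self.client_address, data)) + "\n")


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True   # must be a class attribute to take effect before bind


def serve(host: str = "0.0.0.0", port: int = 8443) -> None:
    """Run the decoy until interrupted (the port is an assumption)."""
    with DecoyServer((host, port), DecoyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Each record is independent of the others, so the log can be shipped to whatever collector the engagement uses; the printable ratio and hex preview are enough to triage whether a connection was a scanner speaking HTTP or something sending an opaque binary protocol worth deeper analysis.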

Threat Actor: Cybercriminals (likely operating as an organized group)

Threat Objective:

Financial gain through DDoS-for-hire services, credential theft, and potentially other malicious activities.

Deception Opportunity:

Create decoy servers with fake credentials and data to lure the botnet into exfiltrating worthless information, wasting their resources and potentially exposing their exfiltration methods and infrastructure.

Sensor Data Placement: Application

Observable Level: Core to Adversary-Brought Tool

Scoring Rationale:

The custom C2 protocol used by Nsocks is unique to this botnet, making it a strong indicator of compromise. However, the protocol itself can be modified by the attackers, thus scoring it as “Core to Adversary-Brought Tool.” Network-level monitoring is required to capture this traffic.

Link to Report: https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/

Link to Report II.:

Additional Comments:

The Nsocks botnet exemplifies the threat posed by unpatched vulnerabilities in public-facing applications. Organizations must prioritize patching and vulnerability management to minimize their exposure to such threats.

Possible elements: Deception-as-a-Service (DaaS) Platform

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Nsocks Botnet Attack Graph

[1]: Initial Access - Exploit Public-Facing Application - Exploit CVE-2021-21972 in VMware Horizon server (Core to Pre-Existing Tool)
[2]: Command and Control - Application Layer Protocol - Communicate with C2 server using custom TCP protocol (Core to Adversary-Brought Tool)
[3]: Execution - Command and Scripting Interpreter - Execute commands received from C2 server (Core to Pre-Existing Tool)

1 --> 2 (Vulnerable and Misconfigured Application)
2 --> 3 (Lack of Network Monitoring)

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# Nsocks Botnet Pseudocode

function Initial_Access_Exploit_Public_Facing_Application(target_server):
    # Exploit CVE-2021-21972 in VMware Horizon server
    # Establish connection to C2 server
    return C2_communication_module

function Command_and_Control_Application_Layer_Protocol(C2_communication_module):
    # Communicate with C2 server using custom TCP protocol
    # Receive commands: download files, launch DDoS attacks, steal credentials
    return command

function Execution_Command_and_Scripting_Interpreter(command):
    # Execute received command using available tools (e.g., PowerShell, cmd)
    return result
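The two notations above, the Malicious Sub-Graph node/edge format and the Pseudocode Standard, are compact enough to check mechanically. The following is an added example, not part of this card or of the Lumen report: a Python parser that reads a graph written exactly as the standard above describes (the embedded sample is the card's own Nsocks graph), verifies that every edge points at a declared node and that the graph is acyclic, recovers the order in which the adversary must traverse the nodes, and derives the `[Tactic]_[Technique]` function name the Pseudocode Standard prescribes for each node. The regular expressions and helper names are this example's own.

```python
"""Parser and consistency checker for the MSG notation (added example).

Assumes the node and edge line formats exactly as the Malicious Sub-Graph
Standard states them; '#' lines are comments.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

NODE_RE = re.compile(r"^\[(\d+)\]:\s*(.*?)\s+-\s+(.*?)\s+-\s+(.*?)\s*\(([^()]+)\)\s*$")
EDGE_RE = re.compile(r"^(\d+)\s*-->\s*(\d+)\s*\(([^()]+)\)\s*$")


@dataclass(frozen=True)
class Node:
    node_id: int
    tactic: str
    technique: str
    procedure: str
    observable_level: str


@dataclass(frozen=True)
class Edge:
    src: int
    dst: int
    vulnerability: str


@dataclass
class Graph:
    nodes: Dict[int, Node]
    edges: List[Edge]


def parse_msg(text: str) -> Graph:
    """Parse MSG text. Lines matching neither format raise, so a malformed
    card is caught when it is written rather than silently dropped."""
    nodes: Dict[int, Node] = {}
    edges: List[Edge] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = NODE_RE.match(line)
        if m:
            nid = int(m.group(1))
            if nid in nodes:
                raise ValueError(f"line {lineno}: duplicate node id {nid}")
            nodes[nid] = Node(nid, *(g.strip() for g in m.groups()[1:]))
            continue
        m = EDGE_RE.match(line)
        if m:
            edges.append(Edge(int(m.group(1)), int(m.group(2)), m.group(3).strip()))
            continue
        raise ValueError(f"line {lineno}: not an MSG node or edge: {line!r}")
    return Graph(nodes, edges)


def execution_order(graph: Graph) -> Optional[List[int]]:
    """Kahn's algorithm: the order the adversary must traverse the graph.
    Returns None when the edges contain a cycle."""
    indeg = {nid: 0 for nid in graph.nodes}
    for e in graph.edges:
        if e.dst in indeg:
            indeg[e.dst] += 1
    ready = sorted(n for n, d in indeg.items() if d == 0)
    order: List[int] = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for e in graph.edges:
            if e.src == n and e.dst in indeg:
                indeg[e.dst] -= 1
                if indeg[e.dst] == 0:
                    ready.append(e.dst)
        ready.sort()
    return order if len(order) == len(graph.nodes) else None


def validate(graph: Graph) -> List[str]:
    """Problems found (empty list means consistent): dangling edges, cycles."""
    problems = []
    for e in graph.edges:
        for end in (e.src, e.dst):
            if end not in graph.nodes:
                problems.append(f"edge {e.src} --> {e.dst} references undeclared node {end}")
    if not problems and execution_order(graph) is None:
        problems.append("graph contains a cycle")
    return problems


def function_name(node: Node) -> str:
    """The [Tactic]_[Technique] name the Pseudocode Standard gives this node."""
    return re.sub(r"[^A-Za-z0-9]+", "_", f"{node.tactic} {node.technique}").strip("_")


# The card's own graph, copied from the MSG block above.
SAMPLE_MSG = """
[1]: Initial Access - Exploit Public-Facing Application - Exploit CVE-2021-21972 in VMware Horizon server (Core to Pre-Existing Tool)
[2]: Command and Control - Application Layer Protocol - Communicate with C2 server using custom TCP protocol (Core to Adversary-Brought Tool)
[3]: Execution - Command and Scripting Interpreter - Execute commands received from C2 server (Core to Pre-Existing Tool)

1 --> 2 (Vulnerable and Misconfigured Application)
2 --> 3 (Lack of Network Monitoring)
"""

if __name__ == "__main__":
    g = parse_msg(SAMPLE_MSG)
    print("problems:", validate(g) or "none")
    for nid in execution_order(g) or []:
        print(f"[{nid}] {function_name(g.nodes[nid])} -> {g.nodes[nid].observable_level}")
```

Running it on the card's graph reports no problems and prints the three nodes in traversal order with the function names that appear in the pseudocode block, which is a quick way to confirm that a card's graph and its pseudocode describe the same chain.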