FortiDeceptor
FortiDeceptor provides Deception-based Breach Protection to deceive, expose and eliminate external and internal threats.
mbensimon
Staff
Article Id 192753
Description

This article describes how to use FortiDeceptor Decoys & Deception Lures (SMB, CACHE CRED, RDP, SSH) to detect activities related to the vSphere Client (HTML5) remote code execution vulnerability. VMware vSphere is the name of VMware's server virtualization product. It was formerly known as VMware Infrastructure, and it consists of ESXi, a Type 1 hypervisor, vCenter Server, and a few other important components that keep virtual servers up and running.

VMware vCenter servers play a central role in enterprise networks, in both private and public data centers. Malicious access to the underlying operating system that hosts the vCenter Server gives the threat actor full access to every server managed by that vCenter.

Due to a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server, a malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. See the Fortinet blog post:
https://www.fortiguard.com/updates/epvuln

VMware specifically calls out ransomware groups as being adept at leveraging flaws like this post-compromise, after having gained access to a network via other means such as spearphishing.

Cyber Deception against cyber attacks that try to leverage CVE-2021-21985 & CVE-2021-21986:

1.      FortiDeceptor starts by deploying network decoys across the network segments, creating a fake environment that simulates the real network and its assets. Network decoys include Linux/Windows endpoints and servers, web, DB and Git applications, IoT/OT devices, and many more.

2.      The FortiDeceptor customization module generates a real VMware vCenter Server decoy template and deploys it in the customer data center. The ability to deploy a Decoy that runs real VMware vCenter software expands the attack surface for any malware or threat actor that tries to leverage the CVE-2021-21985 & CVE-2021-21986 vulnerabilities. In addition, this decoy generates accurate threat intelligence and IOCs for the attack.

3.      FortiDeceptor generates and deploys Deception Lures, such as a fake network drive and a fake user and password, across every endpoint/server in your network, based on the network decoy deployment.

4.      To exploit this vulnerability, an attacker needs to be able to reach the vCenter Server over port 443. Even if an organization has not exposed vCenter Server externally, attackers can still exploit this flaw once inside the network. The idea behind using Deception Lures is to expand the attack surface and reduce the dwell time.

5.      Deception Lures detect the threat actor early in the kill chain, before the attempt to attack the VMware vCenter Server, by placing the following Deception Lures on the network endpoint that the threat actor will use to attack the VMware vCenter Server. The Deception Lures to deploy are:

a.      The SMB Deception Lure generates a fake network drive with fake files. This network drive deceives a threat actor who enumerates shares with Windows commands like "NET". This malicious engagement triggers alerts and also mitigation responses to isolate the malicious endpoint from the network.

b.      The Cache Credentials Deception Lure deploys a fake user and password to the endpoint and server. This fake user and password deceives a threat actor who dumps credentials with tools like mimikatz and then uses the fake credentials to move laterally and engage with a network Decoy. This malicious engagement triggers alerts and also mitigation responses to isolate the malicious endpoint from the network.

c.      The RDP Deception Lure deploys fake Windows RDP credentials in the Windows Credential Manager. This fake user and password deceives a threat actor who uses mimikatz and RDP clients to move laterally and engage with a network Decoy that runs the VMware vCenter Server software. This malicious engagement triggers alerts and also mitigation responses to isolate the malicious endpoint from the network.
Scope

The Deception Decoys & Lures against the VMware CVE-2021-21985 & CVE-2021-21986 attacks can be used in FortiDeceptor v3.3 and above.


Solution

Cyber Deception against VMware CVE-2021-21985 & CVE-2021-21986 attacks:

1.      Configure the network segments under the "Deployment Network" section that FortiDeceptor will use to deploy network decoys. (Due to the nature of the attack, verify that you cover the data center segments where the VMware vCenter Server is located.)

2.      Use the "Customization" feature to deploy a Windows 2016/2019 Decoy that runs the SQL DB and the VMware vCenter Server software. (See this video for technical instructions on how to use the customization module: https://video.fortinet.com/products/fortideceptor/3.0/fortideceptor-windows-customization )

3.      Deploy network Decoys (template and custom) across the network VLAN segments that are configured under the "Deployment Network" section.

4.      Download the Deception Lure package from the Decoy configuration section.

5.      Deploy the Deception Lure package across your endpoints using the AD logon script. Keep in mind that the Deception Lure package is an "Agent-Less" technology. (See the FortiDeceptor Admin Guide: https://docs.fortinet.com/document/fortideceptor/3.3.1/administration-guide/821523/deploying-tokens-... )

6.      To verify the Deception Lure package deployment, run the command "net use" on any endpoint that is part of the domain. You should see the network drive mapping in place; alternatively, open the Windows Credential Manager to verify that the fake credentials exist.

7.      Once a threat actor or malware has penetrated the network and infected an endpoint, any interaction with a Deception Decoy or Lure triggers a real-time alert.

8.      FortiDeceptor leverages the Fortinet Security Fabric to execute a threat mitigation response that isolates the threat.
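The check in step 6 is done by hand with "net use" and the Credential Manager. The following PowerShell script is an added example (not FortiDeceptor's own tooling) that automates the same verification on a domain endpoint so it can be run from the logon script or a scheduled task and reported centrally. It assumes the decoy that hosts the fake share and fake credentials is identified by a hostname or IP passed in as $DecoyHost; the exact share name and credential target strings are generated by your lure package, so the script matches on the decoy host rather than on specific names.

```powershell
# Added example: verify that the FortiDeceptor lure package landed on this endpoint.
# Assumption (not from the article): $DecoyHost is the hostname/IP of the decoy
# referenced by the fake network drive and fake credentials.
param(
    [Parameter(Mandatory = $true)][string]$DecoyHost
)

$ok = $true

# 1. SMB lure: the fake network drive should appear as a mapping to the decoy,
#    which is the same information "net use" prints. Get-SmbMapping reports the
#    current user's session, so run this in the logon user's context.
$mapping = Get-SmbMapping -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePath -like "\\$DecoyHost\*" }
if ($mapping) {
    $mapping | ForEach-Object {
        Write-Host "[OK] SMB lure drive present: $($_.LocalPath) -> $($_.RemotePath)"
    }
} else {
    Write-Warning "[MISSING] No mapped drive pointing at \\$DecoyHost (compare with 'net use')."
    $ok = $false
}

# 2. Cache credential / RDP lures: stored credentials live in Credential Manager.
#    'cmdkey /list' prints one "Target:" line per stored credential, e.g.
#    "Target: LegacyGeneric:target=TERMSRV/<host>" for RDP entries.
$targets = cmdkey /list 2>$null |
    Select-String -Pattern 'Target:' |
    ForEach-Object { ($_.Line -split 'Target:\s*', 2)[1].Trim() }
$decoyCreds = $targets | Where-Object { $_ -match [regex]::Escape($DecoyHost) }
if ($decoyCreds) {
    Write-Host "[OK] Credential Manager entries referencing the decoy:"
    $decoyCreds | ForEach-Object { Write-Host "     $_" }
} else {
    Write-Warning "[MISSING] No Credential Manager entry references $DecoyHost."
    $ok = $false
}

# Non-zero exit lets a logon script or scheduled task flag endpoints where the
# lure package did not deploy, so coverage gaps are found before an attacker does.
if ($ok) { exit 0 } else { exit 1 }
```

Run it as the logged-on domain user, for example `.\Verify-Lures.ps1 -DecoyHost <decoy-hostname>`. Because the lures are agent-less, a missing mapping or credential usually means the logon script did not run for that user or the endpoint is outside the configured deployment scope, not that the decoy itself is down.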

FortiDeceptor is part of the Fortinet Security Fabric.

FortiDeceptor is natively integrated with FortiGate, FortiNAC, FortiSIEM, FortiAnalyzer, and other Fabric solutions to automate the mitigation response based on attack detection.

For example, the video below shows FortiDeceptor leveraging FortiNAC to automatically isolate an infected machine that has been targeted by ransomware.

https://www.youtube.com/watch?v=SfiEL7-F5Mo&t=154s
