How malware f***ed around and found out
Intro and Background
I’ve been waiting a long time to review Blackpoint Cyber. My day job has been a customer of BPC for years and it has always been a product that makes me feel warm and fuzzy inside. However, despite a few “isolations” of machines over the years, and a bunch of 365 alerts, we never had what I call “The Big One” (henceforth “TBO”). You know the one I mean; the one that results in maximum clench and watching your career flash before your eyes. I swore to myself I would not write this review until we either fell victim to TBO or I saw them really stop TBO. It happened yesterday and I have survived to tell the tale.
Disclaimer: I am in no way affiliated with BPC other than working for an organization that utilizes their services. I don’t work for BPC, I don’t take money from them. You’ll notice this site has no ads. It isn’t a revenue source for me because I think it’s important to share this knowledge with the entire MSP community for their benefit. If you’re just here for hashes to put in your block list, I respect that too – skip to “The Important Stuff”.
We sat through no less than 20 SOC/SIEM sales presentations when we were shopping MDR and they all pretty much boiled down to alert spam of varying degrees. They use different methods to get to that end result, but really it all ends up being an actionable alert in the end that you or your staff needs to do something about. Who you go with determines the amount of noise you deal with. We were using Vijilan at the time, so the bar was quite low (as an aside, Vijilan sucks ass – if you arrived here looking for a review of Vijilan, one isn’t necessary – it’s bad). We just couldn’t get anyone in front of us that felt genuine or felt like they wanted to talk about the technology itself. It was just your generic personable sales drones squawking buzzwords and making you sign up for an hour-long webinar just to see pricing. I’m an engineer, I want to see cool shit, use cool shit, build cool shit. SaaS sales calls deplete my serotonin faster than the Halo TV series (two for one bonus review).
Enter Blackpoint Cyber. At the time BPC was smaller than the competition (except fucking Vijilan – did I mention they suck ass?), but have since grown tremendously, as have we. Meeting the BPC sales engineer on our first call, from minute one they projected a completely different vibe than anyone else had. They didn’t pretend to have the biggest subscriber platform or the best alert suppression algorithm, and they didn’t try to sell me a friendship or a PR/social media presence. Instead they sold me on cold hard technical competency and a no bullshit approach. Oh and they were doing something no one else was at the time – not only would they alert to things, they’d actually action the alerts and stop the threat themselves.
I am, above all, a cynic when it comes to vendors. I’ve been sold the proverbial bridge too often early in my career to count and I’m not letting another vendor goon me in front of the whole internet. The day has come. I (wrongly) feel un-goonable, so I’m going to tell you about TBO and how BPC saved my entire ass.
The Important Stuff
SHA1 Hashes Seen:
272eb0419ba759e94002afdd6a85f3d1f888cd4c
e3cdef6e6466a39eb7583498f58130fd6cdf47cc
eeddd9488561c8384b23664151a1b69bb6a3d820
Executable Name:
xenilik_cr1.exe
Executable Location:
C:\ProgramData\xenilik_cr1.exe
C&C Servers and Ports:
91.199.212.52:80
23.106.215.123:443
Vector: Executable delivered via link clicked (origin TBD)
Active protections in place:
Ironscales
Defender for 365 P1
SentinelOne Control
BP SNAP MDR
QuickPass
How we suspect it went down
User clicked a link and the executable downloaded in Edge and auto-ran silently. After escalating privilege and gaining persistence, the executable reached out to the initial C&C server via port 80 and tried to download a payload. The initial payload appears to have downloaded (1522 bytes), as communication then switched to port 443 for the remainder of the process life.
The malware then enumerated devices in AD and began trying to mount admin shares using the credential hash it stole from the initially compromised user. It successfully mounted an admin share on a server this user has access to, laterally spread to this server, and found a DA hash cached from work done earlier in the day. The lateral spread triggered a SentinelOne alert to our internal security team via Slack and one of them immediately picked up the phone and called Blackpoint, who was already calling my cell themselves.
Once it had the DA hash it attempted to mount admin shares on ~25 other machines. It was at this point that Blackpoint isolated any machine within line of sight of the initially compromised machine. That would end up amounting to about 40 isolated machines total at the end of the event, with three being wiped out of an abundance of caution.
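As an added example (not code from the post or from Blackpoint), here is a defender-side check over constructed telemetry: it matches the indicators listed under “The Important Stuff” and flags the one-workstation-to-many-hosts admin share fan-out that the lateral spread described above produces. Host names, timestamps and the event field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators quoted in the post: SHA1 hashes, dropped path, C&C endpoints.
IOC_SHA1 = {"272eb0419ba759e94002afdd6a85f3d1f888cd4c",
            "e3cdef6e6466a39eb7583498f58130fd6cdf47cc",
            "eeddd9488561c8384b23664151a1b69bb6a3d820"}
IOC_C2 = {("91.199.212.52", 80), ("23.106.215.123", 443)}
IOC_PATH = r"c:\programdata\xenilik_cr1.exe"

def match_iocs(events):
    """Return the events that touch a known hash, file path or C&C endpoint."""
    return [e for e in events
            if e.get("sha1", "").lower() in IOC_SHA1
            or e.get("path", "").lower() == IOC_PATH
            or (e.get("dst_ip"), e.get("dst_port")) in IOC_C2]

def admin_share_fanout(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a (source host, user) pair that mounts admin shares on more than
    `threshold` distinct hosts inside one sliding time window."""
    admin = {"C$", "ADMIN$", "IPC$"}
    by_actor = defaultdict(list)
    for e in events:
        if e.get("share", "").upper() in admin:
            by_actor[(e["src"], e["user"])].append((e["ts"], e["dst"]))
    alerts = []
    for (src, user), conns in by_actor.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            hosts = {d for t, d in conns[i:] if t - t0 <= window}
            if len(hosts) > threshold:
                alerts.append({"src": src, "user": user, "hosts": len(hosts)})
                break  # one alert per actor is enough
    return alerts

# Constructed sample telemetry (hypothetical host names and timestamps), mirroring
# the chain in the post: drop -> port 80 C&C -> port 443 C&C -> ADMIN$ fan-out.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    {"ts": T0, "src": "WS01", "user": "jdoe", "path": r"C:\ProgramData\xenilik_cr1.exe",
     "sha1": "272EB0419BA759E94002AFDD6A85F3D1F888CD4C"},
    {"ts": T0 + timedelta(seconds=5), "src": "WS01", "dst_ip": "91.199.212.52", "dst_port": 80},
    {"ts": T0 + timedelta(seconds=9), "src": "WS01", "dst_ip": "23.106.215.123", "dst_port": 443},
] + [
    {"ts": T0 + timedelta(minutes=1, seconds=i), "src": "WS01", "user": "jdoe",
     "dst": f"HOST{i:02d}", "share": "ADMIN$"} for i in range(8)
] + [  # a lone admin copy to one file server should not trip the rule
    {"ts": T0 + timedelta(hours=1), "src": "ADMINWS", "user": "sysadmin", "dst": "FS01", "share": "C$"},
]
```

Tune `threshold` and `window` to the normal admin-share traffic of the environment; the rule is meant to catch a workstation suddenly reaching many hosts, not a routine push from a management server.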
Post-Containment Experience
We’d find out later that BPC had isolated the domain controllers and core infrastructure at the initial sign of trouble, well before any phone calls in either direction, which ended up starving the lateral spread and protecting the integrity of AD. Coupled with their complete control of the situation and ability to direct us to do things like block C&C at the edge, disable accounts, and put hands on machines, I don’t feel like we dodged a bullet. I feel like a badass group of professional blue teamers just saved my entire ass. The people on the phone from BPC never seemed unsure or hesitant. They acted with purpose and intent without waiting for permission, and that is why they are worth every dime. They aren’t just the security alarm, they’re the guards and the cleanup crew too.
My eager security engineer who called BPC on the first alert found himself on the phone for the next 8 hours, working with the tech on site and BPC to remove isolation and clear each machine individually. We still had stragglers to clean up today, but BPC was on the phone with my team again taking care of it. There are a couple of remote machines that will have to make a journey to us to be cleared, but overall, objectively minimal impact. We have great backups and DR in Azure for this client. Even if every machine had been compromised, the impact to the data itself would have been minimal, if any. That doesn’t mean I ever want to test that theory, though.
I’ll call this a win. Infrastructure is intact. Three laptops got wiped. Most importantly, this experience validated my trust in BPC to be the watchers on the firewall (I’m so sorry please don’t flame me).