MEGA Exfiltration – Detection Engineering Investigation
In the fast-paced world of cybersecurity, our dedicated Incident Response Team, cybersecurity analysts, and threat hunters tirelessly work to safeguard the digital landscape. In this blog post, we’re excited to share our latest insights and updates on a crucial Sigma rule, offering a glimpse into our ongoing efforts to combat emerging threats and enhance our clients’ defenses.
MEGA is a file transfer service that has been abused by multiple threat actors to exfiltrate data in double-extortion ransomware attacks. Sensitive data exfiltration occurs late in an incident, but not necessarily too late: it gives defenders an opportunity to stop the attack before ransomware is deployed.
The starting point is a basic detection engineering investigation
This investigation started with a visit to sigmasearchengine.com to search for existing rules. There are two rules based on process execution of known file transfer applications:
windows/process_creation/proc_creation_win_renamed_megasync.yml
windows/process_creation/proc_creation_win_pua_rclone_execution.yml
These are excellent in environments where process telemetry is available, and for threat actors who use off-the-shelf software. As for detection in network telemetry, there are two rules based on DNS queries:
windows/dns_query/dns_query_win_mega_nz.yml
windows/builtin/dns_client/win_dns_client_mega_nz.yml
The rules have flaws
One flaw these rules have in common is that they don’t distinguish between files being uploaded or downloaded, which can lead to alert fatigue in some environments. So how can we expand upon these rules to specifically detect when files are uploaded?
Analysts from Arista Networks have published an excellent analysis of MEGA file transfers showing that subdomains of userstorage.mega.co.nz are used for both uploads and downloads, so that’s our starting point for a detection rule.
How to increase coverage in the rules
In a best-case scenario your network appliance will log the destination hostname in the firewall event, but that’s not always the case. To increase coverage, we’ll also identify IP address ranges that are used by MEGA and include these in our detection rule. There are several ways to do this; we chose to run a VirusTotal query and export the resulting DNS records:
entity:domain domain:*.userstorage.mega.co.nz
Finally, let’s only select sessions where a relatively large number of bytes have been sent by the client. For example, FortiGate NGFW logs this in a field called sentbyte, whereas Cisco ASA logs it as InitiatorBytes. In our internal CIM standard that normalizes logs from multiple vendors, this field is called bytes_out.
This leaves us with the following Sigma detection rule:
https://github.com/SamuraiMDR/sigma-rules/blob/main/rules/firewall/mega_exfiltration.yml
New Sigma rule to apply
title: MEGA Exfiltration
id: af71437b-430e-4aad-bbf8-b787c426dc7d
description: Large upload towards MEGA, may indicate exfiltration of data
references:
  - https://arista.my.site.com/AristaCommunity/s/article/Forensic-Investigation-of-the-MEGAcmd-Client#Comm_Kna_ka02I000000brf8QAA_92
status: stable
author: NTT Security - Patrik Olson
date: 2024/02/16
modified: 2024/03/04
logsource:
  category: firewall
detection:
  selection_mega:
    - dest_ip:
        - "2a0b:e40:1:*"
        - "2a0b:e41:1:*"
        - "2a0b:e42:1:*"
        - "2a0b:e43:1:*"
        - "2a0b:e44:1:*"
        - "2a0b:e45:1:*"
        - "2a09:a380:*"
        - "31.216.145.*"
        - "31.216.148.*"
        - "69.30.89.*"
        - "89.44.168.*"
        - "94.24.36.*"
        - "94.24.37.*"
        - "103.99.35.*"
        - "162.208.16.*"
        - "185.206.24.*"
        - "185.206.25.*"
        - "185.206.26.*"
        - "185.206.27.*"
        - "2001:67c:1998:*"
        - "2001:678:25c:*"
        - "2001:df1:e7c0:*"
        - "66.181.163.241"
        - "122.56.56.205"
        - "122.56.56.207"
        - "2403:9800:c020::13"
        - "2403:9800:c020::14"
        - "2405:5700:1:381::4"
    - dest_host|endswith: "userstorage.mega.co.nz"
    - app_name:
        - "Mega"      # Fortinet, Cisco, Zscaler
        - "mega-base" # Palo Alto
  selection_large_upload:
    bytes_out|gt: 10000000 # 10MB
  condition: all of selection_*
falsepositives:
  - Non-sensitive file sharing
level: high
tags:
  - attack.exfiltration
  - attack.t1567
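As an added example (not part of the original post or the SamuraiMDR repository), the following Python implements the rule's matching logic over CIM-normalized firewall events, so the upload/download distinction and the strict 10 MB threshold can be checked against sample data. Field names follow the rule; the IP list is a subset of the rule's list, and the events are constructed rather than real telemetry.

```python
"""Reference implementation of the MEGA Exfiltration Sigma logic over
normalized (CIM-style) firewall events. Added example, not the published rule.
Field names dest_ip, dest_host, app_name and bytes_out follow the rule;
the sample events below are constructed, not real telemetry."""
from fnmatch import fnmatchcase

# selection_mega: any one of these three sub-selections must match (OR)
DEST_IP_PATTERNS = ["2a0b:e40:1:*", "31.216.145.*", "185.206.24.*", "66.181.163.241"]  # subset of the rule's list
DEST_HOST_SUFFIX = "userstorage.mega.co.nz"
APP_NAMES = {"mega", "mega-base"}
# selection_large_upload: bytes_out|gt 10000000 (10 MB, strictly greater than)
UPLOAD_THRESHOLD = 10_000_000

def _wildcard(value, pattern):
    # Sigma string matching is case-insensitive; '*' is the only wildcard used here
    return fnmatchcase(str(value).lower(), pattern.lower())

def is_mega_destination(event):
    ip = event.get("dest_ip", "")
    host = event.get("dest_host", "")
    app = event.get("app_name", "")
    return (any(_wildcard(ip, p) for p in DEST_IP_PATTERNS)
            or host.lower().endswith(DEST_HOST_SUFFIX)
            or app.lower() in APP_NAMES)

def is_large_upload(event):
    # Only bytes sent by the client count, so downloads from MEGA do not fire
    return int(event.get("bytes_out", 0)) > UPLOAD_THRESHOLD

def matches(event):
    # condition: all of selection_*
    return is_mega_destination(event) and is_large_upload(event)

SAMPLE_EVENTS = [  # constructed events
    {"id": 1, "dest_ip": "185.206.24.50", "dest_host": "gfs270n123.userstorage.mega.co.nz", "bytes_out": 734_003_200, "bytes_in": 120_000},
    {"id": 2, "dest_ip": "185.206.24.50", "dest_host": "", "bytes_out": 52_000, "bytes_in": 734_003_200},  # download, not upload
    {"id": 3, "dest_ip": "2a0b:e40:1::c0ff:ee", "dest_host": "", "bytes_out": 20_000_000},  # IPv6 range, hostname not logged
    {"id": 4, "dest_ip": "203.0.113.7", "dest_host": "", "app_name": "Mega", "bytes_out": 10_000_000},  # exactly 10 MB: not > threshold
    {"id": 5, "dest_ip": "203.0.113.8", "dest_host": "files.example.com", "bytes_out": 900_000_000},  # large, but not MEGA
]

def alert_ids(events=SAMPLE_EVENTS):
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]

if __name__ == "__main__":
    print(alert_ids())  # [1, 3]
```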
Our urgent recommendation
To play Whac-a-Mole by blocking the use of commonly abused file transfer services will not stop a motivated threat actor. And as threat actors move to more reputable services, blocking them will be more likely to hinder employees from performing their tasks. Instead, our recommendation is to have the technical capacity to detect data exfiltration and a team in place who can respond to it.
Are you unsure if your business is safe and protected from cybercriminals? Let’s talk.
By taking proactive measures and remaining vigilant, we can collectively defend against cyber threats and safeguard sensitive data from exploitation. Let’s prioritize cybersecurity and work together to ensure a safer digital environment for all. Fill in the form and we’ll contact you.