
MEGA Exfiltration – Detection Engineering Investigation  

In the fast-paced world of cybersecurity, our dedicated Incident Response Team, cyber security analysts, and threat hunters tirelessly work to safeguard the digital landscape. In this blog post, we’re excited to share our latest insights and updates on a crucial Sigma rule, offering a glimpse into our ongoing efforts to combat emerging threats and enhance our clients’ defenses.

MEGA is a file transfer service that has been abused by multiple threat actors to exfiltrate data in double-extortion ransomware attacks. Exfiltration of sensitive data happens late in an incident, but not necessarily too late: detecting it gives defenders an opportunity to stop the attack before ransomware is deployed.

The starting point: a basic detection engineering investigation

This investigation started with a visit to sigmasearchengine.com to search for existing rules. There are two rules based on process execution of known file transfer applications: 

windows/process_creation/proc_creation_win_renamed_megasync.yml 

windows/process_creation/proc_creation_win_pua_rclone_execution.yml 

These are excellent in environments where process telemetry is available, and for threat actors who use off-the-shelf software. As for detection in network telemetry, there are two rules based on DNS queries: 

windows/dns_query/dns_query_win_mega_nz.yml 

windows/builtin/dns_client/win_dns_client_mega_nz.yml 

The rules have flaws 

One flaw these rules have in common is that they don’t distinguish between uploads and downloads, which can lead to alert fatigue in some environments. So how can we expand upon these rules to specifically detect when files are uploaded?

Analysts from Arista Networks have published an excellent analysis of MEGA file transfers showing that subdomains of userstorage.mega.co.nz are used for both uploads and downloads, so that’s our starting point for a detection rule. 

How to increase coverage in the rules 

In a best-case scenario your network appliance will log the destination hostname in the firewall event, but that’s not always the case. To increase coverage, we’ll also identify IP address ranges used by MEGA and include these in our detection rule. There are several ways to do this; we chose to run a VirusTotal query and export the resulting DNS records:

entity:domain domain:*.userstorage.mega.co.nz  

Finally, let’s only select sessions where a relatively large number of bytes have been transmitted. For example, FortiGate NGFW logs this in a field called sentbyte, whereas Cisco ASA logs it as InitiatorBytes. In our internal CIM standard that normalizes logs from multiple vendors, this field is called bytes_out. 

This leaves us with the following Sigma detection rule:  

https://github.com/SamuraiMDR/sigma-rules/blob/main/rules/firewall/mega_exfiltration.yml

New Sigma rule to apply  

title: MEGA Exfiltration
id: af71437b-430e-4aad-bbf8-b787c426dc7d
description: Large upload towards MEGA, may indicate exfiltration of data
references:
  - https://arista.my.site.com/AristaCommunity/s/article/Forensic-Investigation-of-the-MEGAcmd-Client#Comm_Kna_ka02I000000brf8QAA_92
status: stable
author: NTT Security - Patrik Olson
date: 2024/02/16
modified: 2024/03/04
logsource:
  category: firewall
detection:
  selection_mega:
    - dest_ip:
      - "2a0b:e40:1:*"
      - "2a0b:e41:1:*"
      - "2a0b:e42:1:*"
      - "2a0b:e43:1:*"
      - "2a0b:e44:1:*"
      - "2a0b:e45:1:*"
      - "2a09:a380:*"
      - "31.216.145.*"
      - "31.216.148.*"
      - "69.30.89.*"
      - "89.44.168.*"
      - "94.24.36.*"
      - "94.24.37.*"
      - "103.99.35.*"
      - "162.208.16.*"
      - "185.206.24.*"
      - "185.206.25.*"
      - "185.206.26.*"
      - "185.206.27.*"
      - "2001:67c:1998:*"
      - "2001:678:25c:*"
      - "2001:df1:e7c0:*"
      - "66.181.163.241"
      - "122.56.56.205"
      - "122.56.56.207"
      - "2403:9800:c020::13"
      - "2403:9800:c020::14"
      - "2405:5700:1:381::4"
    - dest_host|endswith: "userstorage.mega.co.nz"
    - app_name:
      - "Mega" # Fortinet, Cisco, Zscaler
      - "mega-base" # Palo Alto
  selection_large_upload:
    bytes_out|gt: 10000000 # 10MB
  condition: all of selection_*
falsepositives:
  - Non-sensitive file sharing
level: high
tags:
  - attack.exfiltration
  - attack.t1567
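To show how the rule above behaves once the vendor fields are normalized (the sentbyte / InitiatorBytes to bytes_out mapping described earlier) and why the IP selectors are better matched as networks than as raw string globs, here is an added worked example in Python. It is not code from the post or from the SamuraiMDR repository. The IP patterns, host suffix, app names and 10 MB threshold are copied from the rule; the log lines are constructed samples, and the FortiGate field names dstip, hostname and app, as well as the Cisco-style ResponderIP and Application keys, are assumptions for the sake of the example (the post itself only names sentbyte and InitiatorBytes).

```python
import ipaddress
import re

# Destination selectors copied from the Sigma rule on this page.
MEGA_IP_PATTERNS = [
    "2a0b:e40:1:*", "2a0b:e41:1:*", "2a0b:e42:1:*", "2a0b:e43:1:*",
    "2a0b:e44:1:*", "2a0b:e45:1:*", "2a09:a380:*",
    "31.216.145.*", "31.216.148.*", "69.30.89.*", "89.44.168.*",
    "94.24.36.*", "94.24.37.*", "103.99.35.*", "162.208.16.*",
    "185.206.24.*", "185.206.25.*", "185.206.26.*", "185.206.27.*",
    "2001:67c:1998:*", "2001:678:25c:*", "2001:df1:e7c0:*",
    "66.181.163.241", "122.56.56.205", "122.56.56.207",
    "2403:9800:c020::13", "2403:9800:c020::14", "2405:5700:1:381::4",
]
MEGA_HOST_SUFFIX = "userstorage.mega.co.nz"
MEGA_APP_NAMES = {"Mega", "mega-base"}   # Fortinet/Cisco/Zscaler, Palo Alto
LARGE_UPLOAD_BYTES = 10_000_000          # bytes_out|gt: 10000000


def pattern_to_network(pattern: str):
    """Turn a Sigma '*' suffix pattern into an ip_network.

    '31.216.145.*' -> 31.216.145.0/24, '2a0b:e40:1:*' -> 2a0b:e40:1::/48,
    a literal address -> /32 or /128.  Matching parsed addresses instead of
    raw strings means an IPv6 address logged with leading zeros, e.g.
    '2a0b:0e40:0001::1', is still caught.
    """
    if not pattern.endswith("*"):
        return ipaddress.ip_network(pattern, strict=False)
    prefix = pattern[:-1]
    if ":" in prefix:
        groups = [g for g in prefix.split(":") if g]
        return ipaddress.ip_network(f"{':'.join(groups)}::/{16 * len(groups)}")
    octets = [o for o in prefix.split(".") if o]
    bits = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{bits}")


MEGA_NETWORKS = [pattern_to_network(p) for p in MEGA_IP_PATTERNS]


def normalize_fortigate(line: str) -> dict:
    """FortiGate key=value traffic log -> the rule's fields (bytes_out = sentbyte).
    dstip/hostname/app are assumed field names for this example."""
    raw = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {
        "dest_ip": raw.get("dstip"),
        "dest_host": raw.get("hostname"),
        "app_name": raw.get("app"),
        "bytes_out": int(raw.get("sentbyte", 0)),
    }


def normalize_cisco(line: str) -> dict:
    """Cisco-style 'Key: value, ...' connection event -> the rule's fields
    (bytes_out = InitiatorBytes).  ResponderIP/Application are assumed keys."""
    raw = dict(re.findall(r"(\w+): ([^,]+)", line))
    return {
        "dest_ip": raw.get("ResponderIP"),
        "dest_host": None,
        "app_name": raw.get("Application"),
        "bytes_out": int(raw.get("InitiatorBytes", 0)),
    }


def is_mega_destination(event: dict) -> bool:
    """selection_mega: any one of the three destination selectors is enough."""
    try:
        addr = ipaddress.ip_address(event.get("dest_ip") or "")
        if any(addr in net for net in MEGA_NETWORKS):
            return True
    except ValueError:  # missing or unparsable address: try the other selectors
        pass
    if (event.get("dest_host") or "").lower().endswith(MEGA_HOST_SUFFIX):
        return True
    return event.get("app_name") in MEGA_APP_NAMES


def matches_mega_exfiltration(event: dict) -> bool:
    """condition: all of selection_* (MEGA destination AND bytes_out > 10 MB)."""
    return is_mega_destination(event) and event.get("bytes_out", 0) > LARGE_UPLOAD_BYTES


# Constructed sample events, not real traffic: (normalizer, log line).
SAMPLE_LOGS = [
    # 50 MB sent to a MEGA storage node: should alert.
    (normalize_fortigate, 'date=2024-02-16 srcip=10.0.0.5 dstip=31.216.145.10 '
                          'hostname="gfs270n1.userstorage.mega.co.nz" app="Mega" '
                          'sentbyte=52428800 rcvdbyte=4096 action=accept'),
    # Same node, bytes flowing the other way (a download): no alert.
    (normalize_fortigate, 'date=2024-02-16 srcip=10.0.0.5 dstip=31.216.145.10 '
                          'app="Mega" sentbyte=4096 rcvdbyte=52428800 action=accept'),
    # IPv6 logged with leading zeros; a raw string glob on "2a0b:e40:1:*" would miss it.
    (normalize_cisco, 'InitiatorIP: 10.0.0.7, ResponderIP: 2a0b:0e40:0001::abcd, '
                      'Application: HTTPS, InitiatorBytes: 20971520, ResponderBytes: 3072'),
    # Address not in the list, but the hostname is logged: matched via dest_host|endswith.
    (normalize_fortigate, 'date=2024-02-16 srcip=10.0.0.9 dstip=192.0.2.44 '
                          'hostname="gfs204n150.userstorage.mega.co.nz" sentbyte=15000000 rcvdbyte=2048'),
    # Large upload to an unrelated service: no alert.
    (normalize_fortigate, 'date=2024-02-16 srcip=10.0.0.9 dstip=192.0.2.10 app="Dropbox" '
                          'sentbyte=90000000 rcvdbyte=1024'),
]


def run_detection(samples=SAMPLE_LOGS) -> list:
    """Return the indexes of the sample events that trigger the rule."""
    return [i for i, (normalize, line) in enumerate(samples)
            if matches_mega_exfiltration(normalize(line))]


if __name__ == "__main__":
    print("alerting events:", run_detection())  # [0, 2, 3]
```

The second sample is the point of the whole post: the same destination and the same 50 MB session produce no alert when the bytes are received rather than sent, which is what separates this rule from the DNS-based ones. The third sample shows why a SIEM that implements Sigma wildcards as plain string globs needs the IPv6 entries normalized (or expressed as CIDR) before the dest_ip selector can be trusted.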

Our urgent recommendation

Playing Whac-a-Mole by blocking commonly abused file transfer services will not stop a motivated threat actor. And as threat actors move to more reputable services, blocking them is more likely to hinder employees from doing their jobs. Instead, our recommendation is to have the technical capacity to detect data exfiltration and a team in place who can respond to it.

Are you unsure if your business is safe and protected from cybercriminals? Let’s talk. 

By taking proactive measures and remaining vigilant, we can collectively defend against cyber threats and safeguard sensitive data from exploitation. Let’s prioritize cybersecurity and work together to ensure a safer digital environment for all. Fill in the form and we’ll contact you.