Kaseya VSA Security Incidence

Overview | Kaseya VSA

On July 2, 2021, right before Americans started their long, Independence Day weekend, hackers once again made their way to the top of the news headlines. This time, the victim of the largest ransomware attack was Kaseya, a technology company that sells its technology to other third-party providers, mainly managed service providers (MSPs).

Speculations have suggested that the attack was yet another supply-chain ransomware attack. Multiple security firms and researchers have concluded that the attackers chose to exploit a zero-day vulnerability rather than tampering Kaseya’s codebase to distribute the malware. REvil/Sodinokibi ransomware threat actors were found to be responsible for the attack, exploiting a zero-day vulnerability to remotely access internet facing Kaseya VSA servers. Using this method, they hacked through less than 40 VSA servers and were able to deploy the ransomware to over a thousand enterprise networks.

What is Kaseya VSA?

Kaseya VSA, the Virtual System/Server Administrator is marketed as an endpoint management and network monitoring system that allows its client to have a unified remote monitoring and management platform. Users can perform functions such as remote controls to end-user computers, discovery and inventory on a client’s infrastructure, patch management to have a centralized system deploying software updates across all endpoints and monitoring and alerting of incident across the network. This makes it a convenient solution for MSPs to remotely manage their customer’s IT infrastructure and provide IT support and cybersecurity services to multiple enterprises. Kaseya VSA is also designed to have administrator rights provided down to all client systems.

In this incidence, an attacker had abused Kaseya VSA’s auto-update function and maliciously pushed the REvil ransomware onto Kaseya’s clients. This allowed the ransomware to reach to more victims, not only affecting Kaseya VSA customers but also the customers of MSPs that are using Kaseya VSA systems.

Kaseya-Timelin

Timeline of how the attack affected MSPs client systems

What Happened?

Various articles and researchers have concluded that attackers leveraged the standard VSA product functionality to deploy ransomware to the endpoint users. The attacker had exploited the zero-day vulnerability currently assigned the CVE-2021-30116 identifier.

The Kaseya zero-day vulnerability was discovered by Dutch Institute for Vulnerability Disclosure [DIVD] researcher Wietse Boonstra in early April, and had been shared with Kaseya prior to its exploitation in these ransomware attacks. Unfortunately, REvil attackers had managed to find the security flaw and attack by exploiting the vulnerability before Kaseya was able to issue or release a patch, resulting in this large-scale ransomware infection.

Given that the incident is currently in the middle of the investigation and patching stage, full details of the zero-day vulnerability “CVE-2021-30116” are currently not disclosed to the public. However, various research suggests that this vulnerability allows a remote non-authenticated attacker to compromise the affected system. To exploit this vulnerability, the attacker sends a specially crafted request to the affected application. Researchers have also concluded that the attacker managed to bypass authentication on the internet facing VSA web panel, exploit an arbitrary file upload, and execute commands via SQL injection on the VSA appliance.

Evidence of an executable code containing actions that would disable existing user sessions, remove IIS logs, and other cleanup activities has also been found. This attack appears to be geographically dispersed and the impact appears to have been restricted to systems running the Kaseya software.

The attack distributed its malicious payload in the form of a “Kaseya VSA agent hot-fix” launching the malicious software update package that targeted customers of MSPs and enterprise users of the on-site version of Kaseya’s VSA remote monitoring and management platform. The VSA appliance that had deployed a “Kaseya VSA agent hot-fix” package was observed to have bypassed antivirus solutions using an older and vulnerable version of the Microsoft Defender app, which it used to encrypt local workstations.

After compromising an MSP that utilizes Kaseya VSA, the attackers subsequently disabled the client’s administrative access to their respective Kaseya VSA platform, allowing the attackers to gain administrative access to all endpoints managed by Kaseya VSA. Upon gaining administrative access, the attackers were observed attempting to disable Microsoft Defender Real-Time Monitoring via PowerShell and deploy the ransomware.

REvil Ransomware

Various evidence, such as ransom notes dropped onto the infected systems, revealed that this cyber incident was closely tied with REvil/Sodinikibi ransomware group. The REvil ransomware group had also stepped forward to confirm associations with this attack after claiming the responsibility on its Dark Web leak site.

This is not the first time that the REvil ransomware group had topped news headlines. However, in this attack, REvil’s operators took a different approach in how they negotiate the ransom. REvil attacks can use multiple encrypted file extensions and typically will provide a decryptor that decrypts all encrypted extensions. In this attack, REvil demanded ransom payments made for each individual encrypted file extension found on a victim’s network, as opposed to their usual method of providing one decryptor to decrypt all encrypted file extensions.

The attackers are willing to provide a universal decryptor for victims of the attack, but only under the condition that they are paid $70 million in Bitcoin. The value has reportedly recently been lowered to $50 million.

REvil representatives have also responded to victims during the negotiation stage that in this attack, they had only encrypted networks and nothing more. Based on this information, it was suggested that REvil did not steal any victim’s data, which is typically what they utilize as a factor during the negotiation stage. This also indicates that the ransomware operation did not access the victim’s networks before the attack; however, it is still uncertain as to the extent of damage that was brought to the victim’s environment.

Riding the Waves

It is not a surprise that upon a new zero-day vulnerability disclosure or vulnerability being exploited by a cybercriminal group, other threat actors would take advantage of this opportunity and ride on the waves. Not long after the Kaseya attack, a new malspam campaign was observed containing various subject titles claiming to contain patch for Kaseya vulnerability. The attachment found in this malspam campaign appears to drop Cobalt Strike malware likely targeting users utilizing Kaseya products. Cobalt strike malware attachments appear to be the first malware that was found in the wild exploiting the current Kaseya situation.

MITRE ATT&CK

The following are the MITRE ATT&CK Tactics and Techniques associated with the Kaseya attacks:

Tactics Techniques
Resource Development Obtain Capabilities: Vulnerabilities (T1588.006)
Resource Development Obtain Capabilities: Exploits (T1588.005)
Initial Access Exploit Public-Facing Application (T1190)
Execution Command and Scripting Interpreter: PowerShell (T1059.001)
Persistence Hijack Execution Flow : DLL Side-Loading (T1574.002)
Defense Evasion Masquerading : Rename system utilities (T1036.003)
Defense Evasion Impair Defences: Disable or Modify Tools (T1562.001)
Defense Evasion Deobfuscate/Decode Files or Information (T1140)
Defense Evasion Hijack Execution Flow: DLL Side-Loading (T1574.002)
Defense Evasion Indicator Removal on Host: File Deletion (T1070.004)
Defense Evasion Modify Registry (T112)
Defense Evasion Subvert Trust Controls: Code Signing (T1553.002)
Impact Data Encrypted for Impact (T1486)

General Recommendations

Given that the vulnerability is newly discovered, there is still a lot of uncertainty about this attack and how it would affect clients utilizing Kaseya VSA software. As such, it is advised for clients utilizing Kaseya VSA software to have all on-premises VSA Servers to remain offline until further instructions from Kaseya on when it is safe to restore operations when a patch is made available to the public.

We strongly recommend to follow the guidelines by Kaseya, FBI and CISA if you use Kaseya VSA for your IT infrastructure and/or to reach out to your MSP if you are currently leveraging one for any IT-related management.

It is important to note that Proficio does not use Kaseya or any of its products.  If you have questions, please do not hesitate to contact your Customer Success Manager or Security Advisor.

 

DarkSide Ransomware

Overview | Darkside Ransomware

DarkSide ransomware was first discovered in the wild in August, 2020. It runs a Ransomware-as-a-Service (RaaS), whereby affiliates are able to deploy the ransomware for a fee or a cut of the proceeds from successful ransom payments.

The DarkSide ransomware group was brought to mainstream attention due to the recent ransomware attack against Colonial Pipeline. The Proficio Threat Intelligence Team posted information and articles about the Colonial Pipeline attack in our Twitter Feed. Below, we provide more detailed findings based on our research of DarkSide ransomware.

What We Know About the DarkSide Ransomware Group

DarkSide ransomware group attacks are highly targeted, and affiliates are able customize the ransomware executable for the specific organization they are attacking. Organizations that are targeted typically have the finances to pay large ransom amounts. After the attack on Colonial Pipeline, the DarkSide ransomware group has publicly stated that they are apolitical and their goal “is to make money, not create problems for society”.

However, affiliates are not allowed to attack organizations from the following sectors:

  • Healthcare
  • Funeral services
  • Education
  • Public sector
  • Non-profit organizations
  • Government sector

The DarkSide ransomware group also has a website where they publish data stolen from victims who refuse to pay the ransom. This is a method of further pressuring victims to pay, following a trend observed among ransomwares throughout 2020, including DoppelPaymer and REvil/Sodinokibi.

How DarkSide Ransomware Attacks Work

The initial entry method of DarkSide ransomware attacks can vary depending on the affiliate carrying out the attack. There is currently no public information on the initial entry method used in the attack on Colonial Pipeline, however example methods observed from past DarkSide ransomware attacks include:

  • Exploiting hardware/software vulnerabilities
  • Exploiting remote access services (such as RDP)
  • Access victim’s network using legitimate credentials, obtained by:
    • Phishing attacks
    • Password attacks (such as password spraying)
    • Purchasing from a third-party source

After gaining access to the victim’s environment, the attackers will move laterally throughout the network and perform internal reconnaissance to gather information before encrypting data. The following have been observed being utilized in previous attacks for reconnaissance/lateral movement:

  • PSExec
  • RDP connections
  • SSH
  • Mimikatz
  • Cobalt Strike
  • BloodHound

Information gathered during the internal reconnaissance also includes credentials stored in files, memory and domain controllers; the stolen credentials are then used to access privileged accounts. PowerShell commands are executed to delete shadow copies which wipes backups and file snapshots to prevent recovery.

Stolen data is exfiltrated before deploying DarkSide ransomware to encrypt the victim’s files. Upon successful encryption, the ransomware appends a victim’s ID as an extension to file names. A ransom note with the naming convention of “README.[victim’s_ID].TXT” is dropped onto the victim’s device with instructions for the victim to access a Tor website using a Tor browser to pay the ransom – and if unpaid, they threaten to publish the stolen data.

Example-of-a-Ransom-Note-Darkside-Ransomware

Figure 1- Example of a Ransom Note

Known DarkSide Affiliates

As previously mentioned, DarkSide ransomware can be used by different affiliates and as such, different Darkside attacks can utilize different tools and tactics depending on the affiliate. Below are examples of different attack flows by three affiliates that were identified by FireEye.

UNC2628

This affiliate group is suspected to have used a password spraying attack against the victim’s VPN to gain initial access into the environment. The attackers utilized Cobalt Strike beacons for C2 communications and Mimikatz for credential theft. Lateral movement was performed using RDP connections and Cobalt Strike.

The attackers exfiltrated stolen data using Rclone, a command line utility to manage files for cloud storage applications, to cloud-based storages. DarkSide ransomware is then deployed using PsExec.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactics Techniques
Credential Access [TA0006] Brute Force: Password Spraying [T1110.003]
Initial Access [TA0001] Valid Accounts [T1078]
Resource Development [TA0042] Obtain Capabilities: Tool [T1588.002]
Credential Access [TA0006] OS Credential Dumping [T1003]
Lateral Movement [TA0008] Remote Services: Remote Desktop Protocol [T1021.001]
Command and Control [TA0011] Application Layer Protocol: Web Protocols [T1071.001]
Execution [TA0002] Command and Scripting Interpreter [T1059]
Execution [TA0002] System Services: Service Execution [T1569.002]
Exfiltration [TA0010] Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]
Impact [TA0040] Data Encrypted for Impact [T1486]

UNC2659

This affiliate group gains initial access by exploiting the SonicWall vulnerability CVE-2021-20016. After gaining access to the victim’s environment, the attackers download the tool TeamViewer from the official website onto the victim host to establish persistence within the environment.

This group was also observed utilizing Rclone for data exfiltration, which is downloaded from the official website onto the victim host. The stolen data is exfiltrated to cloud-based storages.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactics Techniques
Initial Access [TA0001] Exploit Public-Facing Application
Resource Development [TA0042] Obtain Capabilities: Tool [T1588.002]
Command And Control [TA0011] Remote Access Software [T1219]
Execution [TA0002] Command and Scripting Interpreter [T1059]
Exfiltration [TA0010] Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]
Impact [TA0040] Data Encrypted for Impact [T1486]

UNC2465

This affiliate group utilized a backdoor named “SMOKEDHAM” to gain access to the victim’s environment, which is delivered via phishing emails and legitimate services such as Google Drive and Dropbox. Advanced IP Scanner, BloodHound, and RDP were used for internal reconnaissance, and Mimikatz was used for credential theft.

The attackers also used the NGROK utility to bypass firewalls and expose remote service ports such as RDP to the Internet. The DarkSide ransomware is deployed using PsExec and scheduled tasks.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactics Techniques
Initial Access [TA0001] Phishing: Spearphishing Link [T1566.002]
Resource Development [TA0042] Obtain Capabilities: Tool [T1588.002]
Lateral Movement [TA0008] Remote Services: Remote Desktop Protocol [T1021.001]
Credential Access [TA0006] OS Credential Dumping [T1003]
Defense Evasion Impair Defenses [T1562]
Execution [TA0002] System Services: Service Execution [T1569.002]
Impact [TA0040] Data Encrypted for Impact [T1486]

General Recommendations

Although DarkSide ransomware attacks can involve different tactics and tools, based on which threat group is making use of their RaaS, the tactics, techniques and tools deployed are not completely different as they share the common DarkSide platform. The variety of tactics and techniques deployed should serve as a clear indication that focusing on any single threat will not provide adequate coverage, in terms of ensuring that an organization is well protected from the broad array of security threats.

The use of EDR solutions provide valuable visibility into endpoints and important systems, so they should play a big role in dealing with ransomware attacks. We also recommend a defense-in-depth approach for securing your network and environment, including ensuring there is proper segmentation and security device visibility between network segments, particularly critical network segments. Traditional security architecture, that focuses solely on securing the perimeter, are inadequate in dealing with modern day persistent threats, though they play an important part.

An organization with proper network segmentation and security device coverage can then make use of the following general suspicious indicators/activities that serve as a useful way to monitor for to identify potential DarkSide ransomware attacks:

  • Attacks on VPN infrastructure (exploiting vulnerabilities or through password spraying attacks)
  • Phishing emails
  • Deployment, use and download of common exploit and bypass tools like Mimikatz, Cobalt Strike and BloodHound
  • Unauthorized deployment, use and download of remote access tools (Teamviewer, Remote Desktop, etc)
  • Installation of suspicious or unknown services
  • Data exfiltration to cloud storage

Proficio has already deployed a wide variety of use cases that can be effectively utilized to detect such common indicators or activities. Of course, the effectiveness of the use cases depends on the log sources being monitored and their visibility into the environment or network. We recommend reaching out to your security advisors or client success managers to understand the use cases deployed for your environment and how we can work together to increase the efficacy of our monitoring, detection and discovery efforts.

The Proficio Threat Intelligence Team will continue to research and investigate all new threats to identify the best way to start a threat hunting campaign. And as always, we will keep all of our clients informed on our efforts in this area.

Precautionary Measures

Prevention is better than cure. It is advisable to safeguard you and your organization to avoid being the next victim of this ransomware attacks. We would recommend organization to consider the following measures.

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware.
  • Performing regular backups on critical files and systems.
  • Keeping your operating systems and accessible services up to date on the latest security patches.
  • Make use of Multi-Factor Authentication to govern access as much as possible.
  • Make use of network segmentation alongside the zero-trust model.
  • Close unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

Codecov Breach

OVERVIEW | Codecov Breach

Supply chain attacks are far from new. We previously covered the SolarWinds attack, which may be the biggest software supply chain attack disclosed, as well as the most damaging supply chain attack to users. In more recent news, a new cyber-attack similar to the SolarWinds attack was discovered on a software testing platform – Codecov, which is a supplier of code management and audit solutions.

Codecov first discovered the attack on April 1st, disclosing this to the public on April 15th. However, investigations into the attack suggest that it first occurred months earlier, possibly as far back as January 31st, yet went unnoticed for several months. The adversary was able to gain access to Codecov’s Bash Uploader script using credentials stolen by exploiting an error in Codecov’s Docker image creation process. The adversary then replaced Codecov’s IP address within the Bash Uploader script to the adversary’s own IP address, rerouting the data to send information to the adversary instead of Codecov.

The altered version of the Bash Uploader script could potentially affect the following references from Codecov:

  • Any credentials, tokens, or keys that were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
  • Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
  • The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.

Moving Forward

Proficio’s Threat Intelligence Team has been diligently researching the attack and how it may have affected our clients. There will be a continuous and ongoing effort to help ensure that all our clients are not being compromised by this campaign, through the following:

  • Gathering of IOCs and TTPs of the attack
    • Although no IP addresses of the third-party servers were disclosed to the public, our team is currently researching on the TTPs to potentially identify traffic on data exfiltration attempt
  • Performing threat hunting on potential exfiltration of data associated with campaign against our client SIEMs for the past three months
  • Documenting and investigating any potential incidents
  • Providing updates of threat hunting results to all Client Success Manager and Security Advisors, so they can alert clients, as applicable

General Recommendations

Given that the breach is newly discovered, there is still a lot of uncertainty as to how much damage it can bring to victim systems. As such, we always recommend our clients to keep the systems, and in this case, the scripts patched and up to date.

Clients that utilize Codecov as a service are strongly advised to run through Codecov’s recommendation and guidelines. For any Proficio clients who are unsure about logs investigations, please reach out to your assigned Client Success Manager or Security Advisors for the next steps.

Reference link

  • https://about.codecov.io/security-update/
  • https://www.bleepingcomputer.com/news/security/hundreds-of-networks-reportedly-hacked-in-codecov-supply-chain-attack/
  • https://www.reuters.com/technology/us-investigators-probing-breach-san-francisco-code-testing-company-firm-2021-04-16/
  • https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/
  • https://www.zdnet.com/article/codecov-breach-impacted-hundreds-of-customer-networks/
  • https://latesthackingnews.com/2021/04/26/codecov-breach-following-supply-chain-attack-affected-hundreds-of-networks/

Hafnium – Microsoft Exchange Server 0-Day Vulnerability

OVERVIEW | 0-day

As early as January 6, 2021, multiple Microsoft Exchange 0-day vulnerabilities had been publicly disclosed. These 0-day vulnerabilities were found to be actively exploited by the threat group Hafnium. This appears to be a nation-state attack that is currently targeting as many as 30,000 organizations in the United States and hundreds of thousands worldwide. Based on the current pool of targeted victims, these attacks do not appear to be targeting any specific sectors or countries.

Per BleepingComputer, there are four 0-day vulnerabilities that were being exploited:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Microsoft released patches for the exploited vulnerabilities on March 2, 2021. A PowerShell script called “Test-ProxyLogon.ps1” was also published by Microsoft to run against the Microsoft Exchange Servers for indicators of compromise. At this time, multiple groups of threat actors (other than the Hafnium group) were also known to be exploiting these vulnerabilities to compromised Microsoft Exchange Servers.

Hafnium Attack Details

These attacks began with reconnaissance on vulnerabilities against the potential servers from the adversary. For Hafnium, following the reconnaissance to gain initial access, they dropped webshells onto the affected servers. Based on our research, webshells dropped onto the victim’s servers were mainly variants related to China Chopper-like Webshell scripts.

The adversary was observed to have deployed these webshell scripts within web directory folders to establish persistence within the systems. The team also observed unusual HTTP POST requests of single letter or generically named Javascript files being used as part of the exploit attempt. CrowdStrike has decoded a sample of such scripts returning initial commands being passed to a dropped webshell. SetObject for OABVirtualDirectory commands were being used to point to the malicious JavaScripts. These webshells potentially allow attackers to perform malicious actions or steal data from the compromise servers.

Post exploitation activity such downloading PowerCat from GitHub was observed from this attack. PowerCat is used to connect to a remote server and open connections to the remote server. Activities such as utilization of exchange PowerShell snap-ins were observed to export mailbox data and stolen files were also observed to be compressed prior to exfiltration.

Stronger Together

Proficio’s Threat Intelligence team is continually researching and collecting IOCs with regards to these attacks. We continue to gather the latest IOCs available and many clients have also been providing additional Exchange logs and malicious artifacts, which we have used to find additional indicators to help in our threat hunting. With the indicators gathered, the team is able to quickly identify positive hits such as dropped files in client’s server.

Other than the public IOCs and additional indicators found by the team, we are also looking at other TTPs such as potential download traffic of PowerCat, large data transfers, access to file sharing sites and other unusual traffic that could help to identify the threat. This is an ongoing effort to help identify clients that may have been compromised and ensure our clients are not being targeted.

Precautionary Measures

Prevention is always better than cure. Given these exploits are still actively seen in the wild, we recommend organizations perform patching or upgrades to any on-premise Exchange environments to help mitigate the risk of successful exploit attempts; for those that have been exploited or are unsure of whether their servers have been compromised from these vulnerabilities prior to the patch, we strongly recommend investigating Microsoft Exchange Servers using Microsoft published PowerShell scripts that will scan for any indicators of compromise within the servers. Patch recommendation and PowerShell scripts provided by Microsoft team can be found here:

  • https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

For any concerned Proficio clients, please reach out to your assigned Client Success Manager or Security Advisors.

Reference links

https://news.sophos.com/en-us/2021/03/05/hafnium-advice-about-the-new-nation-state-attack/

https://www.theverge.com/2021/3/5/22316189/microsoft-exchange-server-security-exploit-china-attack-30000-organizations

https://www.bleepingcomputer.com/news/security/microsoft-fixes-actively-exploited-exchange-zero-day-bugs-patch-now/

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Phishing in the Wild II

OVERVIEW
Phishing events are commonly seen in the public so the Proficio’s threat intelligence team often receives opportunities to research different type of phishing activities. On the 13th November 2020, a client had requested for assistance on a phishing incidence that had occurred within their environment.

In this blog, we share some of the findings from our own deep-dive investigations into the HTM spear-phishing email campaigns.

PHISHING DETAILS
In this type of phishing attempt, the adversary would send a spear-phishing email with a HTM (.htm) file attach containing a URL link to the victim. Based on the team’s investigation of the incident that was reported, upon clicking on the phishing link it would redirect the victim to a phishing page which was hosted on another domain.

In this incidence, the phishing link was observed to be hosted on the domain “bayleafinternational[.]com” and upon clicking, the page would be redirected to the domain “laikipianorthtvc[.]ac[.]ke”. However, by 18th November 2020, the redirected phishing domain was taken down so instead of the first observed site “laikipianorthtvc[.]ac[.]ke”, it would redirect the user towards the domain “altia[.]in”. A Whois lookup (Figure 1) was performed on the first redirected link “laikipianorthtvc[.]ac[.]ke” and based on the updated date, it is suggested that this site was likely to taken down on 16th November 2020.

Sample phishing domain

Figure 1 – Sample phishing domain

The team further investigated the redirected phishing link. Simulating access of the phishing domain would display a phishing page that resembles a Microsoft login page (Figure 2). Upon entering the credentials, we noticed that the phishing site would redirect the victim to a URL on the same domain with a URL path containing “/complete?ss=2”. In this incidence that we were investigating, the user was redirected to the request URL “hxxps://altia[.]in/complete?ss=2”. A HTTP POST request could also be identified upon submitting the credentials (Figure 3).

Redirected fake login page

Figure 2 – Redirected fake login page

Test access with response code

Figure 3 – Test access with response code

Similar phishing activities were also found in the wild, with our research suggesting that this phishing campaign appears to have started as far back as 1st September 2020; it is likely this phishing campaign is still ongoing. We have noticed that multiple domains were being used in this phishing campaign, but some of the used and older pages have since been taken down.

Comparing the phishing activities observed with those seen in the wild, aside from the same fake Microsoft login page used, the phishing links appears to share similar naming formats as follows:

  • Initial URL from email
    • <domain>/<base64-encoded victim’s email address>
  • Redirected phishing page
    • < phishing domain>/?ss=2&ea=<victim email address>&session=<session ID>
  • Redirected complete page
    • <phishing domain>/complete?ss=2

MITRE ATT&CK FRAMWORK
The following framework is produced based on the investigated incidence:

Tactics  Techniques  Use 
Reconnaissance [TA0043]  Phishing for Information: Spearphishing Link [T1598.003] The phishing email contains a HTM file with a phishing link that leads to a fake login page used to steal credentials
Defense Evasion [TA0005]  Masquerading: Match legitimate name or location [T1036.005] The phishing email contains the use of a htm files with the file name containing the client’s domain.
Initial access [TA0001]  Phishing: Spearphishing Link [T1566.002] The adversaries utilize spear phishing emails and redirect victims to credential harvesting sites.

 

PRECAUTIONARY MEASURES
Anyone can fall victim to a phishing attack. Cybercriminals offer try and catch unsuspecting individuals by sending a phishing email from a reputable or known users that they wouldn’t expect to be compromised. It is advisable to safeguard yourself and your organization to avoid being the next victim from phishing attacks and credential theft. We would recommend organization to consider the following measures if this has seen within your environment.

  • Educate your employees and users to improve cybersecurity awareness.
    • Remind users to report any suspicious emails received, even from other employees, to their cyber-security team.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Always verify any suspicious emails through a different channel such as calling the supposed sender for verification.
  • If your organization is expecting legitimate emails from the senders, filter by email subjects and quarantine emails sent from those compromised senders to anyone outside of an expected recipient list.
  • Reach out to any legitimate sender that appear have their account(s) compromised and instruct them to take action to secure their account(s).
  • Make use of Multi-Factor Authentication to secure email and other user credentials.
  • Make use of network segmentation alongside the zero-trust model.

Ryuk Ransomware

OVERVIEW
Ryuk ransomware was first discovered in the wild in 2018. It is known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating the file encryption.

This ransomware group was one that did not stop attacks on healthcare organizations despite the Coronavirus pandemic in 2020, made clear by their recent attack against Universal Health Services (UHS). In this blog, we will share the common IOCs for this type of attack and ways to stay protected.

RANSOMWARE DETAILS
Since 2019, the most common method for Ryuk threat actors to gain entry to a victim’s environment is with the use of Trickbot and Emotet malware, often starting with phishing attacks. In the case of the UHS attack, both Emotet and TrickBot were detected within the UHS’ environment.

The attack chain often starts with delivering Emotet to a victim host via phishing email, which subsequently downloads Trickbot onto the host. After harvesting data, Trickbot opens a reverse shell to provide Ryuk ransomware threat actors with entry to the victim’s environment, allowing the actors to manually deploy the ransomware on the victim host.

Ryuk ransomware has been found to contain commands for killing services related to antivirus products, and Trickbot has the capability to disable Microsoft Defender as well. A UHS employee has stated online that during the attack, “multiple antivirus programs were disabled”.

Ryuk Ransomware Commands Example

Figure 1 – An example of commands in Ryuk ransomware

According another UHS employee, one of the infected computers displayed a ransom note that read “Shadow of the Universe”, which is similar to the phrase “balance of shadow universe” seen in previous Ryuk ransom notes. Names of files were observed being appended with the file extension “.ryk”, which is the extension used by Ryuk ransomware after successfully encrypting a file.

Ryuk Ransomware Note Example

Figure 2 – Example of a ransom note

While there are limited details on the UHS attack, there are some common activities and IOCs of Ryuk ransomware attacks involving Trickbot and Emotet:

  • Phishing email containing Microsoft Office attachments (.doc, .xls etc.) with Macros
  • PowerShell commands executed by Macros
  • Downloading of PowerShell Empire/Cobalt Strike/PsExec
  • Exploitation of EternalBlue vulnerability which is over port 445 (SMB)
  • Unusual scheduled tasks, registry keys created
  • Recurring traffic towards Trickbot C2 servers over ports such as ports 446, 447, 449, 8082
  • Privilege escalation
  • Files with the file extension “.ryk”
  • “RyukReadMe.txt” or “RyukReadMe.html”

PRECAUTIONARY MEASURES
Prevention is better than cure. It is advisable to safeguard yourself and your organization to avoid being the next victim of this ransomware attacks. We would recommend the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware
  • Consider Managed EDR services that will enable you to quickly react and contain any ransomware vendor
    • These services can also play a big part in monitoring and alerting on attacked vectors used as a distribution method
  • Have a cold or distributed backup system in place
    • At a minimum, have backups separate from production systems for your critical files or systems
  • Keep your operating systems up to date on the latest security patches
  • Make use of network segmentation alongside the zero-trust model
  • Close unnecessary network ports to reduce entry points for attackers
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise
  • Educate your employees and users to improve cybersecurity awareness

REFERENCES

  • https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/
  • https://techcrunch.com/2020/09/28/universal-health-services-ransomware/
  • https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
  • https://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/
  • https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware
  • https://www.bleepingcomputer.com/news/security/new-trickbot-version-focuses-on-microsofts-windows-defender/
  • https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
  • https://www.cpomagazine.com/cyber-security/ryuk-ransomware-still-targeting-hospitals-during-the-coronavirus-pandemic/
  • https://www.bleepingcomputer.com/news/security/ryuk-ransomware-keeps-targeting-hospitals-during-the-pandemic/
  • https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/

Typeform Phishing Campaign

OVERVIEW
In recent years, phishing campaign comes in different types and forms. The attackers are known to utilize free online tools and a variety of methods in hope to harvest credentials out from the victims.

On 16 August 2020, a relatively new spear-phishing campaign was detected which appears to utilize a free online tool – Typeform. The attacker created and hosted fake online forms to harvest victims’ credentials.

In this blog, we share some of the findings from our own deep-dive investigations into the attack activities that we have observed.

PHISHING DETAILS
Our investigation showed that victims would receive variants of emails, which can contain a URL link or an attachment that would redirect the victim to a phishing page. The phishing pages observed would inform the victim about a document that was sent through OneDrive in a PDF format.

Typeform Phished Email Example

Figure 1 – An example of phished email received

From our investigation, we have seen events where upon a successful phishing attempt, the compromised host would be used to subsequently broadcast the phishing email to all other employee using the organization email domain.

We have also seen events where the victim executed the phished PDF attachment in which the PDF would display a Microsoft labelled document with a “Open in OneDrive” button. Our investigation shows that clicking the button redirects to a phishing subdomain in Typeform with domain names such as

  • “hXXps://document-signonline[dot]typeform[dot]com”
  • ”hXXps://microsofonedrive6575[dot]typeform[dot]com”.
Typefrom Phishing Attachement Example

Figure 2 – An example of the attachment

Further investigations by the team reveals interesting network behaviour. Upon successful access to the phishing site and the user starts filling the phishing form, the page loads the domain ending with the URL parameter “/start-submission”. The phishing form first prompts for the user’s email address and then their password. Once the credentials are filled in, a button is displayed for the user to click on in order to send the inputs and view a document on the website. Clicking the button loads the domain ending with the URL parameter “/complete-submission”. Observing this traffic would represent a complete cycle whereby the victim has accessed and provided the credentials to the phished sites.

DETECTION AND DISCOVERY EFFORTS
Proficio’s Threat Intelligence Team collected several different IOCs to identify potential access to the phishing sites. The IOCs include URL parameters and IP addresses.

The most notable indicator of accessing the phishing page was the sequence of redirections that occur after clicking the initial phishing link. Based on this, we were able to identify potential phishing attempts with higher certainty despite the limited visibility allowed for an MDRP/MSSP like Proficio.

From our investigation, this campaign appears to target by organization rather than random individuals, as we had observed the phishing emails being sent to multiple employees within an organization together in one wave. Even if the emails were blocked, there were no repeated attempts to send the emails to the targets. This campaign does not appear to target any specific industry sector.

PRECAUTIONARY MEASURES
This could have happened to anyone of us that works in any organization whom we would unexpectedly receive phishing email send by reputable or known users that were being compromised. It is advisable to safeguard you and your organization to avoid being the next victim from phishing attacks and credential theft. We would recommend organization to consider the following measures if this has seen within your environment.

  • Educate your employees and users to improve cybersecurity awareness.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate users to report any suspicious emails received, even from other employees, to their cyber-security team.
  • Always verify any suspicious emails through a different channel such as calling the supposed sender for verification.
  • Quarantine emails sent from those compromised senders to anyone outside of an expected recipient list of filtering by email subjects if your organization is expecting legitimate emails from the senders.
  • Reach out to any legitimate sender that appear have their account(s) compromised and instruct them to take action to secure their account(s).
  • Make use of Multi-Factor Authentication to secure email and other user credentials
  • Make use of network segmentation alongside the zero-trust model

Proficio Vulnerability and Advisory Report

CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication
PURPOSE:
The purpose of this report is to provide vendor specific advisories and vulnerability information that may be relevant to the security of a device(s) deployed within your network environment. Along with information about the vulnerability related issues, Proficio will provide recommended actions to either resolve, mitigate or workaround the vulnerability as provided by the vendor.

Please let us know if you have any questions or concerns about the information below. If you are a current MSS customer, please let us know if you would like assistance with implementation. Submit a change request to prosoc@proficio.com .

ADVISORY DETAILS

Reported Vulnerability

Date: 2020 June 29

Severity: Critical

CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication

Summary:

When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

Affected Products

GlobalProtect Gateway,

GlobalProtect Portal,

GlobalProtect Clientless VPN,

Authentication and Captive Portal,

PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces,

Prisma Access

Work Around

If SAML or SSO is configured; proceed to the recommendation section below.

This article will illustrate the actions to confirm the configuration is present.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP

Affected/Fixed Software

This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1.

This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.

Details

If SAML or SSO is not configured, no action required.  If SAML or SSO is configured, the proceed to the recommendation section below.

Proficio Recommendation

If SAML or SSO is configured, follow the directions below:

Using a different authentication method and disabling SAML authentication will completely mitigate the issue.

Until an upgrade can be performed, applying both these mitigations (a) and (b) eliminates the configuration required for exposure to this vulnerability:

(a) Ensure that the ‘Identity Provider Certificate’ is configured. Configuring the ‘Identity Provider Certificate’ is an essential part of a secure SAML authentication configuration.

(b) If the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, then ensure that the ‘Validate Identity Provider Certificate’ option is enabled in the SAML Identity Provider Server Profile. Many popular IdPs generate self-signed IdP certificates by default and the ‘Validate Identity Provider Certificate’ option cannot be enabled. Additional steps may be required to use a certificate signed by a CA. This certificate can be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA. Instructions to configure a CA-issued certificate on IdPs are available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP.

Upgrading to a fixed version of PAN-OS software prevents any future configuration changes related to SAML that inadvertently expose protected services to attacks.

Details on Threat Group That Claims to Have Obtained President Trump’s Legal Documents

REvil/Sodinokibi Ransomware
OVERVIEW
The REvil/Sodinokibi threat group has taken ransomware attacks to a new level. While most variants, like the recent strain of DoppelPaymer ransomware, encrypt victim’s files, Proficio’s Threat Intelligence Team has seen an uptick of strains that also steal data to further pressure victims into paying ransoms. This group, infamously known as the one claiming to have obtained President Donald Trump’s legal documents, more recently attacked the law firm Grubman Shire Meiselas & Sacks (GSMLaw) which resulted in the exfiltration of multiple celebrities’ legal documents.

In this blog, we will be sharing additional details we discovered based on our research on the REvil/Sodinokibi ransomware.

RANSOMWARE DETAILS
REvil/Sodinokibi ransomware was discovered back in April 2019, where it was initially found to propagate via exploitation of a vulnerability in Oracle WebLogic. REvil/Sodinokibi is a ransomware-as-a-service (RaaS) and was suspected to be associated with GandCrab, a RaaS that had shut down operations in May 2019. REvil/Sodinokibi was found to share similar codes with GandCrab ransomware, such as the random URL generation.

Within the past year, REvil/Sodinokibi threat actors have been observed to utilize multiple techniques to spread ransomware to targets. Based on our research, some of distribution methods used are:

  • Oracle WebLogic vulnerability (CVE-2019-2725)
  • Malspam campaigns
  • Hack WordPress sites and fake forum posts containing a link to the ransomware installer
  • Breach managed service providers (MSPs) via exposed RDP
  • Webroot SecureAnywhere console in MSPs that deploys ransomware on the MSPs’ customers systems
  • RIG exploit kit
  • Pulse Secure VPN vulnerability (CVE-2019-11510)

Once the ransomware is delivered to a victim device, it can perform the following tasks:

  • Exploit the CVE-2018-8453 vulnerability to elevate privileges
  • Terminate blacklisted processes prior to encryption to eliminate resource conflicts
  • Wipe the contents of blacklisted folders
  • Encrypt non-whitelisted files and folders on local storage devices and network shares
  • Exfiltrate basic host information

Upon successful encryption of the victim’s files, the ransomware appends a randomly generated file extension to the file name made up of 5 to 10 alphanumeric characters. A ransom note is dropped onto the victim’s device with instructions on how the victim can pay the ransom.

Example of a ransom note

Figure 1 – Example of a ransom note

REvil/Sodinokibi threat actors usually provide two methods of payment. The first method is to access a Tor site using a Tor browser; the other is to use their secondary website. Earlier attacks provided “decryptor[.]top” as their secondary payment site, however more recent attacks appear to have switched to “decryptor[.]cc” instead.

Since January 2020, the threat actors behind the REvil/Sodinokibi ransomware have started to publish data stolen from victims that did not pay their ransom on time. This method of pressuring victims was inspired by Maze ransomware, which started this trend among ransomwares.

ADDITIONAL ACTIONS BY THE THREAT INTELLIGENCE TEAM

PRECAUTIONARY AND DETECTION MEASURES
Prevention is better than a cure, and given the popularity of ransomware attacks, you always need to be prepared. When possible, you must safeguard yourself and your organization to avoid being the next victim of ransomware attacks. We recommendthe use of a managed EDR service to help you deal with any ransomware attack quickly.

We also recommend organizations consider the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools update to date to provide detection and prevention from the spread of ransomware.
  • Make use of managed EDR services to quickly react and contain any ransomware identified before any major damage can be done.
    • Managed EDR services can also play a big part in monitoring and alerting on attack vectors that are often used as distribution methods for ransomware.
  • Perform regular backups on critical files and systems.
  • Keep your operating systems up to date with the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Close any unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

 

REFERENCES

  • https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-distributed-by-hackers-posing-as-german-bsi/
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-via-fake-forums-on-hacked-sites/
  • https://www.zdnet.com/article/ransomware-gang-hacks-msps-to-deploy-ransomware-on-customer-systems/
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-targeting-asia-via-the-rig-exploit-kit/
  • https://www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulse-secure-vpn-servers/
  • https://www.secureworks.com/research/revil-sodinokibi-ransomware
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/
  • https://www.bleepingcomputer.com/news/security/shared-code-links-sodinokibi-to-gandcrab-minus-the-fun-and-games/
  • https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html?m=1
  • https://www.pcrisk.com/removal-guides/14942-sodinokibi-ransomware

DoppelPaymer Ransomware

OVERVIEW
Recently, Proficio’s Threat Intelligence Team has observed a surge in ransomware cases that take advantage of the current COVID-19 situation. In this blog, we will discuss a variant of ransomware named “DoppelPaymer”, which has significantly raised its popularity over the last month, and provide additional details discovered during our research.

RANSOMWARE DETAILS
“DoppelPaymer” is said to be the evolution from “BitPaymer Ransomware”. This strain of ransomware is an enterprise-targeting variant. Based on its history of attacks and the information within the ransom notes, we believe that the threat actor group is targeting English-speaking victims.

While earlier builds of the malware were identified back in April 2019, the first known victims of DoppelPaymer ransomware were seen in June 2019. DoppelPaymer ransomware is likely a variant of BitPaymer Ransomware, where initial ransom notes would contain the string of text “BitPaymer”. The name “DoppelPaymer” was given by researchers to identify this new variant of ransomware found in the wild. Following that, the threat actor appears to have adopted this name and has changed the string of text from “BitPaymer” to “DoppelPaymer” within the ransom notes. Based on the similarities between both ransomware variants, the threat actor groups for DoppelPaymer are suspected to be likely a split from INDRIK SPIDER cybercrime group.

DoppelPaymer ransomware is known to consist of both Dridex and BitPaymer source code. Several other interesting traits that were observed, including:

  • Encryption method 2048-bit RSA + 256-bit AES
  • Encrypted files are renamed with a “.locked” extension
  • Latest version of variants mark data with “.doppeled” appendix
  • Ability to terminate processes and services that may interfere with file encryption using the technique ProcessHacker

DoppelPaymer ransomware is usually dropped by the Dridex trojan; however, this ransomware is not limited to one distribution method. Based on our research, the following are some of the distribution methods that have been observed over the year:

  • Insecure RDP configuration
  • Email spam and malicious attachments
  • Deceptive downloads
  • Botnets
  • Exploits
  • Malicious advertisement
  • Web injects
  • Fake updates
  • Repackaged
  • Infected installers

Upon successful infection and encryption of data on the victim’s computer, the victim’s files would be renamed, and a ransom note in text file format could be found within the victim’s system.

Ransom notes sample

Figure 1 Ransom notes

It’s interesting to note that there is no ransom amount stated within the text file. Instead, a list of instructions was being provided to the victim to follow strictly. The victims were requested to download “Tor Browser” and to subsequently type into an address bar provided to access the DoppelPaymer portal.

Accessing Tor link in Ransom Notes Sample

Figure 2 Accessing Tor link found in ransom notes

DoppelPaymer Ransomware Payment Portal Sample

Figure 3 DoppelPaymer Ransomware Payment Portal

After the portal was accessed from the Tor browser, the victim would be provided with several key pieces of information, such as a countdown timer for a “special price”, a unique reference ID used to identify the victim, the ransom amount and a BTC address where the ransom payment can be sent to.

Further research on DoppelPaymer ransomware reveals that, in the earlier days, victims who are not willing to pay the ransom would have their data sold on the darknet. Following the trends from various ransomware groups such as Maze , the DoppelPaymer threat actor group was inspired to launch a public website for use as a shaming platform to victims who are not willing to pay the ransom.

A video demonstration of file encryption can also be seen on YouTube.


PRECAUTIONARY MEASURES
Prevention is always better than a cure. It is advisable to safeguard yourself and your organization to avoid being the next victim of a ransomware attack. We advise using a managed EDR service to better prepare yourself for dealing with a ransomware attack. We also recommend organizations consider the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware.
  • Make use of a managed EDR service to quickly react and contain any ransomware vendor
  • Managed EDR services can also play a big part in monitoring and alerting on attacked vectors used as a distribution method
  • Perform regular backups on critical files and systems.
  • Keep your operating systems up to date with the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

For the latest information from our Threat Intelligence Team on the DoppelPaymer attacks and other threats, please visit our Twitter Feed.