Posts

A Discussion Around The Challenges Todays Security Officers Face | A Cyber Chat with EVOTEK – Full Episode

From budget cuts to cyberattacks, today’s CISOs must continuously stay on their toes to keep their organizations protected. On this episode of Cyber Chats, industry veterans Brad Taylor, Proficio’s CEO, and Macy Dennis, EVOTEK Chief Security Officer, sit down to discuss the challenges many Security Officers face.

This includes the increasingly complex ransomware attacks and best practices for being prepared for a cyber incident. Tune in to see what tips they provide to help keep your organization secure.

Kaseya VSA Security Incidence

Overview | Kaseya VSA

On July 2, 2021, right before Americans started their long, Independence Day weekend, hackers once again made their way to the top of the news headlines. This time, the victim of the largest ransomware attack was Kaseya, a technology company that sells its technology to other third-party providers, mainly managed service providers (MSPs).

Speculations have suggested that the attack was yet another supply-chain ransomware attack. Multiple security firms and researchers have concluded that the attackers chose to exploit a zero-day vulnerability rather than tampering Kaseya’s codebase to distribute the malware. REvil/Sodinokibi ransomware threat actors were found to be responsible for the attack, exploiting a zero-day vulnerability to remotely access internet facing Kaseya VSA servers. Using this method, they hacked through less than 40 VSA servers and were able to deploy the ransomware to over a thousand enterprise networks.

What is Kaseya VSA?

Kaseya VSA, the Virtual System/Server Administrator is marketed as an endpoint management and network monitoring system that allows its client to have a unified remote monitoring and management platform. Users can perform functions such as remote controls to end-user computers, discovery and inventory on a client’s infrastructure, patch management to have a centralized system deploying software updates across all endpoints and monitoring and alerting of incident across the network. This makes it a convenient solution for MSPs to remotely manage their customer’s IT infrastructure and provide IT support and cybersecurity services to multiple enterprises. Kaseya VSA is also designed to have administrator rights provided down to all client systems.

In this incidence, an attacker had abused Kaseya VSA’s auto-update function and maliciously pushed the REvil ransomware onto Kaseya’s clients. This allowed the ransomware to reach to more victims, not only affecting Kaseya VSA customers but also the customers of MSPs that are using Kaseya VSA systems.

Kaseya-Timelin

Timeline of how the attack affected MSPs client systems

What Happened?

Various articles and researchers have concluded that attackers leveraged the standard VSA product functionality to deploy ransomware to the endpoint users. The attacker had exploited the zero-day vulnerability currently assigned the CVE-2021-30116 identifier.

The Kaseya zero-day vulnerability was discovered by Dutch Institute for Vulnerability Disclosure [DIVD] researcher Wietse Boonstra in early April, and had been shared with Kaseya prior to its exploitation in these ransomware attacks. Unfortunately, REvil attackers had managed to find the security flaw and attack by exploiting the vulnerability before Kaseya was able to issue or release a patch, resulting in this large-scale ransomware infection.

Given that the incident is currently in the middle of the investigation and patching stage, full details of the zero-day vulnerability “CVE-2021-30116” are currently not disclosed to the public. However, various research suggests that this vulnerability allows a remote non-authenticated attacker to compromise the affected system. To exploit this vulnerability, the attacker sends a specially crafted request to the affected application. Researchers have also concluded that the attacker managed to bypass authentication on the internet facing VSA web panel, exploit an arbitrary file upload, and execute commands via SQL injection on the VSA appliance.

Evidence of an executable code containing actions that would disable existing user sessions, remove IIS logs, and other cleanup activities has also been found. This attack appears to be geographically dispersed and the impact appears to have been restricted to systems running the Kaseya software.

The attack distributed its malicious payload in the form of a “Kaseya VSA agent hot-fix” launching the malicious software update package that targeted customers of MSPs and enterprise users of the on-site version of Kaseya’s VSA remote monitoring and management platform. The VSA appliance that had deployed a “Kaseya VSA agent hot-fix” package was observed to have bypassed antivirus solutions using an older and vulnerable version of the Microsoft Defender app, which it used to encrypt local workstations.

After compromising an MSP that utilizes Kaseya VSA, the attackers subsequently disabled the client’s administrative access to their respective Kaseya VSA platform, allowing the attackers to gain administrative access to all endpoints managed by Kaseya VSA. Upon gaining administrative access, the attackers were observed attempting to disable Microsoft Defender Real-Time Monitoring via PowerShell and deploy the ransomware.

REvil Ransomware

Various evidence, such as ransom notes dropped onto the infected systems, revealed that this cyber incident was closely tied with REvil/Sodinikibi ransomware group. The REvil ransomware group had also stepped forward to confirm associations with this attack after claiming the responsibility on its Dark Web leak site.

This is not the first time that the REvil ransomware group had topped news headlines. However, in this attack, REvil’s operators took a different approach in how they negotiate the ransom. REvil attacks can use multiple encrypted file extensions and typically will provide a decryptor that decrypts all encrypted extensions. In this attack, REvil demanded ransom payments made for each individual encrypted file extension found on a victim’s network, as opposed to their usual method of providing one decryptor to decrypt all encrypted file extensions.

The attackers are willing to provide a universal decryptor for victims of the attack, but only under the condition that they are paid $70 million in Bitcoin. The value has reportedly recently been lowered to $50 million.

REvil representatives have also responded to victims during the negotiation stage that in this attack, they had only encrypted networks and nothing more. Based on this information, it was suggested that REvil did not steal any victim’s data, which is typically what they utilize as a factor during the negotiation stage. This also indicates that the ransomware operation did not access the victim’s networks before the attack; however, it is still uncertain as to the extent of damage that was brought to the victim’s environment.

Riding the Waves

It is not a surprise that upon a new zero-day vulnerability disclosure or vulnerability being exploited by a cybercriminal group, other threat actors would take advantage of this opportunity and ride on the waves. Not long after the Kaseya attack, a new malspam campaign was observed containing various subject titles claiming to contain patch for Kaseya vulnerability. The attachment found in this malspam campaign appears to drop Cobalt Strike malware likely targeting users utilizing Kaseya products. Cobalt strike malware attachments appear to be the first malware that was found in the wild exploiting the current Kaseya situation.

MITRE ATT&CK

The following are the MITRE ATT&CK Tactics and Techniques associated with the Kaseya attacks:

Tactics Techniques
Resource Development Obtain Capabilities: Vulnerabilities (T1588.006)
Resource Development Obtain Capabilities: Exploits (T1588.005)
Initial Access Exploit Public-Facing Application (T1190)
Execution Command and Scripting Interpreter: PowerShell (T1059.001)
Persistence Hijack Execution Flow : DLL Side-Loading (T1574.002)
Defense Evasion Masquerading : Rename system utilities (T1036.003)
Defense Evasion Impair Defences: Disable or Modify Tools (T1562.001)
Defense Evasion Deobfuscate/Decode Files or Information (T1140)
Defense Evasion Hijack Execution Flow: DLL Side-Loading (T1574.002)
Defense Evasion Indicator Removal on Host: File Deletion (T1070.004)
Defense Evasion Modify Registry (T112)
Defense Evasion Subvert Trust Controls: Code Signing (T1553.002)
Impact Data Encrypted for Impact (T1486)

General Recommendations

Given that the vulnerability is newly discovered, there is still a lot of uncertainty about this attack and how it would affect clients utilizing Kaseya VSA software. As such, it is advised for clients utilizing Kaseya VSA software to have all on-premises VSA Servers to remain offline until further instructions from Kaseya on when it is safe to restore operations when a patch is made available to the public.

We strongly recommend to follow the guidelines by Kaseya, FBI and CISA if you use Kaseya VSA for your IT infrastructure and/or to reach out to your MSP if you are currently leveraging one for any IT-related management.

It is important to note that Proficio does not use Kaseya or any of its products.  If you have questions, please do not hesitate to contact your Customer Success Manager or Security Advisor.

 

Lessons Learned: Ransomware Attacks in 2021

While ransomware attacks in 2021 never cease to stop, several high-profile occurrences in the first half of the year gained swift notoriety for either the scale of damage they inflicted or the targets they focused on. Here are four of the biggest attacks, and the lesson that can be learned from each.

Colonial Pipeline

A natural place to begin is with the most severe cyber-attack to ever target critical infrastructure in the United States. Instigated by the DarkSide ransomware group, this has been one of the most newsworthy ransomware attacks in 2021, targeting the IT environment tied to a pipeline system that extends from Texas to New York.

Hackers used a VPN account and a leaked password to gain access to the Colonial Pipeline network. The attack was noticed on May 7, 2021, when an employee saw a message on a computer screen in the control room, demanding a cryptocurrency payment. An operations supervisor decided to respond to the attack by taking the unprecedented step of shutting the entire pipeline down.

Colonial Pipeline decided to make the ransom payment of $4.4 million in bitcoin – and as a positive turn, with the help of the FBI, part of the payment has been recovered. The disruption to the pipeline lasted five days before normal operations resumed.

Takeaway: Use multi-factor authentication so that even if a password becomes compromised, hackers need to provide an additional category of evidence to access a resource on your network.

Acer

Taiwanese computer manufacturer Acer became the victim of another notable ransomware attack in March 2021. It’s believed a Microsoft Exchange vulnerability provided an entry route into Acer’s network.

The REvil ransomware group demanded a $50 million payment to return stolen data, releasing samples on the dark web. It’s not publicly known whether Acer paid the ransom.

 Takeaway: Hacking groups don’t keep a 9-5 schedule. It’s critical for organizations to use 24-7 monitoring solutions that constantly seek out new types of attacks, critical vulnerabilities, and suspicious behavior on your network. A dedicated security operations team can provide 24-7 incident monitoring, detection, and response.

Sierra Wireless

Among several high-profile technology companies hit by ransomware attacks in 2021 was the wireless communications equipment designer and manufacturer, Sierra Wireless. The attack targeted both the company’s internal IT systems and corporate website.

Production at the company’s manufacturing locations was temporarily halted while the company quickly initiated measures to counter and contain the damage. While the internal network and corporate website remained affected for a few days, any customer-facing products and services weren’t impacted.

Takeaway: The swift response during the Sierra Wireless attack is critical for rapid threat containment. Fast action can make the difference between an attempted hack and a devastating breach, which is why automated response solutions are essential for modern organizations.

Scripps Healthcare

Finishing things off is one of the most targeted industries – healthcare. In May 2021, a hospital in our own backyard was taken offline for almost a month due to a sophisticated ransomware attack.

While not much is currently known about this attack, during the same timeframe, we saw a similar attack take down Ireland’s Health Service Executive. This attack was due to an employee that unknowingly clicked a malicious link, and the cybercriminals demanded almost €15 million to return 700 gigabytes of confidential patient data.

Takeaway: Opportunistic hackers don’t take ethical or moral considerations into account when looking for targets to exploit. Knowing the signs of a ransomware attack in its early stages is key to stopping cybercriminals before they get into your networks.

 

Conclusion

While the ransomware attacks in 2021 that make media headlines often involve public infrastructure, health services, and large corporations, these incidents can happen just as easily on small to medium businesses. As we often say – it’s not a matter of if you’ll be attacked, but when – so regardless of the size of your company, preparation is vital to staying safe.

DarkSide Ransomware

Overview | Darkside Ransomware

DarkSide ransomware was first discovered in the wild in August, 2020. It runs a Ransomware-as-a-Service (RaaS), whereby affiliates are able to deploy the ransomware for a fee or a cut of the proceeds from successful ransom payments.

The DarkSide ransomware group was brought to mainstream attention due to the recent ransomware attack against Colonial Pipeline. The Proficio Threat Intelligence Team posted information and articles about the Colonial Pipeline attack in our Twitter Feed. Below, we provide more detailed findings based on our research of DarkSide ransomware.

What We Know About the DarkSide Ransomware Group

DarkSide ransomware group attacks are highly targeted, and affiliates are able customize the ransomware executable for the specific organization they are attacking. Organizations that are targeted typically have the finances to pay large ransom amounts. After the attack on Colonial Pipeline, the DarkSide ransomware group has publicly stated that they are apolitical and their goal “is to make money, not create problems for society”.

However, affiliates are not allowed to attack organizations from the following sectors:

  • Healthcare
  • Funeral services
  • Education
  • Public sector
  • Non-profit organizations
  • Government sector

The DarkSide ransomware group also has a website where they publish data stolen from victims who refuse to pay the ransom. This is a method of further pressuring victims to pay, following a trend observed among ransomwares throughout 2020, including DoppelPaymer and REvil/Sodinokibi.

How DarkSide Ransomware Attacks Work

The initial entry method of DarkSide ransomware attacks can vary depending on the affiliate carrying out the attack. There is currently no public information on the initial entry method used in the attack on Colonial Pipeline, however example methods observed from past DarkSide ransomware attacks include:

  • Exploiting hardware/software vulnerabilities
  • Exploiting remote access services (such as RDP)
  • Access victim’s network using legitimate credentials, obtained by:
    • Phishing attacks
    • Password attacks (such as password spraying)
    • Purchasing from a third-party source

After gaining access to the victim’s environment, the attackers will move laterally throughout the network and perform internal reconnaissance to gather information before encrypting data. The following have been observed being utilized in previous attacks for reconnaissance/lateral movement:

  • PSExec
  • RDP connections
  • SSH
  • Mimikatz
  • Cobalt Strike
  • BloodHound

Information gathered during the internal reconnaissance also includes credentials stored in files, memory and domain controllers; the stolen credentials are then used to access privileged accounts. PowerShell commands are executed to delete shadow copies which wipes backups and file snapshots to prevent recovery.

Stolen data is exfiltrated before deploying DarkSide ransomware to encrypt the victim’s files. Upon successful encryption, the ransomware appends a victim’s ID as an extension to file names. A ransom note with the naming convention of “README.[victim’s_ID].TXT” is dropped onto the victim’s device with instructions for the victim to access a Tor website using a Tor browser to pay the ransom – and if unpaid, they threaten to publish the stolen data.

Example-of-a-Ransom-Note-Darkside-Ransomware

Figure 1- Example of a Ransom Note

Known DarkSide Affiliates

As previously mentioned, DarkSide ransomware can be used by different affiliates and as such, different Darkside attacks can utilize different tools and tactics depending on the affiliate. Below are examples of different attack flows by three affiliates that were identified by FireEye.

UNC2628

This affiliate group is suspected to have used a password spraying attack against the victim’s VPN to gain initial access into the environment. The attackers utilized Cobalt Strike beacons for C2 communications and Mimikatz for credential theft. Lateral movement was performed using RDP connections and Cobalt Strike.

The attackers exfiltrated stolen data using Rclone, a command line utility to manage files for cloud storage applications, to cloud-based storages. DarkSide ransomware is then deployed using PsExec.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactics Techniques
Credential Access [TA0006] Brute Force: Password Spraying [T1110.003]
Initial Access [TA0001] Valid Accounts [T1078]
Resource Development [TA0042] Obtain Capabilities: Tool [T1588.002]
Credential Access [TA0006] OS Credential Dumping [T1003]
Lateral Movement [TA0008] Remote Services: Remote Desktop Protocol [T1021.001]
Command and Control [TA0011] Application Layer Protocol: Web Protocols [T1071.001]
Execution [TA0002] Command and Scripting Interpreter [T1059]
Execution [TA0002] System Services: Service Execution [T1569.002]
Exfiltration [TA0010] Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]
Impact [TA0040] Data Encrypted for Impact [T1486]

UNC2659

This affiliate group gains initial access by exploiting the SonicWall vulnerability CVE-2021-20016. After gaining access to the victim’s environment, the attackers download the tool TeamViewer from the official website onto the victim host to establish persistence within the environment.

This group was also observed utilizing Rclone for data exfiltration, which is downloaded from the official website onto the victim host. The stolen data is exfiltrated to cloud-based storages.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactics Techniques
Initial Access [TA0001] Exploit Public-Facing Application
Resource Development [TA0042] Obtain Capabilities: Tool [T1588.002]
Command And Control [TA0011] Remote Access Software [T1219]
Execution [TA0002] Command and Scripting Interpreter [T1059]
Exfiltration [TA0010] Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]
Impact [TA0040] Data Encrypted for Impact [T1486]

UNC2465

This affiliate group utilized a backdoor named “SMOKEDHAM” to gain access to the victim’s environment, which is delivered via phishing emails and legitimate services such as Google Drive and Dropbox. Advanced IP Scanner, BloodHound, and RDP were used for internal reconnaissance, and Mimikatz was used for credential theft.

The attackers also used the NGROK utility to bypass firewalls and expose remote service ports such as RDP to the Internet. The DarkSide ransomware is deployed using PsExec and scheduled tasks.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactics Techniques
Initial Access [TA0001] Phishing: Spearphishing Link [T1566.002]
Resource Development [TA0042] Obtain Capabilities: Tool [T1588.002]
Lateral Movement [TA0008] Remote Services: Remote Desktop Protocol [T1021.001]
Credential Access [TA0006] OS Credential Dumping [T1003]
Defense Evasion Impair Defenses [T1562]
Execution [TA0002] System Services: Service Execution [T1569.002]
Impact [TA0040] Data Encrypted for Impact [T1486]

General Recommendations

Although DarkSide ransomware attacks can involve different tactics and tools, based on which threat group is making use of their RaaS, the tactics, techniques and tools deployed are not completely different as they share the common DarkSide platform. The variety of tactics and techniques deployed should serve as a clear indication that focusing on any single threat will not provide adequate coverage, in terms of ensuring that an organization is well protected from the broad array of security threats.

The use of EDR solutions provide valuable visibility into endpoints and important systems, so they should play a big role in dealing with ransomware attacks. We also recommend a defense-in-depth approach for securing your network and environment, including ensuring there is proper segmentation and security device visibility between network segments, particularly critical network segments. Traditional security architecture, that focuses solely on securing the perimeter, are inadequate in dealing with modern day persistent threats, though they play an important part.

An organization with proper network segmentation and security device coverage can then make use of the following general suspicious indicators/activities that serve as a useful way to monitor for to identify potential DarkSide ransomware attacks:

  • Attacks on VPN infrastructure (exploiting vulnerabilities or through password spraying attacks)
  • Phishing emails
  • Deployment, use and download of common exploit and bypass tools like Mimikatz, Cobalt Strike and BloodHound
  • Unauthorized deployment, use and download of remote access tools (Teamviewer, Remote Desktop, etc)
  • Installation of suspicious or unknown services
  • Data exfiltration to cloud storage

Proficio has already deployed a wide variety of use cases that can be effectively utilized to detect such common indicators or activities. Of course, the effectiveness of the use cases depends on the log sources being monitored and their visibility into the environment or network. We recommend reaching out to your security advisors or client success managers to understand the use cases deployed for your environment and how we can work together to increase the efficacy of our monitoring, detection and discovery efforts.

The Proficio Threat Intelligence Team will continue to research and investigate all new threats to identify the best way to start a threat hunting campaign. And as always, we will keep all of our clients informed on our efforts in this area.

Precautionary Measures

Prevention is better than cure. It is advisable to safeguard you and your organization to avoid being the next victim of this ransomware attacks. We would recommend organization to consider the following measures.

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware.
  • Performing regular backups on critical files and systems.
  • Keeping your operating systems and accessible services up to date on the latest security patches.
  • Make use of Multi-Factor Authentication to govern access as much as possible.
  • Make use of network segmentation alongside the zero-trust model.
  • Close unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

How Organizations Protect Against Ransomware | A chat with CrowdStrike – Full Episode

While ransomware remains one of the biggest cyberthreats, there are steps that cybersecurity teams can take to keep themselves better protected. Threat intelligence experts, Ardan Toh of Proficio and Scott Jarkoff of CrowdStrike, share their thoughts on how organizations can stay safe.

One of the most frequent targets are the healthcare industry, especially with all the research around COVID-19. Scott and Ardan discuss why they’re commonly the victims and how Nation State actors have played more of a role in recent years. But how has this evolved in recent years? Tune in to find out!

Phishing in the Wild II

OVERVIEW
Phishing events are commonly seen in the public so the Proficio’s threat intelligence team often receives opportunities to research different type of phishing activities. On the 13th November 2020, a client had requested for assistance on a phishing incidence that had occurred within their environment.

In this blog, we share some of the findings from our own deep-dive investigations into the HTM spear-phishing email campaigns.

PHISHING DETAILS
In this type of phishing attempt, the adversary would send a spear-phishing email with a HTM (.htm) file attach containing a URL link to the victim. Based on the team’s investigation of the incident that was reported, upon clicking on the phishing link it would redirect the victim to a phishing page which was hosted on another domain.

In this incidence, the phishing link was observed to be hosted on the domain “bayleafinternational[.]com” and upon clicking, the page would be redirected to the domain “laikipianorthtvc[.]ac[.]ke”. However, by 18th November 2020, the redirected phishing domain was taken down so instead of the first observed site “laikipianorthtvc[.]ac[.]ke”, it would redirect the user towards the domain “altia[.]in”. A Whois lookup (Figure 1) was performed on the first redirected link “laikipianorthtvc[.]ac[.]ke” and based on the updated date, it is suggested that this site was likely to taken down on 16th November 2020.

Sample phishing domain

Figure 1 – Sample phishing domain

The team further investigated the redirected phishing link. Simulating access of the phishing domain would display a phishing page that resembles a Microsoft login page (Figure 2). Upon entering the credentials, we noticed that the phishing site would redirect the victim to a URL on the same domain with a URL path containing “/complete?ss=2”. In this incidence that we were investigating, the user was redirected to the request URL “hxxps://altia[.]in/complete?ss=2”. A HTTP POST request could also be identified upon submitting the credentials (Figure 3).

Redirected fake login page

Figure 2 – Redirected fake login page

Test access with response code

Figure 3 – Test access with response code

Similar phishing activities were also found in the wild, with our research suggesting that this phishing campaign appears to have started as far back as 1st September 2020; it is likely this phishing campaign is still ongoing. We have noticed that multiple domains were being used in this phishing campaign, but some of the used and older pages have since been taken down.

Comparing the phishing activities observed with those seen in the wild, aside from the same fake Microsoft login page used, the phishing links appears to share similar naming formats as follows:

  • Initial URL from email
    • <domain>/<base64-encoded victim’s email address>
  • Redirected phishing page
    • < phishing domain>/?ss=2&ea=<victim email address>&session=<session ID>
  • Redirected complete page
    • <phishing domain>/complete?ss=2

MITRE ATT&CK FRAMWORK
The following framework is produced based on the investigated incidence:

Tactics  Techniques  Use 
Reconnaissance [TA0043]  Phishing for Information: Spearphishing Link [T1598.003] The phishing email contains a HTM file with a phishing link that leads to a fake login page used to steal credentials
Defense Evasion [TA0005]  Masquerading: Match legitimate name or location [T1036.005] The phishing email contains the use of a htm files with the file name containing the client’s domain.
Initial access [TA0001]  Phishing: Spearphishing Link [T1566.002] The adversaries utilize spear phishing emails and redirect victims to credential harvesting sites.

 

PRECAUTIONARY MEASURES
Anyone can fall victim to a phishing attack. Cybercriminals offer try and catch unsuspecting individuals by sending a phishing email from a reputable or known users that they wouldn’t expect to be compromised. It is advisable to safeguard yourself and your organization to avoid being the next victim from phishing attacks and credential theft. We would recommend organization to consider the following measures if this has seen within your environment.

  • Educate your employees and users to improve cybersecurity awareness.
    • Remind users to report any suspicious emails received, even from other employees, to their cyber-security team.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Always verify any suspicious emails through a different channel such as calling the supposed sender for verification.
  • If your organization is expecting legitimate emails from the senders, filter by email subjects and quarantine emails sent from those compromised senders to anyone outside of an expected recipient list.
  • Reach out to any legitimate sender that appear have their account(s) compromised and instruct them to take action to secure their account(s).
  • Make use of Multi-Factor Authentication to secure email and other user credentials.
  • Make use of network segmentation alongside the zero-trust model.

Ryuk Ransomware

OVERVIEW
Ryuk ransomware was first discovered in the wild in 2018. It is known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating the file encryption.

This ransomware group was one that did not stop attacks on healthcare organizations despite the Coronavirus pandemic in 2020, made clear by their recent attack against Universal Health Services (UHS). In this blog, we will share the common IOCs for this type of attack and ways to stay protected.

RANSOMWARE DETAILS
Since 2019, the most common method for Ryuk threat actors to gain entry to a victim’s environment is with the use of Trickbot and Emotet malware, often starting with phishing attacks. In the case of the UHS attack, both Emotet and TrickBot were detected within the UHS’ environment.

The attack chain often starts with delivering Emotet to a victim host via phishing email, which subsequently downloads Trickbot onto the host. After harvesting data, Trickbot opens a reverse shell to provide Ryuk ransomware threat actors with entry to the victim’s environment, allowing the actors to manually deploy the ransomware on the victim host.

Ryuk ransomware has been found to contain commands for killing services related to antivirus products, and Trickbot has the capability to disable Microsoft Defender as well. A UHS employee has stated online that during the attack, “multiple antivirus programs were disabled”.

Ryuk Ransomware Commands Example

Figure 1 – An example of commands in Ryuk ransomware

According another UHS employee, one of the infected computers displayed a ransom note that read “Shadow of the Universe”, which is similar to the phrase “balance of shadow universe” seen in previous Ryuk ransom notes. Names of files were observed being appended with the file extension “.ryk”, which is the extension used by Ryuk ransomware after successfully encrypting a file.

Ryuk Ransomware Note Example

Figure 2 – Example of a ransom note

While there are limited details on the UHS attack, there are some common activities and IOCs of Ryuk ransomware attacks involving Trickbot and Emotet:

  • Phishing email containing Microsoft Office attachments (.doc, .xls etc.) with Macros
  • PowerShell commands executed by Macros
  • Downloading of PowerShell Empire/Cobalt Strike/PsExec
  • Exploitation of EternalBlue vulnerability which is over port 445 (SMB)
  • Unusual scheduled tasks, registry keys created
  • Recurring traffic towards Trickbot C2 servers over ports such as ports 446, 447, 449, 8082
  • Privilege escalation
  • Files with the file extension “.ryk”
  • “RyukReadMe.txt” or “RyukReadMe.html”

PRECAUTIONARY MEASURES
Prevention is better than cure. It is advisable to safeguard yourself and your organization to avoid being the next victim of this ransomware attacks. We would recommend the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware
  • Consider Managed EDR services that will enable you to quickly react and contain any ransomware vendor
    • These services can also play a big part in monitoring and alerting on attacked vectors used as a distribution method
  • Have a cold or distributed backup system in place
    • At a minimum, have backups separate from production systems for your critical files or systems
  • Keep your operating systems up to date on the latest security patches
  • Make use of network segmentation alongside the zero-trust model
  • Close unnecessary network ports to reduce entry points for attackers
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise
  • Educate your employees and users to improve cybersecurity awareness

REFERENCES

  • https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/
  • https://techcrunch.com/2020/09/28/universal-health-services-ransomware/
  • https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
  • https://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/
  • https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware
  • https://www.bleepingcomputer.com/news/security/new-trickbot-version-focuses-on-microsofts-windows-defender/
  • https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
  • https://www.cpomagazine.com/cyber-security/ryuk-ransomware-still-targeting-hospitals-during-the-coronavirus-pandemic/
  • https://www.bleepingcomputer.com/news/security/ryuk-ransomware-keeps-targeting-hospitals-during-the-pandemic/
  • https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/

Details on Threat Group That Claims to Have Obtained President Trump’s Legal Documents

REvil/Sodinokibi Ransomware
OVERVIEW
The REvil/Sodinokibi threat group has taken ransomware attacks to a new level. While most variants, like the recent strain of DoppelPaymer ransomware, encrypt victim’s files, Proficio’s Threat Intelligence Team has seen an uptick of strains that also steal data to further pressure victims into paying ransoms. This group, infamously known as the one claiming to have obtained President Donald Trump’s legal documents, more recently attacked the law firm Grubman Shire Meiselas & Sacks (GSMLaw) which resulted in the exfiltration of multiple celebrities’ legal documents.

In this blog, we will be sharing additional details we discovered based on our research on the REvil/Sodinokibi ransomware.

RANSOMWARE DETAILS
REvil/Sodinokibi ransomware was discovered back in April 2019, where it was initially found to propagate via exploitation of a vulnerability in Oracle WebLogic. REvil/Sodinokibi is a ransomware-as-a-service (RaaS) and was suspected to be associated with GandCrab, a RaaS that had shut down operations in May 2019. REvil/Sodinokibi was found to share similar codes with GandCrab ransomware, such as the random URL generation.

Within the past year, REvil/Sodinokibi threat actors have been observed to utilize multiple techniques to spread ransomware to targets. Based on our research, some of distribution methods used are:

  • Oracle WebLogic vulnerability (CVE-2019-2725)
  • Malspam campaigns
  • Hack WordPress sites and fake forum posts containing a link to the ransomware installer
  • Breach managed service providers (MSPs) via exposed RDP
  • Webroot SecureAnywhere console in MSPs that deploys ransomware on the MSPs’ customers systems
  • RIG exploit kit
  • Pulse Secure VPN vulnerability (CVE-2019-11510)

Once the ransomware is delivered to a victim device, it can perform the following tasks:

  • Exploit the CVE-2018-8453 vulnerability to elevate privileges
  • Terminate blacklisted processes prior to encryption to eliminate resource conflicts
  • Wipe the contents of blacklisted folders
  • Encrypt non-whitelisted files and folders on local storage devices and network shares
  • Exfiltrate basic host information

Upon successful encryption of the victim’s files, the ransomware appends a randomly generated file extension to the file name made up of 5 to 10 alphanumeric characters. A ransom note is dropped onto the victim’s device with instructions on how the victim can pay the ransom.

Example of a ransom note

Figure 1 – Example of a ransom note

REvil/Sodinokibi threat actors usually provide two methods of payment. The first method is to access a Tor site using a Tor browser; the other is to use their secondary website. Earlier attacks provided “decryptor[.]top” as their secondary payment site, however more recent attacks appear to have switched to “decryptor[.]cc” instead.

Since January 2020, the threat actors behind the REvil/Sodinokibi ransomware have started to publish data stolen from victims that did not pay their ransom on time. This method of pressuring victims was inspired by Maze ransomware, which started this trend among ransomwares.

ADDITIONAL ACTIONS BY THE THREAT INTELLIGENCE TEAM

PRECAUTIONARY AND DETECTION MEASURES
Prevention is better than a cure, and given the popularity of ransomware attacks, you always need to be prepared. When possible, you must safeguard yourself and your organization to avoid being the next victim of ransomware attacks. We recommendthe use of a managed EDR service to help you deal with any ransomware attack quickly.

We also recommend organizations consider the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools update to date to provide detection and prevention from the spread of ransomware.
  • Make use of managed EDR services to quickly react and contain any ransomware identified before any major damage can be done.
    • Managed EDR services can also play a big part in monitoring and alerting on attack vectors that are often used as distribution methods for ransomware.
  • Perform regular backups on critical files and systems.
  • Keep your operating systems up to date with the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Close any unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

 

REFERENCES

  • https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-distributed-by-hackers-posing-as-german-bsi/
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-via-fake-forums-on-hacked-sites/
  • https://www.zdnet.com/article/ransomware-gang-hacks-msps-to-deploy-ransomware-on-customer-systems/
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-targeting-asia-via-the-rig-exploit-kit/
  • https://www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulse-secure-vpn-servers/
  • https://www.secureworks.com/research/revil-sodinokibi-ransomware
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/
  • https://www.bleepingcomputer.com/news/security/shared-code-links-sodinokibi-to-gandcrab-minus-the-fun-and-games/
  • https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html?m=1
  • https://www.pcrisk.com/removal-guides/14942-sodinokibi-ransomware