Ryuk Ransomware

OVERVIEW
Ryuk ransomware was first discovered in the wild in 2018. It is known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating the file encryption.

This ransomware group was one that did not stop attacks on healthcare organizations despite the Coronavirus pandemic in 2020, made clear by their recent attack against Universal Health Services (UHS). In this blog, we will share the common IOCs for this type of attack and ways to stay protected.

RANSOMWARE DETAILS
Since 2019, the most common method for Ryuk threat actors to gain entry to a victim’s environment is with the use of Trickbot and Emotet malware, often starting with phishing attacks. In the case of the UHS attack, both Emotet and TrickBot were detected within the UHS’ environment.

The attack chain often starts with delivering Emotet to a victim host via phishing email, which subsequently downloads Trickbot onto the host. After harvesting data, Trickbot opens a reverse shell to provide Ryuk ransomware threat actors with entry to the victim’s environment, allowing the actors to manually deploy the ransomware on the victim host.

Ryuk ransomware has been found to contain commands for killing services related to antivirus products, and Trickbot has the capability to disable Microsoft Defender as well. A UHS employee has stated online that during the attack, “multiple antivirus programs were disabled”.

Ryuk Ransomware Commands Example

Fig 1. An example of commands in Ryuk ransomware

According another UHS employee, one of the infected computers displayed a ransom note that read “Shadow of the Universe”, which is similar to the phrase “balance of shadow universe” seen in previous Ryuk ransom notes. Names of files were observed being appended with the file extension “.ryk”, which is the extension used by Ryuk ransomware after successfully encrypting a file.

Ryuk Ransomware Note Example

Figure 2 – Example of a ransom note

While there are limited details on the UHS attack, there are some common activities and IOCs of Ryuk ransomware attacks involving Trickbot and Emotet:

  • Phishing email containing Microsoft Office attachments (.doc, .xls etc.) with Macros
  • PowerShell commands executed by Macros
  • Downloading of PowerShell Empire/Cobalt Strike/PsExec
  • Exploitation of EternalBlue vulnerability which is over port 445 (SMB)
  • Unusual scheduled tasks, registry keys created
  • Recurring traffic towards Trickbot C2 servers over ports such as ports 446, 447, 449, 8082
  • Privilege escalation
  • Files with the file extension “.ryk”
  • “RyukReadMe.txt” or “RyukReadMe.html”

PRECAUTIONARY MEASURES
Prevention is better than cure. It is advisable to safeguard yourself and your organization to avoid being the next victim of this ransomware attacks. We would recommend the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware
  • Consider Managed EDR services that will enable you to quickly react and contain any ransomware vendor
    • These services can also play a big part in monitoring and alerting on attacked vectors used as a distribution method
  • Have a cold or distributed backup system in place
    • At a minimum, have backups separate from production systems for your critical files or systems
  • Keep your operating systems up to date on the latest security patches
  • Make use of network segmentation alongside the zero-trust model
  • Close unnecessary network ports to reduce entry points for attackers
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise
  • Educate your employees and users to improve cybersecurity awareness

REFERENCES

  • https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/
  • https://techcrunch.com/2020/09/28/universal-health-services-ransomware/
  • https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
  • https://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/
  • https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware
  • https://www.bleepingcomputer.com/news/security/new-trickbot-version-focuses-on-microsofts-windows-defender/
  • https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
  • https://www.cpomagazine.com/cyber-security/ryuk-ransomware-still-targeting-hospitals-during-the-coronavirus-pandemic/
  • https://www.bleepingcomputer.com/news/security/ryuk-ransomware-keeps-targeting-hospitals-during-the-pandemic/
  • https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/

Typeform Phishing Campaign

OVERVIEW
In recent years, phishing campaign comes in different types and forms. The attackers are known to utilize free online tools and a variety of methods in hope to harvest credentials out from the victims.

On 16 August 2020, a relatively new spear-phishing campaign was detected which appears to utilize a free online tool – Typeform. The attacker created and hosted fake online forms to harvest victims’ credentials.

In this blog, we share some of the findings from our own deep-dive investigations into the attack activities that we have observed.

PHISHING DETAILS
Our investigation showed that victims would receive variants of emails, which can contain a URL link or an attachment that would redirect the victim to a phishing page. The phishing pages observed would inform the victim about a document that was sent through OneDrive in a PDF format.

Typeform Phished Email Example

Figure 1 – An example of phished email received

From our investigation, we have seen events where upon a successful phishing attempt, the compromised host would be used to subsequently broadcast the phishing email to all other employee using the organization email domain.

We have also seen events where the victim executed the phished PDF attachment in which the PDF would display a Microsoft labelled document with a “Open in OneDrive” button. Our investigation shows that clicking the button redirects to a phishing subdomain in Typeform with domain names such as

  • “hXXps://document-signonline[dot]typeform[dot]com”
  • ”hXXps://microsofonedrive6575[dot]typeform[dot]com”.
Typefrom Phishing Attachement Example

Figure 2 – An example of the attachment

Further investigations by the team reveals interesting network behaviour. Upon successful access to the phishing site and the user starts filling the phishing form, the page loads the domain ending with the URL parameter “/start-submission”. The phishing form first prompts for the user’s email address and then their password. Once the credentials are filled in, a button is displayed for the user to click on in order to send the inputs and view a document on the website. Clicking the button loads the domain ending with the URL parameter “/complete-submission”. Observing this traffic would represent a complete cycle whereby the victim has accessed and provided the credentials to the phished sites.

DETECTION AND DISCOVERY EFFORTS
Proficio’s Threat Intelligence Team collected several different IOCs to identify potential access to the phishing sites. The IOCs include URL parameters and IP addresses.

The most notable indicator of accessing the phishing page was the sequence of redirections that occur after clicking the initial phishing link. Based on this, we were able to identify potential phishing attempts with higher certainty despite the limited visibility allowed for an MDRP/MSSP like Proficio.

From our investigation, this campaign appears to target by organization rather than random individuals, as we had observed the phishing emails being sent to multiple employees within an organization together in one wave. Even if the emails were blocked, there were no repeated attempts to send the emails to the targets. This campaign does not appear to target any specific industry sector.

PRECAUTIONARY MEASURES
This could have happened to anyone of us that works in any organization whom we would unexpectedly receive phishing email send by reputable or known users that were being compromised. It is advisable to safeguard you and your organization to avoid being the next victim from phishing attacks and credential theft. We would recommend organization to consider the following measures if this has seen within your environment.

  • Educate your employees and users to improve cybersecurity awareness.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate users to report any suspicious emails received, even from other employees, to their cyber-security team.
  • Always verify any suspicious emails through a different channel such as calling the supposed sender for verification.
  • Quarantine emails sent from those compromised senders to anyone outside of an expected recipient list of filtering by email subjects if your organization is expecting legitimate emails from the senders.
  • Reach out to any legitimate sender that appear have their account(s) compromised and instruct them to take action to secure their account(s).
  • Make use of Multi-Factor Authentication to secure email and other user credentials
  • Make use of network segmentation alongside the zero-trust model

WastedLocker Ransomware

OVERVIEW
First discovered in May, WastedLocker ransomware is a relatively new strain from the group known as Evil Corp, which was previously associated with the Dridex banking Trojan and BitPaymer ransomware. This ransomware group was brought to our attention with the recent ransomware attack against Garmin. In our research, we discovered why these targeted attacks are even harder to defend against. Read on to learn what to look for and how to avoid this new strain.

RANSOMWARE DETAILS
WastedLocker attacks start with a drive-by compromise to gain initial entry. The attackers use the SocGholish framework to hack legitimate websites that display fake software update alerts to visitors. Attempting to download these fake alerts will deliver PowerShell scripts onto the user’s device, which subsequently download Cobalt Strike. Cobalt Strike then allows the attackers to gain access, move laterally through the target’s network, and deliver the WastedLocker ransomware to the victim host.

Before deploying the ransomware, the attackers perform the following tasks within the target’s network:

  • Escalates privileges via UAC bypass method
  • Disables Windows Defender
  • Gathers information about victim’s environment
  • Performs credential dumping

WastedLocker attackers have also been observed in previous attacks to utilize living-off-the-land (LOFT) tools to perform tasks. For example, using the Windows Sysinternals tool PsExec to disable Windows Defender, using PowerShell and WMIC to profile the target’s environment.

Upon successful encryption of a victim’s file, the ransomware appends a file extension that is a combination of the target organization’s name and the string “wasted”. In the case of the Garmin attack, the file extension “.garminwasted” was appended to encrypted files. For each encrypted file, the ransomware also creates a ransom note with the same name appended with “_info” at the end of the file extension, such as “.garminwasted_info”.

Example of a ransom note

Figure 1 – Example of a ransom note

Aside from encryption, the WastedLocker ransomware is also capable of deleting Windows shadow copies to wipe backups and file snapshots to make recovery impossible.

The method of payment provided to decrypt WastedLocker is to contact one of the emails listed within the ransom notes. As of now, email addresses that have been used by the attackers are can belong to either ProtonMail, Eclipso, Tutanota, or Airmail.

Unlike many other ransomwares this year, WastedLocker ransomware does not steal victims’ files but simply encrypt them. However, it is worth noting that WastedLocker attacks are highly targeted and ransomware samples used are each customized for the target organization. This means that standard IOCs such as the file hashes of previous samples would not be very helpful or useful in detections.

PRECAUTIONARY MEASURES
Prevention is better than cure. It is advisable to safeguard you and your organization to avoid being the next victim of this ransomware attacks. We would recommend organization to consider the following measures.

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware.
  • Make use of a managed EDR service to quickly react and contain any ransomware vendor
  • Managed EDR services can also play a big part in monitoring and alerting on attacked vectors used as a distribution method
  • Have a cold or distributed backup system in place, or at minimum have backups separate from production systems, for your critical files or systems.
  • Keeping your operating systems up to date on the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Close unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

ABOUT PROFICIO

Proficio’s Managed, Detection and Response (MDR) solution surpasses the capabilities of traditional Managed Security Services Providers (MSSPs). Our MDR service is powered by next-generation cybersecurity technology and our security experts partner with you to become an extension of your team, continuously monitoring and investigating threats from our global networks of security operations centers. Learn More About Proficio’s Services

REFERENCES

  • https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
  • https://www.bleepingcomputer.com/news/security/new-wastedlocker-ransomware-distributed-via-fake-program-updates/
  • https://www.bleepingcomputer.com/news/security/dozens-of-us-news-sites-hacked-in-wastedlocker-ransomware-attacks/
  • https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/
  • https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/

Phishing in the Wild

OVERVIEW
It’s no secret that phishing is one of the most common types of cyberattacks, both to individuals and organizations. According to the 2020 Verizon Data Breach Investigation Report, one out of four breaches involved phishing. So when Proficio’s Threat Intelligence Team received a client request, asking for assistance with a phishing incident, we conducted a thorough investigation on the specific threat actor. Below we share the key findings from our deep-dive investigation, including the hooks used and key targets for this campaign.

PHISHING CAMPAIGN DETAILS
The threat actor appears to be utilizing compromised user accounts within the targeted organization to send out phishing emails to internal contacts within their mailing list. We observed that such phishing emails sent by the legitimate, but compromised, user accounts would contain a download image that resembles the original PDF download button (Figure 1).

Sample email received

Figure 1 – Sample email received

The Proficio’s Threat Intelligence Team dissected the email received, observing the below PCAP from a simulated access attempt against the download link (Figure 2). While the download button masquerades as an attachment, it appears to be a request URL link. The threat actor employs pretty standard social engineering “hooks” to creates a false sense of urgency with words such as “advise ASAP”. The purpose, of course, is to lure the victim into quickly clicking on the button without thinking too much.

Sample PCAP from email received

Figure 2 – Sample PCAP of email received

Our analysis of the PCAP file (generated upon clicking on the download image seen from the email) reveals a redirect to an external request URL. Simulated access against the external request URL in a controlled environment reveal a redirect to a website with a “CLICK HERE TO VIEW” button. This phishing “hook” resembles a secure document intended for the victim to access.

Simulated access to request URL

Figure 3 – Simulated access to request URL

If a victim clicks on the “CLICK HERE TO VIEW” button, they would be directed to a fake Microsoft login page. When we input fake credentials into the login page, the adversary directs the user to an error page and requests for the credentials to be submitted again. We believe that the second credential request is meant to direct the user to the real Microsoft login page, a setup very similar to those practiced by other phishing campaigns. There are no other redirections observed subsequently.

Fake Microsoft login page

Figure 4 – Fake Microsoft login page

DETECTION AND DISCOVERY EFFORTS
Proficio’s Threat Intelligence Team collected several different IOCs to identify potential access to the phishing sites. The IOCs includes known domain, IP addresses and unique URL parameter used in this phishing attempt.

Our investigation revealed that this campaign targets organizations rather than random individuals, as we observed that the phishing emails were sent to multiple employees within an organization together in one wave. Our analysis and study of the threat actor’s infrastructure and TTPs reveal that the threat actor conducting the phishing campaign appears to be interested in targeting specific geographic regions. We have identified the presence of several interesting strings such as “AUSTRALIA” and “YANKEE” used by the threat actor in their request URLs to organize their data depending on the geographic region associated with their target.

During our extensive investigations, we discovered the phishing emails were sent to multiple clients containing multiple different phished domains which ends with “/DOCUMENT.html”. Simulated access towards all the discovered sites exhibits the same redirection behaviour. Most of the identified activity was from inbound phishing emails. In most cases, we did not identify any click-through traffic that would indicate a potentially successful phishing attack.

While the threat actor appears to be interested in only a few geographic region, they do not appear to target any specific industry sector. We have identified multiple clients who have received emails from this phishing campaign. The sectors targeted by the threat actor most frequently were:

  • Healthcare
  • Commercial Services
  • Real Estate

We will continue to keep an eye out for other phishing campaigns and intrusions that could be associated with this particular threat actor.

PRECAUTIONARY MEASURES & RECOMMENDATIONS
Phishing remains a popular attack vector because it continues to work very effectively. Anyone could receive phishing emails, and they could be sent by reputable or known users that were unknowingly compromised. It is advisable to take proactive steps to safeguard you and your organization to avoid being the next victim of a phishing attack or credential theft. We would recommend organizations to consider the following measures to protect themselves from phishing attacks.

  • Educate your employees and users to improve cybersecurity awareness.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate users to report any suspicious emails received, even from other employees, to their cyber-security team.
  • Always verify any suspicious emails through a different channel such as calling the supposed sender for verification.
  • Quarantine emails sent from those compromised senders to anyone outside of an expected recipient list of filtering by email subjects if your organization is expecting legitimate emails from the senders.
  • Reach out to any legitimate sender that appear have their account(s) compromised and instruct them to take action to secure their account(s).
  • Make use of Multi-Factor Authentication to secure email and other user credentials
  • Make use of network segmentation alongside the zero-trust model

Proficio Vulnerability and Advisory Report

CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication
PURPOSE:
The purpose of this report is to provide vendor specific advisories and vulnerability information that may be relevant to the security of a device(s) deployed within your network environment. Along with information about the vulnerability related issues, Proficio will provide recommended actions to either resolve, mitigate or workaround the vulnerability as provided by the vendor.

Please let us know if you have any questions or concerns about the information below. If you are a current MSS customer, please let us know if you would like assistance with implementation. Submit a change request to prosoc@proficio.com .

ADVISORY DETAILS

Reported Vulnerability

Date: 2020 June 29

Severity: Critical

CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication

Summary:

When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

Affected Products

GlobalProtect Gateway,

GlobalProtect Portal,

GlobalProtect Clientless VPN,

Authentication and Captive Portal,

PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces,

Prisma Access

Work Around

If SAML or SSO is configured; proceed to the recommendation section below.

This article will illustrate the actions to confirm the configuration is present.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP

Affected/Fixed Software

This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1.

This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.

Details

If SAML or SSO is not configured, no action required.  If SAML or SSO is configured, the proceed to the recommendation section below.

Proficio Recommendation

If SAML or SSO is configured, follow the directions below:

Using a different authentication method and disabling SAML authentication will completely mitigate the issue.

Until an upgrade can be performed, applying both these mitigations (a) and (b) eliminates the configuration required for exposure to this vulnerability:

(a) Ensure that the ‘Identity Provider Certificate’ is configured. Configuring the ‘Identity Provider Certificate’ is an essential part of a secure SAML authentication configuration.

(b) If the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, then ensure that the ‘Validate Identity Provider Certificate’ option is enabled in the SAML Identity Provider Server Profile. Many popular IdPs generate self-signed IdP certificates by default and the ‘Validate Identity Provider Certificate’ option cannot be enabled. Additional steps may be required to use a certificate signed by a CA. This certificate can be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA. Instructions to configure a CA-issued certificate on IdPs are available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP.

Upgrading to a fixed version of PAN-OS software prevents any future configuration changes related to SAML that inadvertently expose protected services to attacks.

Details on Threat Group That Claims to Have Obtained President Trump’s Legal Documents

REvil/Sodinokibi Ransomware
OVERVIEW
The REvil/Sodinokibi threat group has taken ransomware attacks to a new level. While most variants, like the recent strain of DoppelPaymer ransomware, encrypt victim’s files, Proficio’s Threat Intelligence Team has seen an uptick of strains that also steal data to further pressure victims into paying ransoms. This group, infamously known as the one claiming to have obtained President Donald Trump’s legal documents, more recently attacked the law firm Grubman Shire Meiselas & Sacks (GSMLaw) which resulted in the exfiltration of multiple celebrities’ legal documents.

In this blog, we will be sharing additional details we discovered based on our research on the REvil/Sodinokibi ransomware.

RANSOMWARE DETAILS
REvil/Sodinokibi ransomware was discovered back in April 2019, where it was initially found to propagate via exploitation of a vulnerability in Oracle WebLogic. REvil/Sodinokibi is a ransomware-as-a-service (RaaS) and was suspected to be associated with GandCrab, a RaaS that had shut down operations in May 2019. REvil/Sodinokibi was found to share similar codes with GandCrab ransomware, such as the random URL generation.

Within the past year, REvil/Sodinokibi threat actors have been observed to utilize multiple techniques to spread ransomware to targets. Based on our research, some of distribution methods used are:

  • Oracle WebLogic vulnerability (CVE-2019-2725)
  • Malspam campaigns
  • Hack WordPress sites and fake forum posts containing a link to the ransomware installer
  • Breach managed service providers (MSPs) via exposed RDP
  • Webroot SecureAnywhere console in MSPs that deploys ransomware on the MSPs’ customers systems
  • RIG exploit kit
  • Pulse Secure VPN vulnerability (CVE-2019-11510)

Once the ransomware is delivered to a victim device, it can perform the following tasks:

  • Exploit the CVE-2018-8453 vulnerability to elevate privileges
  • Terminate blacklisted processes prior to encryption to eliminate resource conflicts
  • Wipe the contents of blacklisted folders
  • Encrypt non-whitelisted files and folders on local storage devices and network shares
  • Exfiltrate basic host information

Upon successful encryption of the victim’s files, the ransomware appends a randomly generated file extension to the file name made up of 5 to 10 alphanumeric characters. A ransom note is dropped onto the victim’s device with instructions on how the victim can pay the ransom.

Example of a ransom note

Figure 1 – Example of a ransom note

REvil/Sodinokibi threat actors usually provide two methods of payment. The first method is to access a Tor site using a Tor browser; the other is to use their secondary website. Earlier attacks provided “decryptor[.]top” as their secondary payment site, however more recent attacks appear to have switched to “decryptor[.]cc” instead.

Since January 2020, the threat actors behind the REvil/Sodinokibi ransomware have started to publish data stolen from victims that did not pay their ransom on time. This method of pressuring victims was inspired by Maze ransomware, which started this trend among ransomwares.

ADDITIONAL ACTIONS BY THE THREAT INTELLIGENCE TEAM

PRECAUTIONARY AND DETECTION MEASURES
Prevention is better than a cure, and given the popularity of ransomware attacks, you always need to be prepared. When possible, you must safeguard yourself and your organization to avoid being the next victim of ransomware attacks. We recommendthe use of a managed EDR service to help you deal with any ransomware attack quickly.

We also recommend organizations consider the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools update to date to provide detection and prevention from the spread of ransomware.
  • Make use of managed EDR services to quickly react and contain any ransomware identified before any major damage can be done.
    • Managed EDR services can also play a big part in monitoring and alerting on attack vectors that are often used as distribution methods for ransomware.
  • Perform regular backups on critical files and systems.
  • Keep your operating systems up to date with the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Close any unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

 

REFERENCES

  • https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-distributed-by-hackers-posing-as-german-bsi/
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-via-fake-forums-on-hacked-sites/
  • https://www.zdnet.com/article/ransomware-gang-hacks-msps-to-deploy-ransomware-on-customer-systems/
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-targeting-asia-via-the-rig-exploit-kit/
  • https://www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulse-secure-vpn-servers/
  • https://www.secureworks.com/research/revil-sodinokibi-ransomware
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/
  • https://www.bleepingcomputer.com/news/security/shared-code-links-sodinokibi-to-gandcrab-minus-the-fun-and-games/
  • https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html?m=1
  • https://www.pcrisk.com/removal-guides/14942-sodinokibi-ransomware

DoppelPaymer Ransomware

OVERVIEW
Recently, Proficio’s Threat Intelligence Team has observed a surge in ransomware cases that take advantage of the current COVID-19 situation. In this blog, we will discuss a variant of ransomware named “DoppelPaymer”, which has significantly raised its popularity over the last month, and provide additional details discovered during our research.

RANSOMWARE DETAILS
“DoppelPaymer” is said to be the evolution from “BitPaymer Ransomware”. This strain of ransomware is an enterprise-targeting variant. Based on its history of attacks and the information within the ransom notes, we believe that the threat actor group is targeting English-speaking victims.

While earlier builds of the malware were identified back in April 2019, the first known victims of DoppelPaymer ransomware were seen in June 2019. DoppelPaymer ransomware is likely a variant of BitPaymer Ransomware, where initial ransom notes would contain the string of text “BitPaymer”. The name “DoppelPaymer” was given by researchers to identify this new variant of ransomware found in the wild. Following that, the threat actor appears to have adopted this name and has changed the string of text from “BitPaymer” to “DoppelPaymer” within the ransom notes. Based on the similarities between both ransomware variants, the threat actor groups for DoppelPaymer are suspected to be likely a split from INDRIK SPIDER cybercrime group.

DoppelPaymer ransomware is known to consist of both Dridex and BitPaymer source code. Several other interesting traits that were observed, including:

  • Encryption method 2048-bit RSA + 256-bit AES
  • Encrypted files are renamed with a “.locked” extension
  • Latest version of variants mark data with “.doppeled” appendix
  • Ability to terminate processes and services that may interfere with file encryption using the technique ProcessHacker

DoppelPaymer ransomware is usually dropped by the Dridex trojan; however, this ransomware is not limited to one distribution method. Based on our research, the following are some of the distribution methods that have been observed over the year:

  • Insecure RDP configuration
  • Email spam and malicious attachments
  • Deceptive downloads
  • Botnets
  • Exploits
  • Malicious advertisement
  • Web injects
  • Fake updates
  • Repackaged
  • Infected installers

Upon successful infection and encryption of data on the victim’s computer, the victim’s files would be renamed, and a ransom note in text file format could be found within the victim’s system.

Ransom notes sample

Figure 1 Ransom notes

It’s interesting to note that there is no ransom amount stated within the text file. Instead, a list of instructions was being provided to the victim to follow strictly. The victims were requested to download “Tor Browser” and to subsequently type into an address bar provided to access the DoppelPaymer portal.

Accessing Tor link in Ransom Notes Sample

Figure 2 Accessing Tor link found in ransom notes

DoppelPaymer Ransomware Payment Portal Sample

Figure 3 DoppelPaymer Ransomware Payment Portal

After the portal was accessed from the Tor browser, the victim would be provided with several key pieces of information, such as a countdown timer for a “special price”, a unique reference ID used to identify the victim, the ransom amount and a BTC address where the ransom payment can be sent to.

Further research on DoppelPaymer ransomware reveals that, in the earlier days, victims who are not willing to pay the ransom would have their data sold on the darknet. Following the trends from various ransomware groups such as Maze , the DoppelPaymer threat actor group was inspired to launch a public website for use as a shaming platform to victims who are not willing to pay the ransom.

A video demonstration of file encryption can also be seen on YouTube.


PRECAUTIONARY MEASURES
Prevention is always better than a cure. It is advisable to safeguard yourself and your organization to avoid being the next victim of a ransomware attack. We advise using a managed EDR service to better prepare yourself for dealing with a ransomware attack. We also recommend organizations consider the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware.
  • Make use of a managed EDR service to quickly react and contain any ransomware vendor
  • Managed EDR services can also play a big part in monitoring and alerting on attacked vectors used as a distribution method
  • Perform regular backups on critical files and systems.
  • Keep your operating systems up to date with the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

For the latest information from our Threat Intelligence Team on the DoppelPaymer attacks and other threats, please visit our Twitter Feed.

“Voicemail” Phishing Campaign

OVERVIEW
On February 28th, the Proficio Threat Intelligence Team identified a new spear-phishing campaign that pretends to be sending a voicemail to targeted recipients.

In this blog, we share some of the findings from our deep-dive investigations into the attack activities that we have observed for this campaign.

PHISHING DETAILS
The attack starts with a phishing email pretending to send the recipient a voicemail. The email has a sender address starting with “voice@” and a subject containing text such as “New VM was sent” or “Voice Receiver”. The email contains a URL link which when clicked, redirects the recipient to a phishing page that resembles a Microsoft login page. The victim’s credentials are then stolen when entered and submitted on the fake login page.

An example of a fake Microsoft login page

Figure 1a and 1b

Figure 1 – An example of the fake login page (a) and real (b)

The initial phishing attempt is merely the first step of the adversary’s intrusion attempt. After successfully gaining user login, the threat actor responsible uses the credentials obtained to conduct a targeted spear phishing campaign against other employees within the victim’s organization.

DETECTION AND DISCOVERY EFFORTS
Proficio’s Threat Intelligence Team gathered and researched a number of different IOCs to identify potential access to the phishing sites. The IOCs included email subject strings, known domains, URL parameters and IP addresses. These IOCs were used to kickstart the detection and discovery phase of our threat hunting campaign. We identified several potential victims and performed deep-dive investigations on each potential victims identified.

The most notable and useful indicator we generated was the sequence of redirections that occurred after clicking the initial phishing link. Such activity strongly indicated a successful access attempt to the phishing page by the victim(s), and we were thus able to identify potentially successful phishing attempts with a high level of confidence despite the limited visibility of the dataset at our disposal.

Our investigations indicate that this campaign appears to focus on targeting organizations rather than random individuals, as we observed that the phishing emails were being sent to multiple employees within an organization together in a single wave. The adversary does not appear to be targeting any specific organization as there were no repeated attempts to send the emails to the targets even if the emails were blocked or did not result in a successful click-through.

No specific industry sector was targeted; we identified several victims of this campaign, all from different sectors:

  • Banking and Financial
  • Technology
  • Commercial Services
  • Real Estate
  • Healthcare

All clients that we identified had a successful clickthrough activity of this phishing campaign have been notified. If you would like to know more about this campaign and what we have found, please reach out to your Client Success Manager or Security Advisor.

FUTURE PRECAUTIONARY MEASURES
Such phishing campaigns are not uncommon, and have been heightened in the past month where multiple phishing campaigns are using COVID-19 to lure victims. The use of COVID-19 as a phishing hook has been very effective in generating click-throughs for attackers’ phishing campaigns. To avoid being the next victim of credential theft, you can put into place safeguards to protect yourself and your organization from phishing attacks.

We would recommend the following measures:

  • To improve cybersecurity awareness, educate your employees and users.
  • To prevent malicious content from reaching users and reduce the chance of a possible compromise, apply content filters on email gateways and systems.
  • If any suspicious emails are received, report them to your security team so they can notify other employees in the organization of the threat.
  • Always verify such suspicious emails through a different channel.

Mailto and Mailto-2 Ransomware

OVERVIEW
In October of 2019, a group of relatively new ransomware strains called Mailto and Mailto-2 were found in the wild. These two ransomware types were also known as “Kokoklock” and “Kazkavkovkiz” where the names have been used interchangeably with no clear definitions at this point of time.

This ransomware group gained attention with the recent ransomware attack against the Australian Toll Group. The Australian Toll Group has subsequently disclosed that their network was being attacked by the Mailto ransomware prior to a service disruption and system shut down.

The Proficio Threat Intelligence Team posted information about Toll Group attacks in our Twitter Feed. In this blog, we share some of our findings pertaining to this new ransomware’s behavior in the wild.

RANSOMWARE DETAILS
This type ransomware is relatively new and first surfaced in late 2019, and as such there is limited information available. Mailto ransomware was seen in the wild during the month of September where Mailto-2 ransomware was seen around October. They are recognizable by the extension that is appended to encrypted victims’ files.

There is some evidence that Mailto actors may have utilized techniques such as phishing and password spray attacks, and then used compromised accounts to send further phishing emails to the users’ address book to spread malware. At this time, there is no known information on the cyber groups that are responsible for these types of ransomware, nor is there information on the C2 activities on them.

Upon successful infection of the victims’ systems, both variants of ransomware include a personal extension on infected files, a ransom note and a readme text file to instruct victims on how to make the ransom payment. The main visible difference between “Mailto / Kokoklock” and “Mailto-2 / Kazkavkovkiz” is the personal extensions appended onto the encrypted file.

At this time, the only other notable information that distinguishes this ransomware strain from others operating in the wild is that the targets are instructed to communicate with the attacker via an email provided in the ransom notes. Ransom notes associated with this ransomware include two email addresses with the email domains “@cock[dot]li” and “@tutanota[dot]com”. “Tutanota” is a free and open-source, end-to-end encrypted email. “Cock[dot]li” appears to be a free anonymous email service also known as “Cockmail”, which has been seen to be used in multiple malicious activities.

Figure 1 – An example of ransom notes

Beyond the ransom notes, we are also able to differentiate Mailto ransomware based on the file extension appended on the encrypted files. Following the file extension “[dot]mailto”, “Mailto / Kokoklock” ransomware would append six random alphanumerical digits onto the encrypted files while “Mailto-2 / Kazkavkovkiz” ransomware would append four or five random digits onto the encrypted files. While these extensions are the only ones currently seen in the wild, they may vary over time.

Other noticeable differences between both ransomware variants include the following:

  Mailto / Kokoklock Mailto-2 / Kazkavkovkiz
Decryptor tool Netwalker NIL
Encryption Method Suspected Salsa20 Stream Cipher AES
Format of encrypted files .mailto[<email_address>].<6_alphanumerical_random_digits> .mailto[<email_address>].<random_digits>
Readme file format <6_alphanumerical_random_digits>-Readme.txt <random_digits>-Readme.txt
Other behaviour Seen to masquerade as a legitimate program [Sticky password] NIL

 

PRECAUTIONARY MEASURES
Prevention is better than a cure. It is advisable to safeguard your organization to avoid being the next victim of this ransomware attack. We recommend your organization consider the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection of and prevention from the spread of ransomware.
  • Perform regular backups on critical files and systems.
  • Keep your operating systems up to date on the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

The Proficio Threat Intelligence Team will continue to monitor developments around this this new ransomware and provide updates as applicable.

Exploits in the Wild for Citrix ADC and Citrix Gateway Vulnerability CVE-2019-19781

OVERVIEW
In December of 2019, the details of a critical vulnerability affecting certain versions of Citrix Application Delivery Controller (formerly known as NetScaler ADC) and Citrix Gateway servers were publicly disclosed.

The Proficio Threat Intelligence Team posted information about the vulnerability and its exploits in our Twitter Feed and issued a security advisory to our clients. In this blog, we share some of the findings from our own deep-dive investigations into the attack activities that we have observed in the wild as well as information that we have previously included within our advisory.

VULNERABILITY DETAILS
Citrix’s disclosed a significant amount of information regarding the CVE-2019-19781 vulnerability and exploit on publicly accessible channels. The details provided in their public release makes it easy for any potential attackers to recreate the exploit discovered.

The vulnerability is centered around a vulnerable parameter that allows for directory traversals due to the improper handling of the pathname. Attackers can exploit this vulnerability through crafted directory traversal requests to access sensitive files, create crafted XML files in the vulnerable server, and execute malicious code within those XML files without any authentication, effectively allowing for remote code execution.

This vulnerability is particularly serious because it allows an attacker to effectively obtain remote code execution capabilities on vulnerable devices. The exploit does not require access or knowledge regarding any user accounts and can be performed by any attacker. This makes this attack suitable for automation and mass-scanning, and we have indeed observed increased volumes of such automated attempts and attacks.

There have also been reports of attackers leveraging the exploit of the vulnerability to install malware and backdoors on vulnerable systems, preventing other attackers from exploiting and gaining access to the same system.

DETECTION AND DISCOVERY EFFORTS
Proficio’s Threat Intelligence Team collected a significant number of different IOCs and IOAs to identify potential exploit attempts. The IOCs and IOAs also include malware activity associated with successful exploit attempts against CVE-2019-19781.

We used reverse-engineering and contextualization techniques to research this vulnerability. By removing non-viable indicators that cannot be used for reliable detection or discovery, we were able to isolate high quality, useful and reliable threat indicators. This is particularly important given the limited visibility allowed for an MDRP/MSSP like Proficio.

Our detection and discovery efforts allowed us to identify a significant number of potentially successful exploit attempts against the vulnerable Citrix systems. This in turn allowed us to drive additional data collection efforts that served as a starting point for more deep-dive investigations for every potentially successful exploit attempt. 

NOTABLE CONCLUSIONS

  1. Patching CVE-2019-19781 does not remove malicious artefacts left by successful exploits.

We have encountered several situations in which we were able to identify malicious post-exploit activity after successful exploit attempts against CVE-2019-19781, even though the vulnerability appears to have been patched. Identifying such activity after the patch is not necessarily an indication that the patch has failed, but a possible indication that malicious artefacts were already left behind by a successful exploit attempt prior to the patch being applied.

Organizations should note that compromised systems cannot be remediated by applying patches that were released to fix the vulnerability. Organizations will need to assess vulnerable systems to identify if any malicious artefacts remain from successful exploit attempts. Rebuilding the exploited system after the patch may be the only way to conclusively remove malicious artefacts from affected systems.

  1. Not all successful exploit attempts were accompanied by post-exploit activity.

The exploits against CVE-2019-19781 are particularly suited for automation, and we have observed a significant increase in automated attacks and mass-scanning activities. Our investigation efforts have shown that in some cases, while we were able to identify that a successful exploit attempt is likely to have taken place, we were not able to identify any kind of post-exploit or suspicious activity from the vulnerable system that could have indicated live threat actor activity beyond automated scanning. Of course, this is no reason for complacency. Vulnerable systems should be patched and assessed as quickly as possible, especially if a successful exploit attempt against CVE-2019-19781 was observed. This assessment is required to positively identify the presence of any malicious artefacts on the vulnerable system. Should any be found, rebuilding the vulnerable system may be the only way to quickly and completely remove them from the affected system.

  1. Security devices at the perimeter are the most useful log source for identifying and investigating successful exploits against CVE-2019-19781.

Having identified and investigated more than a dozen successful exploit attempts against CVE-2019-19781, it is interesting to note that the most useful logs for the investigations came from classic security devices like next-generation firewalls (NGFW) and intrusion detection/prevention systems (IDPS). Logs from such devices played a key role in all our deep-dive investigations and in some cases, happened to also be the only log sources with the requisite visibility for detection, discovery and investigation.

It is also interesting to note that logs from Citrix Netscalers were not particularly useful for the detection, discovery and investigation of exploit attempts against CVE-2019-19781. Of all the incidents in which we were able to positively identify the successful exploit attempts against vulnerable Citrix devices, we only made use of Citrix Netscaler logs in 7.6% of our investigations. Most of the logs that we were working with came from NGFWs and IDPS devices. Organizations affected by CVE-2019-19781 should review their logging configurations to ensure that the log events generated by their devices can be used for detection and discovery efforts. The last thing an organization wants is to realize that their current logging is not usable for the detection and discovery when there is a critical need to do so.

  1. Not all IOCs are created equal – some IOCs are more useful than others.

We made use of a wide range of different IOCs that went through our qualification process. While we are confident in our selection of relevant IOCs, they did not play equal roles when it comes to our detection and discovery efforts. The following IOCs that have proven to be the most relevant and prevalent when it comes to performing deep-dive investigations:

  • /ci.sh
    The filename references an installation script payload for a cryptocurrency miner. The payload creates a download loop for itself as a way to stage a backdoor for later while using cron jobs for persistence.
    Reference
  • 95[.]179[.]163[.]186
    This IP address is known to used to download exploit payloads against CVE-2019-19781. One such payload would be the NOTROBIN malware. The IP address used to point towards the domain (vilarunners[dot]cat).
    Reference
  • 185[.]178[.]45[.]221
    This IP address was used to host the file (ci.sh). Refer to the details on the IOC (ci.sh)
  • 62[.]113[.]112[.]33
    This IP address was also used to host the file (ci.sh). Refer to the details on the IOC (ci.sh)
  • 45[.]120[.]53[.]214
    Attackers are known to execute a curl command on successfully exploited systems in order to download a malicious shell script from this IP address onto a successfully exploited system.
    Reference

Even with the multitude of detection and discovery methodologies, the best way to deal with a known serious vulnerability is to patch the vulnerability when the patch becomes available. Since the initial disclosure of the vulnerability, Citrix has released patch updates for the impacted versions. After applying the patch fixes by Citrix, affected clients should also make use of the Verification Tool they provide to verify that the mitigation steps and patch fixes are applied correctly. Should the patch fixes provided by Citrix not be a suitable solution, the mitigation steps provided by Citrix alongside the vulnerability disclosure should be followed. Your cybersecurity team should closely follows vendor recommended best practices to ensure you’re patching known vulnerabilities as soon as possible.