Kaseya VSA Security Breach

Overview | Kaseya VSA

On July 2, 2021, right before Americans started their long, Independence Day weekend, hackers once again made their way to the top of the news headlines. This time, the victim of the largest ransomware attack was Kaseya, a technology company that sells its technology to other third-party providers, mainly managed service providers (MSPs).

Speculations have suggested that the attack was yet another supply-chain ransomware attack. Multiple security firms and researchers have concluded that the attackers chose to exploit a zero-day vulnerability rather than tampering Kaseya’s codebase to distribute the malware. REvil/Sodinokibi ransomware threat actors were found to be responsible for the attack, exploiting a zero-day vulnerability to remotely access internet facing Kaseya VSA servers. Using this method, they hacked through less than 40 VSA servers and were able to deploy the ransomware to over a thousand enterprise networks.

What is Kaseya VSA?

Kaseya VSA, the Virtual System/Server Administrator is marketed as an endpoint management and network monitoring system that allows its client to have a unified remote monitoring and management platform. Users can perform functions such as remote controls to end-user computers, discovery and inventory on a client’s infrastructure, patch management to have a centralized system deploying software updates across all endpoints and monitoring and alerting of incident across the network. This makes it a convenient solution for MSPs to remotely manage their customer’s IT infrastructure and provide IT support and cybersecurity services to multiple enterprises. Kaseya VSA is also designed to have administrator rights provided down to all client systems.

In this incidence, an attacker had abused Kaseya VSA’s auto-update function and maliciously pushed the REvil ransomware onto Kaseya’s clients. This allowed the ransomware to reach to more victims, not only affecting Kaseya VSA customers but also the customers of MSPs that are using Kaseya VSA systems.

Kaseya Ransomware Timeline

Timeline of how the attack affected MSPs client systems

What Happened?

Various articles and researchers have concluded that attackers leveraged the standard VSA product functionality to deploy ransomware to the endpoint users. The attacker had exploited the zero-day vulnerability currently assigned the CVE-2021-30116 identifier.

The Kaseya zero-day vulnerability was discovered by Dutch Institute for Vulnerability Disclosure [DIVD] researcher Wietse Boonstra in early April, and had been shared with Kaseya prior to its exploitation in these ransomware attacks. Unfortunately, REvil attackers had managed to find the security flaw and attack by exploiting the vulnerability before Kaseya was able to issue or release a patch, resulting in this large-scale ransomware infection.

Given that the incident is currently in the middle of the investigation and patching stage, full details of the zero-day vulnerability “CVE-2021-30116” are currently not disclosed to the public. However, various research suggests that this vulnerability allows a remote non-authenticated attacker to compromise the affected system. To exploit this vulnerability, the attacker sends a specially crafted request to the affected application. Researchers have also concluded that the attacker managed to bypass authentication on the internet facing VSA web panel, exploit an arbitrary file upload, and execute commands via SQL injection on the VSA appliance.

Evidence of an executable code containing actions that would disable existing user sessions, remove IIS logs, and other cleanup activities has also been found. This attack appears to be geographically dispersed and the impact appears to have been restricted to systems running the Kaseya software.

The attack distributed its malicious payload in the form of a “Kaseya VSA agent hot-fix” launching the malicious software update package that targeted customers of MSPs and enterprise users of the on-site version of Kaseya’s VSA remote monitoring and management platform. The VSA appliance that had deployed a “Kaseya VSA agent hot-fix” package was observed to have bypassed antivirus solutions using an older and vulnerable version of the Microsoft Defender app, which it used to encrypt local workstations.

After compromising an MSP that utilizes Kaseya VSA, the attackers subsequently disabled the client’s administrative access to their respective Kaseya VSA platform, allowing the attackers to gain administrative access to all endpoints managed by Kaseya VSA. Upon gaining administrative access, the attackers were observed attempting to disable Microsoft Defender Real-Time Monitoring via PowerShell and deploy the ransomware.

REvil Ransomware

Various evidence, such as ransom notes dropped onto the infected systems, revealed that this cyber incident was closely tied with REvil/Sodinikibi ransomware group. The REvil ransomware group had also stepped forward to confirm associations with this attack after claiming the responsibility on its Dark Web leak site.

This is not the first time that the REvil ransomware group had topped news headlines. However, in this attack, REvil’s operators took a different approach in how they negotiate the ransom. REvil attacks can use multiple encrypted file extensions and typically will provide a decryptor that decrypts all encrypted extensions. In this attack, REvil demanded ransom payments made for each individual encrypted file extension found on a victim’s network, as opposed to their usual method of providing one decryptor to decrypt all encrypted file extensions.

The attackers are willing to provide a universal decryptor for victims of the attack, but only under the condition that they are paid $70 million in Bitcoin. The value has reportedly recently been lowered to $50 million.

REvil representatives have also responded to victims during the negotiation stage that in this attack, they had only encrypted networks and nothing more. Based on this information, it was suggested that REvil did not steal any victim’s data, which is typically what they utilize as a factor during the negotiation stage. This also indicates that the ransomware operation did not access the victim’s networks before the attack; however, it is still uncertain as to the extent of damage that was brought to the victim’s environment.

Riding the Waves

It is not a surprise that upon a new zero-day vulnerability disclosure or vulnerability being exploited by a cybercriminal group, other threat actors would take advantage of this opportunity and ride on the waves. Not long after the Kaseya attack, a new malspam campaign was observed containing various subject titles claiming to contain patch for Kaseya vulnerability. The attachment found in this malspam campaign appears to drop Cobalt Strike malware likely targeting users utilizing Kaseya products. Cobalt strike malware attachments appear to be the first malware that was found in the wild exploiting the current Kaseya situation.

MITRE ATT&CK

The following are the MITRE ATT&CK Tactics and Techniques associated with the Kaseya attacks:

Tactics Techniques
Resource Development Obtain Capabilities: Vulnerabilities (T1588.006)
Resource Development Obtain Capabilities: Exploits (T1588.005)
Initial Access Exploit Public-Facing Application (T1190)
Execution Command and Scripting Interpreter: PowerShell (T1059.001)
Persistence Hijack Execution Flow : DLL Side-Loading (T1574.002)
Defense Evasion Masquerading : Rename system utilities (T1036.003)
Defense Evasion Impair Defences: Disable or Modify Tools (T1562.001)
Defense Evasion Deobfuscate/Decode Files or Information (T1140)
Defense Evasion Hijack Execution Flow: DLL Side-Loading (T1574.002)
Defense Evasion Indicator Removal on Host: File Deletion (T1070.004)
Defense Evasion Modify Registry (T112)
Defense Evasion Subvert Trust Controls: Code Signing (T1553.002)
Impact Data Encrypted for Impact (T1486)

General Recommendations

Given that the vulnerability is newly discovered, there is still a lot of uncertainty about this attack and how it would affect clients utilizing Kaseya VSA software. As such, it is advised for clients utilizing Kaseya VSA software to have all on-premises VSA Servers to remain offline until further instructions from Kaseya on when it is safe to restore operations when a patch is made available to the public.

We strongly recommend to follow the guidelines by Kaseya, FBI and CISA if you use Kaseya VSA for your IT infrastructure and/or to reach out to your MSP if you are currently leveraging one for any IT-related management.

It is important to note that Proficio does not use Kaseya or any of its products.  If you have questions, please do not hesitate to contact your Customer Success Manager or Security Advisor.

 

DarkSide Ransomware

Overview | Darkside Ransomware

DarkSide ransomware was first discovered in the wild in August, 2020. It runs a Ransomware-as-a-Service (RaaS), whereby affiliates are able to deploy the ransomware for a fee or a cut of the proceeds from successful ransom payments.

The DarkSide ransomware group was brought to mainstream attention due to the recent ransomware attack against Colonial Pipeline. The Proficio Threat Intelligence Team posted information and articles about the Colonial Pipeline attack in our Twitter Feed. Below, we provide more detailed findings based on our research of DarkSide ransomware.

What We Know About the DarkSide Ransomware Group

DarkSide ransomware group attacks are highly targeted, and affiliates are able customize the ransomware executable for the specific organization they are attacking. Organizations that are targeted typically have the finances to pay large ransom amounts. After the attack on Colonial Pipeline, the DarkSide ransomware group has publicly stated that they are apolitical and their goal “is to make money, not create problems for society”.

However, affiliates are not allowed to attack organizations from the following sectors:

  • Healthcare
  • Funeral services
  • Education
  • Public sector
  • Non-profit organizations
  • Government sector

The DarkSide ransomware group also has a website where they publish data stolen from victims who refuse to pay the ransom. This is a method of further pressuring victims to pay, following a trend observed among ransomwares throughout 2020, including DoppelPaymer and REvil/Sodinokibi.

How DarkSide Ransomware Attacks Work

The initial entry method of DarkSide ransomware attacks can vary depending on the affiliate carrying out the attack. There is currently no public information on the initial entry method used in the attack on Colonial Pipeline, however example methods observed from past DarkSide ransomware attacks include:

  • Exploiting hardware/software vulnerabilities
  • Exploiting remote access services (such as RDP)
  • Access victim’s network using legitimate credentials, obtained by:
    • Phishing attacks
    • Password attacks (such as password spraying)
    • Purchasing from a third-party source

After gaining access to the victim’s environment, the attackers will move laterally throughout the network and perform internal reconnaissance to gather information before encrypting data. The following have been observed being utilized in previous attacks for reconnaissance/lateral movement:

  • PSExec
  • RDP connections
  • SSH
  • Mimikatz
  • Cobalt Strike
  • BloodHound

Information gathered during the internal reconnaissance also includes credentials stored in files, memory and domain controllers; the stolen credentials are then used to access privileged accounts. PowerShell commands are executed to delete shadow copies which wipes backups and file snapshots to prevent recovery.

Stolen data is exfiltrated before deploying DarkSide ransomware to encrypt the victim’s files. Upon successful encryption, the ransomware appends a victim’s ID as an extension to file names. A ransom note with the naming convention of “README.[victim’s_ID].TXT” is dropped onto the victim’s device with instructions for the victim to access a Tor website using a Tor browser to pay the ransom – and if unpaid, they threaten to publish the stolen data.

Example of a Ransom Note Darkside Ransomware

Figure 1- Example of a Ransom Note

Known DarkSide Affiliates

As previously mentioned, DarkSide ransomware can be used by different affiliates and as such, different Darkside attacks can utilize different tools and tactics depending on the affiliate. Below are examples of different attack flows by three affiliates that were identified by FireEye.

UNC2628

This affiliate group is suspected to have used a password spraying attack against the victim’s VPN to gain initial access into the environment. The attackers utilized Cobalt Strike beacons for C2 communications and Mimikatz for credential theft. Lateral movement was performed using RDP connections and Cobalt Strike.

The attackers exfiltrated stolen data using Rclone, a command line utility to manage files for cloud storage applications, to cloud-based storages. DarkSide ransomware is then deployed using PsExec.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactics Techniques
Credential Access [TA0006] Brute Force: Password Spraying [T1110.003]
Initial Access [TA0001] Valid Accounts [T1078]
Resource Development [TA0042] Obtain Capabilities: Tool [T1588.002]
Credential Access [TA0006] OS Credential Dumping [T1003]
Lateral Movement [TA0008] Remote Services: Remote Desktop Protocol [T1021.001]
Command and Control [TA0011] Application Layer Protocol: Web Protocols [T1071.001]
Execution [TA0002] Command and Scripting Interpreter [T1059]
Execution [TA0002] System Services: Service Execution [T1569.002]
Exfiltration [TA0010] Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]
Impact [TA0040] Data Encrypted for Impact [T1486]

UNC2659

This affiliate group gains initial access by exploiting the SonicWall vulnerability CVE-2021-20016. After gaining access to the victim’s environment, the attackers download the tool TeamViewer from the official website onto the victim host to establish persistence within the environment.

This group was also observed utilizing Rclone for data exfiltration, which is downloaded from the official website onto the victim host. The stolen data is exfiltrated to cloud-based storages.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactics Techniques
Initial Access [TA0001] Exploit Public-Facing Application
Resource Development [TA0042] Obtain Capabilities: Tool [T1588.002]
Command And Control [TA0011] Remote Access Software [T1219]
Execution [TA0002] Command and Scripting Interpreter [T1059]
Exfiltration [TA0010] Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]
Impact [TA0040] Data Encrypted for Impact [T1486]

UNC2465

This affiliate group utilized a backdoor named “SMOKEDHAM” to gain access to the victim’s environment, which is delivered via phishing emails and legitimate services such as Google Drive and Dropbox. Advanced IP Scanner, BloodHound, and RDP were used for internal reconnaissance, and Mimikatz was used for credential theft.

The attackers also used the NGROK utility to bypass firewalls and expose remote service ports such as RDP to the Internet. The DarkSide ransomware is deployed using PsExec and scheduled tasks.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactics Techniques
Initial Access [TA0001] Phishing: Spearphishing Link [T1566.002]
Resource Development [TA0042] Obtain Capabilities: Tool [T1588.002]
Lateral Movement [TA0008] Remote Services: Remote Desktop Protocol [T1021.001]
Credential Access [TA0006] OS Credential Dumping [T1003]
Defense Evasion Impair Defenses [T1562]
Execution [TA0002] System Services: Service Execution [T1569.002]
Impact [TA0040] Data Encrypted for Impact [T1486]

General Recommendations

Although DarkSide ransomware attacks can involve different tactics and tools, based on which threat group is making use of their RaaS, the tactics, techniques and tools deployed are not completely different as they share the common DarkSide platform. The variety of tactics and techniques deployed should serve as a clear indication that focusing on any single threat will not provide adequate coverage, in terms of ensuring that an organization is well protected from the broad array of security threats.

The use of EDR solutions provide valuable visibility into endpoints and important systems, so they should play a big role in dealing with ransomware attacks. We also recommend a defense-in-depth approach for securing your network and environment, including ensuring there is proper segmentation and security device visibility between network segments, particularly critical network segments. Traditional security architecture, that focuses solely on securing the perimeter, are inadequate in dealing with modern day persistent threats, though they play an important part.

An organization with proper network segmentation and security device coverage can then make use of the following general suspicious indicators/activities that serve as a useful way to monitor for to identify potential DarkSide ransomware attacks:

  • Attacks on VPN infrastructure (exploiting vulnerabilities or through password spraying attacks)
  • Phishing emails
  • Deployment, use and download of common exploit and bypass tools like Mimikatz, Cobalt Strike and BloodHound
  • Unauthorized deployment, use and download of remote access tools (Teamviewer, Remote Desktop, etc)
  • Installation of suspicious or unknown services
  • Data exfiltration to cloud storage

Proficio has already deployed a wide variety of use cases that can be effectively utilized to detect such common indicators or activities. Of course, the effectiveness of the use cases depends on the log sources being monitored and their visibility into the environment or network. We recommend reaching out to your security advisors or client success managers to understand the use cases deployed for your environment and how we can work together to increase the efficacy of our monitoring, detection and discovery efforts.

The Proficio Threat Intelligence Team will continue to research and investigate all new threats to identify the best way to start a threat hunting campaign. And as always, we will keep all of our clients informed on our efforts in this area.

Precautionary Measures

Prevention is better than cure. It is advisable to safeguard you and your organization to avoid being the next victim of this ransomware attacks. We would recommend organization to consider the following measures.

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware.
  • Performing regular backups on critical files and systems.
  • Keeping your operating systems and accessible services up to date on the latest security patches.
  • Make use of Multi-Factor Authentication to govern access as much as possible.
  • Make use of network segmentation alongside the zero-trust model.
  • Close unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

Codecov Breach

OVERVIEW | Codecov Breach

Supply chain attacks are far from new. We previously covered the SolarWinds attack, which may be the biggest software supply chain attack disclosed, as well as the most damaging supply chain attack to users. In more recent news, a new cyber-attack similar to the SolarWinds attack was discovered on a software testing platform – Codecov, which is a supplier of code management and audit solutions.

Codecov first discovered the attack on April 1st, disclosing this to the public on April 15th. However, investigations into the attack suggest that it first occurred months earlier, possibly as far back as January 31st, yet went unnoticed for several months. The adversary was able to gain access to Codecov’s Bash Uploader script using credentials stolen by exploiting an error in Codecov’s Docker image creation process. The adversary then replaced Codecov’s IP address within the Bash Uploader script to the adversary’s own IP address, rerouting the data to send information to the adversary instead of Codecov.

The altered version of the Bash Uploader script could potentially affect the following references from Codecov:

  • Any credentials, tokens, or keys that were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
  • Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
  • The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.

Moving Forward

Proficio’s Threat Intelligence Team has been diligently researching the attack and how it may have affected our clients. There will be a continuous and ongoing effort to help ensure that all our clients are not being compromised by this campaign, through the following:

  • Gathering of IOCs and TTPs of the attack
    • Although no IP addresses of the third-party servers were disclosed to the public, our team is currently researching on the TTPs to potentially identify traffic on data exfiltration attempt
  • Performing threat hunting on potential exfiltration of data associated with campaign against our client SIEMs for the past three months
  • Documenting and investigating any potential incidents
  • Providing updates of threat hunting results to all Client Success Manager and Security Advisors, so they can alert clients, as applicable

General Recommendations

Given that the breach is newly discovered, there is still a lot of uncertainty as to how much damage it can bring to victim systems. As such, we always recommend our clients to keep the systems, and in this case, the scripts patched and up to date.

Clients that utilize Codecov as a service are strongly advised to run through Codecov’s recommendation and guidelines. For any Proficio clients who are unsure about logs investigations, please reach out to your assigned Client Success Manager or Security Advisors for the next steps.

Reference link

  • https://about.codecov.io/security-update/
  • https://www.bleepingcomputer.com/news/security/hundreds-of-networks-reportedly-hacked-in-codecov-supply-chain-attack/
  • https://www.reuters.com/technology/us-investigators-probing-breach-san-francisco-code-testing-company-firm-2021-04-16/
  • https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/
  • https://www.zdnet.com/article/codecov-breach-impacted-hundreds-of-customer-networks/
  • https://latesthackingnews.com/2021/04/26/codecov-breach-following-supply-chain-attack-affected-hundreds-of-networks/

Hafnium – Microsoft Exchange Server 0-Day Vulnerability

OVERVIEW | 0-day

As early as January 6, 2021, multiple Microsoft Exchange 0-day vulnerabilities had been publicly disclosed. These 0-day vulnerabilities were found to be actively exploited by the threat group Hafnium. This appears to be a nation-state attack that is currently targeting as many as 30,000 organizations in the United States and hundreds of thousands worldwide. Based on the current pool of targeted victims, these attacks do not appear to be targeting any specific sectors or countries.

Per BleepingComputer, there are four 0-day vulnerabilities that were being exploited:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Microsoft released patches for the exploited vulnerabilities on March 2, 2021. A PowerShell script called “Test-ProxyLogon.ps1” was also published by Microsoft to run against the Microsoft Exchange Servers for indicators of compromise. At this time, multiple groups of threat actors (other than the Hafnium group) were also known to be exploiting these vulnerabilities to compromised Microsoft Exchange Servers.

Hafnium Attack Details

These attacks began with reconnaissance on vulnerabilities against the potential servers from the adversary. For Hafnium, following the reconnaissance to gain initial access, they dropped webshells onto the affected servers. Based on our research, webshells dropped onto the victim’s servers were mainly variants related to China Chopper-like Webshell scripts.

The adversary was observed to have deployed these webshell scripts within web directory folders to establish persistence within the systems. The team also observed unusual HTTP POST requests of single letter or generically named Javascript files being used as part of the exploit attempt. CrowdStrike has decoded a sample of such scripts returning initial commands being passed to a dropped webshell. SetObject for OABVirtualDirectory commands were being used to point to the malicious JavaScripts. These webshells potentially allow attackers to perform malicious actions or steal data from the compromise servers.

Post exploitation activity such downloading PowerCat from GitHub was observed from this attack. PowerCat is used to connect to a remote server and open connections to the remote server. Activities such as utilization of exchange PowerShell snap-ins were observed to export mailbox data and stolen files were also observed to be compressed prior to exfiltration.

Stronger Together

Proficio’s Threat Intelligence team is continually researching and collecting IOCs with regards to these attacks. We continue to gather the latest IOCs available and many clients have also been providing additional Exchange logs and malicious artifacts, which we have used to find additional indicators to help in our threat hunting. With the indicators gathered, the team is able to quickly identify positive hits such as dropped files in client’s server.

Other than the public IOCs and additional indicators found by the team, we are also looking at other TTPs such as potential download traffic of PowerCat, large data transfers, access to file sharing sites and other unusual traffic that could help to identify the threat. This is an ongoing effort to help identify clients that may have been compromised and ensure our clients are not being targeted.

Precautionary Measures

Prevention is always better than cure. Given these exploits are still actively seen in the wild, we recommend organizations perform patching or upgrades to any on-premise Exchange environments to help mitigate the risk of successful exploit attempts; for those that have been exploited or are unsure of whether their servers have been compromised from these vulnerabilities prior to the patch, we strongly recommend investigating Microsoft Exchange Servers using Microsoft published PowerShell scripts that will scan for any indicators of compromise within the servers. Patch recommendation and PowerShell scripts provided by Microsoft team can be found here:

  • https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

For any concerned Proficio clients, please reach out to your assigned Client Success Manager or Security Advisors.

Reference links

https://news.sophos.com/en-us/2021/03/05/hafnium-advice-about-the-new-nation-state-attack/

https://www.theverge.com/2021/3/5/22316189/microsoft-exchange-server-security-exploit-china-attack-30000-organizations

https://www.bleepingcomputer.com/news/security/microsoft-fixes-actively-exploited-exchange-zero-day-bugs-patch-now/

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Phishing in the Wild II

OVERVIEW
Phishing events are commonly seen in the public so the Proficio’s threat intelligence team often receives opportunities to research different type of phishing activities. On the 13th November 2020, a client had requested for assistance on a phishing incidence that had occurred within their environment.

In this blog, we share some of the findings from our own deep-dive investigations into the HTM spear-phishing email campaigns.

PHISHING DETAILS
In this type of phishing attempt, the adversary would send a spear-phishing email with a HTM (.htm) file attach containing a URL link to the victim. Based on the team’s investigation of the incident that was reported, upon clicking on the phishing link it would redirect the victim to a phishing page which was hosted on another domain.

In this incidence, the phishing link was observed to be hosted on the domain “bayleafinternational[.]com” and upon clicking, the page would be redirected to the domain “laikipianorthtvc[.]ac[.]ke”. However, by 18th November 2020, the redirected phishing domain was taken down so instead of the first observed site “laikipianorthtvc[.]ac[.]ke”, it would redirect the user towards the domain “altia[.]in”. A Whois lookup (Figure 1) was performed on the first redirected link “laikipianorthtvc[.]ac[.]ke” and based on the updated date, it is suggested that this site was likely to taken down on 16th November 2020.

Figure 1 - Sample phishing domain

Figure 1 – Sample phishing domain

The team further investigated the redirected phishing link. Simulating access of the phishing domain would display a phishing page that resembles a Microsoft login page (Figure 2). Upon entering the credentials, we noticed that the phishing site would redirect the victim to a URL on the same domain with a URL path containing “/complete?ss=2”. In this incidence that we were investigating, the user was redirected to the request URL “hxxps://altia[.]in/complete?ss=2”. A HTTP POST request could also be identified upon submitting the credentials (Figure 3).

Figure 2 - Redirected fake login page

Figure 2 – Redirected fake login page

 

Test access with response code

Figure 3 – Test access with response code

Similar phishing activities were also found in the wild, with our research suggesting that this phishing campaign appears to have started as far back as 1st September 2020; it is likely this phishing campaign is still ongoing. We have noticed that multiple domains were being used in this phishing campaign, but some of the used and older pages have since been taken down.

Comparing the phishing activities observed with those seen in the wild, aside from the same fake Microsoft login page used, the phishing links appears to share similar naming formats as follows:

  • Initial URL from email
    • <domain>/<base64-encoded victim’s email address>
  • Redirected phishing page
    • < phishing domain>/?ss=2&ea=<victim email address>&session=<session ID>
  • Redirected complete page
    • <phishing domain>/complete?ss=2

MITRE ATT&CK FRAMEWORK
The following framework is produced based on the investigated incidence:

Tactics  Techniques  Use 
Reconnaissance [TA0043]  Phishing for Information: Spearphishing Link [T1598.003] The phishing email contains a HTM file with a phishing link that leads to a fake login page used to steal credentials
Defense Evasion [TA0005]  Masquerading: Match legitimate name or location [T1036.005] The phishing email contains the use of a htm files with the file name containing the client’s domain.
Initial access [TA0001]  Phishing: Spearphishing Link [T1566.002] The adversaries utilize spear phishing emails and redirect victims to credential harvesting sites.

 

PRECAUTIONARY MEASURES
Anyone can fall victim to a phishing attack. Cybercriminals offer try and catch unsuspecting individuals by sending a phishing email from a reputable or known users that they wouldn’t expect to be compromised. It is advisable to safeguard yourself and your organization to avoid being the next victim from phishing attacks and credential theft. We would recommend organization to consider the following measures if this has seen within your environment.

  • Educate your employees and users to improve cybersecurity awareness.
    • Remind users to report any suspicious emails received, even from other employees, to their cyber-security team.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Always verify any suspicious emails through a different channel such as calling the supposed sender for verification.
  • If your organization is expecting legitimate emails from the senders, filter by email subjects and quarantine emails sent from those compromised senders to anyone outside of an expected recipient list.
  • Reach out to any legitimate sender that appear have their account(s) compromised and instruct them to take action to secure their account(s).
  • Make use of Multi-Factor Authentication to secure email and other user credentials.
  • Make use of network segmentation alongside the zero-trust model.

Ryuk Ransomware

OVERVIEW
Ryuk ransomware was first discovered in the wild in 2018. It is known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating the file encryption.

This ransomware group was one that did not stop attacks on healthcare organizations despite the Coronavirus pandemic in 2020, made clear by their recent attack against Universal Health Services (UHS). In this blog, we will share the common IOCs for this type of attack and ways to stay protected.

RANSOMWARE DETAILS
Since 2019, the most common method for Ryuk threat actors to gain entry to a victim’s environment is with the use of Trickbot and Emotet malware, often starting with phishing attacks. In the case of the UHS attack, both Emotet and TrickBot were detected within the UHS’ environment.

The attack chain often starts with delivering Emotet to a victim host via phishing email, which subsequently downloads Trickbot onto the host. After harvesting data, Trickbot opens a reverse shell to provide Ryuk ransomware threat actors with entry to the victim’s environment, allowing the actors to manually deploy the ransomware on the victim host.

Ryuk ransomware has been found to contain commands for killing services related to antivirus products, and Trickbot has the capability to disable Microsoft Defender as well. A UHS employee has stated online that during the attack, “multiple antivirus programs were disabled”.

Ryuk Ransomware Commands Example

Fig 1. An example of commands in Ryuk ransomware

According another UHS employee, one of the infected computers displayed a ransom note that read “Shadow of the Universe”, which is similar to the phrase “balance of shadow universe” seen in previous Ryuk ransom notes. Names of files were observed being appended with the file extension “.ryk”, which is the extension used by Ryuk ransomware after successfully encrypting a file.

Ryuk Ransomware Note Example

Figure 2 – Example of a ransom note

While there are limited details on the UHS attack, there are some common activities and IOCs of Ryuk ransomware attacks involving Trickbot and Emotet:

  • Phishing email containing Microsoft Office attachments (.doc, .xls etc.) with Macros
  • PowerShell commands executed by Macros
  • Downloading of PowerShell Empire/Cobalt Strike/PsExec
  • Exploitation of EternalBlue vulnerability which is over port 445 (SMB)
  • Unusual scheduled tasks, registry keys created
  • Recurring traffic towards Trickbot C2 servers over ports such as ports 446, 447, 449, 8082
  • Privilege escalation
  • Files with the file extension “.ryk”
  • “RyukReadMe.txt” or “RyukReadMe.html”

PRECAUTIONARY MEASURES
Prevention is better than cure. It is advisable to safeguard yourself and your organization to avoid being the next victim of this ransomware attacks. We would recommend the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware
  • Consider Managed EDR services that will enable you to quickly react and contain any ransomware vendor
    • These services can also play a big part in monitoring and alerting on attacked vectors used as a distribution method
  • Have a cold or distributed backup system in place
    • At a minimum, have backups separate from production systems for your critical files or systems
  • Keep your operating systems up to date on the latest security patches
  • Make use of network segmentation alongside the zero-trust model
  • Close unnecessary network ports to reduce entry points for attackers
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise
  • Educate your employees and users to improve cybersecurity awareness

REFERENCES

  • https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/
  • https://techcrunch.com/2020/09/28/universal-health-services-ransomware/
  • https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
  • https://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/
  • https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware
  • https://www.bleepingcomputer.com/news/security/new-trickbot-version-focuses-on-microsofts-windows-defender/
  • https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
  • https://www.cpomagazine.com/cyber-security/ryuk-ransomware-still-targeting-hospitals-during-the-coronavirus-pandemic/
  • https://www.bleepingcomputer.com/news/security/ryuk-ransomware-keeps-targeting-hospitals-during-the-pandemic/
  • https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/

Typeform Phishing Campaign

OVERVIEW
In recent years, phishing campaign comes in different types and forms. The attackers are known to utilize free online tools and a variety of methods in hope to harvest credentials out from the victims.

On 16 August 2020, a relatively new spear-phishing campaign was detected which appears to utilize a free online tool – Typeform. The attacker created and hosted fake online forms to harvest victims’ credentials.

In this blog, we share some of the findings from our own deep-dive investigations into the attack activities that we have observed.

PHISHING DETAILS
Our investigation showed that victims would receive variants of emails, which can contain a URL link or an attachment that would redirect the victim to a phishing page. The phishing pages observed would inform the victim about a document that was sent through OneDrive in a PDF format.

Typeform Phished Email Example

Figure 1 – An example of phished email received

From our investigation, we have seen events where upon a successful phishing attempt, the compromised host would be used to subsequently broadcast the phishing email to all other employee using the organization email domain.

We have also seen events where the victim executed the phished PDF attachment in which the PDF would display a Microsoft labelled document with a “Open in OneDrive” button. Our investigation shows that clicking the button redirects to a phishing subdomain in Typeform with domain names such as

  • “hXXps://document-signonline[dot]typeform[dot]com”
  • ”hXXps://microsofonedrive6575[dot]typeform[dot]com”.
Typefrom Phishing Attachement Example

Figure 2 – An example of the attachment

Further investigations by the team reveals interesting network behaviour. Upon successful access to the phishing site and the user starts filling the phishing form, the page loads the domain ending with the URL parameter “/start-submission”. The phishing form first prompts for the user’s email address and then their password. Once the credentials are filled in, a button is displayed for the user to click on in order to send the inputs and view a document on the website. Clicking the button loads the domain ending with the URL parameter “/complete-submission”. Observing this traffic would represent a complete cycle whereby the victim has accessed and provided the credentials to the phished sites.

DETECTION AND DISCOVERY EFFORTS
Proficio’s Threat Intelligence Team collected several different IOCs to identify potential access to the phishing sites. The IOCs include URL parameters and IP addresses.

The most notable indicator of accessing the phishing page was the sequence of redirections that occur after clicking the initial phishing link. Based on this, we were able to identify potential phishing attempts with higher certainty despite the limited visibility allowed for an MDRP/MSSP like Proficio.

From our investigation, this campaign appears to target by organization rather than random individuals, as we had observed the phishing emails being sent to multiple employees within an organization together in one wave. Even if the emails were blocked, there were no repeated attempts to send the emails to the targets. This campaign does not appear to target any specific industry sector.

PRECAUTIONARY MEASURES
This could have happened to anyone of us that works in any organization whom we would unexpectedly receive phishing email send by reputable or known users that were being compromised. It is advisable to safeguard you and your organization to avoid being the next victim from phishing attacks and credential theft. We would recommend organization to consider the following measures if this has seen within your environment.

  • Educate your employees and users to improve cybersecurity awareness.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate users to report any suspicious emails received, even from other employees, to their cyber-security team.
  • Always verify any suspicious emails through a different channel such as calling the supposed sender for verification.
  • Quarantine emails sent from those compromised senders to anyone outside of an expected recipient list of filtering by email subjects if your organization is expecting legitimate emails from the senders.
  • Reach out to any legitimate sender that appear have their account(s) compromised and instruct them to take action to secure their account(s).
  • Make use of Multi-Factor Authentication to secure email and other user credentials
  • Make use of network segmentation alongside the zero-trust model

WastedLocker Ransomware

OVERVIEW
First discovered in May, WastedLocker ransomware is a relatively new strain from the group known as Evil Corp, which was previously associated with the Dridex banking Trojan and BitPaymer ransomware. This ransomware group was brought to our attention with the recent ransomware attack against Garmin. In our research, we discovered why these targeted attacks are even harder to defend against. Read on to learn what to look for and how to avoid this new strain.

RANSOMWARE DETAILS
WastedLocker attacks start with a drive-by compromise to gain initial entry. The attackers use the SocGholish framework to hack legitimate websites that display fake software update alerts to visitors. Attempting to download these fake alerts will deliver PowerShell scripts onto the user’s device, which subsequently download Cobalt Strike. Cobalt Strike then allows the attackers to gain access, move laterally through the target’s network, and deliver the WastedLocker ransomware to the victim host.

Before deploying the ransomware, the attackers perform the following tasks within the target’s network:

  • Escalates privileges via UAC bypass method
  • Disables Windows Defender
  • Gathers information about victim’s environment
  • Performs credential dumping

WastedLocker attackers have also been observed in previous attacks to utilize living-off-the-land (LOFT) tools to perform tasks. For example, using the Windows Sysinternals tool PsExec to disable Windows Defender, using PowerShell and WMIC to profile the target’s environment.

Upon successful encryption of a victim’s file, the ransomware appends a file extension that is a combination of the target organization’s name and the string “wasted”. In the case of the Garmin attack, the file extension “.garminwasted” was appended to encrypted files. For each encrypted file, the ransomware also creates a ransom note with the same name appended with “_info” at the end of the file extension, such as “.garminwasted_info”.

Example of a ransom note

Figure 1 – Example of a ransom note

Aside from encryption, the WastedLocker ransomware is also capable of deleting Windows shadow copies to wipe backups and file snapshots to make recovery impossible.

The method of payment provided to decrypt WastedLocker is to contact one of the emails listed within the ransom notes. As of now, email addresses that have been used by the attackers are can belong to either ProtonMail, Eclipso, Tutanota, or Airmail.

Unlike many other ransomwares this year, WastedLocker ransomware does not steal victims’ files but simply encrypt them. However, it is worth noting that WastedLocker attacks are highly targeted and ransomware samples used are each customized for the target organization. This means that standard IOCs such as the file hashes of previous samples would not be very helpful or useful in detections.

PRECAUTIONARY MEASURES
Prevention is better than cure. It is advisable to safeguard you and your organization to avoid being the next victim of this ransomware attacks. We would recommend organization to consider the following measures.

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware.
  • Make use of a managed EDR service to quickly react and contain any ransomware vendor
  • Managed EDR services can also play a big part in monitoring and alerting on attacked vectors used as a distribution method
  • Have a cold or distributed backup system in place, or at minimum have backups separate from production systems, for your critical files or systems.
  • Keeping your operating systems up to date on the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Close unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

ABOUT PROFICIO

Proficio’s Managed, Detection and Response (MDR) solution surpasses the capabilities of traditional Managed Security Services Providers (MSSPs). Our MDR service is powered by next-generation cybersecurity technology and our security experts partner with you to become an extension of your team, continuously monitoring and investigating threats from our global networks of security operations centers. Learn More About Proficio’s Services

REFERENCES

  • https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
  • https://www.bleepingcomputer.com/news/security/new-wastedlocker-ransomware-distributed-via-fake-program-updates/
  • https://www.bleepingcomputer.com/news/security/dozens-of-us-news-sites-hacked-in-wastedlocker-ransomware-attacks/
  • https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/
  • https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/

Phishing in the Wild

OVERVIEW
It’s no secret that phishing is one of the most common types of cyberattacks, both to individuals and organizations. According to the 2020 Verizon Data Breach Investigation Report, one out of four breaches involved phishing. So when Proficio’s Threat Intelligence Team received a client request, asking for assistance with a phishing incident, we conducted a thorough investigation on the specific threat actor. Below we share the key findings from our deep-dive investigation, including the hooks used and key targets for this campaign.

PHISHING CAMPAIGN DETAILS
The threat actor appears to be utilizing compromised user accounts within the targeted organization to send out phishing emails to internal contacts within their mailing list. We observed that such phishing emails sent by the legitimate, but compromised, user accounts would contain a download image that resembles the original PDF download button (Figure 1).

Sample email received

Figure 1 – Sample email received

The Proficio’s Threat Intelligence Team dissected the email received, observing the below PCAP from a simulated access attempt against the download link (Figure 2). While the download button masquerades as an attachment, it appears to be a request URL link. The threat actor employs pretty standard social engineering “hooks” to creates a false sense of urgency with words such as “advise ASAP”. The purpose, of course, is to lure the victim into quickly clicking on the button without thinking too much.

Sample PCAP from email received

Figure 2 – Sample PCAP of email received

Our analysis of the PCAP file (generated upon clicking on the download image seen from the email) reveals a redirect to an external request URL. Simulated access against the external request URL in a controlled environment reveal a redirect to a website with a “CLICK HERE TO VIEW” button. This phishing “hook” resembles a secure document intended for the victim to access.

Simulated access to request URL

Figure 3 – Simulated access to request URL

If a victim clicks on the “CLICK HERE TO VIEW” button, they would be directed to a fake Microsoft login page. When we input fake credentials into the login page, the adversary directs the user to an error page and requests for the credentials to be submitted again. We believe that the second credential request is meant to direct the user to the real Microsoft login page, a setup very similar to those practiced by other phishing campaigns. There are no other redirections observed subsequently.

Fake Microsoft login page

Figure 4 – Fake Microsoft login page

DETECTION AND DISCOVERY EFFORTS
Proficio’s Threat Intelligence Team collected several different IOCs to identify potential access to the phishing sites. The IOCs includes known domain, IP addresses and unique URL parameter used in this phishing attempt.

Our investigation revealed that this campaign targets organizations rather than random individuals, as we observed that the phishing emails were sent to multiple employees within an organization together in one wave. Our analysis and study of the threat actor’s infrastructure and TTPs reveal that the threat actor conducting the phishing campaign appears to be interested in targeting specific geographic regions. We have identified the presence of several interesting strings such as “AUSTRALIA” and “YANKEE” used by the threat actor in their request URLs to organize their data depending on the geographic region associated with their target.

During our extensive investigations, we discovered the phishing emails were sent to multiple clients containing multiple different phished domains which ends with “/DOCUMENT.html”. Simulated access towards all the discovered sites exhibits the same redirection behaviour. Most of the identified activity was from inbound phishing emails. In most cases, we did not identify any click-through traffic that would indicate a potentially successful phishing attack.

While the threat actor appears to be interested in only a few geographic region, they do not appear to target any specific industry sector. We have identified multiple clients who have received emails from this phishing campaign. The sectors targeted by the threat actor most frequently were:

  • Healthcare
  • Commercial Services
  • Real Estate

We will continue to keep an eye out for other phishing campaigns and intrusions that could be associated with this particular threat actor.

PRECAUTIONARY MEASURES & RECOMMENDATIONS
Phishing remains a popular attack vector because it continues to work very effectively. Anyone could receive phishing emails, and they could be sent by reputable or known users that were unknowingly compromised. It is advisable to take proactive steps to safeguard you and your organization to avoid being the next victim of a phishing attack or credential theft. We would recommend organizations to consider the following measures to protect themselves from phishing attacks.

  • Educate your employees and users to improve cybersecurity awareness.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate users to report any suspicious emails received, even from other employees, to their cyber-security team.
  • Always verify any suspicious emails through a different channel such as calling the supposed sender for verification.
  • Quarantine emails sent from those compromised senders to anyone outside of an expected recipient list of filtering by email subjects if your organization is expecting legitimate emails from the senders.
  • Reach out to any legitimate sender that appear have their account(s) compromised and instruct them to take action to secure their account(s).
  • Make use of Multi-Factor Authentication to secure email and other user credentials
  • Make use of network segmentation alongside the zero-trust model

Proficio Vulnerability and Advisory Report

CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication
PURPOSE:
The purpose of this report is to provide vendor specific advisories and vulnerability information that may be relevant to the security of a device(s) deployed within your network environment. Along with information about the vulnerability related issues, Proficio will provide recommended actions to either resolve, mitigate or workaround the vulnerability as provided by the vendor.

Please let us know if you have any questions or concerns about the information below. If you are a current MSS customer, please let us know if you would like assistance with implementation. Submit a change request to prosoc@proficio.com .

ADVISORY DETAILS

Reported Vulnerability

Date: 2020 June 29

Severity: Critical

CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication

Summary:

When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

Affected Products

GlobalProtect Gateway,

GlobalProtect Portal,

GlobalProtect Clientless VPN,

Authentication and Captive Portal,

PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces,

Prisma Access

Work Around

If SAML or SSO is configured; proceed to the recommendation section below.

This article will illustrate the actions to confirm the configuration is present.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP

Affected/Fixed Software

This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1.

This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions.

Details

If SAML or SSO is not configured, no action required.  If SAML or SSO is configured, the proceed to the recommendation section below.

Proficio Recommendation

If SAML or SSO is configured, follow the directions below:

Using a different authentication method and disabling SAML authentication will completely mitigate the issue.

Until an upgrade can be performed, applying both these mitigations (a) and (b) eliminates the configuration required for exposure to this vulnerability:

(a) Ensure that the ‘Identity Provider Certificate’ is configured. Configuring the ‘Identity Provider Certificate’ is an essential part of a secure SAML authentication configuration.

(b) If the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, then ensure that the ‘Validate Identity Provider Certificate’ option is enabled in the SAML Identity Provider Server Profile. Many popular IdPs generate self-signed IdP certificates by default and the ‘Validate Identity Provider Certificate’ option cannot be enabled. Additional steps may be required to use a certificate signed by a CA. This certificate can be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA. Instructions to configure a CA-issued certificate on IdPs are available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP.

Upgrading to a fixed version of PAN-OS software prevents any future configuration changes related to SAML that inadvertently expose protected services to attacks.