The Microsoft Threat Intelligence Podcast 10.23.24
Ep 30 | 10.23.24

Vanilla Tempest: The Threat Actor Behind Recent Hospital Ransomware Attacks

Transcript

Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird, but don't worry, I'm your guide to the back alleys of the threat landscape. Welcome to the Microsoft Threat Intelligence Podcast. I am Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft. I am joined by two fantastic security researchers from Microsoft, Anna and Keivan. Thank you for joining me.

Anna: Thank you. Thanks for having us.

Keivan: Hi. Yeah, thank you so much. It's a pleasure being here.

Sherrod DeGrippo: So I think we're going to jump right in to talk about two threat actors that we've done profiles on recently on the blog, and I wanted to just dig in with you, threat researchers that understand what these threat actors are doing and get an idea for the listeners of what they need to know. So Anna, let's start with you. You have Vanilla Tempest on deck, which for those of you who have memorized the threat actor naming, Tempest is a crime-based or financially motivated actor. So Anna, what's up with Vanilla Tempest lately?

Anna: That's right. They've been up to no good lately, that's for sure. So back in August, Microsoft Threat Intelligence observed Vanilla Tempest conducting ransomware attacks against hospitals in the United States. So Vanilla Tempest has previously targeted hospitals and the healthcare sector in the past. This is the first time that we've observed Vanilla Tempest using INC ransomware. So just to overview Vanilla Tempest a little bit, they're a financially motivated threat group. So they have that nice little Tempest piece attached to their name, like all of the cybercrime groups here at Microsoft, and they typically focus on deploying ransomware for exfiltrating data and extortion. INC is definitely different. In the past, they've shifted from BlackCat to QuantumLocker to Zeppelin, and now INC. So usually before the ransomware deployment, Vanilla Tempest relies on pretty similar TTPs used among other ransomware actors, which also includes the use of PowerShell scripts and repurposed legitimate tools. We've also seen them exploiting some publicly disclosed vulnerabilities for initial access and using backdoors like SystemBC and Supper, which is a new backdoor.

Sherrod DeGrippo: So I also saw when I was looking through the profile of this actor that they're simultaneously often tracked as DEV-0832, which is a previous Microsoft name, and it looks like some other intelligence organizations out there refer to them as Vice Society.

Anna: Yes. So they've graduated a little bit out of that dev group into this Vanilla Tempest naming convention, but I don't remember when that was. I think it was about a year ago where they got the official Tempest name, and that's just because more and more research has been linked to them, especially like the GootLoader thing. That's definitely a TTP that they're consistently using, which I can kind of describe a little bit if you're interested. GootLoader is spread through search engine optimization poisoning. So in this technique, this is when a threat actor uses different methods to try to manipulate the ranking of websites and search engine results, and this is in an attempt to trick users into clicking on those websites and then adding keywords and links that the actor can control. So the GootLoader infections that are used by Vanilla Tempest, they drop a scheduled task. Once that task is triggered, it runs this JavaScript and launches the PowerShell script. So this is usually followed by a handoff to Vanilla Tempest, and this is for further hands-on keyboard activity. And just a little note, so GootLoader is a different thing than GootKit. So I know they can be confused sometimes. GootKit is a banking Trojan, and GootLoader did initially load GootKit, which doesn't help with the confusion, but these are now noted in separate camps.

Sherrod DeGrippo: So and GootLoader has been around for quite a while, but it is like one of those flexible loaders and downloaders that can be used in a modular way where they can leverage different kinds of payloads within the same loader. It's sort of like a plug-in.

Anna: Yeah, totally, and so one of the tools that is seen originating from previous GootLoader infections is the Supper backdoor. So the Supper backdoor has a very complicated C2. It has two different buffers, and it uses a structure that has five members. So there's a lot going on with this, and these hosts are also used to process different commands on the compromised device.

Sherrod DeGrippo: Got it, and so we're seeing essentially Vanilla Tempest using a variety of different payloads. So BlackCat, QuantumLocker, Zeppelin, and Rhysida, which is old. Oh, Rhysida's been around a long time, and now INC. So any reason that you've seen that would indicate why they've maybe moved to the INC payload?

Anna: That's a really good question. Oh, I don't really know the answer to that. I think INC is being seen more in the wild lately, and we can also kind of touch on these other tools and different backdoors that Vanilla Tempest has been incorporating. Like in the past, they've typically used like SystemBC and PortStarter, but they've also used AnyDesk and Mega as well. So I think all of this coming together is just a new way to deploy their ransomware payload. I'm not exactly sure why they've landed on this one at this particular moment.

Sherrod DeGrippo: Yeah, it looks like they changed to INC in August of 2024. So there's always the possibility that in the crimeware ecosystem, something new and cool came out and they just want to try what the new hotness is. I'm kind of coming to a theory that a lot of what we see in terms of changes in TTPs for the crime side of the house has a lot to do with the ecosystem capability to sell. So we see lots of different groups within the crime ecosystem that don't necessarily do ransomware. They sell attacker-in-the-middle phish kits. They sell downloaders as a service. They sell remote access. It looks like sometimes if certain providers have better customer service and better deals, sometimes they become the trend on the landscape. So it's been really interesting to watch some of the changes where different threat actor groups all of a sudden are like super into one thing. And I wonder if it's because that particular provider has done a better job marketing than others.

Anna: Yeah, I can totally see that being the case, especially because this is such a recent change, you know, just a month ago. So it's definitely something to keep poking and looking at.

Sherrod DeGrippo: Absolutely. So what else should we know, Anna, about Vanilla Tempest?

Anna: I did look up some stuff just about healthcare targeting in general over the threat landscape. Yeah, just some of the stuff that Microsoft has been seeing, and it actually has been not heavily targeted at the moment. It was on the lower end of targets that we'd seen over the past quarter, and some of the top-targeted industries were like manufacturing and consumer retail. So I found that to be kind of interesting. You know, I can even remember a few years ago, I think the healthcare industry was heavily targeted, and now we're seeing a slight decline. But maybe with this Vanilla Tempest activity, we might see a resurgence in that.

Sherrod DeGrippo: Super interesting. Organizations like healthcare, but all organizations, it's totally worth taking a look at the Microsoft Anti-Ransomware Program. There's a resiliency guide. I'll make sure that that URL is linked in the show notes. But essentially, we have a guide to ransomware resiliency for organizations, because at this point, being resilient is more realistic than being completely immune. So take a look at that. And I think from there, Keivan, we'll move on to Peach Sandstorm. Thanks, Anna.

Anna: Thank you.

Sherrod DeGrippo: So Peach Sandstorm, we've talked about them on the podcast before. We've released quite a few blogs and other intelligence pieces publicly about them. Peach Sandstorm is based in Iran, but what's going on with them lately?

Keivan: So I think it would be good maybe to start with a bit of a background, just a little background on Peach Sandstorm. So they are, like you said, an Iranian nation state threat actor that we previously tracked under the name Holmium. We assess that they operate on behalf of the Iranian Islamic Revolutionary Guard Corps. And for anyone who's not familiar, the IRGC is a branch of the Iranian military that was founded after the 1979 Islamic Revolution. And their purpose is to protect the regime, enforce internal security, and maintain ideological control. So at a really high level, Peach Sandstorm is known for conducting cyber espionage for the purpose of intelligence collection. They've also conducted some destructive operations in the past. From a targeting perspective, they have focused very heavily on the energy sector, so oil and gas, the defense sectors, along with -- there's a long list here, so aerospace, transportation, critical infrastructure, construction, education, financial services, health care, satellite sector, and telecommunications sectors. Yeah, really, really all over the place, and so, they typically target countries and entities that are strategically significant to Iran's geopolitical interests and countries who Iran considers as adversaries. And, of course, at the top of that list, you're going to find the United States, you're going to find Israel, and you're going to find Saudi Arabia. But then they also target some other Middle Eastern countries who have, "friendlier relations with the West," so like UAE, Kuwait, Bahrain, and Qatar, and we also see them targeting some Western European countries, and this is likely in response to those countries being involved in diplomacy with respect to Iran. From a TTP perspective, and, again, I'm going to hit this at a higher level, Peach Sandstorm frequently conducts spear phishing campaigns and password spray attacks for initial access. And, again, if anyone's not really familiar with password spray attacks, it's just a technique where a threat actor attempts to authenticate to many different accounts using either a single password or a list of commonly used passwords. So it's less likely to be detected and flagged, but from there, we've observed them using a combination of some open-source remote access tools, some commercial remote monitoring tools, living off the land techniques, and then some custom malware like Tickler that we're going to discuss shortly.

Sherrod DeGrippo: So it sounds like they're very active, and I know that this particular threat actor group has been active for quite a few years at this point. They're one that we reported on very early, and we've been tracking them for a while. We've been publishing on them. What kind of evolution are we seeing there? How are they evolving and changing?

Keivan: Okay, sure. So, you know, going back to around 2015, you know, we observed Peach Sandstorm employing really what can be considered some quite basic techniques to conduct intel gathering and reconnaissance. So really basic, you know, social engineering, phishing, and some basic malware development, and then kind of moving up to 2019, 2020, we did observe an uptick in the number of campaigns attributed to Peach Sandstorm. But then that was followed by a fairly significant lull in all of 2021 and I believe most of 2022. However, in late 2022, again, we noted a significant increase in activity volume coming from them, also along with an increase in the maturity of their capabilities. And then starting again in 2023, we continue to observe more password spray attacks. The recent blog that we're here to discuss, again, more password spray attacks, some intelligence collection via LinkedIn, and then the deployment of a custom multi-stage backdoor that we call Tickler.

Sherrod DeGrippo: Well, everyone wants to know, what's up with Tickler?

Keivan: So I wish I had a really good answer for the name, right? Unfortunately, I don't think there really is in this case. There's no real good story behind it. Obviously, it's a fairly memorable name, and I have seen a lot of the, how do you want to call it, the hate on social media for the name, which I do find rather amusing.

Sherrod DeGrippo: That's fair.

Keivan: Yeah, it's fair, exactly, exactly.

Sherrod DeGrippo: We didn't name it, did we? We would never name that.

Keivan: Oh, we absolutely did.

Sherrod DeGrippo: We did?

Keivan: We did.

Sherrod DeGrippo: Oh, my gosh.

Keivan: But, I mean, just generally, you know, a reverse engineer, malware analyst, they name malware, you know, for multiple reasons. And, you know, when you're tracking this stuff every day, obviously it's extremely helpful to have some common name that you can track this as. Otherwise, it just becomes a pain, right? I mean, but this can be said, the same thing can be said for the various names that we track in the community for the different threat actors, right? I mean, some people love them; some people hate them. There's no way to make everyone happy with that.

Sherrod DeGrippo: It's got to be effective, though. That's the key. We've got to be effective. So what does the malware actually do?

Keivan: Okay, so Tickler, it's a custom multi-stage backdoor that leverages Azure infrastructure, in this case, fraudulent, actor-controlled Azure subscriptions for command and control. So this is a fairly novel technique, which kind of shows the continued evolution of Peach Sandstorm with respect to malware development, and it just demonstrates that they are continuing to improve their overall tradecraft. So we were able to -- we obtained two versions, two samples that we discussed in the blog, the second iteration showing some improvements over the first. So the sample, it beaconed to an Azure app service to download an additional payload from that C2, including a backdoor, a batch script to set persistence for that backdoor, and then a few legitimate Windows signed binaries likely used for DLL sideloading. As far as functionality goes, Tickler can run several commands. So one of them is gathering network information about the host, so, you know, host name, IP address, and some other networking information, and, you know, this type of information is very valuable to an attacker as it allows them to orient themselves to the compromised network. And then there's some other commands like listing the directory, executing commands, deleting files, and then uploading and downloading files from the C2.

Sherrod DeGrippo: So Peach Sandstorm, we've been watching it for a while. If people are out there doing their own intelligence work, what other names have we seen Peach Sandstorm tracked under?

Keivan: Okay, so I already mentioned that we previously tracked this as Holmium. There are a few other names in the industry. I believe APT33, Elfin, and Refined Kitten are a few, but we do have to keep in mind that these do not necessarily line up one-to-one with what we at Microsoft track as Peach Sandstorm, and that's obviously not very uncommon in the industry as a whole, right? Because every organization that does this type of work, they're going to have slightly different visibility, slightly different telemetry, and that's going to paint a different picture. So I would just say that, you know, there's a little bit of a mess when it comes to at least some of the Iranian threat groups as far as commonality within the industry.

Sherrod DeGrippo: So we know that Peach Sandstorm is using password spray. What can you tell us about that?

Keivan: So like I mentioned before, this is a very popular technique with them. It's very successful. In April and May of this year, we observed them conducting password spray attacks. This time against the defense, space, education, and government sectors in the U.S. and Australia. So of note, we observed Peach exclusively leveraging compromised user accounts in the educational sector to procure operational infrastructure. So in this case, they either accessed existing Azure subscriptions or created new ones using the compromised account to host their infrastructure. So this ties back to Tickler, and in this case, the attacker-controlled Azure infrastructure served as the C2 for Tickler.

Sherrod DeGrippo: Well, Anna, Keivan, thank you so much for joining me to tell us about Vanilla Tempest, Peach Sandstorm, and everything that's going on in the threat landscape. Thanks for joining us.

Anna: Thank you so much.

Keivan: Yeah, thank you so much.

Sherrod DeGrippo: This is Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, and I am joined today by Colton Bremer, Senior Security Researcher. And Colton, we're going to learn today all about what the realities are working at Microsoft on something like Defender Experts. Welcome to the show.

Colton Bremer: Thanks, Sherrod. Thanks for having me.

Sherrod DeGrippo: So I know that you work on DEX, but can you kind of tell me what DEX is exactly?

Colton Bremer: Certainly. So DEX is short for Defender Experts. It's a service that's offered by Microsoft. It's kind of focused on hunting the more advanced threats that maybe the product may have missed. So there's a couple different flavors of DEX. There's kind of the free version where we only are looking at endpoint data and endpoint alerts. And then from there, there's a DEX for hunting service, which is one of the paid services where we bring in additional telemetry, your M365 suite and all that stuff, and do the hunting and correlation on all of that data, and then there's also the more white glove service, which is Defender for XDR, where it is more we're actually in the portal helping to figure out how to handle alerts and providing guidance, and it's a little bit more hands-on versus the other two services, which are more of an advisory where we will do the hunting and correlation, and if we find activity that the customer needs to be aware of, we can alert them by sending them what we call a Defender Experts notification, which is basically just an incident that pops up in the customer portal where we can share any relevant details that might help the customer kind of triage and figure out what's going on in the attack.

Sherrod DeGrippo: So in your day-to-day life, what part of that do you actually generally work on?

Colton Bremer: So for me personally, as a researcher, a lot of what I'm focused on is kind of the emerging and the trending threats that are coming out each new week. So a lot of my time is spent kind of keeping up with what's new and what's the hot-topic button item for this week, whether that be on Twitter or any internal threat intel or possibly as a result of an investigation from one of our partner security teams. Sometimes that kind of gives us leads to pivot to our next hunting activity. So largely, it's been focused on when the new hot-button thing gets released. Obviously, the first question everybody asks is, are we protected by this? Is this impacting us? And that's kind of what our team is trying to answer, especially for the Defender Expert customers. We want to be able to provide that certainty that we are aware of these threats and are hunting on them and trying to get alerts and get that into the product so we can protect the community at large.

Sherrod DeGrippo: So you're a threat hunter. How did you start in your career? Like what brought you to this work?

Colton Bremer: Yeah, so I've always kind of been into cybersecurity even before the high-school days, and once I got done with college, I started off doing technical support for a security vendor, primarily on their firewall and web filtering products. So that's where I spent the first couple of years of my career and got to see a lot of interesting things from that perspective, being fresh into the field and kind of learned the process of troubleshooting and the importance of kind of having a methodology to follow and not just kind of shotgun approaching and guessing what's going on. From there, I kind of moved into the traditional SOC style role at a large health care company and kind of helped the rollout of that SOC and the development of the processes and procedures. And eventually after that, I moved to a different SOC at a large financial company where it's kind of the same thing of building out the SOC, and then towards the end of my tenure there, I kind of pivoted into kind of more of a hybrid SOC analyst engineering threat hunting role. So we kind of started developing the threat hunting program there and I found that really interesting. So obviously I started to look for the next thing, and then I saw the opening at Microsoft for the threat hunting position. And knowing how many resources Microsoft has kind of dedicated into this space in the last couple of years seemed like an exciting opportunity to kind of join the team and have that vast amount of telemetry that's available to hunt on and makes it so you can find some attacks that you might not see otherwise, just because of the amount of data that Microsoft has access to hunt on.

Sherrod DeGrippo: So what do you think is like your favorite thing to do? Like what's something that gets you really excited when you're at work each day?

Colton Bremer: I mean, the biggest thing for me is that every day is kind of a new puzzle. It's not going to be the same kind of thing every day. In the SOC roles, a lot of times you're triaging the same alerts day in, day out. Whereas within DEX and the hunting side, it's every day there's a new threat that you're investigating. Every day there's potentially something new you can find, something new to learn about and kind of keep your skills sharp and always learning something new.

Sherrod DeGrippo: And so I guess tell me about like what are some things that you have found recently on the threat landscape? What's happening out there that is hitting your radar?

Colton Bremer: Yeah, as far as DEX goes, we're still seeing a lot of the adversary-in-the-middle phishing campaigns, specifically the ones leveraging QR codes, which makes for kind of a unique challenge. A lot of times these campaigns will go out and people will scan the QR codes on their personal device, where a corporate security team might not have the visibility to see what's actually happening there. So it makes it kind of a unique challenge to figure out who is actually getting these campaigns, especially when they're sent via text message. And then you don't even have the logs in your email to kind of track that campaign. So it makes it a little bit more difficult to actually figure out who may have received those messages and how they may have potentially entered their credentials.

Sherrod DeGrippo: So QR phish kits with MFA bypass are still super popular. What other things are out there? Any like TTPs that seem particularly prevalent lately?

Colton Bremer: I would say the other big thing that we still are seeing a lot of is more of -- I want to say it's an advanced thing, but the info stealer campaigns are still coming very frequently, and I think a lot of people may not give them the respect that they deserve because it doesn't seem as impactful as some of the other threats that you may see out there. But with the whole ecosystem of threat adversaries these days, that could just be the first part. I mean, you could have somebody collecting these credentials and then selling them to an access broker who's selling them to the next person, and who knows what's going to happen when somebody buys these credentials down the road? Because once these access brokers have the credentials and sell them, they don't really care what happens. So once they give this access up, then it's really open field.

Sherrod DeGrippo: So let's talk about info stealers actually for a second, because they've been around like a really long time. They essentially get on a host and go look through various stores of information. So like credit cards and things like that, right? Like username, password pairs, personal information. And typically we see them package those up and then they do something else with them, right?

Colton Bremer: Exactly, and it's not really a new technique, but kind of the thing that's been interesting over the last year or two is starting to steal all of these session tokens from the browser, which obviously if you get that, then that's just as good as having the username and password. So a lot of people might not think it's as big a threat compared to maybe ransomware, but it's possible that that could be the first step to an adversary getting into your environment that later will deploy ransomware. So --

Sherrod DeGrippo: Yeah, info stealers have been around a long time and it's interesting that they're such a staple, but when you look at like the crime ecosystem, it's just another part of it. Just because they're not doing ransomware doesn't mean that they're not part of like contributing to those criminal operations.

Colton Bremer: Exactly.

Sherrod DeGrippo: So something that a lot of security operations professionals deal with is identity and access management, and I know that you work quite a bit on like cloud identity abuse. So what's happening with that landscape?

Colton Bremer: Yeah, so that's another one that's kind of getting a lot more popular. It's not necessarily new, but we're starting to see more and more threat actors kind of picking this up and adding it to their toolkit. Specifically, when actors can get a hold of your credentials and leverage tools like AADInternals or ROADtools, even AzureHound, and GraphRunner we've seen be used pretty frequently by threat actors to kind of get into the environment and perform reconnaissance within that environment, and that could lead to their next steps down the road.

Sherrod DeGrippo: And so is there anything that individuals or organizations can do to kind of help mitigate some of that?

Colton Bremer: Yeah, I think part of the reason that this has kind of become more popular is with the rise of SaaS solutions and vendor accounts and access management being so difficult to kind of maintain. A lot of times accounts are granted more permissions than they really need. And then eventually, essentially, they get forgotten about. And there's just an account that's sitting out there not being used that has access to the whole kingdom. So I would say being aware of what access is actually out there. And this extends to applications as well. A lot of times when you do a POC for a new software product, you spin up an application and give it all the permissions that they need, which is usually everything on the list. And then you do your POC and then a lot of times those applications never get decommissioned and they just kind of sit out there until a threat actor comes along and sees that app is sitting out there with all the permissions that they want, and they can kind of blend in with the environment by leveraging an application that's already created and permissions that are already there versus having to kind of create a new application and risk getting caught there.

Sherrod DeGrippo: So over-permissioned apps, legacy credentials, legacy infrastructure, all those things that we're supposed to be cleaning up as part of security hygiene are being leveraged by threat actors just as much as ever.

Colton Bremer: Yeah, pretty much. I think the other big thing is kind of the low-hanging fruit that has been harped on for years and years and years is making sure MFA is enabled on every account that it could possibly be enabled on. Because that's just one extra step that a threat actor would have to get past to leverage those accounts.

Sherrod DeGrippo: So, Colton, you sound like you've had a lot of SOC experience. What kinds of skills do you feel like you focus on and need day to day to be able to do this work?

Colton Bremer: I think the biggest thing for me is kind of the soft skills that often get overlooked. Anybody can kind of learn the technical side of things and how to do threat hunting, but if you don't have the communication skills to disseminate the findings that you find or being able to work with other analysts, that makes your job a lot tougher when you have to kind of live in that bubble. I think the other big thing is the curiosity aspect. A lot of times when you find something, you might not know what it is. Some people tend to just kind of glance over it. Whereas if you're curious about why is this process doing that and you can end up down a rabbit hole and find out that, oh, this process doesn't normally make network connections. That's odd, and then kind of unraveling it from there to trace it back and find the root of the problem.

Sherrod DeGrippo: So it sounds like you use a lot of intuition if you're looking for things that are odd.

Colton Bremer: I think that it definitely helps to have the knowledge of how things are supposed to look, because if you're looking for anomalous activity, but you don't know that WerFault.exe is not supposed to be doing something, then how do you know to kind of investigate further and see what's actually happening?

Sherrod DeGrippo: Yeah, I think understanding the technology that we have to secure has to come first. Well, Colton, it was great to hear from you what it's like to be a threat hunter inside Microsoft. Thanks for joining me, and I hope we get to talk to you again soon.

Colton Bremer: Thanks a lot for having me. Hopefully, we can do another one. [ Music ]

Sherrod DeGrippo: Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. E-mail us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app. [ Music ]