Research Saturday 7.18.20
Ep 143 | 7.18.20

Every time we get smarter, the bad guy changes something.

Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities. Solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: Thanks for listening to the CyberWire's Research Saturday podcast. Today, I want to reach out to those members of our audience who are students or serve in the military. Did you know that the CyberWire has special CyberWire Pro subscription offers just for you? Well, you do now. Because of your student or military status – that's active or reserve military status – you are able to subscribe to CyberWire Pro or CyberWire Pro+ at a significant discount. That means you can unlock access to our Focus Briefings, exclusive podcasts, quarterly analyst calls, premium articles, and much more. To learn more, visit, and click on the "Contact us" button in the "Academic or Government and Military" box. That's, and then click "Contact us" in the box that applies to you, and we'll hook you up. Thanks again for listening to Research Saturday.

Dave Bittner: Thanks to our sponsor, Reservoir Labs. Reservoir knows that cybersecurity teams need full network visibility to discover new threats, tactics, and behaviors. This is true today more than ever. Reservoir Labs provides solutions based on rock-solid, enterprise-class network sensing and spectral hypergraph analytics, using advanced algorithms and mathematics to deliver for your team and your network. Contact Reservoir to learn how you can gain comprehensive threat visibility in minutes. Learn more at That's And we thank Reservoir Labs for sponsoring Research Saturday.

Jon DiMaggio: Similar to other research that we've done, we sort of stumbled upon this while looking at some victims of different malware.

Dave Bittner: That's Jon DiMaggio. He's a senior threat intelligence analyst at Symantec, a Broadcom company. The research we're discussing today is titled, "Sodinokibi: Ransomware Attackers Also Scanning for PoS Software Leveraging Cobalt Strike."

Jon DiMaggio: We were looking at two separate things. We were looking at the previous project of looking at Cobalt Strike infections, and we were also looking at exploit kits that were – new exploit kits that were being used in the wild. So, what we found was that there's an exploit kit called "SocGholish," and – I don't make these names...

Dave Bittner: (Laughs)

Jon DiMaggio: ...And, while it itself is not so much brand new as much as it has sort of been updated, and there was an increased presence that we began to see, which is what caught our attention in the first place. It turned out that there was quite a large footprint of infrastructure across the Internet as a whole in comparison to other exploit kits in which we were seeing it. The interesting part of it is it was being delivered as a browser update. So, right then, you know, that was sort of an indicator that this was a larger attack than regular exploit kits. The reason I say that is, you know, a lot of times these will be used just by phishing emails and things like that – it's much more manual. But when you're using it to deliver as a browser update, that's usually indicative that it's attached to a watering hole or a compromised website. As you can imagine, the more you dig and you see things like compromised websites and larger infrastructure to deliver something, you know, you probably have a more advanced attacker, because obviously it takes time and resources to compromise, not just one legitimate website, but many. And that's what we were seeing. So, we didn't know at first it was a ransomware attack, but we did know that it was at least an adversary with a medium level of sophistication that had the ability to compromise legitimate websites, create and package this as a browser update, and then infect victims.

Jon DiMaggio: Where we went from there, we actually started to look into what happened to systems once that malware was executed, once that browser update was executed. And what we found was it was downloading some shellcode, but it was also being used to sort of profile the victim. So, it was collecting the network name, the system names, the user's name that was logged in, and sending it back. And the reason that's relevant is, you know, that is information that can be used to determine who the victim organization is. So, let's say it's a mom-and-pop shop versus being, you know, a major retail chain or a major technology company – that's going to make a difference to an adversary. So seeing that there was a bit of profiling going on, seeing that there were compromised websites involved, and that this was being packaged as a browser update, we knew we had something interesting.

Jon DiMaggio: We didn't know it was ransomware, let alone a brand new ransomware variant that hadn't been seen before. You know, WastedLocker had just been first reported a couple days prior to us figuring out what we had was similar in its binary and its behaviors. And then we validated that it, in fact, was that. The difference is we had a lot of good information now on the lifecycle of this, not just how it was being used to infect, but the actual mechanisms of once they were on a network or a system, what the bad guys did. And I can continue on from there – I want to take a sort of step back to let you ask questions. I know I gave you a lot of information.

Dave Bittner: Yeah, well, before we dig into the details of what exactly happens here, you're pretty confident in your attribution here. This is being attributed to a group that we have heard of before?

Jon DiMaggio: Yes. Yes, it is. So, there's a group called Evil Corp. The name actually comes from the TV show "Mr. Robot." It's the hacking group that in the TV show is used to sort of attack the financial industry and disrupt credit card companies and things of that nature. This was along the same lines, you know, they're attacking major companies and they're stealing large amounts of money or extorting large amounts of money – hence the name sort of stuck. I honestly don't know whether they gave themselves that name or whether it was something that was applied to them.

Jon DiMaggio: But yeah, Evil Corp actually started out as a cybercriminal group that was in the banking malware business. So, they actually used very famous malware known as Dridex. That malware would sit on the victim's computer and it would simply act as a middleman. And it would watch as you used your browser and you went to various websites. When it saw that you browsed to a banking website, however, it would inject itself and it would present what to the user looked like the legitimate website. However, it actually was a fake website that captured your credentials and then sent them back to Evil Corp and they would liquidate your account, take all your money, and move on to the next victim.

Jon DiMaggio: Over time, though, you know, the cybersecurity community began to keep up with that, began to identify these injects before they could even be used in some cases. And they got less and less of an opportunity to actually have success with that. So, knowing that, and being, you know, I'll call them sophisticated hackers, they evolved. That evolution changed to ransomware. Now, it wasn't WastedLocker, however. What they did is, they still leveraged the Dridex malware – that malware, by this time, had been in existence for years and it had a large footprint. It had infected massive amounts of victims. So, they used that as sort of a step into profiling and finding good victims for ransom. And there were components built into Dridex, since it was module-based, that they could use, that were completely separate from any sort of banking compromise. So they would use that to gain privileges, to steal passwords, things of that nature.

Jon DiMaggio: That footprint and that sort of infrastructure, they then applied to what was called BitPaymer ransomware. And that was the initial variant that was being used by these guys for years. BitPaymer became very popular. It was reported by the media. Law enforcement took a big interest in it. And in December of 2019, the United States government issued some – the Department of Justice issued indictments against two members of Evil Corp for that activity involving both Dridex and the BitPaymer ransomware.

Jon DiMaggio: That sort of is likely what led to this kind of change in tactics, change in malware, change in infrastructure. And that's where we saw WastedLocker. So, WastedLocker is not an evolution of BitPaymer, or at least it doesn't appear to be. It appears to be a new instance of ransomware. We're also seeing, you know, this new delivery method – doesn't mean we won't see them still use Dridex, but in this particular campaign, you know, as I mentioned, they're using this new exploit kit and they're using legitimate, compromised infrastructure to deliver it. So, in tandem, it's a whole new attack lifecycle. Brand new ransomware, brand new infection vector. What is similar is some of the tactics when the adversary is actually on the victim network. But besides that, they really spent the time, money, and resources to sort of reinvent themselves. And it does take time, money, and resources. That's not just, you know, something I'm saying. It actually is an operation, and all of that has a cost to it. So, this was important enough for them to retool, and to spend the time and money to do it.

Dave Bittner: Well, let's walk through it together. Can you take us through, step by step, from the very beginning – what happens when these folks get you in their crosshairs?

Jon DiMaggio: Absolutely. So, it starts where the user browses to a compromised website. What we found was most or many of the legitimate websites that were compromised belonged to a US newspaper or a US news organization. Their infrastructure had many different news-related websites, and we believe that the adversary was specifically looking to target US companies and organizations, so a US newspaper and their infrastructure would sort of make sense as a good starting place, anyway, to begin entry into obtaining access to victims.

Jon DiMaggio: So, they compromised these websites, and what they did is they used the exploit kit, to – so that when the user or the potential victim went to the legitimate website, they were then redirected in the background to the adversary-controlled infrastructure, where they actually delivered the exploit kit SocGholish – that payload – onto their systems. So, they're browsing to the website, a little window pops up and says, hey, you need to update your browser in order to continue viewing our website. You know, that happens every day for legitimate purposes, it looks legit, they select "OK," it downloads and infects them. They still don't know they're infected.

Jon DiMaggio: What happens at this point is, like I said, that initial profiling takes place, where information is sent back to the bad guy and they then can choose to continue the operation or to not continue and just let that victim go about their way. If the victim meets their requirements and it is of interest to them. Now, the exploit kit will download PowerShell. PowerShell is – I'm sorry – it uses PowerShell on the victim's system to download Cobalt Strike – I apologize, I misspoke. And that Cobalt Strike is compiled in-memory. It also downloads what's called a .NET injector.

Jon DiMaggio: So, the PowerShell and the .NET injector allow them to inject any payload they want. So, any sort of malicious malware that they want to run, they can now do in-memory of the victim system. Again, it's important to understand that that makes it fileless. Fileless is important because it doesn't touch the disk, which makes it much harder for defenders' antivirus software, endpoint detection, to identify. It doesn't mean it won't get identified, but it makes it harder to identify.

Jon DiMaggio: So, at that point, there are two JavaScripts. So, one we already talked about – that's the update piece where it does the initial infection. And the other piece is a script, basically. And between the two, you have Cobalt Strike compiled and then you have another payload that's placed on the system.

Jon DiMaggio: So, now that the adversary actually has access, at this point, they need to enumerate the network and identify servers. They need to identify all the relevant file systems that they would want to infect with a ransomware payload. So they use legitimate tools that are present in the network. Now, a lot of those are sort of common across the dozen or so larger enterprise ransomware attackers, but there were some interesting aspects that were a little bit different here. So, Cobalt Strike, as I've mentioned before, we see them all the time – that's a tool that's commonly used. But some of the things that stuck out that we saw in this particular attack were that they used a tool called PowerView, which is a legitimate tool that was probably used because it was present in a lot of the victims' systems. And what that would do is it would allow them to do Active Directory enumeration. So, it's a tool that's meant to administrate and to do processes and services via Active Directory – all legitimate, used by administrators – and they used that to sort of further their compromise.

Jon DiMaggio: Another very interesting thing with this that differed from some of their previous attacks is – what we saw before was where they'd actually identify some of the defense software and systems, and they would actually, once they had administrative privileges, they would disable it. And what we saw this time was they took Microsoft's built-in UAC, which is what it uses to give the user access controls, limit what they can do, sort of monitoring and deploying any sort of privileges to a user. So, it's a part of Windows Defender. And what they actually did is they used it to alter privileges, and then they changed Windows Defender to not be disabled, they just changed it to not scan their files. And that, I thought, was interesting. And the reason I think that's interesting is because before they would just disable a service. Let's think about it – if you're a bad guy and you want to do everything you can to not get detected, they've sort of – while it's minor – they've improved their process. An administrator might recognize that a service has been turned off. They're not as likely to recognize that you simply, you know, blocked it from scanning specific files. So, I thought that was interesting that they took these smaller steps to just, again, tweak their attack to make it a little bit more difficult to detect.

Dave Bittner: Yeah.

Jon DiMaggio: All right. So, once they did that now, they knew that they would be able to deploy other tools, run scripts, and more importantly, actually drop and execute ransomware. They used other legitimate tools – they used a thing called the WMIC, which is a Windows Management Instrument Console. So that allows them to actually add users, execute commands, and what was interesting here is WMIC was used to run a tool called ProcDump. ProcDump actually dumped the log files. So, again, log files are used where we could identify them, see that they're on the system, used for forensic evidence, things of that nature – they're deleting those now. That was also something that was a little bit different, that was interesting about this – these extra steps they were taking to delete their tracks or to hide their tracks.

Jon DiMaggio: Adding legitimate users – that's another issue, because now they have a legitimate account on the network that they're using to traverse. It's so much harder to find a bad guy when they have legitimate credentials than it is when they just have a remote shell and are sort of poking around. So, with that legitimate access, using the legitimate tools, setting up defenses to simply not scan their malware, they created the perfect storm to sort of take over that network and encrypt your data.

Jon DiMaggio: At that point, they use a tool called PsExec. Again, this sounds familiar here. It's another legitimate administrative tool. And that tool was used to actually place and copy and drop the ransomware payload onto all the servers and systems that they had identified, that they wanted to execute the malware. Just prior to executing the malware, the last step that they do is, again, using that WMI console, they delete all the shadow volumes. Shadow volumes are used in Windows to sort of restore to a previous state, so you can see where that would be bad for a ransomware adversary if the victim could simply restore to a previous state. So they delete that.

Jon DiMaggio: And then, once all of that is done – the shadow volumes have been deleted, the environment's been staged and prepped, and everything is sort of perfectly set up for the attack – that's when they execute the payload across all of the servers instantaneously and systems instantaneously and present the victim with a ransom note.

Jon DiMaggio: Now, one of the things that's interesting that Evil Corp has not done is – we've seen some other adversaries do – is, you know, threatening to post the victim's data publicly or embarrass the victim. You know, we've not seen them do anything like that, which we have seen other victims do. So, that could be the next evolution that we see, but it hasn't happened yet. Just again, just something I noticed when comparing this attack to other recent attacks. But that's sort of the lifecycle of the attack.

Dave Bittner: Yeah. Are they even making an attempt to exfiltrate any data?

Jon DiMaggio: They're not. No, we have not seen any evidence of that. And that's sort of what I was getting at, is that, you know, we saw other recent ransomware attackers doing that. And I think I've mentioned before, there's only about a dozen or so of these, you know, organized enterprise attackers out there. And there's two or three that we've seen start this trend. And, you know, Evil Corp's one of the most professional and unfortunately successful attackers in the ransomware business. So, it could be that they have sort of a, you know, a doctrine of what they do and when they go in for these attacks, and it works for them and they don't want to deviate from it, and/or they really want to sort of test the boundaries before they change anything they do to ensure that they don't get caught.

Jon DiMaggio: You know, it's important to mention, just because the US indictments were placed against them, that doesn't mean we arrested anyone. So, these guys are still out there. You know, no one was arrested. But what was interesting is this time we only saw US companies attacked. So, you know, who knows if that's by design or just happened to be that that's where these victims were physically present during the attacks. But, you know, it is interesting that the US has indictments and then the next major iteration of their attack lifecycle involves all US companies.

Dave Bittner: Do you have any sense for the amount of time that passes between that initial infection when the victim clicks on that link and when ransomware gets executed?

Jon DiMaggio: Yeah, so there's – it's about three to seven days with this group. You know, one – we've been looking at a lot of groups. And I think the longest that I've seen out of like a dozen or so enterprise attackers is fourteen days. So, keeping that in mind, you know, these guys are – you know, that's a pretty good average in comparison to that. It's about half. So, you know, the shorter amount of time, the smaller window of time that it takes them to execute the payload from their, you know, from the time they gain initial access, that's a smaller window that they can be identified, caught, or prevented from being successful in their attacks. Just as an example, you know, that window of time is what allowed us to identify what was taking place.

Jon DiMaggio: And, you know, these are thirty-one companies, but they're thirty-one, you know, big companies, most of which, you know, the average American has heard of. Eleven of them were publicly traded companies. But all of them were large organizations that, you know, are common names, are commonly known. So, these were big targets. And because we were able to identify it within that window of time, we were able to prevent the success of this. I mean, you're talking at each one of these companies, the ransom is usually in the millions. So, this is a lot of money that they – that we were able to prevent going out the door.

Jon DiMaggio: But the truth is that we were able to prevent it this time – ransomware's a big problem. And especially when you have creative attackers, it is something that's very difficult to defend against and identify. You know, every time we get smarter, you know, the bad guy changes something. So, I don't want to come across as too headstrong or arrogant trying to say that, you know, we're going to stop this, you know, they don't have a chance. We really – defenders really have got to be on their toes and keep sort of reinventing their defensive posture in order to identify adversaries such as this.

Dave Bittner: And the ransomware itself – does it seem to be fairly well constructed, sophisticated, not much hope of coming up with a key to unlock it?

Jon DiMaggio: Yeah, that's the worst part of this, is the encryption itself, because once that payload is executed, to this date, you know, there's not a way to decrypt it without the key. So, it's too late once that happens. Once you are hit and the payload is actually executed, there's not a way to decrypt it without the key. So then you're either at the mercy of paying the ransom or you have to rebuild your systems, and hopefully you have offsite data that you can reinstate, because as I mentioned, they delete a lot of the local backup that you might have for your data.

Dave Bittner: Now, so that other organizations can learn from the success that you all have had here heading this off – what was the key to your ability to be able to detect this and stop it before they actually got to the ransomware phase?

Jon DiMaggio: So, it was a combination. It was a little bit of, you know, the sort of proactive threat hunting. So we know Cobalt Strike is a tool – we went and looked at the big ransomware – enterprise ransomware groups. And we looked at tools that are used by all of them, sort of across the whole threat landscape. And there's several things that they use. It's difficult for us as a defender to go in and identify all of the legitimate tools that are being used. It's a little bit – it's not impossible, but it is a little bit more difficult. It is easier, you know, to identify some of the rarer penetration testing tools that are still used for legitimate purposes, but aren't as prevalent on networks. So, Cobalt Strike being one of those, was something that we just started looking at all Cobalt Strike activity. Again, there's a lot of legitimate activity, so it's not the easiest task. But by looking at that, that sort of led us to the SocGholish framework, which I've kind of already explained that story, how we pivoted from this.

Jon DiMaggio: But, what you could do – again, that's my view, our view, where we're looking at many organizations. It's a little bit different if you're an organization protecting yourself, because you can use, I mean, there's obviously – there's security vendors like Symantec where we help our customers and we do proactive threat hunting. But we're doing it for a lot of companies. So, what companies really need to do is, with their own – everybody usually has their own internal people as well for security, and they really have to look at, you know, those legitimate administrative tools and see how they're being used. That's really what it's going to take in order to identify this.

Jon DiMaggio: And there's software. You know, there's targeted attack analytics and different tools that you can use that sort of monitors legitimate tools and, you know, takes logs and can present them to defenders to sort of audit and to look through, especially if something's suspicious or it's used at a weird time, or it's using it to drop a file that has a low prevalence, meaning it's not normally seen on your network. All of those things that are not malicious, but they're things that you can dive into and identify and research, and that would allow you to see this activity. And that's usually how we identify it, to be honest.

Dave Bittner: So, I mean, is it fair to say that the – I guess the leading edge of the type of work that you all are doing and the folks who do the types of things that you're doing is – it's more about looking for behaviors than actual stuff, than looking for files, you know, a particular file that's written to a hard drive.

Jon DiMaggio: Yeah, it's – so you can't – you no longer can just look for the malicious file that's going to set off, you know, an alert or fire on a signature, because the only – really, there were only two malicious files here used, and one was the initial exploit framework, and then the next was the actual ransomware payload. But there's about, you know, a dozen or so tools that were used for malicious purposes in between, and they were all legitimate. They were all tools that would be used that were already present in the network, or were present on the Internet and could be downloaded by anyone and also used for legitimate purposes. So, it really does take looking at how those tools are being used, not just looking for a malicious tool, if that makes sense.

Dave Bittner: Yeah, it does. So, in terms of take-homes and recommendations, what do you have to say there? What's the best approach for folks to protect themselves against this sort of thing?

Jon DiMaggio: Yeah, a couple of things. One, you know, ensuring that privileges are really broken out by each administrative need, and that there's no one role within your network that has sort of the keys to the kingdom.

Jon DiMaggio: Another is to monitor and heavily audit any newly created accounts on your network. While not all adversaries do this, you know, Evil Corp is one of the ones that do, you know, create their own users. So that's another opportunity. And that one's an easier one to flag and to identify.

Jon DiMaggio: And then the third is to only allow your administrative tools, many of which are present by default when Windows is installed, but to remove them and/or lock those down so that they cannot be used or accessed by anyone but your administrators. And at that point, you have a much smaller pocket of legitimate administrator activity, and you can audit that. You can monitor that easier and you can hopefully identify things that just don't look right.

Jon DiMaggio: And the last piece of it is, you know, there are systems and software and defensive components out there that do help with the legitimate tools monitoring them. All of it's a little bit difficult because none of it's directly malicious. But a combination of those sort of three or four things I just said – many of which just take time, not necessarily money – are all things that you could do that would really decrease the opportunity for an adversary to be successful at this, especially because they have to spend so much time on your network. They're spending at least a week in most cases, you know, three to seven days. Three days – that's sort of the quickest. But there's a window of time where you can identify this, but you have to look at the legitimate activity, not just the malicious stuff.

Dave Bittner: Our thanks to Symantec's Jon DiMaggio for joining us. The research is titled, "Sodinokibi: Ransomware Attackers Also Scanning for PoS Software Leveraging Cobalt Strike." We'll have a link in the show notes.

Dave Bittner: Our thanks to Reservoir Labs for sponsoring this week's Research Saturday. Don't forget, you can learn all about them at

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team working from home is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.