Research Saturday 9.12.20
Ep 151 | 9.12.20

Leveraging legitimate tools.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Jon DiMaggio: So, we were actually not looking at ransomware. We were looking at a tool that's being misused by a lot of bad guys these days called "Cobalt Strike."

Dave Bittner: That's Jon DiMaggio. He's a Senior Threat Intelligence Analyst at Symantec, a Broadcom company. The research we're discussing today is titled, "Sodinokibi: Ransomware Attackers Also Scanning for PoS Software, Leveraging Cobalt Strike."

Jon DiMaggio: So, Cobalt Strike is a legitimate pentesting tool. It's used essentially to test an organization's security posture so they can decide if they need to make changes to their defenses and how to best protect.

Jon DiMaggio: Well, what we found was a lot of ransomware attackers – enterprise ransomware attackers specifically – were leveraging that and using it to get the initial foothold on organizations before they deploy ransomware. So, by looking at these sort of rogue deployments of this Cobalt Strike tool, what we found is – when we started to look, we found, oh, this looks kind of interesting. And we started to pull some threads and we started to see, OK, well, they're using this Cobalt Strike tool, and now they're moving and they're using a lot of the legitimate tools within the network, and they're dropping specific files, looking to turn off certain services. And long story short, it really built out a profile that was very familiar to us.

Jon DiMaggio: At that point, we believed it was one of the enterprise ransomware attack groups that we had been following or tracking, and just sort of profiling and looking at those behaviors, along with sort of the tools that they were using, we were able to identify that this was a much larger-scale attack. It took a little bit, but once we – eventually, we were able to find the payload, the ransomware payload. And that really is the biggest differentiator between, you know, the handful of enterprise ransomware groups that are out there – they really do follow almost the exact same steps when they're in networks. They're very, very similar these days. Get in, use legitimate tools, go unnoticed, try to blend in with administrative traffic. And it's not until they drop their payload that they give us something unique, usually, to identify them.

Jon DiMaggio: So we try to profile these groups. We try to build a digital fingerprint of them, per se, based off of the tools – even legitimate ones – that they use, the order that they use them in, any behaviors that we see, as well as their malware. The thing about it is these enterprise ransomware groups, you know, they're human beings behind the keyboard, and they all spend time in the environment prior to actually engaging the ransom piece. That's the last thing that they do.

Jon DiMaggio: There's a number of things, though, that were unique to this group that really made them stand out from other groups. But in essence, it's not till you see that ransom payload at the end that you can really know who it is, but there are some good giveaways that give you a clue that this is an enterprise ransomware attacker. And obviously, that's the biggest concern to a lot of organizations these days, is ransomware. So, it just set off a lot of alarms for us, and we started alerting customers and were able to prevent some of these attacks.

Jon DiMaggio: One of the big things that differentiates this group, however – there's sort of a minor and a major point that are very different. So, minor point, which was very interesting, was they were looking at point-of-sale devices and software in organizations. That's a little bit different than what we're used to seeing.

Jon DiMaggio: But the other thing that's really unique – there's a couple of groups doing this, but not many, and the Sodinokibi group is one of them. They're actually not just encrypting and holding your data – if you don't pay, they're threatening to post that publicly on sites like Pastebin and other publicly available infrastructure to embarrass the organization, to hurt their customers, hurt their credibility, in order to force them to pay. So it's not – they don't really care how they get an organization to pay. Maybe they don't hit the ransom that they want, but they're going to do what they can, whether it's taking advantage of your point-of-sale software, whether it's posting and/or selling your data, or – and if you don't do any, they're just going to embarrass you. So that makes them, in my mind, a little bit more dangerous. It's sort of like enterprise ransomware 2.0. You know, we're seeing this change and, you know, there's a couple of groups doing it, but it wouldn't surprise me if we see that trend increasing over the next year.

Dave Bittner: Well, let's walk through some of the details together. Why don't we start with Cobalt Strike? Can you give us a description of exactly what is that capable of doing and how do they implement that to get what they're after here?

Jon DiMaggio: Sure. So, as I mentioned, it's a legitimate tool. It's used for legitimate testing. But what it does is it allows the – let's just go from the perspective of how the bad guy uses it. It allows the bad guy to load shellcode on the machines. Once they do that, they actually can load it into memory and then they can compile – like, old-school compile manually – the shellcode. And that's what they're doing. They're using PowerShell, which is already in the environment and comes on most Windows systems. They're using that to download – to run PowerShell scripts in-memory of the victim's system. So it's not even – it's fileless – it's not even on the system. So it makes it much harder to detect, is the reason I'm pointing that out. And it downloads it, they compile it, and once they compile that code, now they actually have Cobalt Strike.

Jon DiMaggio: And that can be used for quite a number of purposes. Everything from creating a reverse shell so that the attacker can now log in and access the network themselves – you know, human-on-keyboard access – or it can be used to upload and download other binaries so they can download other malware if they want. And that's one of the main ways that we see where often they do obtain the ransomware payload. They can download other tools. However, I gotta say, we usually – or with this group anyway, the main thing that we see is they try to use the tools that are in the environment first. And that's actually really smart on their behalf, because it makes it harder to detect when they blend in with your legitimate traffic. The one key to that, though, is if an organization has their security controls and their access sort of locked down and who has certain permissions locked down, only administrators should have those tools. So, in essence, you wouldn't have to look at every machine or every user account on your infrastructure in order to monitor that, but you would have to look at your administrators and see what they're doing, because that's the tools these guys are using.

Jon DiMaggio: If they can't leverage those tools, then they download other things. So we might see them down, like, Mimikatz, for example, which is a tool that's also publicly available, free, and used by pentesters. So they'll download that to obtain the credentials of systems in the environment to increase their privileges. But one thing about that, you know, what we used to see is bad guys would have their own custom malware. And the advantage to that would be, you know, it would be something we haven't seen, it might have a better chance of getting past defenders or security software that catches this stuff because it's something that's brand new and never been seen before. However, what they've learned over time is the industry has gotten better at detecting those things just through the behavior of it, whether it's a new binary or not. They've realized that they can use the legitimate tools, and when they can't like in the example I just gave with Mimikatz, the benefit of that is even if we catch you, anyone can download and use it. So it makes the attribution and using it for evidence and pointing a finger at someone much harder, because anyone in the world could download it and use it, even though it's being used maliciously. So it makes it hard for attribution and it benefits the adversary.

Dave Bittner: Now, one thing you noted here in your research is the initial exploitation usually comes through brute-forcing, taking advantage of Remote Desktop Protocol?

Jon DiMaggio: Yeah. So that's a big one, that essentially they scan for systems that have that port open, and if that port's open, then they use, again, publicly available tools can be used to sort of brute-force and try to obtain the correct password or brute-forcing the characters and words until they actually get one that works. Also, it depends – there's two ways that they use that. Sometimes they'll use it on publicly facing infrastructure. So that means prior to having access, they'll do this. And it's really bad when organizations have that open on their external infrastructure, but, you know, with business needs today, sometimes shortcuts are taken, or it's just a necessity where an organization is willing to take that risk. Well, these bad guys are looking for that, and that's one of the things they exploit.

Jon DiMaggio: But one of the other ways that they use it – and this is also unique – is they have another method. Let's say they use spearphishing or let's say they find some other vulnerability on your public-facing infrastructure to get in. Once they're in, they'll scan your internal network, because a lot of organizations feel safe on the inside using that – it makes administrating components easier, server administration services, everything else – and they feel safe because it's on their internal network. Well, once the bad guy has access, it's – again, it's very easy to exploit and that's why they do that. So, whether it's on the outside, which is worse, or the inside, it still allows adversaries to use that as a mechanism to gain a further foothold and increase their privileges and escalate their ability to hurt the organization, or to plant malware or ransomware, or to steal your data, or whatever it might be.

Dave Bittner: And these folks seem to be really targeting specific organizations. They're trying to maximize the possibility for payback here.

Jon DiMaggio: They are. So, one of the things that they do is they really assess their victims. And what I mean by that is they want them to pay the ransom, obviously, so they try to assess what is an amount that we think this organization can pay where it's not going to be unreasonable, it's not going to hurt them financially, publicly, but it's something that'll be easy enough for them to pay and worth our time to do the attack for the bad guys' return on value. Because like I said, they're spending time. We're seeing anywhere from three to seven days where they're on the network prior to actually executing the ransom piece of this. So they're – you know, by doing that, they're there for a while, they're investing their time. And they look at, like, how many servers they have, how many domain controllers they have, what types of servers are they? Are they file servers? Are they running services? Are those services for their internal or for the external?

Jon DiMaggio: So what I'm getting at, and the reason I'm pointing that out, is they literally do an assessment of the victim. The more infrastructure, the more services, the more resources that they have, as well as publicly available information on, you know, their profit margins, things like that – all those sort of things they take into consideration when they – or it appears they take that into consideration. Because you'll see, from one victim to the next, there's differences in the ransom they ask, and it really appears to be they're actually assessing and they want to give an amount that you'll actually pay.

Dave Bittner: Now, once they decide to pull the trigger and activate the ransomware, what happens next?

Jon DiMaggio: So, at that point, just being direct here, you're in a lot of trouble at that point. The time to act is when they're on your network for those three to seven days to stop it. Once that happens, at this point in time, the encryption that they're using is not something we can defeat. We, not just – I don't mean my company, I mean anyone. It's – you're not able to decrypt it without that key. So if you don't get that key, you'll never get access to that data again. You're going to have to rebuild. Hopefully you have offsite backups or whatever your backup plan is. But your actual systems – that data is encrypted. They actually go in and delete any local backups or any backup servers that they can identify, so you really need to have a complete separate network with your backup data. But they go in and delete that, they make sure that you're going to be in trouble.

Jon DiMaggio: So once that encryption process takes place – I mean, that's really all it is. They're just encrypting data. And I say "just," because that's – we use that every day in the world for legitimate purposes. They're just encrypting it, and they're using an encryption algorithm that at this point in time hasn't been broken, so that they really have the ability to force you to pay or spend a lot more money having to rebuild your network infrastructure.

Jon DiMaggio: And like I mentioned, these guys take it a step further. In addition to that, they're going to embarrass you publicly and try to hurt you and your public image by posting your and/or your customers' data. They literally will try to pressure customers to call and be upset with the organization. You know, they'll actually post stuff on forums like, "Here's data," and they'll post a message, you know, Company X was warned, they refused to pay, and now your data is not secure – things of that nature. So they really put a lot of effort to hurt you if you don't pay. And that's why I said it's kind of ransomware 2.0. It's scary how they're evolving the things that they're doing. Because it's one thing to lose access to your data, but then it's another to have to deal with the public relations aspect, especially if you're a publicly traded company. So it's definitely a scary world with these types of attack groups.

Dave Bittner: What sort of insights do you have on the exfiltration part of it? I'm curious – one thing I wonder about is are they encrypting first and then exfiltrating that encrypted data, or are they sending the data in the clear? Do you have any insight into that?

Jon DiMaggio: Yeah, no, they're encrypting the data. Now you got to remember they have the key...

Dave Bittner: Right. Right.

Jon DiMaggio: ...So it's very easy. And by encrypting it, when it's going out the door, it blends in with other encrypted data and communications and protocols that you, a defender, would naturally see. So not only does it blend in, but it also isn't going to set off any alarms or whistles or anything like that because it's encrypted. So, you know, they've already owned the network. By the time – that's what I was saying – by the time the encryption takes place, they have gained – they now have legitimate accounts with legitimate administrative permissions, and they're coming and going, they've got remote access, they're coming and going into your network, and yes, they're stealing that encrypted data. They have it, they unencrypt it on the back end, they look through it, they find what they consider the high-value data, and that's what they use to embarrass. And they don't just post it all. They threaten, hey, you're going to pay us. If you don't, we're going to do X. And then they'll give you a sample and they'll post just a little bit. Not enough to hurt you too much, but just enough to show that they're for real, that they're serious. And then if you still don't pay, then they do a lot more damage by releasing that information.

Jon DiMaggio: But yeah, they try to give the opportunity that their goal doesn't appear to be to embarrass. It's not a revenge thing. They don't want – I don't think they actually want to post the users' data. They just want them to pay, period. They pay, they don't post the data. But if they refuse to pay, then yeah, then they go all in and try and hurt the organization as much as they can.

Dave Bittner: And what's their track record? Do you know, if people do pay, do they get their data back?

Jon DiMaggio: So, this group is not, um – let me answer that from the aspect of, so, there's not a ton of enterprise ransomware attackers out there. There's a bazillion elements of ransomware, but the actual organized, enterprise ransomware attackers, there's maybe a dozen of them. And that's really not a lot when you think about, you know, from a global perspective. So, when – most of these guys, when you pay, they know it's going to be a very public event that you've been attacked and that you're being held ransom. So the track record for most of the enterprise groups is they do actually provide you the key after you pay. And the reason they do that is, again, this is their job. It's almost a business. They're not just regular criminals. I mean, this is what they get up and do every day. They're professionals. You know, they're not run-of-the-mill criminals. They just want the money. It's not personal. It's not revenge. They want the money. So, they want to make sure that the next victim pays, too. So, yes, they – usually, the track record for enterprise attacks is to provide that key if the victim pays.

Dave Bittner: So, what are your recommendations here? I mean, at what points along this attack path do folks have an opportunity to stop it?

Jon DiMaggio: So that's really, I think, the best-kept secret about all this that I think really needs to be discussed more. One of the things we're looking at right now as a project that I'm working is we're going through all these enterprise ransomware attacks over the last year and we're looking at the – what we call "dwell time," the time on network between initial access and when they execute the ransom. And I can tell you that most of these groups, it's less than seven days. This particular group was three to ten. But most of them, the average is less than seven. So it's right around a week they're on your network. During that time – every day they increase their foothold – but during that time, that is when you have the opportunity to stop them. That is when you have the opportunity to detect, deter, and get them off of your network and resources.

Jon DiMaggio: The thing is, we, as a culture in the industry, we're just very reactive. So, the defenders, it's just the mentality – and it's slowly changing – but the mentality is to be reactive. And this requires a very proactive hunting aspect to your defenses. And what I mean by that is you're not going to find them if you're just looking for something to be flagged as malicious. You have to look at the legitimate tools, administration tools, and how they're being used on your network. You know, we talk about – this is going to be really basic – but separation of privileges, not allowing anybody to have all the keys to the kingdom. If you really segregate the tools that are in your environment that are legitimate administrative tools to only be on systems and available to legitimate administrators. Well, now you're talking maybe ten, fifteen percent of your daily activity that you have to monitor. So if you were to just do a random audit of that, let's say you look at ten percent of that activity every day, just doing that, you're going to dramatically increase your chances of identifying things like this.

Jon DiMaggio: But that window of time – when they're on your network, when they're using legitimate tools and publicly available tools or any sort of pentesting tool that's being used – that is when you need to prevent this. That's the window of opportunity. Once the execution of the ransomware happens, to be honest with you, it's too late. You're really in the control of those attackers at that point.

Dave Bittner: So, is my understanding correct here then, that, you know, rather than looking for, you know, a piece of malware, a piece of code – because as you say, they're living off the land, they're using tools that would normally be installed that wouldn't draw attention to themselves – that what you really need to be looking for are particular behaviors, particular activities that might be out of the ordinary.

Jon DiMaggio: Exactly. So, things like they use a legitimate tool – and this isn't just this group. I'm going to give you some examples that are common across many of these dozen or so enterprise ransomware attackers. One of the big things that they use, PowerShell and a tool called PsExec. Both are used for administrative purposes. PowerShell is extremely powerful, no pun intended...

Dave Bittner: (Laughs)

Jon DiMaggio: ...And it allows them to, you know, to run these scripts. And they can even set schedules to run them to do different various tasks. But what they do then with the PsExec tool is that's what they actually use to drop and to spread everything from ransomware to other tools and components. They also use what's called BAT files, which is just a – basically it's almost like a text file with a stream of commands that you run on the system and they'll use this tool to deploy that. But things like that you can flag. Like, that's probably – well, yes, that could be flagged as typical. But looking at that and looking at these files, if you would actually just open that file, these BAT files, in a text editor, you'd see that they were searching and trying to identify security tools and firewalls or whatever it might be, things of that nature. There's usually a list – and this is, again, common with all these groups. There'll be a list of specific things that they're looking for that are shared that we sort of see used a lot. So that's not really something your regular administrator's going to be doing.

Jon DiMaggio: So watching this tool used to drop these files, just taking a look and seeing what they're doing, again, just auditing the legitimate stuff. It sounds difficult, but that is the mindset that we have to get if we're going to start catching these guys. It's not necessarily spending a bazillion dollars on security tools and everything else. I'm not saying that you don't have to have a strong security budget and security posture, but what I am saying is, even with that, that's not what's going to catch these guys. You have to have a human being going and looking at the legitimate traffic. There's tools and software to help with that as well. But you can't just wait for a red alarm to go off, to say, hey, there's malware on your network, because that's not what they're using. You got to look at the legitimate activity as well.

Dave Bittner: You know, I know, John, you and your team spend a lot of time looking at this sort of ransomware, but also many of the other flavors, and indeed, you know, different variants of malware. I mean, is this the shape of things to come? Should we expect to see more of this? Is this the direction that – this professionalization of this – is this where you sense things might be headed?

Jon DiMaggio: Yes and no. So, it's definitely where we're headed, but it's not just the everyday criminal that can pull this off. And what I mean by that is it takes multiple people, it takes a lot of coordination, and it takes a lot of discipline to not make mistakes. So, it's – that's why I said that they're professionals. What they do at certain times, the tools that they use, not using regular malware, spending the time on the network learning it, going undetected. It's sort of a discipline that these attackers use. And again, it's very organized, in the profiling, the figuring out who to ask for the ransom and who not to, and how much, figuring all those little details out. But the piece – why I said that, you know, it's the way we're going, but it's not as easy where you're going to see it blow up to where it's every average criminal is going to do this, because it is actually a difficult operation to execute, and it does take a lot of time and work. If you're someone who has a regular day job, you're not going to have time to spend seven to ten days, every day, going into someone's network to try to identify this activity. So, this is all these guys do. They're professional. They know the tools. They know their environment. It's not the first time they're using them when they go in. They're well-rehearsed. And they really seem to know what they're doing.

Jon DiMaggio: Now, one way, though, that you could – unfortunately we're not doing this – but one way that would really deter this is if everybody just stopped paying. If they knew that it was less likely that an organization would pay, you wouldn't have all this happening. You wouldn't have new groups popping up. You wouldn't have them spending the time and resources to come up with new infrastructure and new creative ways to own an organization. But most pay, unfortunately. It's always recommended not to for that very reason, because if everybody stopped paying, this just wouldn't be as lucrative and these guys would go find something new to do.

Jon DiMaggio: If you recall, you know, there's other groups out there that have sort of evolved, like there's the Evil Corp group sort of evolved. They used to be in the banking Trojan business, and now they're an enterprise ransomware attacker. So, they transitioned. They do what they can to get the money. That's really what it's about, is the money, as I mentioned several times. And I do that because with a lot of attackers, it'll be personal. They'll want to hurt an organization or whatever it is, or they'll have some sort of a hacktivist reason where they have a cause and they want to cause embarrassment. That's not what these guys are doing. It's all professional. It's all about the money.

Dave Bittner: Our thanks to Symantec's Jon DiMaggio for joining us. The research is titled, "Sodinokibi: Ransomware Attackers Also Scanning for PoS Software, Leveraging Cobalt Strike." We'll have a link in the show notes. 

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.