Research Saturday 12.4.21
Ep 211 | 12.4.21

Getting in and getting out with SnapMC.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Christo Butcher: So, it started around the summer of this year where we, you know, started seeing clearly related incident response cases and SOC sightings, and compared to a lot of what we were seeing, these were very rapid in-and-out style attacks, often done, you know, within half an hour less time than it takes to have a pizza delivery.

Dave Bittner: That's Christo Butcher from the NCC Group Research and Intelligence Fusion Team. The research we're discussing today is titled, "SnapMC: Extortion Without Ransomware."

Dave Bittner: Well, I want to dig into that element of it, but before we do, let's just go over some of the basics here. Can you give us a little overview of who this group that you all are calling "SnapMC" may be, and how they go about doing the things they do?

Christo Butcher: Sure. Great question. So, we have not been able to link this cluster of activity with any other known actors. That's why we came up with a new name, you know, and want to share this with the community to hear about others' experiences and, you know, help the rest protect themselves. The sort of M.O. – the way of working, as far as we've seen, is different than we usually see, where – and that's also, you know, where the name comes from, that focus on speed instead of focus on impact. The approach we saw here was that the actor was actually choosing to simplify the attacks be, you know, get in and get out again with the stolen data much more quickly, thereby not taking some of the opportunities to explore further or move laterally, et cetera. That was different from most of the attacks we see, where the attacker, you know, tries to do as much damage, get get as far into the network as possible.

Dave Bittner: Well, let's walk through it together here. How does someone find themselves falling victim to SnapMC?

Christo Butcher: So, the incidents we've seen so far were based on, you know, known vulnerabilities. So, not very advanced initial access techniques, but basically abusing known vulnerability in software, Telerik UI, or SQL injection. So basically fairly standard stuff. And you know, again, that focus on speed – the attacker would get into one of these systems through one of those vulnerabilities or misconfigurations, look around what he could get at quickly, what kind of data was available, exfiltrate that, and then, you know, leave it at that. So very little attempt at lateral movement or privilege escalation or even persistence. Very much focused on, here's a vulnerable system, getting in, seeing what's easy to get, and then leaving again.

Dave Bittner: Do you have any sense for what that makes available to them? I mean, using the methods that they use, what sort of data is there for the picking?

Christo Butcher: You know, a lot of their focus was on web-based systems, web apps, and the databases behind there. So, you know, it depends totally on the victim, of course, what's in there, but often it does include lots of sensitive customer data or personal data of people using the service there, and that does give the attacker access to that kind of sensitive information. Not the strongest lever for extortion, but it is the kind of information which would force the victim to go into the notification process of a data breach.

Dave Bittner: Now you mentioned that it didn't seem to be a focus of theirs for privilege escalation, but you – according to your research here, there were some instances of that.

Christo Butcher: Some, and each incident was slightly different. So, you know, there were very clear signs that this was a manual looking-around. There was actually somebody seeing what there could be had, what kind of data was available. But again, compared to the traditional ransomware-type breaches, which would use more advanced tools, this would remain fairly limited.

Dave Bittner: Well, let's talk about the actual collection and exfiltration, then. What sort of processes are they using to actually gather up the data and get it out of the system?

Christo Butcher: So, in the different incidents we saw, they'd look for fairly easy data to get access to. So, in the SQL injection case, I believe they actually never left sort of the SQL protocol. So they actually, through the SQL injection, just tried to pull out all of the data out of the database. There might have been chances there for, you know, further penetration, getting persistence on the machine, et cetera, moving from there – it looked like they didn't even try to do that. They really kept it at what was easy to access.

Christo Butcher: Same with the other vulnerabilities. Once on that first system, they'd have, you know, a look around, collect some data. And the most telling sign was their use of MinIO, a cloud object storage, which let them fairly quickly exfiltrate large amounts of data. That was one of the main telltale signs we saw in all the incidents where they actually use the Telerik UI vulnerability and gain access to that first machine.

Dave Bittner: Yeah, it really does seem like kind of the – I don't know – an online version of kind of a smash-and-grab burglary, you know where you're just breaking a window and grabbing everything in the display there as quickly as possible.

Christo Butcher: One-hundred percent. That is very much how we interpret these attacks. Which, on the one hand, that makes them fairly simple and straightforward. There's not much use of advanced tooling or techniques here. But at the same time, that speed actually is one of the big challenges here to be able to respond quickly enough to stop sensitive data from being exfiltrated. That's the big challenge here. Where in, you know, traditional ransomware, traditional attacks, there would be more time from the attacker coming in to when they would actually start exfiltrating data or encrypting files or doing actual damage, which gives the defenders, you know, a window of opportunity to detect and to respond to stop the attack. Here, you know, under half an hour, that really forces the defenders to act fast.

Dave Bittner: One of the interesting things that your research points out is that there is no shortage of extortion emails being sent out there, but a lot of times it's an empty threat. And in this case, the SnapMC group, they are actually going out there and grabbing stuff. What sort of follow-up do they have to the victims to demonstrate that they've actually grabbed some data?

Christo Butcher: Right, right. So, that extortion process is interesting because, just like in the attack itself, it's aimed at speed, where the emails would ask the victim to get in touch within twenty-four hours and then give them three days, seventy-two hours, after that to respond. And, you know, that's a relatively short time frame compared to some of the other extortion negotiations we've seen. And even within that time frame, we'd see the actor actively increasing the pressure, threatening to release the data early. And, you know, during that whole process, the actor would have evidence, file listings, et cetera, showing that they actually had been present had been able to get their hands on that data. In some cases, we've also seen the actor on fora, dark web fora. So we do believe that this actor is actually, you know, able to go through and intends to go through with either selling the data or publishing it.

Dave Bittner: Do you have any insights on on what the ask is – you know, dollar amounts – are they are they looking for here?

Christo Butcher: We've seen amounts in the order of $50,000 to a little over $100,000.

Dave Bittner: Hmm, that's interesting. I mean, in itself, you know, it's – I mean, that's certainly not a small amount of money, but we see ransomware asks, you know, in the multi-millions. So again, it's the speed of the operation, maybe not trying to inflict too much pain, but get their payment and be on with it.

Christo Butcher: Exactly. It seems to be in that range of not huge amounts, which, you know, might be more difficult for the victim to pay. At the same time, we also don't think this actor, you know, like traditional ransomware actors, this actor doesn't seem to take the time to get to know their victims very well. So, our impression is that the actor doesn't have as much information. What is the exact financial situation of their victim? So the damage they do is lower, the information they have is slightly less. So we think that's why they aim for these amounts.

Dave Bittner: Well, let's talk about potential mitigations here. What are your recommendations?

Christo Butcher: Yes, great question. Because, you know, in the end, I think the main lesson is that from a purely TTP point of view, this actor is not very special. The types of attacks, the tools, the techniques are fairly standard. But the speed actually makes it quite a challenge. So, you know, at NCC Group, when we talk to clients, we find that a holistic approach works well. Thinking about the prevention, detection, the response. And of those three preventions, probably the most straightforward and normal one, this actor used known vulnerabilities, so basic security hygiene is very important here. Keeping software up to date, good patch management, hardening the attack surface, regular pentests, et cetera. They're the basics. This actor is just showing, if you don't have that up to scratch, then within no time you might be paying the price.

Now, the detection side, again, the detection in and of itself, because these are known vulnerabilities – they're not that difficult to detect. But the speed required to respond means that you actually have to take good care of that detection pipeline so that the people and processes aren't flooded by, say, a big backlog of false positives slowing down the response time here. It's very important to be able to, you know, bubble up these incidents as relevant, very urgent, so that on the response side, you're in time to do something about it.

Christo Butcher: And given response, automation, of course, can help, but the people and the processes are really the bedrock. And practicing these kinds of incidents we feel is a very important part. You know, it's OK to have the best tools, but if you're not able to, you know, jump right on the incident, fix it really quickly, be able to make the right decisions quickly – that'll slow you down. And you know, half an hour really is not much time. So practicing these processes, looking at what your IT landscape looks like, figuring out what possible attack vectors would be, and then going through the movements to make sure that everybody's lined up to act quickly.

Christo Butcher: And to be able to do all of that, to be able to do those practice rounds, prepare your prevention detection response, of course, it's very important to know these threats, understand the urgency. And you know, in this case, the Telerik UI or the SQL injection was used, but we expect that this actor, you know, will basically choose whatever gives him good victims. So next time might be something totally different. Having that good threat intelligence so that you can prepare yourself is very important here.

Dave Bittner: Yeah. It really strikes me that this is an actor who has been very deliberate in making their living by going after that low-hanging fruit.

Christo Butcher: Exactly low-hanging fruit, I think is the right expression here. Yes.

Dave Bittner: Our thanks to Christo Butcher from the NCC Group Research and Intelligence Fusion Team. The research is titled, "SnapMC: Extortion Without Ransomware." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies are amazing. CyberWire team is Elliott Peltzman Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.