“The specific ransomware payload at the end of each attack chain was almost solely a stylistic choice”
Morally bankrupt hackers have been hiding in compromised networks for months waiting for the right moment to initiate ransomware attacks, and given the activation of a host of ransomware deployments in the first two weeks of April, a pandemic is clearly that commercial opportunity.
An uptick in attacks at the beginning of April was recorded by the Microsoft Threat Protection Intelligence Team and reported this week, in a comprehensive blog that also names the top five vulnerabilities the team saw exploited by cyber criminals to gain an initial network foothold.
(Two “indigenous” Microsoft vulnerabilities are among them).
In the incidents MSFT tracked, threat actors spent months obtaining access to systems and maintaining a persistent threat on networks.
Over the past month they have deployed ransomware to the detriment of aid organisations, government institutions, and manufacturing and education software providers, the company reported. Microsoft’s security data shows that the initial compromise of these systems happened months ago, indicating that cyber criminals were biding their time, waiting for the right moment to monetise the compromise; Microsoft notes that this is “in stark contrast to attacks that deliver ransomware via email—
Microsoft security notes that: “Many of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker’s choice.”
“On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt.”
Hidden Network Hackers
The breaches and attacks occurring are part of human-operated campaigns that require a certain degree of involvement from the hacker, who conducts spear-phishing campaigns and targets vulnerable internet-facing systems.
The most common weaknesses exploited in internet-facing systems tend to be Remote Desktop Protocol (RDP) or Virtual Desktop endpoints that have not been secured with multi-factor authentication. In a similar vein, misconfigured web and management servers are prime causes of breaches.
There are an overwhelming number of CVEs for security teams to watch out for these days, but Microsoft security has highlighted five known vulnerabilities that are behind many initial exploitations:
- Citrix ADC systems affected by CVE-2019-19781
- Pulse Secure VPN systems affected by CVE-2019-11510
- Microsoft SharePoint servers affected by CVE-2019-0604
- Microsoft Exchange servers affected by CVE-2020-0688
- Zoho ManageEngine systems affected by CVE-2020-10189
The ransomware group REvil (also known as Sodinokibi) is thought to be the first to have exploited the Pulse Secure VPN network-device vulnerability, using it to obtain credentials and escalate their network access. This threat group has been targeting MSPs on a regular basis and, during the pandemic, they haven’t taken their foot off the pedal.
Microsoft security notes that: “They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments.
“REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.”
While each of the detected campaigns and threat groups uses different ransomware payloads and breaching techniques, the overall attack pattern is a common one. First they gain initial access, then they steal higher-privileged credentials. Once an appropriate level of access is obtained, they hang out on the network until the time is right to strike.
Interestingly, Microsoft notes that: “The specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.”
Unfortunately, once ransomware is deployed or data is stolen it is pretty much too late to avoid serious damage to systems or reputation. Your best bet is to root out attackers at the earliest stages of compromise by prioritising robust investigation schedules and continuous checks of systems for abnormalities.
Microsoft’s security team have highlighted a few malicious behaviours that IT teams should keep an eye out for, including:
> Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities.
> Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials.
> Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data.
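As an added example of turning two of the behaviours above into a concrete check (this is not code from the article or from Microsoft): it reads constructed Sysmon and Windows Security events as JSON lines and flags non-allowlisted LSASS access and event-log clearing. The channel names, field names and the allowlist of legitimate LSASS clients are assumptions for the example.

```python
# Added example, not from the article or from Microsoft: a minimal triage pass over
# constructed Windows/Sysmon event records that flags two behaviours the article
# lists: suspicious LSASS access and clearing of the security event log.
import json

# Processes expected to open LSASS legitimately (assumption for this example; tune
# to your own EDR/backup agents). Stored lowercase for case-insensitive matching.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

def classify(event):
    """Return a finding label for one event dict, or None if nothing stands out."""
    ch, eid = event.get("channel"), event.get("event_id")
    # Sysmon Event ID 10 (ProcessAccess): a process opened a handle to the target.
    if ch == "Microsoft-Windows-Sysmon/Operational" and eid == 10:
        source = event.get("SourceImage", "").lower()
        if (event.get("TargetImage", "").lower().endswith(r"\lsass.exe")
                and source not in LSASS_ACCESS_ALLOWLIST):
            return "credential-theft: non-allowlisted process accessed LSASS (%s)" % source
    # Security 1102 / System 104: an event log was cleared. Rare in normal operation.
    if (ch, eid) in {("Security", 1102), ("System", 104)}:
        return "defence-evasion: event log cleared by %s" % event.get("SubjectUserName", "?")
    return None

def triage(lines):
    """Parse newline-delimited JSON events; return [(computer, label), ...]."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        label = classify(ev)
        if label:
            findings.append((ev.get("computer", "?"), label))
    return findings

# Constructed sample events (not real telemetry); raw string so JSON keeps the backslashes.
SAMPLE = r"""
{"computer":"WS01","channel":"Microsoft-Windows-Sysmon/Operational","event_id":10,"SourceImage":"C:\\Windows\\System32\\svchost.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe"}
{"computer":"WS01","channel":"Microsoft-Windows-Sysmon/Operational","event_id":10,"SourceImage":"C:\\Users\\Public\\tmp\\x.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe"}
{"computer":"DC01","channel":"Security","event_id":1102,"SubjectUserName":"svc_backup"}
{"computer":"WS02","channel":"Security","event_id":4624,"SubjectUserName":"alice"}
""".splitlines()
if __name__ == "__main__":
    for computer, label in triage(SAMPLE):
        print(computer, label)
```

In practice the same logic runs over an EDR or SIEM export rather than an inline string; the point is that the allowlisted svchost access is dropped while the unknown binary and the log clear surface as findings.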