How 1-Time Passcodes Became a Corporate Liability

Phishers are enjoying remarkable success using text messages to steal remote access credentials and one-time passcodes from employees at some of the world’s largest technology companies and customer support firms. A recent spate of SMS phishing attacks from one cybercriminal group has spawned a flurry of breach disclosures from affected companies, which are all struggling to combat the same lingering security threat: The ability of scammers to interact directly with employees through their mobile devices.

In mid-June 2022, a flood of SMS phishing messages began targeting employees at commercial staffing firms that provide customer support and outsourcing to thousands of companies. The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication.

The phishers behind this scheme used newly-registered domains that often included the name of the target company, and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule.

The phishing sites leveraged a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website. But because of the way the bot was configured, it was possible for security researchers to capture the information being sent by victims to the public Telegram server.

This data trove was first reported by security researchers at Singapore-based Group-IB, which dubbed the campaign “0ktapus” for the attackers targeting organizations using identity management tools from Okta.com.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” Group-IB wrote. “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

It’s not clear how many of these phishing text messages were sent out, but the Telegram bot data reviewed by KrebsOnSecurity shows they generated nearly 10,000 replies over approximately two months of sporadic SMS phishing attacks targeting more than a hundred companies.

A great many responses came from those who were apparently wise to the scheme, as evidenced by the hundreds of hostile replies that included profanity or insults aimed at the phishers: The very first reply recorded in the Telegram bot data came from one such employee, who responded with the username “havefuninjail.”

Still, thousands replied with what appear to be legitimate credentials — many of them including one-time codes needed for multi-factor authentication. On July 20, the attackers turned their sights on internet infrastructure giant Cloudflare.com, and the intercepted credentials show at least three employees fell for the scam.

Image: Cloudflare.com

In a blog post earlier this month, Cloudflare said it detected the account takeovers and that no Cloudflare systems were compromised. Cloudflare said it does not rely on one-time passcodes as a second factor, so there was nothing to provide to the attackers. But Cloudflare said it wanted to call attention to the phishing attacks because they would probably work against most other companies.

“This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached,” Cloudflare CEO Matthew Prince wrote. “On July 20, 2022, the Cloudflare Security team received reports of employees receiving legitimate-looking text messages pointing to what appeared to be a Cloudflare Okta login page. The messages began at 2022-07-20 22:50 UTC. Over the course of less than 1 minute, at least 76 employees received text messages on their personal and work phones. Some messages were also sent to the employees family members.”

On three separate occasions, the phishers targeted employees at Twilio.com, a San Francisco based company that provides services for making and receiving text messages and phone calls. It’s unclear how many Twilio employees received the SMS phishes, but the data suggest at least four Twilio employees responded to a spate of SMS phishing attempts on July 27, Aug. 2, and Aug. 7.

On that last date, Twilio disclosed that on Aug. 4 it became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.

“This broad based attack against our employee base succeeded in fooling some employees into providing their credentials,” Twilio said. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”

That “certain customer data” included information on roughly 1,900 users of the secure messaging app Signal, which relied on Twilio to provide phone number verification services. In its disclosure on the incident, Signal said that with their access to Twilio’s internal tools the attackers were able to re-register those users’ phone numbers to another device.

On Aug. 25, food delivery service DoorDash disclosed that a “sophisticated phishing attack” on a third-party vendor allowed attackers to gain access to some of DoorDash’s internal company tools. DoorDash said intruders stole information on a “small percentage” of users that have since been notified. TechCrunch reported last week that the incident was linked to the same phishing campaign that targeted Twilio.

This phishing gang apparently had great success targeting employees of all the major mobile wireless providers, but most especially T-Mobile. Between July 10 and July 16, dozens of T-Mobile employees fell for the phishing messages and provided their remote access credentials.

“Credential theft continues to be an ongoing issue in our industry as wireless providers are constantly battling bad actors that are focused on finding new ways to pursue illegal activities like this,” T-Mobile said in a statement. “Our tools and teams worked as designed to quickly identify and respond to this large-scale smishing attack earlier this year that targeted many companies. We continue to work to prevent these types of attacks and will continue to evolve and improve our approach.”

This same group saw hundreds of responses from employees at some of the largest customer support and staffing firms, including Teleperformanceusa.com, Sitel.com and Sykes.com. Teleperformance did not respond to requests for comment. KrebsOnSecurity did hear from Christopher Knauer, global chief security officer at Sitel Group, the customer support giant that recently acquired Sykes. Knauer said the attacks leveraged newly-registered domains and asked employees to approve upcoming changes to their work schedules.

Image: Group-IB.

Knauer said the attackers set up the phishing domains just minutes in advance of spamming links to those domains in phony SMS alerts to targeted employees. He said such tactics largely sidestep automated alerts generated by companies that monitor brand names for signs of new phishing domains being registered.

“They were using the domains as soon as they became available,” Knauer said. “The alerting services don’t often let you know until 24 hours after a domain has been registered.”

On July 28 and again on Aug. 7, several employees at email delivery firm Mailchimp provided their remote access credentials to this phishing group. According to an Aug. 12 blog post, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance.

On Aug. 15, the hosting company DigitalOcean published a blog post saying it had severed ties with MailChimp after its Mailchimp account was compromised. DigitalOcean said the MailChimp incident resulted in a “very small number” of DigitalOcean customers experiencing attempted compromises of their accounts through password resets.

According to interviews with multiple companies hit by the group, the attackers are mostly interested in stealing access to cryptocurrency, and to companies that manage communications with people interested in cryptocurrency investing. In an Aug. 3 blog post from email and SMS marketing firm Klaviyo.com, the company’s CEO recounted how the phishers gained access to the company’s internal tools, and used that to download information on 38 crypto-related accounts.

A flow chart of the attacks by the SMS phishing group known as 0ktapus and ScatterSwine. Image: Amitai Cohen for Wiz.io. twitter.com/amitaico.

The ubiquity of mobile phones became a lifeline for many companies trying to manage their remote employees throughout the Coronavirus pandemic. But these same mobile devices are fast becoming a liability for organizations that use them for phishable forms of multi-factor authentication, such as one-time codes generated by a mobile app or delivered via SMS.

Because as we can see from the success of this phishing group, this type of data extraction is now being massively automated, and employee authentication compromises can quickly lead to security and privacy risks for the employer’s partners or for anyone in their supply chain.

Unfortunately, a great many companies still rely on SMS for employee multi-factor authentication. According to a report this year from Okta, 47 percent of workforce customers deploy SMS and voice factors for multi-factor authentication. That’s down from 53 percent that did so in 2018, Okta found.

Some companies (like Knauer’s Sitel) have taken to requiring that all remote access to internal networks be managed through work-issued laptops and/or mobile devices, which are loaded with custom profiles that can’t be accessed through other devices.

Others are moving away from SMS and one-time code apps and toward requiring employees to use physical FIDO multi-factor authentication devices such as security keys, which can neutralize phishing attacks because any stolen credentials can’t be used unless the phishers also have physical access to the user’s security key or mobile device.

This came in handy for Twitter, which announced last year that it was moving all of its employees to using security keys, and/or biometric authentication via their mobile device. The phishers’ Telegram bot reported that on June 16, 2022, five employees at Twitter gave away their work credentials. In response to questions from KrebsOnSecurity, Twitter confirmed several employees were relieved of their employee usernames and passwords, but that its security key requirement prevented the phishers from abusing that information.

Twitter accelerated its plans to improve employee authentication following the July 2020 security incident, wherein several employees were phished and relieved of credentials for Twitter’s internal tools. In that intrusion, the attackers used Twitter’s tools to hijack accounts for some of the world’s most recognizable public figures, executives and celebrities — forcing those accounts to tweet out links to bitcoin scams.

“Security keys can differentiate legitimate sites from malicious ones and block phishing attempts that SMS 2FA or one-time password (OTP) verification codes would not,” Twitter said in an Oct. 2021 post about the change. “To deploy security keys internally at Twitter, we migrated from a variety of phishable 2FA methods to using security keys as our only supported 2FA method on internal systems.”

Update, 6:02 p.m. ET: Clarified that Cloudflare does not rely on TOTP (one-time multi-factor authentication codes) as a second factor for employee authentication.

Autonomous Detection & Response | How MDR Disrupts the Cyber Kill Chain

The only predictable thing about the cyber threat landscape is that you can always expect it to shift and move even faster than before. Just in the year passed, businesses across the world witnessed a surge in cyber attacks, advanced in both severity and variety. Let’s take a look at some threat-related statistics from the last 12 months:

Reflecting on the current state of the threat landscape, it is clear that advanced persistent threats (APTs) and financially-motivated cyber criminals are seeing success. A key element to these modern threats is lateral movement or lateral spread – the movement of a threat actor within a compromised network. With this technique, actors are able to secure their foothold and start to move laterally through the remainder of a network to locate, steal, and encrypt sensitive assets and data for ransom.

Examining the Cyber Attack Lifecycle

Threat actors journey through a compromised environment using a defined process called the attack lifecycle, or kill chain. The cyber attack lifecycle is typically defined by the following phases:

  1. Reconnaissance/Planning – To kickstart the process, threat actors select their targets and perform as much research as they can including data about the target’s network infrastructure, users, and systems. By gathering this information, actors can better exploit their target and leverage any found vulnerabilities.
  2. Credential Dumping – After performing reconnaissance on their target, threat actors will focus on gaining initial entry into the environment. This is when actors will obtain legitimate credentials through fraudulent means and compromise as many hosts as possible.
  3. Enumeration – In this phase, threat actors have gained access and need to quickly figure out where they are in the environment, what access they have, and where they can start moving. This is when they will extract machine names, network resources, and more by performing directed queries.
  4. Lateral Movement Access – This is the most crucial part of the attack lifecycle from the threat actor’s standpoint. Once actors have what they need, they will begin to expand their foothold throughout the network using malicious tools to continuously upgrade their permissions, access critical data and systems, and distribute any malware and toolsets.
  5. Mission Completion – Post-deployment of any malware or toolsets, modern threat actors are increasingly exfiltrating sensitive data before encrypting them for better leverage over their victim.

The Challenge of Shorter Dwell Times

In a cyber attack campaign, “dwell time” refers to the length of time between an initial breach to the detection of a threat actor. Research shows that threat actors are becoming more efficient, making the overall average timeframe for an attack much shorter than in years before. Gone are the days of dwell time being weeks and months – the main challenge for businesses now is to detect the presence of cyber threats as fast as possible. Many threat campaigns, particularly ransomware campaigns, only last a few hours and actors are often already within a victim’s network, just waiting to deploy.

Unfortunately, security solutions such as traditional SIEMs (security information and event management platforms), next-generation anti-viruses, and anti-malware just aren’t efficient enough when it comes to detecting modern threat actors quickly. Up against shorter dwell times and advanced hacker tradecraft, fast and accurate detection matters most in a strong cybersecurity strategy.

Preventing Lateral Movement Through Autonomous Detection

So, how fast does detection need to happen before it’s too late? Referring back to the cyber attack timeline, the reconnaissance and credential dumping phases become the most critical period as threat actors have not yet moved deep into the compromised network through lateral movement. This is also before they have managed to blend in with normal network traffic or started to “live off the land”, which entails the use native tools and processes to expand their foothold.

It’s often the case that with enough time and resources, threat actors can successfully meet their goals. The main goal then is to prevent the threat actors before they can reach the lateral movement phase and do critical damage. With threat actors becoming increasingly sophisticated, the time between initial intrusion and lateral movement continues to get shorter, making that quick detection time even more important.

When attacks happen, the speed with which an organization is able to detect and respond determines if the threat actors can reach mission completion. This is why organizations rely on SentinelOne’s global Managed Detection and Response (MDR) service, Vigilance Respond. Utilizing SentinelOne’s patented autonomous detection EDR, Vigilance Respond defends networks against cyber attacks instantly and with a higher accuracy than any human team can provide. Vigilance monitors customer environments 24/7/365, hunting for advanced threats and providing faster mean time to response (MTTR) rates.

How Vigilance Respond Disrupts the Cyber Attack Kill Chain

Businesses globally trust Vigilance to provide machine-speed detection technology run by dedicated analysts. Working around-the-clock, Vigilance allows organizations to adapt instantly, and at scale, in today’s ever-shifting threat landscape, closing the gap between intrusion and lateral movement and neutralizing the threat actor before they can begin to spread deep into a target’s systems. Vigilance Respond offers these services to ensure businesses are safeguarded:

  • Active threat campaign hunting for APTs
  • Alerting and remediation guidance for emerging threats
  • Incident-based triage and hunting
  • 24/7/365 monitoring, triage, and response
  • Security Assessment (Vigilance Respond Pro)
  • Digital Forensics Investigation & Malware Analysis (Vigilance Respond Pro)

Conclusion

Today’s threat actors may be moving faster than ever, but that doesn’t mean businesses can’t get ahead of them. Machine-speed detection technology run by dedicated analysts ensures organizations are safeguarded before actors can start moving laterally within their environments to exfiltrate and encrypt sensitive data.

If you would like to learn more about how SentinelOne’s Vigilance Respond can help safeguard your business, contact us or request a demo.

Vigilance Respond
Rely on machine-speed technology run by dedicated analysts to adapt to today’s threat landscape.

The Good, the Bad and the Ugly in Cybersecurity – Week 35

The Good

This week, Stanford Internet Observatory reported on their collaborative effort with social media analytics firm, Graphika, to analyze a vast network of accounts removed from Facebook, Instagram, and Twitter. This removal was the result of an information operation said to have originated in the United States and targeted countries in Central Asia and the Middle East.

Between July and August 2022, Meta (Facebook and Instagram) and Twitter booted two related sets of accounts off their platforms for violating their terms of services. Violations included “platform manipulation and spam” and “coordinating inauthentic behavior”.

The joint investigation by Stanford and Graphika found that these accounts, along with five other social media platforms, employed deceptive tactics to promote pro-Western (US and its allies) narratives to users in Central Asia and the Middle East while openly criticizing opposing nations including Russia, China, and Iran.

Cyber influence operations like this one showcase the substantial role private entities and a large range of actors play in active campaigns to affect and sway online audiences. In this particular case, the actors created fake personas using GAN-generated faces, impersonated independent media outlets, and launched digital petitions – all behaviors noted in other similar operations.

The uneasy fact is that we are living in the age of disinformation and it has become a cybersecurity threat. While many socio-psychological factors and social media fuel this trend, there is no shortage of bad actors that are all too eager to take advantage. Disinformation campaigns often make use of social media platforms to compromise information security, manipulate significant data, or cause reputational damage. With this in mind, it’s always good news when disinformation gets the takedown it deserves.

The Bad

Trying to wind down with some screen time? Well, things just got a little more complex. Reports this week detail a data breach attack on widely-used American streaming media service, Plex. After unauthorized access to one of its databases, Plex has sent out password reset notices to many of its users including Troy Hunt, Australian web security consultant known for being the creator of the Have I Been Pwned website.

In an email sent to customers, Plex said that a third-party was successful in accessing a limited subset of data including emails, usernames, and encrypted passwords. They underscored that all potentially accessed passwords were hashed, no payment data was vulnerable in the incident, and that the method of breach has already been addressed and additional reviews and hardening procedures are being taken. Both BleepingComputer and ZDNet have reached out to Plex for more details as the impact of this breach is still developing.

At the level we are all digitally connected these days, cybercrimes both large and small affect everyone. Where there is sensitive information, there is security risk. Online streamlining services have boomed in recent years and bad actors continue to target these vendors to steal consumer personal information, entice users into scams, and or launch phishing campaigns.

Login credentials are always a hot commodity on the dark web, and we all need to make it more difficult for info-stealers by extending our cyber hygiene to sources of entertainment and updating passwords often, refraining from credential recycling, and staying alert for phishing attempts.

The Ugly

On Saturday, Greece’s largest natural gas distributor, DESFA, confirmed that they were hit with a ransomware-based data breach. In their official statement, DESFA reported that bad actors were able to access sensitive files.

DESFA has deactivated many of its online services and is reported to be working on a gradual return to normal operations. The gas operator also assured consumers that natural gas supplies across the country would not be impacted and reiterated its firm stance against negotiating with the actors over a ransom payment. The data breach has since been attributed to the Ragnar Locker ransomware gang, who have already posted details on their leak site.

The Ragnar Locker gang has been prolific in its attacks for over two years now and seems to have set its main sights on targeting critical infrastructure sectors. Just earlier this year, the FBI reported that the gang has breached the networks of at least 52 organizations across multiple US critical infrastructure sectors, including manufacturing, energy, finance, and government.

In the grip of the Russian invasion of Ukraine, ongoing economic downturn, and continuing Covid-19 and monkeypox outbreaks, cybercriminals are digging their heels in hard during periods of global distress to have their ransoms met. The increased attacks on critical infrastructure is especially devastating as Europe grapples with an energy crisis. Prices for natural gas and electricity have soared 1000% higher than those seen in 2021 to 2020 with fears that it will result in the lowest valuation of the euro in 20 years and a hard winter ahead fraught with large-scale power outages.

BlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar

BlueSky ransomware is an emerging threat that researchers have been paying increasing attention to since its initial discovery in late June 2022. The ransomware has been observed being spread via trojanized downloads from questionable websites as well as in phishing emails.

Although infections at this time remain low, the ransomware’s characteristics, described below, suggest it has been carefully developed for a sustained campaign. In this post, we cover the latest intelligence on BlueSky ransomware to help security teams defend against this developing threat.

Emergence of BlueSky Ransomware

BlueSky was first noted on VirusTotal by researcher @Kangxiaopao in late June 2022. Subsequently, analysts from CloudSek and Unit42 have documented some of BlueSky’s behavior.

At present, BlueSky has not stood up a public data leak site and BTC wallets associated with known samples have not registered any transactions, indicating that the threat actor’s distribution campaign is still in its infancy.

Initial delivery vectors seen to date include trojanized downloads from websites hosting “cracks” and “keygens” as well as malicious attachments delivered via email. Some observed mechanisms include delivery via third-party frameworks such as Cobalt Strike and BRc4.

Upon infection, BlueSky uses fast encryption techniques to rapidly process files on the target and connected hosts. The ransomware has the ability to move laterally via SMB and has been observed doing so in Active Directory environments. Encrypted files will be marked with the .bluesky extension. Victims are instructed to contact the attackers via a TOR-based portal to obtain a decrypter.

A multi-stage attack leading to a BlueSky infection was documented by Germán Fernández in early July.

Fernández tweeted details around an infection chain that, depending on the client, resembles JuicyPotato, exploiting an elevation of privilege flaw (CVE-2022-21882) in Microsoft Windows and a remote code execution vulnerability (CVE-2020-0796) in Microsoft Server Message Block (SMB), before dropping the BlueSky ransomware.

The use of trojanized downloads was documented by CloudSEK. Trojanized downloads of BlueSky ransomware were briefly made available via a website known to host questionable executables such as application “cracks” and “keygens”, license generators for software products such as Windows 10.

cracked Windows license
Malicious Site Hosting BlueSky Payloads

One such site was observed being hosted at kmsauto[.]us. The following list of malicious URLs were recorded as hosting BlueSky ransomware payloads. Note the redundant use of both HTTP and HTTPS.

http[:]//kmsauto[.]us/alguien/l.exe
http[:]//kmsauto[.]us/alguien/potato.exe
http[:]//kmsauto[.]us/alguien/spooler.exe
http[:]//kmsauto[.]us/off/off.bin
http[:]//kmsauto[.]us/someone/ghost.exe
http[:]//kmsauto[.]us/someone/I.exe
http[:]//kmsauto[.]us/someone/potato.exe
http[:]//kmsauto[.]us/sti/sti.bin
https[:]//kmsauto[.]us/alguien/l.exe
https[:]//kmsauto[.]us/alguien/spooler.exe
https[:]//kmsauto[.]us/ekonomika/
https[:]//kmsauto[.]us/someone/l.exe
https[:]//kmsauto[.]us/someone/potato.exe
https[:]//kmsauto[.]us/someone/start.ps1
https[:]//kmsauto[.]us/v-mire/

BlueSky Ransomware Technical Details

The first stage of a BlueSky ransomware infection involves a compressed, base64-encoded PowerShell script, start.ps1. On execution, the script produces a further PowerShell script, stage.ps1. If stage.ps1 is run without administrator privileges, it first seeks to elevate privileges through CVE-2021-1732 or CVE-2022-21882.

Encrypted content of start.ps1

Once sufficient privileges are acquired, the script downloads the ransomware payload, l.exe, and writes it to disk at the following file path:

%APPDATA%MicrosoftWindowsStart MenuProgramsStartupjavaw.exe.

The payload contains anti-analysis logic including leveraging NtSetInformationThread to hide threads launched by the malware executable.

Setting ThreadInformationClass to the value of 0x11 prevents certain events from being viewed or hooked by debuggers, or from being detected by certain EDR hooking mechanisms. As noted by Unit32, BlueSky uses a multithreaded queue for faster encryption.

The ransomware makes use of the NtQueryInformationProcess API for process discovery before calling TerminateProcess.

Local drives are discovered and stored via GetLogicalDriveStringsW, with the ransomware traversing each drive serially.

BlueSky’s ability to spread laterally across accessible networks is enabled by way of SMB (Server Message Block) and the NetShareEnum (+WNetOpenEnumW) API.

Payload output, NetShareEnum

In some cases, 1000ms Sleep intervals are inserted between each remote connection attempt.

Sleep MS count in hex

Previous researchers have noted that file targeting is inverted compared to typical ransomware behavior: rather than targeting specific file extensions, BlueSky instead lists file types to be excluded from encryption. The following extensions are reportedly excluded:

ldf, scr, icl, 386, cmd, ani, adv, theme, msi, rtp, diagcfg, msstyles, bin, hlp, shs, drv, wpx, bat, rom, msc, lnk, cab, spl, ps1, msu, ics, key, msp, com, sys, diagpkg, nls, diagcab, ico, lock, ocx, mpa, cur, cpl, mod, hta, exe, ini, icns, prf, dll, bluesky, nomedia, idx

Post-Infection and Ransom Demands

The ransom note “# DECRYPT FILES BLUESKY #.html ” is written into each folder containing encrypted items. With the exception of the victim’s ‘recover ID’, all ransom notes regardless of the target are identical. In addition, the malware drops notes in both text and HTML format.

bluesky ransom note
BlueSky ransom note, .txt version
bluesky ransom note
BlueSky ransom note, html version

After infection, victims are instructed to visit the BlueSky ‘DECRYPTOR’ portal and enter the unique recovery ID embedded in the ransom note. The portal displays the time limit and the increasing dollar amounts required to regain access to encrypted data.

BlueSky Decryptor Portal
BlueSky Decryptor Portal

In the pool of samples we analyzed, victims were given seven days to pay the ransom demand, after which the ransom amount doubled.

Detecting and Protecting Against BlueSky Ransomware

As demonstrated in the following video, SentinelOne Singularity™ fully protects against BlueSky ransomware, preventing lateral movement across Active Directory and connected devices.

Conclusion

BlueSky ransomware has the ability to rapidly encrypt the local host and move laterally by exploiting known vulnerabilities. BlueSky campaigns appear to be in their infancy, but the architecture of both droppers and payloads indicates that the actors have invested significant effort and will be looking to reap the returns. Now is the time for security teams to get ahead by bolstering their protection and detection posture.

Indicators of Compromise

SHA256
3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb
840af927adbfdeb7070e1cf73ed195cf48c8d5f35b6de12f58b73898d7056d3d
e75717be1633b5e3602827dc3b5788ff691dd325b0eddd2d0d9ddcee29de364f
2280898cb29faf1785e782596d8029cb471537ec38352e5c17cc263f1f52b8ef
d6386b2747335f7b0d13b1f69d995944ad8e9b71e09b036dbc0b907e583d857a
c75748dc544629a8a5d08c0d8ba7fda3508a3efdaed905ad800ffddbc8d3b8df
c3d5248230230e33565c04019801892174a6e5d8f688d61002e369b0b9e441ff
b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec
dcdba086e6d0cd3067d3998bb624be16c805b2cde76a451c0ceaf30d66ba7349 (decryptor)

SHA1
d8369cb0d8ccec95b2a49ba34aa7749b60998661
a306aa69d4ac0087c6dad1851c7f500710c829e3
720714032a7a8ee72f034ddbb0578b910e6c9885
1bab1913533d5748e9cda388f55c446be6b770ff
71e3cc4a53a9cf4cb5e5c3998afe891cd78c09aa
429237548351288fac00e0909616b1518d5487b9
9fc631bdd0d05d750e343c802e132b56e5121243
59e756e0da6a82a0f9046a3538d507c75eb95252
a9233cb65ab53a08a4cce24a134c5b9296672a32 (decryptor)

Connections
ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid[.]onion
kmsauto[.]us

MITRE ATT&CK
T1552.001 – Unsecured Credentials: Credentials In Files
T1049 – System Network Connections Discovery
T1422 – System Network Configuration Discovery
T1083 – File and Directory Discovery
T1012 – Query Registry
T1082 – System Information Discovery
T1119 – Automated Collection
T1005 – Data from Local System
T1486 – Data Encrypted for Impact
T1135 – Network Share Discovery
T1021.002 – Remote Services: SMB/Windows Admin Shares
T0809 – Data Destruction

Microsoft Active Directory as a Prime Target for Ransomware Operators

The Active Directory (AD) infrastructure continues to be a key element in ransomware campaigns and post-compromise extortion, representing a significant threat to businesses. With the time between initial breach and impact being so short in a ransomware attack, the main area of concern for businesses is the challenge of quick detection.

Targeted businesses usually become aware of ransomware only after an adversary encrypts its assets to interrupt their availability. At this point, it is too late to do anything about the attack and they must shift immediately to executing their post-breach response plan.

Active Directory in the Crosshairs

By definition, Active Directory (AD) stores information about objects on a network in a logical, hierarchical manner making information easy for administrators and users to find and use. It uses a structured data store, known as the directory, as the basis for organizing the directory information (objects). These objects will typically include shared resources such as servers, volumes, printers, and user and computer accounts.

Cyber adversaries have increasingly set their sights on abusing Microsoft’s AD since it serves as a neat gateway into the entirety of a network. Compromising AD allows adversaries to move laterally through the rest of the network, escalate privileges, obtain administrative access rights, and ultimately, encrypt and exfiltrate sensitive data.

Many legacy security solutions have proven ineffective against ransomware operators, who have developed tactics to evade or bypass traditional security controls. Although EDR solutions can protect endpoints, without Identity protection, a threat actor may compromise AD and increase their chances of finding holes in the network that can be exploited and used to launch ransomware attacks.

Businesses can greatly reduce the impact of such compromises as long as they can detect the threat early enough in the attack cycle. Early detection in the post-infiltration phase is where the SentinelOne® Identity solution excels.

Ransomware Case Studies

Let’s examine three recent case studies by The DFIR Report in which ransomware gangs targeted Microsoft AD as part of their tactics.

  1. Bumblebee Ransomware
    This case study details an attempted ransomware deployment using a malware loader called BumbleBee. Initial execution began with a password protected zipped ISO file that likely originated from a malicious email. After a user opened the file containing BumbleBee, it dropped a Cobalt Strike beacon and proceeded to inject into various other processes on the host.

    The adversary in this attack was noted to have started AD discovery using ADFind only four hours after initial breach and, later in the attack timeline, searched for control to a more privileged account. Investigations showed that the adversary enumerated AD on three different occasions over an 11-day dwell period through ADFind.

  2. Quantum Ransomware
    In “one of the fastest ransomware cases” observed by The DFIR Report, cyber adversaries gained initial access and deployed domain-wide ransomware in under four hours through an IcedID payload delivered via email.

    After a user clicked the malicious files, a collection of discovery tasks were executed within Windows built-in utilities and established persistence in the host. Two hours later, the adversaries deployed Cobalt Strike followed by the use of ADFind to perform discovery of the target organizations’ AD structure.

    During this intrusion, it was discovered that the adversaries managed to steal administrator account credentials which enabled them to spread laterally across the AD domain.

  3. Conti Ransomware
    Cyber adversaries don’t take holidays. In fact, public holidays, long weekends, and off hours are when they thrive. In this case study, the adversaries remained dormant over a 19-day dwell time before deploying Conti ransomware shortly after Christmas, resulting in domain-wide encryption.

    The investigation found that the adversaries utilized IcedID as an initial access vector to drop a Cobalt Strike beacon on a compromised host and then established persistence in the environment by installing remote management tools Atera and Splashtop. Notably, there were many attempts to exploit CVE-2021-42278 and CVE-2021-42287; both known AD vulnerabilities often used to create privileged accounts.

Reducing adversary dwell times is vital in an age where attackers have a plethora of tools at their disposal to gain privileged access to internal corporate networks. Widespread IT and AD hygiene issues coupled with weak detection capabilities that do not detect the techniques used in ransomware attacks leave many enterprises exposed to devastating compromises.

Preventing Ransomware Encryption Isn’t Enough

Ransomware operators attacking enterprises have evolved their tactics beyond simple encryption, using double or even triple extortion techniques, exposing their victim’s data to increase the level of coercion.

Organizations that refuse to pay ransom demands are exposed to economic and reputational harm as attackers threaten to make stolen data available on ransomware leak sites or to sell it on the darknet to other threat actors. The technique, pioneered by the Maze ransomware gang, has been widely copied and extended by other operators.

Threats to leak data if victims approach law enforcement, negotiation or incident response firms pile on the pressure to pay up and pay early – most ransomware operators will increase their demands the longer victims hold out.

In human-operated ransomware attacks, the threat actors typically perform internal reconnaissance and move laterally through the compromised networks to profile their victims, targeting the organization’s most critical assets so they can negotiate from a stronger position. The use of “Living off the Land” techniques and tools coupled with leveraging AD to deploy the ransomware via Group Policy Objects (GPOs) is prevalent in recent attacks.

Essential Questions in Ransomware Preparedness Assessment

A ransomware preparedness assessment can help ensure the organization has a strong security posture to prevent and contain ransomware attacks. Some key questions the organization should seek to answer include:

  • How can the organization identify malicious actors on the AD infrastructure and differentiate them from organizational assets? Does the security team have the tools to separate legitimate queries to AD from malicious ones?
  • How does the business prevent the use of tools like Bloodhound or Mimikatz? Should the EPP/EDR solution contain or alert when malicious tools like these are used?
  • How can the security team identify when exposed credentials on other endpoints are vulnerable to exploit?
  • How can the organization restrict connectivity and trust relationships within AD across different areas of the company to prevent the spread of ransomware attacks?
  • What tools are available to identify when attackers are exploiting privileged accounts, such as AD domain admins, service accounts, or shadow admins possessing privileges at the endpoints?
  • Is the business currently able to protect data from tampering by unauthorized programs or ransomware?
  • How can the security team isolate the attack source when investigation confirms the presence of domain controller enumeration or “credential dumping” events?

The SentinelOne Singularity™ Identity Solution

The SentinelOne Singularity™ Identity solution works with existing security controls to address the ransomware problem. Good EDR solutions detect most ransomware variants in use today. However, should attackers find a way through the organization’s first line of defense, Singularity™ Identity provides detection capabilities for discovery, lateral movement, privilege escalation, and data gathering activities used in ransomware attacks.

Singularity™ Identity offers coverage across different layers including the network, endpoint, data, applications, and AD, providing early and accurate detection while preventing attackers from accessing sensitive or critical data, credentials, and other objects.

The Singularity™ Identity solution prevents attackers from breaking out of a compromised system by restricting their ability to conduct reconnaissance or move laterally to production assets. Further, it denies cyber adversaries the ability to discover or list domain controllers, domain memberships, group privileges, and other AD objects while providing early and accurate alerts on the activity. It returns data that leads the adversaries to decoys for engagement, identifying their tactics, technique, and procedures and providing telemetry on the tools they used to extract the data from AD.

Simply put, the solution immediately misdirects and misinforms the adversaries as soon as they look or attempt to move around, diverting them to the decoy environment and reducing the impact on production infrastructure. Singularity Identity also provides detailed event data, displays visual attack replays, and collects forensic evidence for analysis and threat intelligence development to raise the security posture and defend against subsequent attacks.

Finally, Singularity™ Identity’s concealment capability hides and denies access to local files, folders, removable devices, and mapped network or cloud shares, preventing adversaries from enumerating, accessing, encrypting, or even exfiltrating them from the organization. Simultaneously, the solution maps fake file shares that lead to decoy servers for the ransomware to discover and encrypt. As the malware attempts to encrypt the data it finds, the Identity solution rate-limits the connection and feeds the ransomware with endless streams of data to encrypt. This delay stalls the attack, giving the security teams time to isolate infected systems and stop further damage quickly.

Conclusion

Protecting against modern ransomware attacks takes preparation and overlapping security controls that provide a layered defense that sophisticated attackers must penetrate undetected. Deploying the SentinelOne Singularity™ Identity solution as a layer in that defensive strategy enhances existing security controls while providing unique denial, detection, and derailment functions to elevate the security posture and harden the organization against ransomware attacks.

Get a Demo of SentinelOne’s Identity Suite
Bringing Identity to XDR. Ready to experience the market’s leading identity security suite?

XCSSET Malware Update | macOS Threat Actors Prepare for Life Without Python

Threat actors behind the XCSSET malware have been relatively quiet since last year. However, new activity beginning around April 2022 and increasing through May to August shows that actors have not only adapted to changes in macOS Monterey, but are preparing for the demise of Python, an integral and essential part of their current toolkit.

In this post, we review changes made to the latest versions of XCSSET and reveal some of the context in which these threat actors operate.

XCSSET Changes in 2022

Since XCSSSET first appeared, the authors have made consistent use of two primary tools to obfuscate both droppers and dropped files: SHC and run-only compiled AppleScripts, respectively.

SHC-compiled shell scripts are opaque to traditional static scanning tools and contain only a few human-readable strings.

As all SHC-compiled binaries, legitimate or malicious, contain these same strings, signature scanners cannot distinguish between them.

SHA1: 127b66afa20a1c42e653ee4f4b64cf1ee3ed637d

Dynamic execution of this recent SHC-compiled XCSSET dropper, currently with 0 detections on VirusTotal despite having been known for 2 months, also reveals that the malware authors have changed from hiding the primary executable in a fake Xcode.app in the initial versions in 2020 to a fake Mail.app in 2021 and now to a fake Notes.app in 2022. These fake apps are invariably dropped in a parent folder created in random locations in the user’s Library folder. When executed, this particular sample writes the fake Notes.app to:

~/Library/Application Scripts/com.apple.CalendarAgent

The updated run-only AppleScripts that XCSSET drops as second-stage payloads use a collection of newly-registered domains:


set domains to {
  "superdocs.ru",
  "melindas.ru",
  "kinksdoc.ru",
  "adobefile.ru",
  "gurumades.ru",
  "appledocs.ru",
  "45.82.153.92",
  "gismolow.com",
  "Cosmodron.com"
}

Changes in the replicator.applescript file, which infects users’ Xcode projects with the XCSSET malware, show that both curl’s –max-time value and the script’s phaseName variable have now been randomized, presumably to hamper static detection or hunting rules.

Xcode infection script from 2021 (Left) and 2022 (Right)

The –max-time option is now set to a random value between 5 and 9, while phaseName is chosen from the following list:

"Copy Bundle Frameworks",
"Compile Binary Libraries",
"Compile Swift Frameworks",
"Binary Frameworks Compiler"

In the previous version of XCSSET, the malware created and dropped files for its own caches and control functions in a folder at ~/Library/Caches/GeoServices/. This has been modified slightly to “GitServices”.

Persistence plists are currently chosen from the following list:

com.apple.airplay.plist
com.apple.spx.plist
com.google.keystore.plist
com.google.chrome.plist

and target a file at one of:

~/Library/Caches/GitServices/CloudServiceWorker
~/Library/Caches/GitServices/AppleWebKit

As previously, XCSSET continues to attempt to evade detection by masquerading as either system software or the almost ubiquitous Google and Chrome browser software.

XCSSET’s Updated Fake Notes.app

As noted, XCSSET makes use of a fake Notes.app to hide the primary executable, a.scpt, itself launched by the run-only compiled AppleScript main.scpt when “Notes” is executed via the dropped LaunchAgent.

The SHC-compiled dropper script defines several random paths to use as parent directories for the fake Notes.app.

osacompile -x -e try do shell script "osascript '/Users/user1/Library/Application Support/com.apple.spotlight/Notes.app/Contents/Resources/Scripts/a.scpt'" end try -o

The a.scpt remains, in essence, the same as earlier versions except that the encoding handler has changed from one previously shared with OSAMiner.

on xe(_str)
  set x to id of _str
  repeat with c in x
    set contents of c to c - (102 - 2)
   end repeat
  return string id x
end xe

on xex(_str)
  set x to id of _str
  repeat with c in x
    set contents of c to c - (102 - 1)
  end repeat
  return string id x
end xex

Malicious Run-Only AppleScripts

Aside from a.scpt, XCSSET makes use of multiple run-only AppleScripts. Although these scripts are written to disk as compiled and run-only, we were able to capture the scripts in plain text on the wire. In the updated version of XCSSET, these continue to target Telegram and other chat apps heavily in use by Chinese users such as WeChat and Tencent’s 360, along with an expanded list of browsers, including Opera, Brave, Edge and other Chromium-based browsers.

Many of the scripts shown above share the same structure and list of handlers but make minor changes to handle the specifics of each target application.

check_loop()
log(message)
runme()
upload(filePath, fileName)
urlencode(theText)

The contacts.applescript has the role of targeting various chat apps from which to steal and exfiltrate data.

Among other tasks, the payloader.applescript checks for AppleBackLightDisplay, presumably to distinguish between laptops and desktops. This info is part of what is exfiltrated, showing that the threat actors are keen to gather very precise hardware profiling information.

Similarly, the threat actors are interested in exactly how up-to-date the victim is with Apple’s XProtect and MRT malware removal tool, presumably all the better to target them with more effective payloads. The listing.applescript script is used for this purpose.

Also of interest is the use of the public service transfer.sh for exfiltrating data files that are too large for the attacker’s server.

XCSSET Changes for Monterey and Python

One of the more interesting things we noted in recent samples of XCSSET is the developer’s awareness of OS versions and the clear intent that the authors are here for the long run.

Right from its initial version, XCSSET made use of python scripts for certain functions, in particular for dropping fake application icons on the Dock. It achieved this by abusing a public Github repo called DockUtil. In the latest version, we also note that XCSSET uses python to parse and steal data from the user’s (legitimate) Notes.app. For this functionality, they use a modified version of a plugin from a legitimate python-based tool called mac_apt used by macOS forensics experts.

mac_apt on Github (left); malware script found in XCSSET (right)

XCSSET’s authors have updated their AppleScripts to account for Apple’s recent removal of python 2. The following image shows how the malware authors updated their safari_remote.applescript for python3 and Monterey 12.3 and above.

Similarly, the comment in edge_remote.applescript shows that the authors are keenly aware that DockUtil and other utilities will need to be replaced in their toolkit in the near future.

XCSSET Threat Actors and Targets

While very little is publicly known about the actors behind XCSSET, their motivations or their exact targets, the actors have engaged with journalists and security researchers at times. The original version of XCCSET, which appeared in August 2020, contained the full names of two individuals. Subsequently, a Twitter account with the name ‘Hans’ briefly became active and sent private messages to a journalist, claiming that he was the real author and not the two individuals whose names appeared in the malware code. The same individual claimed that the targets were “developers from China” and “big gambling business”.

‘Hans’ subsequently disappeared from view, but about a year later another Twitter account in the name of ‘Vlad F’ began reaching out to researchers, complaining that they had been falsely accused of being the actors behind the malware.

While Apple refused to comment on these claims at the time, Vlad F’s Twitter account ceased to respond. Earlier this year, however, Chinese users reported XCSSET infections and attempts to unlock stolen “accounts” from victims in return for “200 USDT” (a so-called “stable” bitcoin belonging to Tether).

Prior to that, researchers had noticed that XCSSET infections were being embedded in a number of Github repositories.

At this point in time, it’s unclear whether these infected repos are victims or plants by threat actors hoping to infect unwary users. It has been suggested that unsuspecting users may be pointed to the infected repositories through tutorials and screencasts for novice developers. Our research into XCSSET and its infection vectors continues.

Staying Protected Against XCSSET Malware on macOS

XCSSET has many moving parts, and samples change rapidly. While some static signatures such as those used in Apple’s XProtect service will detect known samples, full protection against evolving threats like these is only really possible with a multi-engine agent including behavioral AI.

SentinelOne Singularity fully protects SentinelOne customers against XCSSET malware.

With the agent policy set to ‘Protect’, the malware is prevented from executing or dropping any of its components. For this demonstration, we set the policy to ‘Detect-only’ in order to observe further stage payloads.

Indicators of Compromise

Scripts
25f8d7ac99e00c9d69679f2d9aca5954d2609a03 ./brave_remote.applescript
0e1b2f01441e6e6fc8a48a7871e649d3647828cd ./canary_remote.applescript
4c368635ecfee61a89203f3f0e84bfdd7d85073d ./chrome_remote.applescript
2a2330b13886ffe0e4fe54f7254008490814b5fa ./chromium_remote.applescript
fd82b821fa2c23f2b88f64179e3a7a8905c1e40b ./contacts.applescript
bde20788e2656454052aae9baf2f4d2b7c256c9d ./edge_remote.applescript
3f35fd8306d4a05fadd9095acacd8d5f297a112e ./firefox_remote.applescript
3de232d0a42959b20703ebb9d9376b3ef3d3015d ./firewall_off.applescript
3257a1f540455444a56975e7fd9cdb6f8148b828 ./listing.applescript
2dbf06445a294b4f786501ef16ea4aabd8e1ad72 ./notes.applescript
6c0b4e3e3bac36f3228e69ab1e53884f76f6828b ./notes.py
6cf1ec6af6c6102c9d4929b1a83e0a463e737255 ./notes_app.applescript
73918b840384e485d009632fdf1a396758d7c515 ./opera_remote.applescript
e2de10a6b517e298cb2e7da150224dfe7e5717a7 ./payloader.applescript
5e673f4c494c424ae450f2ea5c0b066f912edccb ./pods_infect.applescript
73d9a443933fb0c40dde3065ec77adad35a5c49a ./remove_old.applescript
5b66e4b1556ad03b4bf072d061de0606eabe8603 ./replicator.applescript
672837de18d0e34f8b2a77bc2646b245671c83dc ./safari_remote.applescript
b66dbd55ce42a61cfedd06f31725b7f56d10d548 ./safari_update.applescript
fb29c9daa6fdeaa945446fe7cde185d51296dc7d ./telegram.applescript
760676a2e05d25959dee1f9ffaf3042e5f2e0f31 ./telegram_lite.applescript
4ffb268475e3816b22aadfb147bd7cd2f211e3d5 ./uploader.applescript
c2a90c68ad9d93139ebce981a409beae5d7de8bf ./yandex_remote.applescript
d70f4974bd531af674c5c2da3bc3c7d1a0ac9b54 ./360_remote.applescript
a57b73190525a729d821b6aed6849084fc1beddd ./a.applescript

Binaries
127b66afa20a1c42e653ee4f4b64cf1ee3ed637d ./exec.2430808
f4099a0884d3f1bf5602c8c6ba5265b76d7f4953 ./Pods
dde87aefcaf788f770e5e1229db4fe73873e1c36 ./agentd
bd13d22095d377938c50088e59fa3079143cb0f2 ./braved
a1449c5fbf8cf126502bd68a8e8d657b3dcfd87a ./canaryd
cbf08fae71fcd46cc852fad7502685466c40e168 ./edged
2a62d6bcac7b0c5e75f561458e934ec45c77699c ./firefoxd
263b243df32be6d9d9878c459d2fc6491342d547 ./metald
f3a747bf10763d7d8c1cd9ccedd1e25ee195fce3 ./open
2a6d37160f21ec13aa6c692a3ca3374db3d35e96 ./operad
1396fdbff38b787d14b1135dcdfc367658669637 ./speedd
e4b6c56faa97493dc0f0f7c4fc2196096ef66513 ./yandexd

Communications
adobefile[.]ru
appledocs[.]ru
Cosmodron[.]com
gismolow[.]com
gurumades[.]ru
kinksdoc[.]ru
melindas[.]ru
superdocs[.]ru
45[.]82[.]153[.]92

The Good, the Bad and the Ugly in Cybersecurity – Week 34

The Good

This week, the U.S. Department of Justice has extradited a Russian citizen from the Netherlands to face charges of laundering cryptocurrency-based ransom payments from Ryuk ransomware victims.

According to a statement from the DoJ and court documents, the alleged cryptocurrency launderer, Denis Mihaqlovic Dubnikov, and his accomplices laundered ransom payments from both individuals and organizations targeted by the Ryuk ransomware gang around the world.

After receiving the ransom payments, Dubnikov, his accomplices, and Ryuk operators collaborated to engage in both domestic and international financial transactions to conceal the ransom money’s origins. In one month alone, Dubnikov is accused of laundering more than $400,000 in Ryuk ransoms, and the Department of Justice believes that Dubnikov and his co-conspirators have laundered at least $70 million in ransoms.

First sighted in August 2018, Ryuk is a notorious ransomware family that threat actors have leveraged in several high-profile attacks in recent years, including a 2018 attack on the Los Angeles Times. Ryuk is particularly aggressive in terms of speed-of-encryption, and it is known to deploy additional measures to cripple defenses and recovery options on machines. In October 2020, law enforcement officials specifically identified Ryuk as an imminent and increasing cybercrime threat to hospitals and healthcare providers in the United States.

As Dubnikov goes to trial, the Justice Department’s Ransomware and Digital Extortion Task Force should celebrate the fact that they have successfully disrupted one of the channels for threat actors to retrieve their ransom payments. We can only hope that future investigations will continue to strategically disrupt ransomware criminal ecosystems and identify a path where victims can reclaim the money that they lost.

The Bad

The threat actors behind BlackByte ransomware have re-emerged, with some techniques that other notorious threat actors have leveraged in the past.

The ransomware operators returned after a brief hiatus with “BlackByte version 2.0.” While research into BlackByte’s ransomware encryptor is ongoing, the BlackByte threat actors have launched a new data leak site on Tor that incorporates extortion techniques affiliated with threat actors that deploy LockBit ransomware.

In a new twist in extortion tactics, the BlackByte leaks site now gives victims the option to pay for an extension to their ransom deadline. If a victim pays $5,000 in Bitcoin or Monero, they can push the date that their data is published by 24 hours. They can also pay $200,000 to download a copy of their data, or $300,000 to destroy it entirely. This scheme is designed to help threat actors extort more money from victims, and sell exfiltrated data to fellow cyber criminals. However, security researchers say that BlackByte’s data leak site is not correctly embedding the cryptocurrency wallet addresses, leaving victims unable to pay the threat actors for an extension or deletion.

This re-emergence is a concerning development in today’s threat landscape. BlackByte has already launched several high profile attacks in the past, and they show no signs of slowing down.

The Ugly

Cyber criminals created confusion in the United Kingdom this week, as one major drinking water provider disclosed that they had been impacted by a cyber attack, and a ransomware gang claimed to have compromised another.

In a disclosure published on their website, South Staffordshire Water, which supplies water to 1.6 million customers in the South Staffordshire and West Midlands areas, confirmed that the breach had only impacted their corporate IT network, and that there was no risk of a water or customer service outage for customers. The company also disclosed that they were working closely with the UK authorities to investigate the incident further.

Meanwhile, the Clop (also known as C10p) ransomware gang claimed that they had breached Thames Water, another UK-based water supplier. The threat actors alleged that they had exfiltrated 5 TB of data and successfully accessed SCADA and water treatment systems, which they could hypothetically use to impact 15 million customers. However, Clop pledged that they would not be encrypting Thames’ data, but criticized the water provider for its poor security practices.

In response, Thames Water released a statement denying these claims and claiming their systems are fully operational. When Clop subsequently released evidence they had breached the water provider, the published material contained leaked documents, usernames, and passwords from South Staffordshire Water. As a result, it has been suggested that Clop either misidentified their target or fabricated evidence to target a larger company.

Either way, breaches like these raise concerns for the security practices of organizations in charge of critical infrastructure. It cannot be emphasized enough that critical infrastructure providers must continually re-evaluate their current security measures to account for evolving threats.

Chronicle of an Identity-Based Attack | Singularity™ Identity vs. Cisco Breach

While data breaches, ransomware, and supply chain attacks saturate news articles, the risk of identity-based threats is also on the rise. Threat actors are exploiting a common denominator across the current backdrop of remote workforces, IoT, and a global shift towards cloud services – the sheer number of digital identities needed per user, per technology, per organization. Each new identity is another attack vector exploitable by a threat actor and exposes a larger attack surface for many organizations.

In recent news, US networking giant Cisco confirmed that it was breached by a threat actor through a successful identity-based attack on an employee. This blog post explores the lessons learned from this incident, the need for identity threat detection and response (ITDR), and how SentinelOne’s Singularity™ Identity could have prevented the Cisco breach.

Breach Overview | What Happened at Cisco

In Cisco’s analysis detailing the May attack, a threat actor identified as an initial access broker to both UNC2447 and Lapsus$ cyber gangs and the Yanluowang ransomware group gained initial access to the network company’s VPN after successfully gaining control of an employee’s personal Google account.

Cisco stated that the threat group obtained legitimate employee credentials synced in the employee’s browser. Then, the threat actor executed a combination of sophisticated voice phishing attacks and MFA push notifications (also known as MFA fatigue) to achieve VPN in the context of the targeted employee. The threat actor escalated their administrative privileges, planted a variety of hacking tools such as Cobalt Strike and Mimikatz, and added backdoor accounts for future persistence efforts.

Cisco noted that while the threat actor exfiltrated the contents of a Box folder and the employee’s authentication data from Active Directory, no ransomware was deployed and there was no business nor customer impact in this particular event. Cisco’s article did however report that after the group was removed from the environment, they tried to establish email communications with company executives and attempted to regain access in weeks following the initial breach, though all subsequent attempts were unsuccessful.

Lessons Learned from the Cisco Breach

According to Cisco, they were unable to identify losses to any of their products, sensitive customer data, IP, nor supply chain operations. However, this successful identity-based attack is worth discussing from an educational perspective.

This particular type of attack is growing in number and businesses mobilizing their remote workforces on cloud services must be properly equipped to detect when attacks exploit, misuse, or exfiltrate digital identities. The COVID-19 pandemic especially highlighted many organization’s lack of knowledge when it comes to their attack surface. For example:

  • Businesses began or accelerated their migration from on-premises to cloud to support more remote workers than they had ever planned for. Cloud environments are particularly susceptible to identify-based threats such as phishing, credential stuffing, and password spraying.

  • Smart devices continue to become enmeshed in professional workflows and processes. In the early stage of the pandemic, some businesses loosened their bring-your-own-device policies in an attempt to get back to normal operation levels. Businesses that lack proper IoT security (internet of things) inherit the risk of adding more points of access for threat actors, weak password hygiene, unencrypted connections, and more.

It is clear that identity-based attacks are severe and require our attention as more human and non-human identities continue to increase. Identity Threat Detection and Response (ITDR) seeks to address this issue amongst the various threat vectors that make up the greater cybersecurity landscape. The Cisco breach discussed in this post shows the possible impact that a single failure in identity security could have, even on large-scale corporations with robust security measures.

What sets ITDR apart from other detection and response solutions (EPP, MDR, EDR, and NDR) is its ability to detect credential theft and privilege misuse on Active Directory and other vulnerable entitlements that may create avenues for attack. The primary benefits of ITDR solutions are gaining visibility to credential misuse, and exposing poorly managed access entitlements and privilege escalations from the endpoint through to Active Directory and, finally, the cloud environment.

Based on analysis shared by the networking company’s threat intelligence team, Cisco Talos, we break down the specific tactics used by the threat actor and how Singularity™ Identity could have thwarted both the initial access and the subsequent persistence mechanisms.

Step: Initial access to the Cisco VPN was achieved after successfully compromising a Cisco employee’s personal Google account.

Solution:

  • Singularity™ Identity hides credential storage from unauthorized application access to stop credential theft early in the attack cycle.

  • Singularity™ Identity prevents unauthorized access by binding credentials to critical applications across the network.

  • Singularity™ Identity deploys deceptive domain accounts on endpoints. Threat actors attempting to steal valid domain accounts from endpoints will get redirected to the decoys for engagement.

Step: The threat actor bypasssed multi-factor authentication (MFA) using a variety of techniques, including voice phishing (aka “vishing”) and MFA fatigue. They enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN.

Solution:

  • Singularity™ Identity detects bypassing attempts and privilege escalation and alerts on multiple failed attempts to perform a privileged operation by the same user.

Step: Once in the system, the threat actor began to enumerate the Active Directory (AD) environment, using common built-in Windows utilities to identify the user and group membership configuration of the system, hostname, and the user account context under which they were operating.

Solution:

  • Singularity™ Identity detects user account enumerations against Active Directory. In addition, it includes any targeted Active Directory objects a threat actor may query to understand the privileges and groups.

Step: The threat actor laterally moved into the Citrix environment, compromising a series of Citrix servers, and eventually obtained privileged access to domain controllers (DC). After obtaining access to the DCs, the threat actor dumped NTDS using the “ntdsutil.exe” command.

Solution:

  • Singularity™ Identity detects credential dumping tools. Once identified, it injects deceptive credentials across the enterprise at the actual endpoints. These credentials are strategically cached for threat actors to discover, leading them to decoys for engagement.

  • Singularity™ Identity scans and reports the credentials exposed on the endpoints. It can also remediate such exposure to address the risks of theft.

Step: The threat actor leveraged machine accounts for privileged authentication and lateral movement across the environment, created an administrative user called “z” on the system using the built-in Windows “net.exe” commands, and executed additional utilities such as ADfind or secretsdump. Additionally, the threat actor was observed attempting to extract registry information, including the SAM database on compromised windows endpoints.

Solution:

  • Singularity™ Identity prevents the discovery of AD objects using tools like ADfind and stops the dump of credentials from different credential stores.

  • Singularity™ Ranger AD detects suspicious Service Creation on DCs and reports abusing system services or daemons to execute commands or programs.

Step: On some victim’s endpoints, the threat actor used MiniDump from Mimikatz to dump LSASS. They also leveraged the “wevtutil.exe” utility to identify and clear event logs generated on the system.

Solution:

  • Singularity™ Ranger AD Assessor detects the modification of authentication mechanisms on a domain controller, thwarting threat actors that attempt to patch the authentication process to bypass the authentication mechanisms.

Steps: The threat actor leveraged Remote Desktop Protocol (RDP) and Citrix by modifying the host-based firewall configurations to enable RDP access to systems. They installed additional remote access tools, including TeamViewer, LogMeIn, Cobalt Strike, PowerSploit, Mimikatz, and Impacket. They also added custom backdoor accounts and persistence mechanisms.

Solution:

  • Singularity™ Hologram deploys decoys host production applications (e.g., SSH Servers, VNC, RDP servers).

  • Singularity™ Identity distributes deceptive keys and credentials to these decoy servers to lure attackers away from production systems, including RDP and other remote access tools.

Step: The threat actor dropped a series of payloads that take commands from a command and control (C2) server and executes them on the end system via the Windows Command Processor.

Solution:

  • Singularity™ XDR agents detect dropping payloads using behavioral and static AI engines. Once detected, the connection is terminated, blocking the ability of an attacker to gain access to the remote system. SentinelOne autonomous agents would then remediate the entire chain of activities leading to remote execution attempts.

Step: The threat actor attempted to exfiltrate information from the environment. The data exfiltration during the attack included the contents of a Box folder on the compromised employee’s device and employee authentication data from Active Directory.

Solution:

  • Singularity™ Identity DataCloak prevents unauthorized applications from reading and exfiltrating protected data and storage locations from endpoints.

Learn More About Singularity™ Identity

The attack on Cisco discussed in this post shows that identity-based attacks are a leading threat vector used in data breaches. From the perspective of a threat actor, targeting identity and access management gaps through compromised credentials is the quickest path to reaching a target’s resources and critical data. Attackers are very aware that Active Directory is the crown jewel of a business, granting them the ability to exfiltrate sensitive information, install backdoors, alter security policies, and more.

With the rapid shift to remote working environments and the adoption of hybrid and cloud environments, identity has become the new perimeter, highlighting the importance of visibility. Businesses must be able to detect and respond effectively and protect all of their various digital identities through a comprehensive identity security solution. SentinelOne identifies Identity Threat Detection and Response (ITDR) as the missing link between holistic XDR and zero trust strategies in the mission to protect organizations from threats at every stage of the attack journey.

Leveraging our deep industry knowledge and experience with fighting back privileged escalation and lateral movement, SentinelOne delivers comprehensive identity security as part of Singularity™ XDR for autonomous protection including:

  • Singularity™ Identity: End credential misuse through real-time infrastructure defense for Active Directory and deception-based endpoint protections. Singularity™ Identity defends Active Directory & Azure AD domain controllers and domain-joined assets from adversaries aiming to gain privilege and move covertly.

  • Singularity™ Ranger® Active Directory Assessor: Uncover vulnerabilities in Active Directory and Azure AD with a cloud-delivered, continuous identity assessment solution. Ranger® AD Assessor delivers prescriptive, actionable insight to reduce Active Directory and Azure AD attack surfaces, bringing them in line with security best practices.

  • Singularity™ Hologram: Lure network and insider threat actors into engaging and revealing themselves with network-based threat deception. Singularity™ Hologram decoys stand at the ready, waiting to be engaged by adversaries and insiders. The resulting telemetry supports investigations and contributes to adversary intelligence.

SentinelOne extends Singularity™ XDR capabilities to identity-based threats across endpoint, cloud workloads, IoT devices, mobile, and data wherever it resides, setting the standard for XDR and accelerating enterprise zero trust adoption. To learn more about SentinelOne’s identity and deception solutions, please request a demo.

PayPal Phishing Scam Uses Invoices Sent Via PayPal

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”

A copy of the phishing message included in the PayPal.com invoice.

While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.

Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.

Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:

“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”

Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:

The phony PayPal invoice, which was sent and hosted by PayPal.com.

The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport[.]com to download a remote administration tool. It was clear then where the rest of this call was going.

I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phishing@paypal.com) and media relations teams.

PayPal said in a written statement that phishing attempts are common and can take many forms.

“We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers,” PayPal said. “We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”

It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.

Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.

More Evil Markets | How It’s Never Been Easier To Buy Initial Access To Compromised Networks

From ransomware operators like LockBit and BlackBasta to APTs striking for or against Russian or Chinese interests, threat actors of various stripes all need one thing to get their operations off the ground: initial access to an organization’s network.

Such access can be bought on a variety of trading forums from cyber criminals who specialize in running low-risk phishing campaigns and credential theft operations, or in scanning enterprise networks for known remote code execution (RCE) software vulnerabilities.

Because of the ease with which initial access can now be obtained thanks to poor patch management and lax controls over identity and user credentials, there exists a market where supply is outstripping demand, and vendors involved in selling initial access are lowering their prices in a race to the bottom, making it easier than ever before for threat actors to compromise organizations of all sizes and kinds.

In this post, we reveal what these marketplaces look like from the inside, exposing the ways these traders advertise and sell unauthorized access to organizations.

What Are Initial Access Brokers?

‘Initial Access Brokers’ or IABs typically do not exploit enterprise networks directly but rather sell the access they have harvested to those that do. As a result, various darknet marketplaces, community forums, Telegram channels and surface net communities are teeming with such brokers, competing in a ferocious bazaar to attract and retain new and existing customers.

We have previously explored how such actors focus on the market for buying and selling access to MSP environments. As attacks like Kaseya, Solarwinds, and Wipro have proven, MSPs are a much-sought after target for both financially-motivated cyber criminals and APTs intent on espionage. Since then, we have seen the range of compromised networks expand to cover almost any kind of business or organization, regardless of size.

Companies At Risk From Compromise By Initial Access Brokers

The range of compromised networks we have seen and give examples of below is a worrying indictment of the state of cyber security today. Across these markets, we’ve seen access being sold to government and police computer systems, high courts, banks and critical infrastructure at one end of the scale to online cinemas, casinos, delivery companies, logistics, ISP providers, and local retailers at the other.

In some cases, IABs have surveyed the environments of the victims they are selling access to and even provide the buyer with information on the AV or EDR security solution being used.

initail access vendor

The example above shows a vendor advertising access to a service provider with a customer base of 1.3 million subscribers in the Republic of Mauritius. In an effort to encourage early exploitation, some sales of this nature take on a time-based component in that the seller will raise the price over prescribed intervals, in this case in increments of $500.

In a different example, a threat actor offers access to a UK IT infrastructure solutions and services provider with 15,000 employees at a starting price of $4000.

IAB threat actors possess few scruples when it comes to the nature of their targets, even selling unauthorized access to organizations such as hospitals and children’s hospices.

In other cases, vendors are quite happy to sell access to critical infrastructure, such as in this advertisement offering administrative panel-level access to “dam and aqueduct panels”.

Initial Access via Known Vulnerabilities at Rock Bottom Prices

A common form of advertisement in these markets involves a list of many different organizations offered by the vendor that have been collated by scanning for targets that have not patched against various known remote code execution vulnerabilities.

Some of the vulnerabilities most routinely exploited to gain access to organizations and enterprises are:

  • CVE-2022-26134 – Confluence
  • CVE-2021-26855 (aka ProxyLogon)
  • CVE-2021-31207, CVE-2021-34523, CVE-2021-34473 – Microsoft Exchange
  • CVE-2021-20038 – SonicWall SMA RCE

In other cases, vendors list a range of organizations with individual prices. The means of initial access is not clear, but given the vast range of different organizations, mass phishing campaigns and credential theft are also likely vectors.

On the one hand, the vendor above is selling access to relatively low-interest compromises at rock-bottom prices, like

  • Algeria hosting company; [AV:] Sophos; access type:admin level. Price: $100

On the other, there is potentially devastating data being offered in access for sale to orgnaizations such as

  • Royal Thai Police; online access to the database of detainees, fines, seizures and reports. Price $1000
  • Thailand Police Personnel Department; web access to staff data total 642721. Price $1000

For a mere $250, the same actor offers interested APTs or enterprising cyber criminals access to the Bangladesh Ministry of Emergency Situations management system, which lists “employees, departments, all personal data of employees [and] of their families”.

Others offer discounts for bulk buys, selling access to RDP, cPanels, SSH, and Webmail among other things for as little as $10 per item.

High Value Targets Come at Premium Prices

While there is a bustling market for low-priced access, it remains true in the IAB marketplace as any other that you get what you pay for. The takeaway difference between ‘bottom of the barrel’ bulk sales and the more expensive access is precision.

Bulk sellers offer large quantities of accounts with far less control over what environments the accounts belong to or how effectively they can be monetized. Some buyers want to know exactly what they are getting and are willing to pay a premium for it.

In the next example, the seller is offering access to a high-value target where much of the preliminary work needed for successful exploitation has been done. Accordingly, the vendor is asking for a premium price.

For the right criminal buyer, this provides most of the key information needed. On offer is “Full” network access to a large “central” bank. The vendor claims to have Domain Admin (DA) access with reach to over 10,000 hosts. The seller even makes note of the EDR in use (Symantec, in this case). The price tag, at the time of writing, was a hefty $500,000.

Evil Markets | There’s Something For Everyone

IAB markets are not new, and some vendors and marketplaces have been around long enough to have a surprisingly polished presence.

This vendor aims to make life as easy as possible for potential buyers. Along with each entry, the seller provides access type, user level/context, revenue numbers, and links to Zoominfo. If known, the installed AV/EDR is listed along with helpful hints or potential ways to bypass it, such as “AV Cylance, but rights allow you to turn it off”.

As in any area of commerce, more sophisticated vendors understand the importance of presentation and some marketplaces like Odin offer slick interfaces to facilitate trade.

From simple forum listings to polished web applications offering filtering and sorting options, there’s an evil market trader out there to suit every type of buyer looking for access to compromised organizations.

Does Access For Sale Translate Into Real-World Breaches?

It is not difficult to correlate the items we see for sale in IAB marketplaces and the compromises listed on ransomware operators’ leak sites.

For example, the following victim, a Brazilian company in São Paulo, was listed on an IAB marketplace in March 2022.

Searching the LockBit 3.0 ransomware group’s index in August shows the company’s data has been exfiltrated for ransom, sale or public leaking.

The stolen data amounts to around 68 gigabytes in two zip archives, along with file tree indexes for each.

Conclusion

The trade in access to compromised networks has been around for some time and is not going away anytime soon, and the nature and existence of these markets hold several important takeaways for organizations and security teams.

First, neither location nor size offer protection from cyber criminals. The geographical range of compromised organizations spans pretty much the entire world, and every type and size of business and organization is represented.

Second, protection against initial compromise isn’t optional or ‘nice-to-have’. Organizations that find themselves being traded on these markets are at high risk of finding themselves appearing on ransomware leak sites or suffering breaches with potentially serious financial and reputational harm.

Third, the bar to entry has never been lower. Criminals are happy to sell this access at prices that are little more than pocket change to most threat actors. These low prices mean new players can experiment at low cost, fuelling the cybercrime economy and expanding the number of attackers out there. For security teams, understanding where the barrier of entry is for such threat actors in the organization’s network can go a long way towards structuring effective defenses.

For organizations, it is imperative to ensure that access to networks is protected by a trusted identity solution that can prevent credential misuse, identify vulnerabilities, and trap both remote and insider threat actors through deception technologies. To learn more about how to protect your organization, please visit Singularity™ Identity.

Get a Demo of SentinelOne’s Identity Suite
Bringing Identity to XDR. Ready to experience the market’s leading identity security suite?