The only predictable thing about the cyber threat landscape is that you can always expect it to shift and move even faster than before. Just in the year passed, businesses across the world witnessed a surge in cyber attacks, advanced in both severity and variety. Let’s take a look at some threat-related statistics from the last 12 months:

• More than 3 in every 5 companies are targeted by software supply chain attacks
• In 93% of cases, threat actors can breach company network perimeters to access sensitive resources
• Business Email Compromise (BEC) attacks have cost companies over $43 billion since 2016
• In the first half of 2022, worldwide ransomware attacks totaled over $236 million

Reflecting on the current state of the threat landscape, it is clear that advanced persistent threats (APTs) and financially-motivated cyber criminals are seeing success. A key element to these modern threats is lateral movement or lateral spread – the movement of a threat actor within a compromised network. With this technique, actors are able to secure their foothold and start to move laterally through the remainder of a network to locate, steal, and encrypt sensitive assets and data for ransom.

Examining the Cyber Attack Lifecycle

Threat actors journey through a compromised environment using a defined process called the attack lifecycle, or kill chain. The cyber attack lifecycle is typically defined by the following phases:

1. Reconnaissance/Planning – To kickstart the process, threat actors select their targets and perform as much research as they can including data about the target’s network infrastructure, users, and systems. By gathering this information, actors can better exploit their target and leverage any found vulnerabilities.
2. Credential Dumping – After performing reconnaissance on their target, threat actors will focus on gaining initial entry into the environment. This is when actors will obtain legitimate credentials through fraudulent means and compromise as many hosts as possible.
3. Enumeration – In this phase, threat actors have gained access and need to quickly figure out where they are in the environment, what access they have, and where they can start moving. This is when they will extract machine names, network resources, and more by performing directed queries.
4. Lateral Movement Access – This is the most crucial part of the attack lifecycle from the threat actor’s standpoint. Once actors have what they need, they will begin to expand their foothold throughout the network using malicious tools to continuously upgrade their permissions, access critical data and systems, and distribute any malware and toolsets.
5. Mission Completion – Post-deployment of any malware or toolsets, modern threat actors are increasingly exfiltrating sensitive data before encrypting them for better leverage over their victim.

The Challenge of Shorter Dwell Times

In a cyber attack campaign, “dwell time” refers to the length of time between an initial breach to the detection of a threat actor. Research shows that threat actors are becoming more efficient, making the overall average timeframe for an attack much shorter than in years before. Gone are the days of dwell time being weeks and months – the main challenge for businesses now is to detect the presence of cyber threats as fast as possible. Many threat campaigns, particularly ransomware campaigns, only last a few hours and actors are often already within a victim’s network, just waiting to deploy.

Unfortunately, security solutions such as traditional SIEMs (security information and event management platforms), next-generation anti-viruses, and anti-malware just aren’t efficient enough when it comes to detecting modern threat actors quickly. Up against shorter dwell times and advanced hacker tradecraft, fast and accurate detection matters most in a strong cybersecurity strategy.

Preventing Lateral Movement Through Autonomous Detection

So, how fast does detection need to happen before it’s too late? Referring back to the cyber attack timeline, the reconnaissance and credential dumping phases become the most critical period as threat actors have not yet moved deep into the compromised network through lateral movement. This is also before they have managed to blend in with normal network traffic or started to “live off the land”, which entails the use native tools and processes to expand their foothold.

It’s often the case that with enough time and resources, threat actors can successfully meet their goals. The main goal then is to prevent the threat actors before they can reach the lateral movement phase and do critical damage. With threat actors becoming increasingly sophisticated, the time between initial intrusion and lateral movement continues to get shorter, making that quick detection time even more important.

When attacks happen, the speed with which an organization is able to detect and respond determines if the threat actors can reach mission completion. This is why organizations rely on SentinelOne’s global Managed Detection and Response (MDR) service, Vigilance Respond. Utilizing SentinelOne’s patented autonomous detection EDR, Vigilance Respond defends networks against cyber attacks instantly and with a higher accuracy than any human team can provide. Vigilance monitors customer environments 24/7/365, hunting for advanced threats and providing faster mean time to response (MTTR) rates.

How Vigilance Respond Disrupts the Cyber Attack Kill Chain

Businesses globally trust Vigilance to provide machine-speed detection technology run by dedicated analysts. Working around-the-clock, Vigilance allows organizations to adapt instantly, and at scale, in today’s ever-shifting threat landscape, closing the gap between intrusion and lateral movement and neutralizing the threat actor before they can begin to spread deep into a target’s systems. Vigilance Respond offers these services to ensure businesses are safeguarded:

• Active threat campaign hunting for APTs
• Alerting and remediation guidance for emerging threats
• Incident-based triage and hunting
• 24/7/365 monitoring, triage, and response
• Security Assessment (Vigilance Respond Pro)
• Digital Forensics Investigation & Malware Analysis (Vigilance Respond Pro)

Conclusion

Today’s threat actors may be moving faster than ever, but that doesn’t mean businesses can’t get ahead of them. Machine-speed detection technology run by dedicated analysts ensures organizations are safeguarded before actors can start moving laterally within their environments to exfiltrate and encrypt sensitive data.

If you would like to learn more about how SentinelOne’s Vigilance Respond can help safeguard your business, contact us or request a demo.

BlueSky ransomware is an emerging threat that researchers have been paying increasing attention to since its initial discovery in late June 2022. The ransomware has been observed being spread via trojanized downloads from questionable websites as well as in phishing emails.

Although infections at this time remain low, the ransomware’s characteristics, described below, suggest it has been carefully developed for a sustained campaign. In this post, we cover the latest intelligence on BlueSky ransomware to help security teams defend against this developing threat.

Emergence of BlueSky Ransomware

BlueSky was first noted on VirusTotal by researcher @Kangxiaopao in late June 2022. Subsequently, analysts from CloudSek and Unit42 have documented some of BlueSky’s behavior.

At present, BlueSky has not stood up a public data leak site and BTC wallets associated with known samples have not registered any transactions, indicating that the threat actor’s distribution campaign is still in its infancy.

Initial delivery vectors seen to date include trojanized downloads from websites hosting “cracks” and “keygens” as well as malicious attachments delivered via email. Some observed mechanisms include delivery via third-party frameworks such as Cobalt Strike and BRc4.

Upon infection, BlueSky uses fast encryption techniques to rapidly process files on the target and connected hosts. The ransomware has the ability to move laterally via SMB and has been observed doing so in Active Directory environments. Encrypted files will be marked with the .bluesky extension. Victims are instructed to contact the attackers via a TOR-based portal to obtain a decrypter.

A multi-stage attack leading to a BlueSky infection was documented by Germán Fernández in early July.

Interesting, cracks/activators site distributes Powershell that installs #RemcosRAT (C2: 80.66.75.88:2807).

Depending on environment and privileges it also executes:
– JuicyPotato ↓
– CVE-2022-21882 ↓
– CVE-2020-0796 aka #SMBGhost ↓
– #BlueSky Ransomware

1/X pic.twitter.com/9DKzWi3dD3

— Germán Fernández (@1ZRR4H) July 2, 2022

Fernández tweeted details around an infection chain that, depending on the client, resembles JuicyPotato, exploiting an elevation of privilege flaw (CVE-2022-21882) in Microsoft Windows and a remote code execution vulnerability (CVE-2020-0796) in Microsoft Server Message Block (SMB), before dropping the BlueSky ransomware.

The use of trojanized downloads was documented by CloudSEK. Trojanized downloads of BlueSky ransomware were briefly made available via a website known to host questionable executables such as application “cracks” and “keygens”, license generators for software products such as Windows 10.

One such site was observed being hosted at kmsauto[.]us. The following list of malicious URLs were recorded as hosting BlueSky ransomware payloads. Note the redundant use of both HTTP and HTTPS.

http[:]//kmsauto[.]us/alguien/l.exe
http[:]//kmsauto[.]us/alguien/potato.exe
http[:]//kmsauto[.]us/alguien/spooler.exe
http[:]//kmsauto[.]us/off/off.bin
http[:]//kmsauto[.]us/someone/ghost.exe
http[:]//kmsauto[.]us/someone/I.exe
http[:]//kmsauto[.]us/someone/potato.exe
http[:]//kmsauto[.]us/sti/sti.bin
https[:]//kmsauto[.]us/alguien/l.exe
https[:]//kmsauto[.]us/alguien/spooler.exe
https[:]//kmsauto[.]us/ekonomika/
https[:]//kmsauto[.]us/someone/l.exe
https[:]//kmsauto[.]us/someone/potato.exe
https[:]//kmsauto[.]us/someone/start.ps1
https[:]//kmsauto[.]us/v-mire/

BlueSky Ransomware Technical Details

The first stage of a BlueSky ransomware infection involves a compressed, base64-encoded PowerShell script, start.ps1. On execution, the script produces a further PowerShell script, stage.ps1. If stage.ps1 is run without administrator privileges, it first seeks to elevate privileges through CVE-2021-1732 or CVE-2022-21882.

Once sufficient privileges are acquired, the script downloads the ransomware payload, l.exe, and writes it to disk at the following file path:

%APPDATA%MicrosoftWindowsStart MenuProgramsStartupjavaw.exe.

The payload contains anti-analysis logic including leveraging NtSetInformationThread to hide threads launched by the malware executable.

Setting ThreadInformationClass to the value of 0x11 prevents certain events from being viewed or hooked by debuggers, or from being detected by certain EDR hooking mechanisms. As noted by Unit32, BlueSky uses a multithreaded queue for faster encryption.

The ransomware makes use of the NtQueryInformationProcess API for process discovery before calling TerminateProcess.

Local drives are discovered and stored via GetLogicalDriveStringsW, with the ransomware traversing each drive serially.

BlueSky’s ability to spread laterally across accessible networks is enabled by way of SMB (Server Message Block) and the NetShareEnum (+WNetOpenEnumW) API.

In some cases, 1000ms Sleep intervals are inserted between each remote connection attempt.

Previous researchers have noted that file targeting is inverted compared to typical ransomware behavior: rather than targeting specific file extensions, BlueSky instead lists file types to be excluded from encryption. The following extensions are reportedly excluded:

ldf, scr, icl, 386, cmd, ani, adv, theme, msi, rtp, diagcfg, msstyles, bin, hlp, shs, drv, wpx, bat, rom, msc, lnk, cab, spl, ps1, msu, ics, key, msp, com, sys, diagpkg, nls, diagcab, ico, lock, ocx, mpa, cur, cpl, mod, hta, exe, ini, icns, prf, dll, bluesky, nomedia, idx

Post-Infection and Ransom Demands

The ransom note “# DECRYPT FILES BLUESKY #.html ” is written into each folder containing encrypted items. With the exception of the victim’s ‘recover ID’, all ransom notes regardless of the target are identical. In addition, the malware drops notes in both text and HTML format.

After infection, victims are instructed to visit the BlueSky ‘DECRYPTOR’ portal and enter the unique recovery ID embedded in the ransom note. The portal displays the time limit and the increasing dollar amounts required to regain access to encrypted data.

In the pool of samples we analyzed, victims were given seven days to pay the ransom demand, after which the ransom amount doubled.

Detecting and Protecting Against BlueSky Ransomware

As demonstrated in the following video, SentinelOne Singularity fully protects against BlueSky ransomware, preventing lateral movement across Active Directory and connected devices.

Conclusion

BlueSky ransomware has the ability to rapidly encrypt the local host and move laterally by exploiting known vulnerabilities. BlueSky campaigns appear to be in their infancy, but the architecture of both droppers and payloads indicates that the actors have invested significant effort and will be looking to reap the returns. Now is the time for security teams to get ahead by bolstering their protection and detection posture.

Indicators of Compromise

SHA256
3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb
840af927adbfdeb7070e1cf73ed195cf48c8d5f35b6de12f58b73898d7056d3d
e75717be1633b5e3602827dc3b5788ff691dd325b0eddd2d0d9ddcee29de364f
2280898cb29faf1785e782596d8029cb471537ec38352e5c17cc263f1f52b8ef
d6386b2747335f7b0d13b1f69d995944ad8e9b71e09b036dbc0b907e583d857a
c75748dc544629a8a5d08c0d8ba7fda3508a3efdaed905ad800ffddbc8d3b8df
c3d5248230230e33565c04019801892174a6e5d8f688d61002e369b0b9e441ff
b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec
dcdba086e6d0cd3067d3998bb624be16c805b2cde76a451c0ceaf30d66ba7349 (decryptor)

SHA1
d8369cb0d8ccec95b2a49ba34aa7749b60998661
a306aa69d4ac0087c6dad1851c7f500710c829e3
720714032a7a8ee72f034ddbb0578b910e6c9885
1bab1913533d5748e9cda388f55c446be6b770ff
71e3cc4a53a9cf4cb5e5c3998afe891cd78c09aa
429237548351288fac00e0909616b1518d5487b9
9fc631bdd0d05d750e343c802e132b56e5121243
59e756e0da6a82a0f9046a3538d507c75eb95252
a9233cb65ab53a08a4cce24a134c5b9296672a32 (decryptor)

Connections
ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid[.]onion
kmsauto[.]us

MITRE ATT&CK
T1552.001 – Unsecured Credentials: Credentials In Files
T1049 – System Network Connections Discovery
T1422 – System Network Configuration Discovery
T1083 – File and Directory Discovery
T1012 – Query Registry
T1082 – System Information Discovery
T1119 – Automated Collection
T1005 – Data from Local System
T1486 – Data Encrypted for Impact
T1135 – Network Share Discovery
T1021.002 – Remote Services: SMB/Windows Admin Shares
T0809 – Data Destruction

Threat actors behind the XCSSET malware have been relatively quiet since last year. However, new activity beginning around April 2022 and increasing through May to August shows that actors have not only adapted to changes in macOS Monterey, but are preparing for the demise of Python, an integral and essential part of their current toolkit.

In this post, we review changes made to the latest versions of XCSSET and reveal some of the context in which these threat actors operate.

XCSSET Changes in 2022

Since XCSSSET first appeared, the authors have made consistent use of two primary tools to obfuscate both droppers and dropped files: SHC and run-only compiled AppleScripts, respectively.

SHC-compiled shell scripts are opaque to traditional static scanning tools and contain only a few human-readable strings.

As all SHC-compiled binaries, legitimate or malicious, contain these same strings, signature scanners cannot distinguish between them.

Dynamic execution of this recent SHC-compiled XCSSET dropper, currently with 0 detections on VirusTotal despite having been known for 2 months, also reveals that the malware authors have changed from hiding the primary executable in a fake Xcode.app in the initial versions in 2020 to a fake Mail.app in 2021 and now to a fake Notes.app in 2022. These fake apps are invariably dropped in a parent folder created in random locations in the user’s Library folder. When executed, this particular sample writes the fake Notes.app to:

~/Library/Application Scripts/com.apple.CalendarAgent

The updated run-only AppleScripts that XCSSET drops as second-stage payloads use a collection of newly-registered domains:

set domains to {
  "superdocs.ru",
  "melindas.ru",
  "kinksdoc.ru",
  "adobefile.ru",
  "gurumades.ru",
  "appledocs.ru",
  "45.82.153.92",
  "gismolow.com",
  "Cosmodron.com"
}

Changes in the replicator.applescript file, which infects users’ Xcode projects with the XCSSET malware, show that both curl’s –max-time value and the script’s phaseName variable have now been randomized, presumably to hamper static detection or hunting rules.

The –max-time option is now set to a random value between 5 and 9, while phaseName is chosen from the following list:

"Copy Bundle Frameworks",
"Compile Binary Libraries",
"Compile Swift Frameworks",
"Binary Frameworks Compiler"

In the previous version of XCSSET, the malware created and dropped files for its own caches and control functions in a folder at ~/Library/Caches/GeoServices/. This has been modified slightly to “GitServices”.

Persistence plists are currently chosen from the following list:

com.apple.airplay.plist
com.apple.spx.plist
com.google.keystore.plist
com.google.chrome.plist

and target a file at one of:

~/Library/Caches/GitServices/CloudServiceWorker
~/Library/Caches/GitServices/AppleWebKit

As previously, XCSSET continues to attempt to evade detection by masquerading as either system software or the almost ubiquitous Google and Chrome browser software.

XCSSET’s Updated Fake Notes.app

As noted, XCSSET makes use of a fake Notes.app to hide the primary executable, a.scpt, itself launched by the run-only compiled AppleScript main.scpt when “Notes” is executed via the dropped LaunchAgent.

The SHC-compiled dropper script defines several random paths to use as parent directories for the fake Notes.app.

osacompile -x -e try do shell script "osascript '/Users/user1/Library/Application Support/com.apple.spotlight/Notes.app/Contents/Resources/Scripts/a.scpt'" end try -o

The a.scpt remains, in essence, the same as earlier versions except that the encoding handler has changed from one previously shared with OSAMiner.

on xe(_str)
  set x to id of _str
  repeat with c in x
    set contents of c to c - (102 - 2)
   end repeat
  return string id x
end xe

on xex(_str)
  set x to id of _str
  repeat with c in x
    set contents of c to c - (102 - 1)
  end repeat
  return string id x
end xex

Malicious Run-Only AppleScripts

Aside from a.scpt, XCSSET makes use of multiple run-only AppleScripts. Although these scripts are written to disk as compiled and run-only, we were able to capture the scripts in plain text on the wire. In the updated version of XCSSET, these continue to target Telegram and other chat apps heavily in use by Chinese users such as WeChat and Tencent’s 360, along with an expanded list of browsers, including Opera, Brave, Edge and other Chromium-based browsers.

Many of the scripts shown above share the same structure and list of handlers but make minor changes to handle the specifics of each target application.

check_loop()
log(message)
runme()
upload(filePath, fileName)
urlencode(theText)

The contacts.applescript has the role of targeting various chat apps from which to steal and exfiltrate data.

Among other tasks, the payloader.applescript checks for AppleBackLightDisplay, presumably to distinguish between laptops and desktops. This info is part of what is exfiltrated, showing that the threat actors are keen to gather very precise hardware profiling information.

Similarly, the threat actors are interested in exactly how up-to-date the victim is with Apple’s XProtect and MRT malware removal tool, presumably all the better to target them with more effective payloads. The listing.applescript script is used for this purpose.

Also of interest is the use of the public service transfer.sh for exfiltrating data files that are too large for the attacker’s server.

XCSSET Changes for Monterey and Python

One of the more interesting things we noted in recent samples of XCSSET is the developer’s awareness of OS versions and the clear intent that the authors are here for the long run.

Right from its initial version, XCSSET made use of python scripts for certain functions, in particular for dropping fake application icons on the Dock. It achieved this by abusing a public Github repo called DockUtil. In the latest version, we also note that XCSSET uses python to parse and steal data from the user’s (legitimate) Notes.app. For this functionality, they use a modified version of a plugin from a legitimate python-based tool called mac_apt used by macOS forensics experts.

XCSSET’s authors have updated their AppleScripts to account for Apple’s recent removal of python 2. The following image shows how the malware authors updated their safari_remote.applescript for python3 and Monterey 12.3 and above.

Similarly, the comment in edge_remote.applescript shows that the authors are keenly aware that DockUtil and other utilities will need to be replaced in their toolkit in the near future.

XCSSET Threat Actors and Targets

While very little is publicly known about the actors behind XCSSET, their motivations or their exact targets, the actors have engaged with journalists and security researchers at times. The original version of XCCSET, which appeared in August 2020, contained the full names of two individuals. Subsequently, a Twitter account with the name ‘Hans’ briefly became active and sent private messages to a journalist, claiming that he was the real author and not the two individuals whose names appeared in the malware code. The same individual claimed that the targets were “developers from China” and “big gambling business”.

‘Hans’ subsequently disappeared from view, but about a year later another Twitter account in the name of ‘Vlad F’ began reaching out to researchers, complaining that they had been falsely accused of being the actors behind the malware.

While Apple refused to comment on these claims at the time, Vlad F’s Twitter account ceased to respond. Earlier this year, however, Chinese users reported XCSSET infections and attempts to unlock stolen “accounts” from victims in return for “200 USDT” (a so-called “stable” bitcoin belonging to Tether).

Prior to that, researchers had noticed that XCSSET infections were being embedded in a number of Github repositories.

It seems a new trojan is going around and affecting @Apple #iOS builds. I don’t know the original method of infection, but I’m starting to see some public repos on GitHub being affectedhttps://t.co/EmutE0jCbD

— Pier Fumagalli (@ianosh) June 4, 2021

At this point in time, it’s unclear whether these infected repos are victims or plants by threat actors hoping to infect unwary users. It has been suggested that unsuspecting users may be pointed to the infected repositories through tutorials and screencasts for novice developers. Our research into XCSSET and its infection vectors continues.

Staying Protected Against XCSSET Malware on macOS

XCSSET has many moving parts, and samples change rapidly. While some static signatures such as those used in Apple’s XProtect service will detect known samples, full protection against evolving threats like these is only really possible with a multi-engine agent including behavioral AI.

SentinelOne Singularity fully protects SentinelOne customers against XCSSET malware.

With the agent policy set to ‘Protect’, the malware is prevented from executing or dropping any of its components. For this demonstration, we set the policy to ‘Detect-only’ in order to observe further stage payloads.

Indicators of Compromise

Scripts
25f8d7ac99e00c9d69679f2d9aca5954d2609a03 ./brave_remote.applescript
0e1b2f01441e6e6fc8a48a7871e649d3647828cd ./canary_remote.applescript
4c368635ecfee61a89203f3f0e84bfdd7d85073d ./chrome_remote.applescript
2a2330b13886ffe0e4fe54f7254008490814b5fa ./chromium_remote.applescript
fd82b821fa2c23f2b88f64179e3a7a8905c1e40b ./contacts.applescript
bde20788e2656454052aae9baf2f4d2b7c256c9d ./edge_remote.applescript
3f35fd8306d4a05fadd9095acacd8d5f297a112e ./firefox_remote.applescript
3de232d0a42959b20703ebb9d9376b3ef3d3015d ./firewall_off.applescript
3257a1f540455444a56975e7fd9cdb6f8148b828 ./listing.applescript
2dbf06445a294b4f786501ef16ea4aabd8e1ad72 ./notes.applescript
6c0b4e3e3bac36f3228e69ab1e53884f76f6828b ./notes.py
6cf1ec6af6c6102c9d4929b1a83e0a463e737255 ./notes_app.applescript
73918b840384e485d009632fdf1a396758d7c515 ./opera_remote.applescript
e2de10a6b517e298cb2e7da150224dfe7e5717a7 ./payloader.applescript
5e673f4c494c424ae450f2ea5c0b066f912edccb ./pods_infect.applescript
73d9a443933fb0c40dde3065ec77adad35a5c49a ./remove_old.applescript
5b66e4b1556ad03b4bf072d061de0606eabe8603 ./replicator.applescript
672837de18d0e34f8b2a77bc2646b245671c83dc ./safari_remote.applescript
b66dbd55ce42a61cfedd06f31725b7f56d10d548 ./safari_update.applescript
fb29c9daa6fdeaa945446fe7cde185d51296dc7d ./telegram.applescript
760676a2e05d25959dee1f9ffaf3042e5f2e0f31 ./telegram_lite.applescript
4ffb268475e3816b22aadfb147bd7cd2f211e3d5 ./uploader.applescript
c2a90c68ad9d93139ebce981a409beae5d7de8bf ./yandex_remote.applescript
d70f4974bd531af674c5c2da3bc3c7d1a0ac9b54 ./360_remote.applescript
a57b73190525a729d821b6aed6849084fc1beddd ./a.applescript

Binaries
127b66afa20a1c42e653ee4f4b64cf1ee3ed637d ./exec.2430808
f4099a0884d3f1bf5602c8c6ba5265b76d7f4953 ./Pods
dde87aefcaf788f770e5e1229db4fe73873e1c36 ./agentd
bd13d22095d377938c50088e59fa3079143cb0f2 ./braved
a1449c5fbf8cf126502bd68a8e8d657b3dcfd87a ./canaryd
cbf08fae71fcd46cc852fad7502685466c40e168 ./edged
2a62d6bcac7b0c5e75f561458e934ec45c77699c ./firefoxd
263b243df32be6d9d9878c459d2fc6491342d547 ./metald
f3a747bf10763d7d8c1cd9ccedd1e25ee195fce3 ./open
2a6d37160f21ec13aa6c692a3ca3374db3d35e96 ./operad
1396fdbff38b787d14b1135dcdfc367658669637 ./speedd
e4b6c56faa97493dc0f0f7c4fc2196096ef66513 ./yandexd

Communications
adobefile[.]ru
appledocs[.]ru
Cosmodron[.]com
gismolow[.]com
gurumades[.]ru
kinksdoc[.]ru
melindas[.]ru
superdocs[.]ru
45[.]82[.]153[.]92

While data breaches, ransomware, and supply chain attacks saturate news articles, the risk of identity-based threats is also on the rise. Threat actors are exploiting a common denominator across the current backdrop of remote workforces, IoT, and a global shift towards cloud services – the sheer number of digital identities needed per user, per technology, per organization. Each new identity is another attack vector exploitable by a threat actor and exposes a larger attack surface for many organizations.

In recent news, US networking giant Cisco confirmed that it was breached by a threat actor through a successful identity-based attack on an employee. This blog post explores the lessons learned from this incident, the need for identity threat detection and response (ITDR), and how SentinelOne’s Singularity Identity could have prevented the Cisco breach.

Breach Overview | What Happened at Cisco

In Cisco’s analysis detailing the May attack, a threat actor identified as an initial access broker to both UNC2447 and Lapsus$ cyber gangs and the Yanluowang ransomware group gained initial access to the network company’s VPN after successfully gaining control of an employee’s personal Google account.

Cisco stated that the threat group obtained legitimate employee credentials synced in the employee’s browser. Then, the threat actor executed a combination of sophisticated voice phishing attacks and MFA push notifications (also known as MFA fatigue) to achieve VPN in the context of the targeted employee. The threat actor escalated their administrative privileges, planted a variety of hacking tools such as Cobalt Strike and Mimikatz, and added backdoor accounts for future persistence efforts.

Cisco noted that while the threat actor exfiltrated the contents of a Box folder and the employee’s authentication data from Active Directory, no ransomware was deployed and there was no business nor customer impact in this particular event. Cisco’s article did however report that after the group was removed from the environment, they tried to establish email communications with company executives and attempted to regain access in weeks following the initial breach, though all subsequent attempts were unsuccessful.

Lessons Learned from the Cisco Breach

According to Cisco, they were unable to identify losses to any of their products, sensitive customer data, IP, nor supply chain operations. However, this successful identity-based attack is worth discussing from an educational perspective.

This particular type of attack is growing in number and businesses mobilizing their remote workforces on cloud services must be properly equipped to detect when attacks exploit, misuse, or exfiltrate digital identities. The COVID-19 pandemic especially highlighted many organization’s lack of knowledge when it comes to their attack surface. For example:

• Businesses began or accelerated their migration from on-premises to cloud to support more remote workers than they had ever planned for. Cloud environments are particularly susceptible to identify-based threats such as phishing, credential stuffing, and password spraying.

• Smart devices continue to become enmeshed in professional workflows and processes. In the early stage of the pandemic, some businesses loosened their bring-your-own-device policies in an attempt to get back to normal operation levels. Businesses that lack proper IoT security (internet of things) inherit the risk of adding more points of access for threat actors, weak password hygiene, unencrypted connections, and more.

It is clear that identity-based attacks are severe and require our attention as more human and non-human identities continue to increase. Identity Threat Detection and Response (ITDR) seeks to address this issue amongst the various threat vectors that make up the greater cybersecurity landscape. The Cisco breach discussed in this post shows the possible impact that a single failure in identity security could have, even on large-scale corporations with robust security measures.

What sets ITDR apart from other detection and response solutions (EPP, MDR, EDR, and NDR) is its ability to detect credential theft and privilege misuse on Active Directory and other vulnerable entitlements that may create avenues for attack. The primary benefits of ITDR solutions are gaining visibility to credential misuse, and exposing poorly managed access entitlements and privilege escalations from the endpoint through to Active Directory and, finally, the cloud environment.

Based on analysis shared by the networking company’s threat intelligence team, Cisco Talos, we break down the specific tactics used by the threat actor and how Singularity Identity could have thwarted both the initial access and the subsequent persistence mechanisms.

Solution:

• Singularity Identity hides credential storage from unauthorized application access to stop credential theft early in the attack cycle.

• Singularity Identity prevents unauthorized access by binding credentials to critical applications across the network.

• Singularity Identity deploys deceptive domain accounts on endpoints. Threat actors attempting to steal valid domain accounts from endpoints will get redirected to the decoys for engagement.

Solution:

• Singularity Identity detects bypassing attempts and privilege escalation and alerts on multiple failed attempts to perform a privileged operation by the same user.

Solution:

• Singularity Identity detects user account enumerations against Active Directory. In addition, it includes any targeted Active Directory objects a threat actor may query to understand the privileges and groups.

Solution:

• Singularity Identity detects credential dumping tools. Once identified, it injects deceptive credentials across the enterprise at the actual endpoints. These credentials are strategically cached for threat actors to discover, leading them to decoys for engagement.

• Singularity Identity scans and reports the credentials exposed on the endpoints. It can also remediate such exposure to address the risks of theft.

Solution:

• Singularity Identity prevents the discovery of AD objects using tools like ADfind and stops the dump of credentials from different credential stores.

• Singularity Ranger AD detects suspicious Service Creation on DCs and reports abusing system services or daemons to execute commands or programs.

Solution:

• Singularity Ranger AD Assessor detects the modification of authentication mechanisms on a domain controller, thwarting threat actors that attempt to patch the authentication process to bypass the authentication mechanisms.

  

Solution:

• Singularity Hologram deploys decoys host production applications (e.g., SSH Servers, VNC, RDP servers).

• Singularity Identity distributes deceptive keys and credentials to these decoy servers to lure attackers away from production systems, including RDP and other remote access tools.

Solution:

• Singularity XDR agents detect dropping payloads using behavioral and static AI engines. Once detected, the connection is terminated, blocking the ability of an attacker to gain access to the remote system. SentinelOne autonomous agents would then remediate the entire chain of activities leading to remote execution attempts.

Solution:

• Singularity Identity DataCloak prevents unauthorized applications from reading and exfiltrating protected data and storage locations from endpoints.

Learn More About Singularity Identity

The attack on Cisco discussed in this post shows that identity-based attacks are a leading threat vector used in data breaches. From the perspective of a threat actor, targeting identity and access management gaps through compromised credentials is the quickest path to reaching a target’s resources and critical data. Attackers are very aware that Active Directory is the crown jewel of a business, granting them the ability to exfiltrate sensitive information, install backdoors, alter security policies, and more.

With the rapid shift to remote working environments and the adoption of hybrid and cloud environments, identity has become the new perimeter, highlighting the importance of visibility. Businesses must be able to detect and respond effectively and protect all of their various digital identities through a comprehensive identity security solution. SentinelOne identifies Identity Threat Detection and Response (ITDR) as the missing link between holistic XDR and zero trust strategies in the mission to protect organizations from threats at every stage of the attack journey.

Leveraging our deep industry knowledge and experience with fighting back privileged escalation and lateral movement, SentinelOne delivers comprehensive identity security as part of Singularity XDR for autonomous protection including:

• Singularity Identity: End credential misuse through real-time infrastructure defense for Active Directory and deception-based endpoint protections. Singularity Identity defends Active Directory & Azure AD domain controllers and domain-joined assets from adversaries aiming to gain privilege and move covertly.

• Singularity Ranger® Active Directory Assessor: Uncover vulnerabilities in Active Directory and Azure AD with a cloud-delivered, continuous identity assessment solution. Ranger® AD Assessor delivers prescriptive, actionable insight to reduce Active Directory and Azure AD attack surfaces, bringing them in line with security best practices.

• Singularity Hologram: Lure network and insider threat actors into engaging and revealing themselves with network-based threat deception. Singularity Hologram decoys stand at the ready, waiting to be engaged by adversaries and insiders. The resulting telemetry supports investigations and contributes to adversary intelligence.

SentinelOne extends Singularity XDR capabilities to identity-based threats across endpoint, cloud workloads, IoT devices, mobile, and data wherever it resides, setting the standard for XDR and accelerating enterprise zero trust adoption. To learn more about SentinelOne’s identity and deception solutions, please request a demo.