CyberWire Daily - Every time we get smarter, the bad guy changes something. [Research Saturday]
Episode Date: July 18, 2020
Researchers at Symantec spotted a Sodinokibi targeted ransomware campaign in which the attackers are also scanning the networks of some victims for credit card or point of sale (PoS) software. It is not clear if the attackers are targeting this software for encryption or because they want to scrape this information as a way to make even more money from this attack. Joining us in this week's Research Saturday to discuss the report is Jon DiMaggio of Symantec. The research can be found here: Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting
ourselves in a rapidly evolving cyberspace. Thanks for joining us.
We were looking at two separate things. We were looking at the previous project of looking at
Cobalt Strike infections, and we were also looking at new exploit kits that were being used in the wild.
That's Jon DiMaggio. He's a senior threat intelligence analyst at Symantec.
The research we're discussing today is titled WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations.
So what we found was there's an exploit kit called SocGholish, and I don't make these names.
And it's not so much that it's brand new as that it has sort of been updated, and there was an increased presence that we began to see, which is what caught our attention in the first place.
It turned out that there was quite a large footprint of infrastructure across the internet as a whole in comparison to other exploit kits in which we were seeing it.
The interesting part of it is it was being delivered as a browser update.
So right then, that was sort of an indicator that this was a larger attack than regular exploit kits.
The reason I say that is a lot of times these will be used just by phishing emails and things like that. It's much more manual, but when you're using it to deliver
as a browser update, that's usually indicative of that it's attached to a watering hole or a
compromised website. As you can imagine, the more you dig and you see things like compromised
websites and larger infrastructure to deliver something, you know, you probably have a more advanced attacker because obviously it takes time and resources to compromise not just one
legitimate website, but many. And that's what we were seeing. So we didn't know at first it was a
ransomware attack, but we did know that it was at least an adversary with a medium level of
sophistication that had the ability to compromise legitimate websites, create and
package this as a browser update, and then infect victims. Where we went from there,
we actually started to look into what happened to systems once that malware was executed,
once that browser update was executed. And what we found was it was downloading some shellcode, but it was also
being used to sort of profile the victim. So it was collecting the network name, the system names,
the user's name that was logged in and sending it back. And the reason that's relevant is,
you know, that is information that can be used to determine who the victim organization is. So let's say it's a mom and pop shop versus being a major retail chain or a major technology company.
That's going to make a difference to an adversary.
So seeing that there was a bit of profiling going on, seeing that there were compromised websites involved,
and that this was being packaged as a browser update, we knew we had something interesting. We didn't know that this was ransomware, let alone a brand new ransomware variant that hadn't been seen before. You know, WastedLocker had just been first reported a couple of days prior to us figuring out that what we had was similar in its binary and its behaviors.
And then we validated that it in fact was that.
The difference is we had a lot of good information now on the life cycle of this, not just how it was being used to infect,
but the actual mechanisms of once they were on a network or a system, what the bad guys did.
And I can continue on from there. I want to take a sort of step back to let you sort of ask
questions. I know I gave you a lot of information. Yeah. Well, before we dig into the details of what
exactly happens here, you're pretty confident in your attribution here. This is being attributed to a group that we
have heard of before. Yes, yes, it is. So there's a group called Evil Corp. The name actually comes
from the TV show, Mr. Robot. It's the hacking group that in the TV show is used to sort of
attack the financial industry and disrupt credit card companies and things of that nature.
This was along the same lines, you know, that they're attacking major companies and they're stealing large amounts of money or extorting large amounts of money. And hence the name
sort of stuck. I honestly don't know whether they gave themselves that name or whether it was
something that was applied to them. But yeah, Evil Corp
actually started out as a cyber criminal group that was in the banking malware business. So they
actually used a very famous malware known as Dridex. That malware would sit on the victim's
computer and it would simply act as a middleman and it would watch as you use your
browser and you went to various websites. When it saw that you browsed to a banking website,
however, it would inject itself and it would present what to the user looked like the legitimate
website. However, it actually was a fake website that captured your credentials and then sent them back to Evil Corp.
And they would liquidate your account, take all your money, and move on to the next victim.
Over time, though, the cybersecurity community began to keep up with that, began to identify these injects before they could even be used in some cases.
And they got less and less of an opportunity to actually have success with that.
So knowing that and being, I'll call them sophisticated attackers, they evolved.
That evolution changed to ransomware. Now, it wasn't Wasted Locker, however. What they did is
they still leveraged the Dridex malware. That malware by this time
had been in existence for years and it had a large footprint. It had infected massive amounts
of victims. So they used that as sort of a step into profiling and finding good victims for ransom.
And there were components built into Dridex, since it was module-based, that they could use that were completely separate from any sort of banking compromise.
So they would use that to gain privileges, to steal passwords, things of that nature.
That footprint and that sort of infrastructure, they then applied to what was called BitPaymer ransomware.
And that was the initial variant that was being used by these guys for years.
BitPaymer became very popular.
It was reported by the media.
Law enforcement took a big interest in it.
And in December of 2019,
the United States government issued some,
the Department of Justice issued indictments
against two members of Evil Corp
for that activity involving both Dridex and the BitPaymer ransomware.
That sort of is likely what led to this kind of change in tactics, change in malware, change in infrastructure, and that's where we saw Wasted Locker.
So WastedLocker is not an evolution of BitPaymer, or at least it doesn't appear to be.
It appears to be a new instance of ransomware.
We're also seeing this new delivery method.
It doesn't mean we won't see them still use Dridex, but in this particular campaign, as I mentioned, they're using this new exploit kit, and they're using legitimate compromised infrastructure to deliver it.
So in tandem, it's a whole new attack life cycle, brand new ransomware, brand new infection vector. What is similar is some of the tactics when the adversary
is actually on the victim network. But besides that, they really spent the time, money and
resources to sort of reinvent themselves. And it does take time, money and resources. That's not
just, you know, something I'm saying. It actually is an
operation and all of that has a cost to it. So this was important enough for them to retool and
to spend the time and money to do. Well, let's walk through it together. Can you take us through
step-by-step from the very beginning? What happens when these folks get you in their crosshairs?
Absolutely.
So it starts where the user browses to a compromised website. What we found was most or many of the legitimate websites that were compromised belonged to a U.S. newspaper or U.S. news organization.
Their infrastructure had many different news-related websites, and
we believe that the adversary was specifically looking to target U.S. companies and organizations,
so a U.S. newspaper and their infrastructure would sort of make sense as a good starting
place anyway to begin entry into obtaining access to victims. So they compromised these websites,
and what they did is they used the exploit kit so that when the user, or the potential victim, went to the legitimate website,
they were then redirected in the background to adversary-controlled infrastructure,
where they actually delivered the exploit kit, SocGholish, that payload onto their systems.
So they're browsing through the website.
A little window pops up and says,
hey, you need to update your browser in order to continue viewing our website.
You know, that happens every day for legitimate purposes.
It looks legit.
They select OK.
It downloads and infects them.
They still don't know they're infected. What happens at this point is, like I said, that initial profiling takes place where information is sent back to the bad guy, and they then can choose to continue the operation or to not continue and just let that victim go about their way.
If the victim meets their requirements and it is of interest to them,
now the exploit kit will download PowerShell.
PowerShell is, I'm sorry, it uses PowerShell in the victim system to download Cobalt Strike. I apologize, I misspoke.
And that Cobalt Strike is compiled in memory.
It also downloads what's called a .NET injector. So the PowerShell and the .NET injector allow them to inject any payload they want. So
any sort of malicious malware that they want to run, they can now do in memory of the victim
system. Again, it's important to understand that that makes it fileless. It's fileless, and that is important because it doesn't touch the disk, which makes it much harder
for defenders, antivirus software, endpoint detection to identify. It doesn't mean it won't get identified,
but it makes it harder to identify. So at that point there's two JavaScripts. So one we
already talked about, that's the update piece where it does the initial infection, and the other piece is a script, basically. And between the two you have Cobalt
Strike compiled, and then you have another payload that's placed on the system. So now that
the adversary actually has access, at this point they need to enumerate the network and identify servers. They need to
identify all the relevant file systems that they would want to infect with a ransomware payload.
So they use legitimate tools that are present in the network. Now, a lot of those are sort of
common across the dozen or so larger enterprise ransomware attackers, but there were some interesting
aspects that were a little bit different here. So Cobalt Strike, as I've mentioned before,
we see them all the time. That's a tool that's commonly used. But some of the things that stuck
out that we saw in this particular attack was they used a tool called PowerView, which is a
legitimate tool that was probably used because it was present in a lot of the victim systems.
And what that would do is it would allow them to do Active Directory enumeration. So it's a tool that's
meant to administrate and to do processes and services via Active Directory, all legitimate,
used by administrators. And they use that to sort of further their compromise. Another very
interesting thing with this that differed from some of their previous
attacks is, you know, what we saw before was where they'd actually identify some of the defense
software and systems, and they would actually, once they had administrative privileges, they would
disable it. And what we saw this time was they took Microsoft's built-in UAC, which is what it uses to give the user access controls, limit what they can do, sort of privilege monitoring and deploying privileges to a user.
So it's a part of Windows Defender.
And what they actually did is they used it to alter privileges, and then they changed Windows Defender to not be disabled.
They just changed it to not scan their files, and that I thought was interesting.
And the reason I think that's interesting is because before they would just disable a service.
Let's think about it.
If you're a bad guy and you want to do everything you can to not get detected, they've sort of – while it's minor, they've improved their process.
An administrator might recognize that a service has been turned off. They're not as likely to recognize that you simply blocked it from
scanning specific files. So I thought that was interesting that they took these smaller steps
to just, again, tweak their attack to make it a little bit more difficult to detect.
Right. So once they did that, now they knew that they would be able to deploy other tools,
run scripts, and more importantly, actually drop and execute ransomware.
They used other legitimate tools. They used a thing called the WMIC, which is a Windows Management Instrument Console.
So that allows them to actually add users, execute commands.
And what was interesting here is they also used the WMIC to run a tool called ProcDump.
ProcDump actually dumps the log files.
So again, log files are used where we could
identify them, see that they're on the system, used for forensic evidence, things of that nature.
They're deleting those now. That was also something that was a little bit different
that was interesting about this, these extra steps they were taking to delete their tracks
or to hide their tracks. Adding legitimate users, that's another issue because now they have
a legitimate account on the network that they're using to traverse. It's so much harder to find a
bad guy when they have legitimate credentials than it is when they just have a remote shell
and are sort of poking around. So with that legitimate access, using the legitimate tools,
setting up defenses to simply not scan their malware.
They created the perfect storm to sort of take over that network and encrypt your data.
At that point, they used a tool called PsExec.
Again, it sounds familiar here.
It's another legitimate administrative tool.
And that tool was used to actually place and copy and drop the ransomware
payload onto all the servers and systems that they had identified that they wanted to execute
the malware. Just prior to executing the malware, the last step that they do is, again, using that
WMI console, they delete all the shadow volumes. Shadow volumes are used in Windows to sort of
restore to a previous state.
So you can see where that would be bad for a ransomware adversary if the victim could simply restore to a previous state.
So they delete that. And then once all of that is done, the shadow volume has been deleted.
The environment's been staged and prepped and everything is sort of perfectly set up for the attack.
That's when they execute the payload across all of the servers and systems instantaneously and present the victim with a ransom note.
that Evil Corp has not done is, we've seen some other adversaries do, is, you know, threatening to post the victim's data publicly or embarrass the victim. You know, we've not seen them do
anything like that, which we have seen other victims do. So that could be the next evolution
that we see, but it hasn't happened yet. Just again, just something I noticed when comparing
this attack to other recent attacks. But that's sort of the life cycle of the attack.
Yeah. Are they even making an attempt to exfiltrate any data?
They're not. No, we have not seen any evidence of that.
And that's sort of what I was getting at is that, you know, we saw other recent ransomware attackers doing that.
And I think I've mentioned before, there's only about a dozen or so of these, you know, organized enterprise attackers out there.
And, you know, so seeing there's two or three that we've seen start this trend.
And, you know, Evil Corp is one of the most professional and unfortunately successful attackers in the ransomware business.
So it could be that they have sort of a, you know, a doctrine of what they do and when they go in for these attacks, and it works for them, and they don't want to deviate it.
And or they really want to sort of test the boundaries of before they change anything they do to ensure that they don't get caught.
It's important to mention just because the U.S. indictments were placed against them, that doesn't mean we arrested anyone.
So these guys are still out there. No one was arrested. But what was interesting is this
time we only saw U.S. companies attacked. So who knows if that's by design or just happened to be
that that's where the victims were physically present during the attacks. But, you know, it is interesting that the U.S. has indictments and then the next major iteration of their attack lifecycle involves all
U.S. companies. Do you have any sense for the amount of time that passes between that initial
infection when the victim, you know, clicks on that link and when ransomware gets executed? Yeah. So it's about three to seven
days with this group. We've been looking at a lot of groups and I think the longest that I've seen
out of, like I said, the dozen or so enterprise attackers is 14 days. So keeping that in mind,
that's a pretty good average in comparison to that.
It's about half. So, you know, the shorter amount of time, the smaller window of time that it takes
them to execute the payload from their, you know, from the time they gain initial access,
that's a smaller window that they can be identified, caught, or prevented from being
successful in their attacks. Just as an example,
you know, that window of time is what allowed us, you know, to identify what was taking place. And,
you know, these are 31 companies, but they're 31, you know, big companies, most of which,
you know, the average American has heard of. 11 of them were publicly traded companies,
but all of them were large organizations that, you know, are common
names or commonly known. So these were big targets. And because we were able to identify it within
that window of time, we were able to prevent the success of this. I mean, you're talking
each one of these companies, the ransom is usually in the millions. So this is a lot of money that
we were able to prevent going out the door. But the truth is that we were able to prevent it this time.
Ransomware is a big problem, and especially when you have creative attackers,
it is something that's very difficult to defend against and identify.
You know, every time we get smarter, you know, the bad guy changes something.
So I don't want to come across as too headstrong or
arrogant trying to say that, you know, we're going to stop this. You know, they don't have a chance.
We really, defenders, we really got to be on their toes and keep sort of reinventing their
defensive posture in order to identify adversaries such as this.
And the ransomware itself, does it seem to be fairly well-constructed, sophisticated,
not much hope of coming up with a key to unlock it?
Yeah, that's the worst part of this is the encryption itself.
Once that payload is executed to this date, there's not a way to decrypt it without the key.
So it's too late once that happens.
Once you are hit and the payload is
actually executed, there's not a way to decrypt it without the key. So then you're either at the
mercy of paying the ransom or you have to, you know, rebuild your systems and hopefully you have
offsite data that you can reinstate. Because as I mentioned, you know, they delete a lot of the local backup
that you might have for your data. Now, so that other organizations can learn from the success
that you all have had here heading this off, what was the key to your ability to be able to
detect this and stop it before you actually got to the ransomware phase?
So it was a combination.
It was a little bit of the sort of proactive threat hunting.
So we know Cobalt Strike is a tool.
We went and looked at the big ransomware, enterprise ransomware groups, and we looked
at tools that are used by all of them sort of across the whole threat landscape.
And there are several things that they use.
It's difficult for us as a defender to go in and identify all of the legitimate tools that are being used.
It's a little bit – it's not impossible, but it is a little bit more difficult. It is easier
to identify some of the rarer penetration testing tools that are still used for legitimate purposes,
but aren't as prevalent on networks. So Cobalt Strike being one of those was something that we
just started looking at, all Cobalt Strike activity. Again, there's a lot of legitimate
activities, so it's not the easiest task.
But by looking at that, that sort of led us to the SocGholish framework, which I've
kind of already explained that story, how we pivoted from this.
But what you could do, again, that's my view, so our view, where we're looking at many organizations.
It's a little bit different if you're an organization protecting yourself because you can use, I mean, there's obviously the security vendors like Symantec where we help
our customers and we do proactive threat hunting, but we're doing it for a lot of companies. So what
companies really need to do is with their own, everybody usually has their own internal people
as well for security. And they really have to look at those legitimate administrative tools
and see how they're being used.
That's really what it's going to take in order to identify this.
And there's software.
There's Targeted Attack Analytics and different tools that you can use that sort of monitor legitimate tools and take logs and can present them to defenders to sort of audit and to look through, especially if something's suspicious or it's used at a weird
time or it's using to drop a file that has a low prevalence, meaning it's not normally seen on your
network. All of those things that are not malicious, but they're things that you can sort of dive into
and identify and research, and that would allow you to see this activity. And that's usually how
we identify it, to be honest with you. So, I mean, is it fair to say that the, I guess the leading edge of the type of work that you all
are doing and the folks who do, you know, the types of things that you're doing is,
it's more about looking for behaviors than actual stuff than looking for files that,
you know, a particular file that's written to a hard drive.
Yeah, so you no longer can just look for the malicious file that's going to set off, you know, an alert or fire on a signature, because really there were
only two malicious files here used, and one was the initial exploit framework and then the next was
the actual ransomware payload. But there's about
a dozen or so tools that were used for malicious purposes in between that were all legitimate.
They're all tools that would be used that were already present in the network or were present
on the internet and can be downloaded by anyone and also used for legitimate purposes. So it
really does take looking at how those tools are being
used, not just looking for a malicious tool, if that makes sense. Yeah, it does. So in terms of
take-homes and recommendations, what do you have to say there? What's the best approach for folks
to protect themselves against this sort of thing? Yeah, a couple of things. One,
you know, ensuring that, you know, privileges are really broken out by each administrative
need and that there's no one role within your network that has sort of keys to the kingdom.
Another is to monitor and heavily audit any newly created accounts on your
network. While not all adversaries do this, you know, Evil Corp is one of the ones that do,
you know, create their own users. You know, so that's another opportunity. And that one's an
easier one to flag and to identify. And then the third is to only allow your administrative tools, many of which are present by default when Windows is installed, but to remove them and/or lock those down so that they cannot be used or accessed by anyone but your administrators. ...of legitimate administrator activity. And you can, you know, audit that, you can monitor that easier, and you can hopefully identify things that just don't look right. And the last piece of it is, you know,
there are systems and software and defensive components out there that do help with the
legitimate tools, monitoring them. All of it's a little bit difficult because none of
it's directly malicious, but a combination of those sort of three or four things I just said, many of which
just take time, not necessarily money, are all things that you could do that would really
decrease the opportunity for an adversary to be successful with this, especially because they have
to spend so much time on your network. They're spending at least a week in most cases, you know, three to seven days, three days.
That's sort of the quickest. But there's there's a window of time where you can identify this.
But you have to look at the legitimate activity, not just the malicious stuff.
Our thanks to Jon DiMaggio from Symantec for joining us.
The research is titled WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations.
We'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yellin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.