Technical analysis of LockBit 2.0 affiliates’ SonicWall exploit that bypasses MFA  

We outline the tactics, techniques and procedures of the threat actor, and share the technical details of the indicators of compromise for one of our incident response experiences in 1H2022.

In the previous blog post, we reported on the novel technique leveraged by LockBit 2.0 affiliates to  exploit SonicWall Secure Remote Access (SRA) Secure Sockets Layer Virtual Private Network (SSL VPN) appliance to retrieve the time-based one-time password (TOTP) which enabled the circumvention of the multi-factor authentication (MFA) access control. We identified at the point in time from open source internet search engines that over one hundred Hong Kong and Macau organisations may be susceptible to this exploit based on their reported use of potentially vulnerable appliances.

We follow-up on that blog post with a technical analysis that outlines the LockBit 2.0 affiliates’ Tactics, Techniques and Procedures (TTPs) as observed in our incident response experiences. In addition, we set the scene for our final blog post which will explore the potential factors that enables the LockBit Ransomware-as-a-Service (RaaS) group to continue innovating at a rapid pace and cement their position as a major player in the ransomware threat landscape.

Analysis and Exploitation in the wild

Reconnaissance

We observed through analysis on the SSLVPN appliance and firewall network traffic logs that either CVE-2019-7481 or CVE-2021-20028 was exploited twice prior to initial access. The first recorded instance was in late 2021, in which the affiliate obtained the credentials of an administrative account. We conclude this with high confidence given this credential had not been leaked via data breaches or to the Dark Web previously, while the user had adopted a strong password given its length and use of four password complexity character classes.

Over the next three months, each login attempt originated from a unique external IP address and were unsuccessful due to the enforcement of MFA. The exploit was executed again prior to successful initial access, again from a different IP address. The use of a different external IP address each time spread over a sporadic timeframe is a strong indication of likely malicious intent by a threat actor that sought to remain stealthy to avoid detection and triggering of the victim’s incident response protocols.

The list of known malicious IP addresses are listed below, and we posit with high confidence they are utilised by the same threat actor for the following reasons:

  • 91.219.212[.]214 – the first observed exploiting an SQLi vulnerability. This IP address has been reported multiple times as malicious from reputable sources to have conducted suspicious malicious activities, including spam, brute-forcing, web application abuse, and vulnerability exploitation.[1] 
  • 5.206.224[.]246 – the first unsuccessful attempt to login as an administrative user, suggesting that this IP address is associated with 91.219.212[.]214 to obtain and utilise the strong and complex password.
  • 51.91.221[.]111 – which resolves to 213.186.33[.]5 and has been flagged by the security community to be malicious and has served as a command-and-control infrastructure, i.e., Cobalt Strike server.[2]
  • 194.195.91[.]29 – the second observed exploitation of the SQLi vulnerability, with the subsequent login attempt being successful, indicating that the threat actor likely had chained it with the undisclosed zero-day vulnerability.

Initial Access

The threat actor gained access to the victim network by chaining an SQLi vulnerability – one of CVE-2019-7481 or CVE-2021-20028 – with an undisclosed zero-day vulnerability to circumvent the MFA access control of the victim’s SonicWall SRA SSLVPN. Details of the vulnerability chaining are illustrated in the below diagram.

Figure 1 – Holistic vulnerability chaining of SQLi vulnerability with undisclosed post-authentication zero-day vulnerability

Through our systematic method for discovering and analysing attack paths, we were able to replicate the exploited zero-day vulnerability performed by the threat actor. A summary of the undisclosed post-authentication local file inclusion zero-day vulnerability is provided below:

CVE(s)CVE-2022-22279
First Published Date11 March 2022
CVSS v34.9
Affected VersionsSonicWall SMA100 version 9.0.0.9-26sv and earlier.[3]
DescriptionPost-authentication vulnerability that enables threat actors to download the persist.db database on their local device by targeting endpoint’s /cgi-bin/sslvpnclient. extract valid user credentials from the settings.json file, including the username, encrypted passwords, and the TOTP.[4]
Potential ImpactSensitive information disclosure that enables threat actors to circumvent the MFA access control to impersonate valid users and obtain initial access to the victim’s network.
Proof of Concept (PoC) AvailableAt the time of writing, there were no publicly available PoCs identified. DarkLab reported the security vulnerability along with their PoC exploit code to SonicWall’s Product Security Incident Response Team (PSIRT), and on 12 April 2022 observed the release of the advisory acknowledging the vulnerability which we had disclosed.
Exploited in the WildAt the time of writing, this vulnerability is not known to be exploited in the wild.
Patch AvailableNo
Workaround AvailableNo

However, the threat actor required valid user credentials to exploit the post-authentication zero-day vulnerability. Based on this requirement and the victim’s firmware, we identified to two pre-authentication SQLi vulnerabilities – CVE-2019-7841 and CVE-2021-20028 – that the threat actor may have leveraged to obtain a valid session. A summary of these vulnerabilities are provided below:

CVE(s)CVE-2019-7841
First Published Date18 December 2019
CVSS v37.5
Affected VersionsPer SonicWall’s PSIRT, SMA100 version 9.0.0.3 and earlier.[5] However, we noted from a cybersecurity consultancy firm that devices with version 9.0.0.5 firmware and earlier were still vulnerable.[6]
DescriptionPre-authentication SQLi vulnerability in the customerTID parameter which can be exploited remotely. Successful exploitation would allow the threat actor to list active session identifiers for authenticated users in a table named Sessions.[7]
Potential ImpactSensitive information disclosure and initial access under the right conditions (i.e., no MFA access control).
Proof of Concept (PoC) AvailableAt the time of writing, there were no publicly available PoCs identified. However, security researchers have reportedly reproduced the exploit based on samples obtained from in-the-wild exploitation.[8]
Exploited in the WildThis vulnerability has been actively exploited in the wild reportedly since 8 June 2021.[9] SonicWall’s PSIRT published a notification on 13 July 2021 detailing an incident leveraging this vulnerability to perform a targeted ransomware attack.[10]
Patch AvailableYes for organisations running 9.x firmware. No for organisations running unpatched and end-of-life (EOL) 8.x firmware.[11]
Workaround AvailableNo
CVE(s)CVE-2021-20028
First Published Date14 July 2021
CVSS v39.8
Affected VersionsSonicWall SRA appliances running all 8.x firmware, an old version of firmware 9.x (9.0.0.9-26sv or earlier), or version 10.2.0.7.[12] However, we noted from a cybersecurity consultancy firm that devices with version 10.x firmware were potentially vulnerable.[13]
DescriptionPre-authentication SQLi vulnerability in the customerTID parameter which can be exploited remotely. Successful exploitation would allow the threat actor to list active session identifiers for authenticated users in a table named Sessions.[14]
Potential ImpactSensitive information disclosure and initial access under the right conditions (i.e., no MFA access control).
Proof of Concept (PoC) AvailablePer Twitter trails, we understand that the PoC was leaked on paste bins[15] by an alleged DarkSide and LockBit affiliate that goes by the name “Wazawaka” on 25 January 2022.[16] While the leak site is now inaccessible, we noted that security researchers have reportedly reproduced the exploit. [17], [18], and [19]
Exploited in the WildNo known mass exploitation in the wild.
Patch AvailableYes for organisations running 9.x firmware. No for organisations running unpatched and end-of-life (EOL) 8.x firmware.[20]
Workaround AvailableNo

Establishing Persistence

Upon login via the built-in SonicWall SRA SSLVPN administrative account, the threat actor did not require to perform privilege escalation as the threat actor obtained an account which, under the configurations at the time, was integrated with the victim’s Active Directory, and had been assigned domain administrator privileges. Thus, the threat actor cemented their position was to create an Active Directory account “audit” with similar privileges, and proceeded to perform the majority of subsequent malicious activities by leveraging this user.

Discovery

The threat actor transferred the SoftPerfect Network Scanner tool, which is a publicly available network scanner used to discover hostnames and network services, via various network protocols such as Hypertext Transfer Protocol (HTTP), Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), and Secure Shell (SSH).[21] The threat actor was able to launch the scanner to map out the internal network topology and identify additional critical systems.

Filenamenetscan.exe
SHA-256a710f573f73c163d54c95b4175706329db3ed89cd9337c583d0bb24b6a384789
File typeWin32 EXE
File size16,539,648 bytes

Lateral Movement

Subsequent to identifying the critical systems such as backup servers and the management information system, the threat actor leveraged the stolen administrative account as well as the created account “audit” to initiate a Remote Desktop Connection to access those endpoints.

Defense Evasion

The kavremover tool was staged and executed to disable the endpoint anti-virus solution Kaspersky on the critical systems.[22] This helped to set up the next stage of the campaign, which focuses on the exfiltration of victim data that will later be used for ransom.

Filenamekavremvr.exe
SHA-256c230e6a2a4f4ac182ba04fee875f722a2c9690cb5d678acd5e40a72d5ec1f275
File typeWin32 EXE
File size14,143,976 bytes

In addition, the executable file YDArk.exe was located on selected endpoints. This open source tool was first observed in the wild on 11 June 2020[23], with the commit available on GitHub for download.[24] From public sources, we note that it is a multi-purpose toolkit offered with English and Chinese modules that allow the threat actor to evade defenses through various techniques, including process injection and rootkit.[25] As a result, we posit this tool was downloaded with the intention of disabling the anti-virus solution such as Windows Defender, alongside the kavremover tool.

Exfiltration and Extortion

Initially, the threat actor makes it known to the target network that it has encrypted the network by leaving a ransom note on the impacted systems. In some cases, LockBit affiliates have been observed to stage hacking tools and to exfiltrate data to cloud storage platforms such as AnonFiles that enables users to anonymously access and share contents.[26] and [27]  

Exfiltration and Extortion

Ransomware deployment was observed to have been done manually, with the threat actors executing on the critical servers. Following the execution of Lockbit 2.0, threat actors typically move onto the extortion phase of the campaign, which is broken down into two stages; initial ransom note, and leak website.

FilenameLockBit_9C11F98C309ECD01.exe
SHA-256822b0d7dbf3bd201d6689e19b325b3982356c05bc425578db9aa4ce653deaaa7
File typeWin32 EXE
File size982,528 bytes

We provide a sample of the Lockbit 2.0 ransomware and several behaviours observed in our incident from available logs.

  • The ransomware enumerated connected drives and read the root path of hard drives other than the default C: drive and discovered additional drives connected to the infected system that the ransomware was able to propagate to and encrypt.
  • The ransomware deleted the Volume Shadow Copy Server (VSS), likely by running the following command:
    • C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  • Successfully encrypted files from Lockbit 2.0 had their file extension changed to .lockbit. Unlike typical cases, we did not observe the user background being modified using the \REGISTRY\USER\Control Panel\Desktop\Wallpaper registry

Finally, we observed that all the Active Directory accounts were disabled by the threat actor subsequent to the execution of Lockbit 2.0. In performing this action, legitimate users (e.g., administrators) were inhibited access to accounts, thereby delaying the actions that could be taken to restore the impacted systems and network.

Conclusion

Lockbit 2.0 affiliates work on behalf of the Lockbit group to conduct ransomware campaigns against organisations and industries across the globe. The affiliates’ abilities to conduct the intrusion and execution of Lockbit 2.0 ransomware vary, and through these incidents we observed affiliates with a diversified capability and skillset exploit a known SQLi vulnerability in a novel way to circumvent the MFA access control and obtain initial access. Organisations are encouraged to review the TTPs leveraged by LockBit affiliates as a result of our recent incident response experience to improve their preventive and detective controls.

Recommendations

As mentioned in the previous blog post, defending against undisclosed exploits are extremely challenging, but not impossible if organisations adopt a defense-in-depth approach. The following guiding principles should be observed, atop of those already listed in the previous blog post:

  • Implement a robust threat and vulnerability management programme that leverages cyber threat intelligence to achieve a resilient security posture. Specifically, to maintain an inventory of assets, with clear indication of the critical systems and sensitive data, mapped to business owners and the relevant security controls to manage cyber risk.
  • Design, implement, and operate an enterprise security architecture that embeds the concept of zero trust to focus on protecting critical resources (assets, services, workflows, network accounts, etc.), and not specifically just for network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
  • Segment networks where operationally practical to prevent the spread of ransomware by controlling traffic flows between various subnetworks and by restricting adversary lateral movement. Disable unused administrative ports internally, such as Remote Desktop Protocol (RDP).
  • Identify, detect, and investigate abnormal activity and potential traversal of the threat actor across the network, such as through deployment of Endpoint Detection and Response (EDR) tools on critical endpoints, including workstations, laptops and servers.

In addition, we strongly urge organisations that have deployed the vulnerable versions of SonicWall SRA SSLVPN to execute the remediation actions outlined in the previous blog post, if not already completed.  Details can be found here.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from the incident.

  • Reconnaissance: Active Scanning – Vulnerability Scanning (T1595.002)
  • Reconnaissance: Gather Victim Network Information – IP Addresses (T1590.005)
  • Initial Access: Exploit Public-Facing Application (T1190)
  • Initial Access: Valid Accounts (T1078)
  • Persistence: Account Manipulation (T1098)
  • Persistence: Create Account: Domain Account (T1136.002)
  • Privilege Escalation: Domain Accounts (T1078.002)
  • Defense Evasion: Impair Defenses: Disable or Modify Tools (T1562.001)
  • Defense Evasion: Indicator Removal on Host: File Deletion (T1070.004)
  • Credential Access: Credentials from Password Stores (T1555)
  • Discovery: Network Service Scanning (T1046)
  • Discovery: File and Directory Discovery (T1083)
  • Discovery: Remote System Discovery (T1018)
  • Lateral Movement: Remote Services: Remote Desktop Protocol (T1021.001)
  • Collection: Data from Local System (T1533)
  • Command and Control: Remote File Copy (T1544)
  • Impact: Account Access Removal (T1531)
  • Impact: Data Encrypted for Impact (T1486)
  • Impact: Inhibit System Recovery (T1490)

Indicators of Compromise (IoCs)

We include the observed IoCs elaborated from part one of the blogpost. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

IndicatorType
c230e6a2a4f4ac182ba04fee875f722a2c9690cb5d678acd5e40a72d5ec1f275SHA-256
a710f573f73c163d54c95b4175706329db3ed89cd9337c583d0bb24b6a384789SHA-256
49bac09d18e35c58180ff08faa95d61f60a22fbb4186c6e8873c72f669713c8cSHA-256
822b0d7dbf3bd201d6689e19b325b3982356c05bc425578db9aa4ce653deaaa7SHA-256
91.219.212[.]214IPv4 Address
5.206.224[.]246IPv4 Address
51.91.221[.]111IPv4 Address
213.186.33[.]5IPv4 Address
194.195.91[.]29IPv4 Address
kavremvr.exeExecutable File
netscan.exeExecutable File
LockBit_9C11F98C309ECD01.exeExecutable File
YDArk.exeExecutable File
.lockbitEncrypted Files Extension
Restore-My-Files[.]txtFilename

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.