Lockbit 2.0 affiliate’s new SonicWall exploit bypasses MFA

Increasing Capabilities of LockBit 2.0 Gang Per Our Incident Response Experience in Q1 2022 Impacts Over One Hundred Hong Kong and Macau Organisations; Exploit Acknowledged by SonicWall as CVE-2022-22279

In the first quarter of 2022, DarkLab responded to several ransomware incidents impacting organisations in the financial services, real estate, and manufacturing sectors across Hong Kong, China and Asia Pacific. In all such incidents, the presence of the LockBit executable file, .lockbit extension files, and the StealBit malware suggests that affiliates of the cybercriminal group that operates the LockBit 2.0 Ransomware-as-a-Service (RaaS) were likely behind the incidents.

LockBit 2.0 RaaS is a well-documented group with established tactics, techniques and procedures (TTPs) that has been active since 2019.[1] During our incident response investigations, we found LockBit affiliates exploiting two victims’ SonicWall Secure Remote Access (SRA) Secure Sockets Layer Virtual Private Network (SSLVPN) appliance to establish a foothold in their networks. In the first instance, the affiliate exploited a known SQL injection (SQLi) vulnerability to obtain valid usernames and passwords. Given the multi-factor authentication (MFA) access control was not enabled, they were able to achieve initial access relatively easily. In the second instance, the affiliate performed follow-up actions to retrieve the time-based one-time password (TOTP) which enabled the circumvention of the MFA access control.

In this blog post we will report on their novel technique to exploit SonicWall SSLVPN appliances and bypass MFA. According to results from open source internet search engines, over one hundred Hong Kong and Macau organisations may be susceptible to this exploit based on their reported use of potentially vulnerable appliances. This exploit disclosed by DarkLab has since been acknowledged by SonicWall as CVE-2022-22279.

A second blog post will then outline the LockBit affiliates’ TTPs as observed in our incident response experience. The final blog post will explore the potential factors that enable the LockBit RaaS group to continue innovating at a rapid pace and cement their position as a major player in the ransomware threat landscape.

Initial Access

The typical modus operandi of LockBit 2.0 affiliates is to gain access to a victim network by exploiting known vulnerabilities of public-facing services, including vulnerable SSLVPN. In particular, CVE-2018-13379 [2] has been the preferred vulnerability in many incidents, including those DarkLab responded to in January and February 2022. The vulnerability is several years old, yet LockBit 2.0 affiliates were still able to capitalise on the exploit, which allows unauthenticated users to download system files through crafted HTTP resource requests. Other affiliates have been reported to gain initial access by conducting Remote Desktop Protocol (RDP) brute forcing[3] or through purchasing access to compromised servers via underground markets.[4]

However, in two incidents that DarkLab responded to in March 2022 we observed a new infection vector. Affiliates were observed exploiting a known but relatively obscure SQLi vulnerability – either CVE-2019-7481 [5] or CVE-2021-20028 [6] – in a novel manner to retrieve user session data stored on the SonicWall SSLVPN appliance to the affiliate’s local endpoint. The retrieved data included valid usernames, passwords, and the TOTP. In doing so, the affiliates could circumvent the MFA access control, impersonate any user to gain initial access, and subsequently deploy ransomware.

Figure 1 – LockBit’s initial attack chain

The latter incidents we responded to in March 2022 were noteworthy for two reasons. First, LockBit affiliates were not reported to have exploited SonicWall SSLVPN products in the past. Second, this was the first publicly observed instance of the known SQLi vulnerability being exploited by threat actors to extract the TOTP SHA-1 tokens of onboarded users. Affiliates could then generate the QR code containing the information required to generate one-time passwords (OTP) in an authenticator app of their choice.[7] This proved to be an innovative way to circumvent the existing MFA access controls. The observed exploitation suggests the affiliates of LockBit now have additional tools in their arsenal, and indicates the importance they place on continuous improvement as the group looks to differentiate itself from competitors.

Impact to Hong Kong and Macau

DarkLab replicated and verified the novel exploitation method of the post-authentication vulnerability through internal testing of several known impacted SonicWall SSLVPN firmware. We have shared all relevant details, including the technical exploit code, with the SonicWall Product Security Incident Response Team (PSIRT) in March 2022 to ensure organisations are protected. We will not publicly disclose exact exploitation details to avoid replication by malicious actors.

Per subsequent communications with SonicWall PSIRT, we understood that the upgrades to SonicWall SMA firmware 10.2.0.7-34sv or above, and 9.0.0.10-28sv or above in February 2021 to address CVE-2021-20016 included comprehensive code-strengthening that proactively prevented malicious attackers from exploiting this vulnerability to circumvent the MFA access control.[8] On 12 April 2022, SonicWall PSIRT released the following advisory acknowledging the vulnerability CVE-2022-22279 which we had disclosed.[9]

As of the time of writing, we have not observed from our deep and dark web monitoring any specific intentions by threat actors to leverage this post-authentication vulnerability to target organisations in Hong Kong and Macau. However, we observed that Russian-speaking threat actors had been discussing this vulnerability in early February 2022, with posts from two underground forums – exploit[.]in and xss[.]is – containing conversation details of purchasing the exploit code and outlining at a high level the follow-up actions that can be taken to extract the TOTP from the active session ID.

Figure 2 – Screenshot of exploit[.]in underground forum
Figure 3 – Screenshot of xss[.]is underground forum

As a result of the LockBit incidents and various hacker chatter, we were concerned that local organisations may have missed SonicWall PSIRT’s advisory note; after all, we still observed compromises that resulted from the exploitation of CVE-2018-13379 on unpatched Fortinet SSLVPN appliances in February 2022. To that end, we conducted a passive, non-intrusive scan for both CVE-2019-7481 and CVE-2021-20028 across the full Internet Protocol address (IP address) range of Hong Kong and Macau. The preliminary results indicated that at least 100 organisations were vulnerable to CVE-2021-20028, with half of those also vulnerable to CVE-2019-7481.

DarkLab has since proactively contacted dozens of potentially affected organisations to alert them to the risks they faced. However, given that a series of critical vulnerabilities pertaining to SonicWall SSLVPN appliances was released in June 2021, it is likely that those may be exploited through other innovative methods by threat actors. For example, the Cybersecurity & Infrastructure Security Agency (CISA) lists CVE-2021-20016 as another SQLi vulnerability that allows a remote unauthenticated attacker to perform SQL queries to access username, password and other session-related information in SMA100 build version 10.x,[10] which aligns with our communication with SonicWall’s PSIRT. We foresee that, if left unpatched, this vulnerability could be exploited by adversaries to gain unauthorised access.

CVE Number | Product | Vulnerability Name | Date Added to Catalogue | Short Description
CVE-2021-20021 | SonicWall Email Security | Privilege Escalation Exploit Chain | 3 November 2021 | A vulnerability in version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
CVE-2021-20022 | SonicWall Email Security | Privilege Escalation Exploit Chain | 3 November 2021 | A vulnerability in version 10.0.9.x allows a post-authenticated attacker to upload an arbitrary file to the remote host.
CVE-2021-20023 | SonicWall Email Security | Privilege Escalation Exploit Chain | 3 November 2021 | A vulnerability in version 10.0.9.x allows a post-authenticated attacker to read an arbitrary file on the remote host.
CVE-2021-20016 | SonicWall SSLVPN SMA100 | SQL Injection Vulnerability | 3 November 2021 | A vulnerability in SMA100 build version 10.x allows a remote unauthenticated attacker to perform SQL query to access username, password and other session related information.
CVE-2021-20018 | SMA 100 Appliances | Stack-Based Buffer Overflow Vulnerability | 28 January 2022 | SonicWall SMA 100 devices are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution.
CVE-2021-20028 | SonicWall SRA | SQL Injection Vulnerability | 28 March 2022 | SRA products contain an improper neutralisation of a SQL Command leading to SQL injection.
Table 1 – CISA known exploited vulnerabilities catalogue listing various critical SonicWall CVEs that were being exploited in the wild as of 2 April 2022

The ongoing evolution of TTPs allowed LockBit’s affiliates to become the most prolific ransomware actors in 2022. Between 1 January and 31 March 2022, the group claimed 223 victims on their dark web leak site, compared to Conti’s 125. This equates to more than one-third of all known ransomware incidents for Q1 2022. To put it another way, over the same period LockBit’s affiliates claimed almost 10 percent more victims than the other 24 known ransomware groups combined (223 compared to 164). LockBit’s reported activities have also increased over the course of the first three months of 2022. The gang claimed 112 victims in March, while it published details of 111 companies in the previous two months combined. This suggests an ongoing trend and highlights how LockBit will likely remain the most active ransomware-as-a-service offering for the coming months.

Figure 4 – Number of victims published on ransomware dark web leak sites between 1 January 2022 and 31 March 2022

Conclusion

Lockbit 2.0 affiliates work on behalf of the Lockbit group to conduct ransomware campaigns against organisations and industries across the globe. The affiliates’ abilities to conduct the intrusion and execution of Lockbit 2.0 ransomware vary, and through these incidents we observed affiliates with a diversified capability and skillset exploit a known SQLi vulnerability in a novel way to circumvent the MFA access control and obtain initial access. At least 100 organisations in Hong Kong and Macau are at potential immediate risk, and we foresee that, if left unpatched, this vulnerability could be exploited by adversaries to gain unauthorised access. We will continue to monitor the situation and assist organisations as needed. In the next blog post, we will also share further details on the TTPs leveraged by LockBit affiliates as a result of our recent incident response experience, with reference to the MITRE ATT&CK Framework, so that organisations can better prevent and detect malicious activities related to this RaaS group.

Recommendations

For organisations that have deployed vulnerable versions of SonicWall SRA SSLVPN, we recommend taking the following actions immediately, in this order:

  • Upgrade legacy SRA SSLVPN device(s) running firmware 8.x given they are not supported by SonicWall; apply patches to the impacted versions of the 9.x or 10.x firmware.
  • Reset the Active Directory credentials of all user accounts that had previously authenticated via the SonicWall SRA SSLVPN. In particular, the Active Directory credentials that are tied to the SonicWall SRA device for authentication purposes should be changed.
  • Re-bind users’ second authentication factor (e.g., Google or Microsoft Authenticator) app with an updated TOTP, and ensure that users store their newly generated backup codes securely.[11]
  • Review the privileges granted to the Active Directory account tied to the SonicWall SRA device for user authentication purpose, and remove excess permissions where possible to adhere to the principle of least privilege. In general, Domain Administrator privilege should not be used.
  • Perform a review of access management with respect to identity and network access (e.g., removal of legacy and unused accounts, housekeeping of privileges for all accounts, and enforce network segmentation to tighten access to key servers).
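The MFA bypass described under Initial Access works because a TOTP code is derived only from the enrolled seed and the current time, which is why the re-binding step above is needed: a password reset alone leaves a leaked seed valid. The following Python is an added illustration written for this post, not code from DarkLab or SonicWall; it implements standard RFC 6238 TOTP (HMAC-SHA1, 30-second step), checks itself against the RFC’s published test seed, and models the appliance-side check and seed rotation in a deliberately simplified form that is not SonicWall’s implementation.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 4226/6238 reference seed (ASCII "12345678901234567890"); used only to check the
# implementation against the RFC's published test vectors.
RFC_TEST_SEED = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password for a counter value (RFC 4226 dynamic truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the number of 30-second steps elapsed."""
    return hotp(seed, unix_time // STEP_SECONDS, digits)


class MfaEnrolment:
    """Minimal model of what a VPN appliance keeps per user for the second factor.

    Only the seed and the clock enter the check; the user's password plays no part.
    Simplified model for illustration, not SonicWall's implementation.
    """

    def __init__(self, seed: bytes) -> None:
        self.seed = seed

    def verify(self, code: str, unix_time: int, skew_steps: int = 1) -> bool:
        """Accept the code for the current step and +/- skew_steps neighbouring steps."""
        base = unix_time // STEP_SECONDS
        return any(
            hmac.compare_digest(hotp(self.seed, base + d), code)
            for d in range(-skew_steps, skew_steps + 1)
        )

    def rebind(self) -> bytes:
        """Enrol a fresh seed (the 'updated TOTP' in the recommendations) and return it."""
        self.seed = secrets.token_bytes(20)
        return self.seed


def leaked_seed_still_works(enrolment: MfaEnrolment, leaked_seed: bytes, unix_time: int) -> bool:
    """Would a code generated from a previously extracted seed pass the appliance's check now?"""
    return enrolment.verify(totp(leaked_seed, unix_time), unix_time)


def rotation_demo(unix_time: int = 1_700_000_000) -> tuple:
    """Returns (leaked seed accepted after a password reset, accepted after a seed re-bind)."""
    original_seed = secrets.token_bytes(20)
    enrolment = MfaEnrolment(original_seed)
    leaked = bytes(original_seed)  # the seed an attacker obtained from the appliance's session data

    # A password reset does not touch the enrolment, so the leaked seed still validates.
    after_password_reset = leaked_seed_still_works(enrolment, leaked, unix_time)

    # Re-binding the second factor replaces the seed; codes from the leaked one now fail.
    enrolment.rebind()
    after_rebind = leaked_seed_still_works(enrolment, leaked, unix_time)
    return after_password_reset, after_rebind


if __name__ == "__main__":
    print("RFC 6238 test vector at t=59:", totp(RFC_TEST_SEED, 59))  # 287082
    print("leaked seed accepted (after password reset, after re-bind):", rotation_demo())
```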

Meanwhile, defending against undisclosed exploits is extremely challenging, but not impossible if organisations adopt a defense-in-depth approach. The following guiding principles should be observed:

  • Require multi-factor authentication for all services to the extent possible, especially on external remote services. 
  • Implement a robust threat and vulnerability management programme that leverages cyber threat intelligence to achieve a resilient security posture. Specifically:
    • Maintain regular cybersecurity patching hygiene practices, including a robust baseline that patches known exploited vulnerabilities and aims to reduce the known attack surface.
    • Leverage cyber threat intelligence to prioritise the remediation scale and timeline on a risk-based approach, through the incorporation of indications and warnings regarding trending threats per available proof-of-concept code, active exploitation by threat actors, and Darknet chatter.
  • Maintain tertiary offline backups that are encrypted and immutable (i.e., cannot be altered or deleted). This should be on top of your existing secondary data backups, which should follow security best practices, in particular network segmentation from your production and/or primary site.
  • Develop and regularly test the business continuity plan, ensuring that the entire backup, restoration and recovery lifecycle is drilled to ensure the organisation’s operations are not severely interrupted.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques elaborated from part one of the blog post. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

  • Initial Access: Exploit Public-Facing Application (T1190)
  • Initial Access: Valid Accounts (T1078)
  • Impact: Data Encrypted for Impact (T1486)

Indicators of Compromise (IoCs)

We include the observed IoCs elaborated from part one of the blog post. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.


Feel free to contact us at [threatintel at darklab dot hk] for any further information.

What to expect in 2022

We do not have a crystal ball to predict the future. However, we have plenty of experience in researching, responding, and mitigating cyber threats for our clients. The last eighteen months saw a dramatic evolution of the cyber security challenges companies face. Based on what we are observing in the threat landscape and the conversations we are having with industry leaders across sectors, here we outline what DarkLab cyber threat analysts assess will be some of the most relevant issues in 2022. 

Ransomware profits will ensure ongoing exploitation by lesser-known gangs 

Human-operated ransomware with a double extortion tactic exploded in 2020, kept growing in 2021, and we expect it to continue to pose a high threat to organisations in 2022. Our analysis of ransomware groups’ posts on the dark web shows no sign of the underground industry slowing down.

What we expect to change is criminals’ branding tactics. Well known ransomware-as-a-service outfits like BlackMatter and REvil exploited their fame to attract affiliates and threaten victims into meeting their ransom demands. However, their high profile attracted law enforcement attention, including in their domestic countries like Russia, and has led to these groups’ downfall. A logical reaction will likely see cybercriminals avoiding the same mistakes and maintaining a lower profile. Expect a larger number of smaller ransomware gangs in 2022. 

Increased threat to cryptocurrency businesses  

While extortion has been the main profitable enterprise for cybercriminals in 2021, the profits will likely be reinvested in diversifying operations. Sophisticated groups like APT38 and individual hackers have in 2021 shown the potential profitability of targeting cryptocurrency exchanges and start-ups. Laundering millions of dollars’ worth of cryptocurrency is, for now at least, easier for criminals than moving large sums across the traditional financial system.

As more and larger companies join the cryptocurrency business, and regulators still lag behind in imposing strict anti-fraud controls, there is a likely window of opportunity for criminals to exploit.  

Increased emphasis on private sector players in espionage operations 

Security researchers have warned of the threat posed by private sector spyware providers for a long time, although governments have only recently acted on it and imposed sanctions on some of the best known companies in the field. Israeli companies like NSO and Candiru are the highest profile names in a crowded industry providing many shades of services, from legitimate offensive toolsets to hack-for-hire operations, particularly in South and South East Asia.  

Even though governments worldwide have allegedly used private sector contractors in part of their offensive operations’ supply chain, last year’s increased media and government interest has put a spotlight on the issue. We expect more such campaigns to be highlighted in 2022.

Cloud supply chain is a potential single point of failure 

This prediction is, we truly hope, one that is not going to happen in the coming year, but rather a wider concern based on the dynamics we are observing in the IT industry and the cyber threat landscape.

Companies have moved to the cloud at an unprecedented speed during the last two years, and we are not seeing any deceleration on the horizon. However, increased data crunching in the cloud is not always met with a proportional increase in cloud security spending, best practices for which are still in their relative infancy.  

The number of trusted cloud vendors is also limited, with a few very large companies hosting most of the world’s data. Granted, companies like Microsoft, Amazon, Tencent and Alibaba have very good security teams and large security budgets. However, they also represent obvious central systems linked to many large organisations of interest to threat actors. Cloud systems’ outages, like those affecting a major US-based provider in December 2021, demonstrated the potential impact an attack on these companies could have on their customers.

The mass and rapid exploitation of MS Exchange, ProxyShell and Log4shell also showed how adept threat actors are at weaponising vulnerabilities in widely used digital systems, and how these campaigns can paralyse security teams worldwide for weeks.  

Finally, the most sophisticated among threat actors, like APT29/Nobellium, have already demonstrated their intent and capability to successfully exploit cloud supply chain to gain access to high profile targets. Our experience suggests that where sophisticated state-sponsored threat actors go, criminals eventually follow.  

As such, the exploitation of cloud supply chain is likely among the highest threats to organisations in 2022 and beyond. Fortunately, much can be done to mitigate this threat by careful planning, including thorough application of zero-trust architecture and a shift-left approach to cloud devsecops. 

Recommendations to secure your 2022

We do not expect the challenges facing cyber security professionals in the coming year to be less ominous than those we just put behind us. Nonetheless, 2021 taught us plenty of useful lessons that can equip companies with the right strategies and tools to successfully mitigate cyber threats we may face in 2022.

  • Comprehensive intrusion defense strategy: Our incident response and threat hunting experience suggests that a few best practices go a long way to prevent most network intrusions:
    1. Attack surface hardening: enterprises should focus on profiling their attack surface, including open services and technologies used, and reducing their internet-exposed infrastructure.
    2. Identifying and protecting critical internal systems: threat actors, especially ransomware operators, actively look for systems in their victims’ network that serve crucial functions and hold sensitive data (e.g. Domain Controllers, backup servers, file servers). Securing these systems reduces the impact of an intrusion and increases the likelihood of detection, while increasing costs for attackers.
    3. Defending against lateral movement: the majority of threat actors moving across networks rely on mechanisms that are relatively easy to disrupt with security restrictions, such as restricting Remote Desktop Protocol between user zones and disabling Windows Remote Management, among others.
    4. Protecting user accounts and privileged access: good credential protection and management are key measures in limiting credential theft and abuse. Security measures should include multi-factor authentication for remote or sensitive access, housekeeping of user and system accounts, and credential hardening for privileged accounts by using managed service accounts (MSA) and the Protected Users group.
  • Risk-based security controls help overcome limitations: budget and human resources are finite. Prioritising them in the most efficient way is crucial to a timely and effective security strategy. Companies should understand the intent and capabilities of the most likely threats they face. Assessing the likelihood of threats to critical systems and their potential impact is what makes a risk-based approach to security effective. By understanding the most likely TTPs threat actors will use against your most important systems, companies can prioritise the application of the most urgent security controls.
  • Cloud security needs a strategy: as threats to the cloud mature, so should organisations’ strategies to secure their cloud systems. Cloud posture monitoring and cloud-specific MITRE ATT&CK TTP detection use cases can help in identifying ongoing threats. Using existing blueprints for cloud deployment, a shift-left approach to DevSecOps, and enhancing automation with infrastructure-as-code are important preventive measures that also help alleviate the ongoing scarcity of cyber talent.

Crypt ‘n’ Leak

New ransomware trend exploits vulnerability in Hong Kong’s VPNs

The fast pace of criminals’ innovation is an ever-recurring theme in cyber security. When the cybercriminal underground economy is particularly saturated, threat actors will likely be driven to explore new ways to differentiate their offering in the illicit cybercriminal market and increase revenue. This is what we are currently observing among ransomware operators. Many ransomware variants have been released in recent years. In the last several months, however, a smaller group of ransomware-as-a-service providers emerged with a new tactic to extort their victims.

DarkLab’s Threat Intelligence team is currently tracking multiple ransomware groups that, in addition to encrypting victims’ data, also steal sensitive files and threaten their public release if ransom demands are not met. The extortionists’ goal is to apply additional pressure on victims by threatening reputational damage and potential regulatory fines if sensitive data is leaked, on top of hindering systems availability.

DarkLab incident response team has observed multiple such incidents affecting Hong Kong organisations, highlighting how ransomware leak attacks are a significant and current threat for companies in the region as well as globally. DarkLab has experience in dealing with Maze and NetWalker ransomware attacks in Hong Kong. This article aims to first shed light on each malware’s background, and then to discuss some of the tactics, techniques, and procedures (TTPs) we observed in our incident response investigations.

The RaaS model and its implications

Maze and NetWalker ransomware variants are developed by a core group of cybercriminals and then leased to other criminal operators, called affiliates, on deep and dark web forums. This model is usually referred to as ransomware-as-a-service (RaaS), where operators and developers share profits in an agreed percentage.

RaaS means that different operators of the same ransomware group can target multiple companies at the same time, regardless of their size or geographical location. Ransomware operators are independent actors, so they may differ in the attack tactics exploited. This makes the job of network defenders more challenging because of the larger set of potential tactics, techniques, and procedures (TTPs) to mitigate.

Some RaaS developers, like those of NetWalker, only accept affiliates with proven technical skills and existing access to multiple corporate networks. Stricter cybercriminal candidate screening is leading to an increase in targeted ransomware attacks exploiting external network systems. Exposed remote desktop protocol (RDP) and vulnerable internet-facing services are increasingly more likely entry points than untargeted phishing emails.

The rise of crypt and leak

Since the end of 2019, some ransomware groups have begun threatening to release sensitive victim data if their ransom demands are not met. Maze went a step further and set up a dedicated website to publicly shame victims and leak data. More groups, including NetWalker, are now maintaining their own leak websites on the clearnet or on Tor hidden services. DarkLab is currently tracking 13 ransomware leak websites, highlighting the rapidly increasing scale of this crypt and leak trend.

This new pressure tactic by ransomware operators has significant implications for companies. Previously, an efficient back-up policy would potentially guarantee a timely recovery from ransomware attacks. Now that ransomware groups also leak data, back-ups are not enough anymore. Organisations must ensure that sound cyber security hygiene is maintained at all times to prevent a ransomware intrusion from taking place at all.

Maze

Maze ransomware appeared in May 2019, but it began leaking victims’ data only in 2020. The group maintains two sites, one to publish victim data (see figure 1), the other to communicate with its victims and let them decrypt some test files (see figure 2). Both have a back-up Tor hidden service counterpart to avoid takedown by law enforcement.

Figure 1 – redacted screenshot of Maze ransomware leak site

Figure 2 – Screenshot of Maze ransomware chat site

Figure 3 – Geography of Maze’s victims posted on their site

Figure 4 – Sectorial breakdown of Maze’s victims posted on their site

NetWalker

NetWalker ransomware is based on a previous variant called Mailto and was rebranded under its current name in March 2020, despite little change in its code. The developers of NetWalker recruit affiliates on Russian-language cybercriminal forums and particularly look for individuals with network intrusion experience. The group has allegedly been very successful since its inception. NetWalker developers claimed to have gained millions of US dollars since March, although it remains unclear whether this is an exaggeration to attract more affiliates to their program.

NetWalker also operates a website that lists their victims and leaks their data. We noticed that the group behind NetWalker selectively deletes victims’ entries from their website over time, so the range of targeted organisations is likely more extensive than that presented in the graphs below.

Figure 5 – Redacted screenshot of NetWalker ransomware leak site

Figure 6 – Geographical breakdown of NetWalker’s victims posted on their site, more have likely been targeted and not posted online or deleted from existing victims’ list

Figure 7 – Sectorial breakdown of NetWalker’s victims posted on their site, more sectors have likely been targeted

Observed tactics, techniques, and procedures

DarkLab incident response investigations found that operators of both Maze and NetWalker exploited a known Pulse Secure VPN vulnerability – CVE-2019-11510 – to gain initial access to victims in Hong Kong. The same vulnerability has been exploited by multiple ransomware groups against other high-profile targets, including by Sodinokibi against Travelex in January.

In both cases, the SSLVPN remote access technology was Active Directory (AD) authenticated, giving attackers a legitimate network account early in their intrusion. Once inside the victim’s network, the attackers conducted enumeration and other reconnaissance activities by, for instance, searching for password files in shared folders. The attackers also actively looked for idle and vulnerable servers with the intention of expanding their foothold.

During our investigations we found that both intruders used common hacking tools, although with some differences. Tools observed include Windows administration tools like PsExec, open source tools for lateral movement like CrackMapExec, PowerShell versions of Mimikatz and PowerView for credential theft, further enumeration and privilege escalation, as well as off-the-shelf network scanners.

The Maze and NetWalker operators eventually managed to obtain access to administrator accounts, which allowed them in both cases to disable anti-virus solutions on network end points. Similarly, creation of new domain administrator accounts allowed them persistence on the network. 

From such privileged positions the operators staged malware and other required artefacts on accessible locations in the victims’ networks, such as shared folders – for NetWalker – and NETLOGON folders – for Maze. We suspect that in both incidents scripts were used to automatically spread the ransomware in the network.

In the case of Maze, the deployment script would also disable endpoints’ protection software, and enable services, such as Windows Remote Management, that would allow re-entry. Maze operators also abused group policy objects (GPOs) to weaken their endpoint defences by changing configurations, and to redeploy the malware to new machines. The latter would ensure that the ransomware would also spread to endpoints after they shut down or if they joined the network at a later time.

Conclusion

The double extortion of crypt and leak groups and the growing trend of targeted attacks against external network infrastructure makes ransomware leaks one of the most significant threats to companies, regardless of sectors. The recent targeting of Hong Kong organisations by Maze and NetWalker also reaffirms how the SAR’s threat landscape is closely associated with threat trends worldwide.

Companies in Hong Kong should therefore adopt a proactive approach to review their security posture and avoid targeted network intrusions in the first place. Presence of timely back-ups can help restore system availability but it is not an effective mitigation against the increasing threat of ransomware data leak. Organisations should also focus on maintaining situational awareness on developments in the global threat landscape, as threats to companies abroad are likely to quickly become threats to Hong Kong organisations too.

Indicators of Compromise

Hash | File name | Description
c45ebccb7dc2bbc34c51c82c3eba6448 | apply.ps1 | Generates GPO package to disable AV, settings
16b5ddd25bb610270e52c1663931ef4c | system.dll | Maze ransomware
0e7d5d16e03393605f5f4862f1b9cc37 | crackmapexec.exe | Lateral movement tool
d6a246a98a0387e2a5f9d95ddd8ae164 | syspool.exe | Lightweight network scanner
696bb8648eceaa187cbc1f06205a23ce | city.exe | NetWalker ransomware
84ddf23d4307b1a9989352f4845d0ede | city.ps1 | NetWalker PowerShell script

Phobos ransomware

Incidents affecting Hong Kong organisations

In the last two months DarkLab Incident Response and Threat Intelligence teams observed multiple incidents in Hong Kong involving the Phobos ransomware variant.

There are no explicit indications that these incidents are part of a campaign targeting Hong Kong. Rather, they are likely due to Phobos’ prevalence in the cybercriminal underground. Nonetheless, the similarities in observed tactics, techniques and procedures (TTPs), and in the ransomware deployed, prompted us to release this alert to help companies improve their timely detection and response to this threat.

Intrusions analysis

Phobos shares many similarities with the Dharma ransomware, and has been sold as ransomware-as-a-service on the cybercriminal underground since at least December 2018. This means that even low-skilled threat actors can rent the malware from its developers and spread it via whatever means they have access to.

According to DarkLab’s incident investigations, exploitation of remote desktop protocol (RDP) servers and their credentials is the most common infection vector. In particular, we observed RDP brute forcing and exploitation of weak password policies as the most frequent attack vectors. Such TTPs match previously reported instances of Phobos intrusions worldwide.

Once inside the victims’ network, we have seen criminals creating a local account with netplwiz, deploying a malicious network share scanner called 5-NS new.exe, and deleting event logs prior to executing the main payload.

Several hours after the initial intrusion threat actors triggered the ransomware in the form of a malicious executable. Other than encrypting the files, the ransomware also tampered with infected hosts to disable the firewall and other security configurations.
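The chain described above (RDP brute forcing, a local account created with netplwiz, event logs deleted, then the payload hours later) lends itself to a simple stateful detection. The following Python is an added example written for this alert, not DarkLab tooling; it runs over constructed sample records shaped after the Windows Security events 4625 (logon failure), 4624 (logon success), 4720 (user account created) and 1102 (audit log cleared), and only escalates the later steps when they come from an account that logged in from a source already seen brute forcing. The JSON field names, thresholds and windows are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from a real incident), newline-delimited JSON as a SIEM
# might export. logon_type 10 is RemoteInteractive, i.e. RDP.
SAMPLE_NDJSON = """\
{"time": "2020-10-01T01:00:05", "id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"}
{"time": "2020-10-01T01:00:15", "id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"}
{"time": "2020-10-01T01:00:25", "id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "admin"}
{"time": "2020-10-01T01:00:35", "id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"}
{"time": "2020-10-01T01:00:40", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.9", "user": "j.chan"}
{"time": "2020-10-01T01:00:45", "id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"}
{"time": "2020-10-01T01:00:55", "id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"}
{"time": "2020-10-01T01:01:10", "id": 4624, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"}
{"time": "2020-10-01T01:20:00", "id": 4720, "subject_user": "administrator", "user": "svc_backup"}
{"time": "2020-10-01T03:45:00", "id": 1102, "subject_user": "administrator"}
"""

FAIL_THRESHOLD = 5                    # this many RDP failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)    # ... within this window counts as brute forcing (assumed)
FOLLOW_WINDOW = timedelta(hours=12)   # "several hours" between intrusion and payload (assumed)
RDP_LOGON_TYPE = 10


def parse_events(ndjson: str) -> list:
    """Parse NDJSON records and return them in time order."""
    events = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    for event in events:
        event["time"] = datetime.fromisoformat(event["time"])
    return sorted(events, key=lambda e: e["time"])


def detect(events: list) -> list:
    """Single pass over ordered events; later rules fire only after the earlier ones did."""
    alerts = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent RDP failures
    brute_sources = set()           # sources that crossed the failure threshold
    compromised = {}                # account -> time it succeeded from a brute-forcing source

    for e in events:
        t, eid = e["time"], e["id"]
        if eid == 4625 and e.get("logon_type") == RDP_LOGON_TYPE:
            recent = failures[e["src_ip"]]
            recent.append(t)
            while t - recent[0] > FAIL_WINDOW:   # drop failures outside the sliding window
                recent.popleft()
            if len(recent) >= FAIL_THRESHOLD and e["src_ip"] not in brute_sources:
                brute_sources.add(e["src_ip"])
                alerts.append({"time": t, "rule": "rdp_brute_force", "src_ip": e["src_ip"]})
        elif eid == 4624 and e.get("logon_type") == RDP_LOGON_TYPE and e["src_ip"] in brute_sources:
            compromised[e["user"]] = t
            alerts.append({"time": t, "rule": "rdp_success_after_brute_force", "user": e["user"]})
        elif eid == 4720 and e.get("subject_user") in compromised:
            # netplwiz-style local account creation by the suspect session (persistence)
            if t - compromised[e["subject_user"]] <= FOLLOW_WINDOW:
                alerts.append({"time": t, "rule": "account_created_by_suspect_logon", "user": e["user"]})
        elif eid == 1102 and e.get("subject_user") in compromised:
            # audit log cleared by the suspect session: defence evasion right before the payload
            alerts.append({"time": t, "rule": "audit_log_cleared_by_suspect_logon"})
    return alerts


def rule_names(ndjson: str = SAMPLE_NDJSON) -> list:
    """Names of the rules that fired, in order, for the given records."""
    return [alert["rule"] for alert in detect(parse_events(ndjson))]


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_NDJSON)):
        print(alert)
```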

Conclusion

Attackers did not employ particularly sophisticated tradecraft and PwC was able to help clients contain the incidents quickly. Nonetheless, the intrusions impaired systems availability and created operational disruption among victim companies. This can be particularly damaging when most organisations’ staff connect remotely to the corporate network due to the COVID-19 pandemic.

Recommendations

To protect against ransomware incidents via RDP exploitation, DarkLab recommends companies to:

  • Ensure visibility over public-facing RDP servers via external scans
  • Limit exposure of public-facing systems whenever possible
  • Enforce use of multi-factor authentication for remote access, particularly RDP
  • Ensure your organisation has and follows an effective back-up policy

File Name | MD5 | Description
20.09.2019Taskmgr.exe | b8351ba02dbce02292a01a6e85112e2b | Phobos ransomware
Mouse Lock_v22.exe | fc9c80e1767e1266056b1b2c89a74ce5 | Blocks mouse cursor on screen
5-NS new.exe | 597de376b1f80c06d501415dd973dcec | Network shares scanner