This week has recorded multiple ransomware attacks against major companies in various industries. The trends have remained unchanged, which are: rapid encryption of files; lateral movement; and taking advantage of weak and compromised backup systems and exposed RDP ports.
Analyzing these incidents will give you valuable information regarding how to detect and respond to these types of cyber-attacks.
Attack Pattern 1: Exploitation of Exposed RDP
Observed Incident:
An attacker has compromised a medium-sized manufacturing business by utilizing weak RDP credentials. They silently installed a variant of ransomware.
Indicators:
Repeatedly failed logons; connections from geographic locations that are out of the ordinary; usage of accounts that have not been seen in some time.
Tools and techniques to use
1. RDP logs from Windows Event Viewer.
2. Sysmon to watch for newly created processes.
3. Powershell commands to see who logged in on their sessions.
Sample detection command:
Get-EventLog -LogName Security -InstanceId 4625 | Where-Object {$_.Message -match "RDP"}
This command allows you to pinpoint unsuccessful RDP login attempts allowing you to investigate them to reduce the potential for future cyber-attacks on your organization.
Attack Pattern 2: Compromise via Supply Chain
Observed Incident:
A software supplier was compromised through the following example; The ransomware used in later attacks on customers was developed by an attacker who infiltrated the software developer's build system.
Indicators of Compromise:
1. Unusual/Unexpected binaries were digitally signed with the vendor's digital certificates.
2. Timestamps on build artifacts have been tampered with.
3. Build server networks have connections that appear abnormal.
Hunting Tools to be Used:
1. Sigcheck to verify the digital signatures of binaries.
2. nmap and netstat used to identify any unusual outbound network traffic.
3. Hashing for validation of binary integrity.
Example of Verification Command:
sigcheck.exe -u suspicious.exe
To determine whether or not this binary is signed by a valid, known vendor and that the binary signature is valid.
Attack Pattern 3: Fileless Execution
Observed Incident:
Ransomware payloads were deployed against client workstations utilizing PowerShell script execution directly within memory. Therefore, minimal disk images containing artifacts were left behind following the execution of these scripts.
Hunting Tools Used:
1. Sysmon to monitor all execution of PowerShell command lines.
2. Use Process Explorer or Process Hacker in order to inspect live processes.
3. Perform memory analysis with Volatility3 or LiME.
Example Volatility Memory Check:
volatility3 -f memory.raw windows.malfind
Identifies injected code in processes without relying on files.
Attack Pattern 4: Backup Deletion Before Encryption
Observed Incident:
Attackers guarantee blocking of all recovery paths through the deletion of data snapshots and by deleting all cloud backup files from the cloud (where all backups should have been stored).
Indicators Used:
1. API requests not made during expected hours for cloud backup services.
2. Removal of Shadow Credited Copies via Command Line Interface.
3. Backups that use compromised usernames+passwords to connect to the backup services hosted on the cloud.
Hunting Tools Used:
1. Review Audit log of cloud platforms.
2. PowerShell enumeration of Shadow Copies.
Example Shadow Copy Enumeration:
vssadmin list shadows
Reveals if backups were removed or tampered with.
Characteristics common to attacks during This Week:
1. Attackers gained access to an organization by exploiting publically available services or by using stolen credentials.
2. Attackers moved laterally within the organization by utilizing “living-off-the-land” binaries.
3. Execution was completed by executing malware from memory or executing scripts.
4. Backup systems were intentionally disrupted by attackers.
5. Attackers tend to remain inconspicuous until the time for encrypting files or demanding ransom.
It appears that attackers will utilize established methods to develop more complicated, multi-stage ransomware attacks.
What can security teams do?
As security teams monitor their networks, they should consider:
1. Auditing all Remote Access and Multi-Factor Authentication (MFA) processes.
2. Monitoring for anomalies or trends related to PowerShell and Memory usage.
3. Periodically validating a copy of backups, preferably offline.
4. Tracking all Service Accounts generated within an organization.
5. Identifying and eliminating any deviations from a Vendor’s Build Pipeline process as soon as possible.
The best way to hunt for ransomware attacks, is to analyze how attackers breaks down and isolate each technique to execute a full ransomware attack.
Key Takeaways
1. Ransomware continues to be opportunistically targeted by security teams, but attackers are becoming more strategic in how they put their plans into action.
2. Detailed memory analysis and/or script analysis is critical to detecting ransomware attacks.
3. The first priority of attackers is to gain access to an organization's Backups; therefore, the protection and monitoring of Backups are essential.
4. Credentials have been compromised and publicly available services are where attackers commonly gain access to an organization.
5. Studying and documenting each step of an attacker’s sequences will help security personnel take appropriate preventive action.
While some attackers will create new or innovative methods of attacking an organization, the majority of attacks are completed utilizing known methodologies/tools with timing and precision to succeed.