Cisco Talos & BlackByte Ransomware Group

May 24, 2022

Industry: N/A | Level: Tactical | Source: Cisco Talos

Cisco Talos reports activity associated with the BlackByte ransomware group. The group has targeted victims worldwide, including North America, Colombia, the Netherlands, China, Mexico, and Vietnam. Initial access has typically come from exploiting vulnerable internet-facing services, such as Microsoft Exchange (ProxyShell) or SonicWall VPN. Cisco Talos documented an intrusion that took place in March 2022. The infection starts with a BAT script executing and installing AnyDesk. A few hours later, a new account is created for persistence, and the attackers again lay dormant for a few hours before tampering with system services, modifying the registry, and creating firewall rules to ultimately deploy the BlackByte ransomware. The entire infection takes 17 hours to achieve encryption. Across BlackByte intrusions, a preference for AnyDesk and for living-off-the-land binaries (LoLBins) has been observed.

Anvilogic Scenario:

  • Blackbyte: BAT Script & New Acct to Attacker Objectives

Anvilogic Use Cases:

  • Potential ProxyShell
  • Executable Create Script Process
  • Create/Add Local/Domain User
  • Service Stop Commands
  • Suspicious Executable by Powershell
  • Create/Modify Schtasks
  • Inhibit System Recovery Commands
  • Registry key added with reg.exe
  • Windows Firewall Rule Creation
  • Executable Process from Suspicious Folder
  • System Shutdown or Reboot
  • Remote Admin Tools
  • Windows Defender Disabled Detection

Trend Micro Analyzes BlackCat Ransomware

April 26, 2022

Industry: N/A | Level: Tactical | Source: Trend Micro

Trend Micro shares details of an incident involving BlackCat ransomware to provide insight into the infection sequence. The investigation began with the identification of suspicious web shells on Microsoft Exchange servers that had been compromised through the ProxyLogon and ProxyShell vulnerabilities. PowerShell was then spawned from the Internet Information Services (IIS) worker process (w3wp.exe) to download a Cobalt Strike Beacon and a DLL that was executed with rundll32.exe. By injecting into the Windows Error Reporting process (WerFault.exe), the attackers ran discovery commands, obtained credentials by dumping NTDS.dit with CrackMapExec, and moved laterally through the environment over SMB. Before executing the ransomware, the attackers launched batch scripts; however, the scripts were not captured by Trend Micro for analysis.

  • Anvilogic Scenario: BlackCat Ransomware: Post-Exploitation of Exchange
  • Anvilogic Use Cases:
    • Exchange New Export Request
    • Potential Web Shell
    • Potential ProxyShell
    • IIS Worker (W3WP) Spawn Command Line
    • Suspicious File written to Disk
    • Rundll32 Command Line
    • Common Active Directory Commands
    • SharpHound Enumeration
    • SharpHound Keywords
    • Python Execution
    • Rare Remote Thread
    • NTDSUtil.exe execution
    • Potential Lateral Movement via SMB
    • Executable Create Script Process
    • Encoded Powershell Command

UNC2596 & Cuba Ransomware

March 01, 2022

Industry: Construction Engineering, Education, Energy, Financial, Government, Healthcare, Legal, Manufacturing, Media, Oil, Technology and Transportation | Level: Tactical | Source: Mandiant

Mandiant reports activity from the threat group UNC2596 deploying Cuba/COLDDRAW ransomware by exploiting the Exchange vulnerabilities ProxyShell and ProxyLogon. The group has targeted over 10 countries, with 80% of the victim organizations based in North America. Targeted industries span many verticals, including construction engineering, education, energy, financial, government, healthcare, legal, manufacturing, media, oil, technology and transportation. Since 2021 the group’s extortion model has included a shaming website on which victims are listed. UNC2596 tactics have included Mimikatz and user account creation for privilege escalation. Reconnaissance has involved a ping sweeping tool and a PowerShell script that uses “Get-ADComputer”. Lateral movement is facilitated with RDP, SMB, and PsExec. UNC2596 completes its operation by collecting, encrypting and exfiltrating data using batch scripts.

  • Anvilogic Use Cases:
    • Potential ProxyShell
    • Potential PHP Webshell
    • Mimikatz
    • Create/Add Local/Domain User
    • Potential Ping Sweep
    • Common Active Directory Commands
    • Remote Admin Tools
    • RDP Hijacking

Emissary Panda Attack Insight

February 22, 2022

Industry: N/A | Level: Tactical | Source: HVS-Consulting

A case study in HVS Consulting’s report details a nine-month campaign by the threat group Emissary Panda, conducted in three distinct phases:

  1. Initial compromise with privilege escalation, lateral movement and data exfiltration
  2. Maintaining persistence and moving through the environment
  3. Collecting and exfiltrating additional data

HVS also assessed the major vulnerabilities of 2021, including ProxyLogon, Confluence and Log4Shell. ProxyLogon became more widely exploited following the discovery of additional Exchange vulnerabilities such as ProxyShell. Threat actors that have exploited Exchange vulnerabilities include Hafnium, Emissary Panda, Fancy Bear and the Winnti Group.

  • Anvilogic Scenario: APT27/Emissary Panda
  • Anvilogic Use Cases:
    • Potential ProxyShell
    • Potential Confluence: CVE-2021-26084
    • Potential CVE-2021-44228 – Log4Shell
    • Msiexec Abuse
    • New AutoRun Registry Key

ProxyShell Exploited with DatopLoader Leading to Qakbot

January 18, 2022

Industry: N/A | Level: Operational | Source: Cybereason

A threat report from Cybereason and security researcher Orange Tsai investigates a new malware loader, DatopLoader, that emerged in September 2021. The loader was observed being dropped as a payload following the attacker’s successful exploitation of ProxyShell and other Exchange vulnerabilities. Once the loader executes, Qakbot/Qbot lands on the victim’s workstation to set up persistence and conduct reconnaissance, largely using native tools, with the exception of AdFind. Cobalt Strike is also launched and uses PsExec to move laterally through the environment. In addition, credential access was observed through the collection of registry hives.

  • Anvilogic Scenario: DatopLoader & Qakbot
  • Anvilogic Use Cases:
    • Potential ProxyShell
    • Common Exchange Recon cmdlets
    • Exchange Remove Export Request
    • regsvr32 Execution
    • Credentials in Registry

BlackByte Ransomware from RedCanary

December 01, 2021

Industry: N/A | Level: Tactical | Source: RedCanary

RedCanary presented research from a BlackByte ransomware incident response engagement conducted with Kroll. The attack sequence covered initial access via ProxyShell and a web shell, post-exploitation with Cobalt Strike, impairing defenses through modifications to process monitoring, Windows Defender and the firewall, and finally ransomware deployment and file exfiltration.

  • Anvilogic Scenario: BlackByte Behaviors

Squirrelwaffle + ProxyShell and ProxyLogon

November 23, 2021

Industry: N/A | Level: Tactical | Source: TrendMicro

Trend Micro research shows that the Squirrelwaffle loader, which emerged in September 2021, has likely been leveraging ProxyLogon and ProxyShell exploits to send malicious emails from pre-existing email chains. Threat actors using this email-thread-hijacking technique did not drop or use tools for lateral movement after gaining access to vulnerable Exchange servers, nor was any malware installed before the malicious email spread across the targeted network. When the victim executes the attached macro-enabled Excel file, a malicious Qbot DLL is downloaded from hardcoded URLs and executed with regsvr32.

  • Anvilogic Scenario: SquirrelWaffle – Behaviors

ProxyShell & Web Shells

November 23, 2021

Industry: N/A | Level: Tactical | Source: Mandiant

Mandiant investigations continue to identify exploitation of Microsoft Exchange vulnerabilities as recently as November 2021, with an estimated 30,000 internet-facing servers still vulnerable. Threat actors’ use of these vulnerabilities has shifted slightly, “most notably, the writing of web shells via export of exchange certificate requests instead of mailbox exports, and exploitation of the first two vulnerabilities in the exploit chain only to achieve remote PowerShell and create new mailboxes, assign them privileged access to other mailboxes, then access them via Outlook Web Access (OWA)” states the investigation. Three attack paths were observed following second-stage exploitation: a web shell; the Microsoft cmdlet New-ExchangeCertificate used to write web shell files; and New-Mailbox/New-RoleGroupMember/Add-MailboxPermission used to create a new user with full Exchange administrative capabilities.

  • Anvilogic Use Cases:
    • Potential ProxyShell
    • Potential Web Shell
    • Web Application File Upload
    • Exchange New Export Request