Ransomware Attack Techniques

May 03, 2022

Industry: N/A | Level: Tactical | Source: Symantec

Symantec’s analysis of the ransomware groups Hive, Conti, and Avoslocker has identified frequently used tools, tactics, and procedures (TTPs). During the initial access stage, the ransomware operators leverage exploits, RDP with weak or compromised credentials, and malware delivered through phishing emails involving IcedID, Emotet, QakBot, or TrickBot. Persistence involved third-party remote access software such as AnyDesk and ConnectWise Control, along with modifications to the firewall and registry. Tools used for system discovery include ADRecon and Netscan. Credential access is achieved with a wide array of techniques: Mimikatz, comsvcs.dll, extracting credentials from the registry, and using Task Manager to dump LSASS memory. Tools used for lateral movement include PsExec, WMI, BITSAdmin, and Mimikatz. Tampering with Windows event logs helped cover the attackers’ tracks, and data recovery is inhibited by deleting shadow copies. Lastly, for data exfiltration the actors relied on RClone and FileZilla to transfer data.

  • Anvilogic Use Cases:
    • Registry key added with reg.exe
    • Windows Firewall Rule Creation
    • Mimikatz
    • Invoke-Expression Command
    • comsvcs.dll Lsass Memory Dump
    • Rundll32 Command Line
    • Task Manager lsass Dump
    • Credentials in Registry
    • Remote Admin Tools
    • WinRM Tools
    • BITSadmin Execution
    • Clear Windows Event Logs
    • Inhibit System Recovery Commands
    • Suspicious Registry Key Deleted
    • Rclone Execution
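Several of the use cases above reduce to command-line matching on process-creation telemetry. The following is an added example (not from Symantec’s report or Anvilogic’s content) that runs a small rule set over constructed command lines for the LSASS dump via comsvcs.dll, shadow copy deletion, event log clearing, RClone transfers, registry hive saves, and firewall rule creation; the rule names, sample lines, and regexes are my own.

```python
import re

# Constructed process-creation command lines (what a Sysmon Event ID 1 / Windows 4688 record
# would carry); sample data, not taken from Symantec's report.
EVENTS = [
    r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\temp\lsass.dmp full",
    "vssadmin.exe delete shadows /all /quiet",
    "wevtutil.exe cl Security",
    r"rclone.exe copy C:\Share\Finance remote:archive --transfers 32",
    r"reg.exe save HKLM\SAM C:\temp\sam.hiv",
    'netsh.exe advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389',
    "rundll32.exe shell32.dll,Control_RunDLL",   # ordinary rundll32 use, should not match
    "vssadmin.exe list shadows",                  # read-only query, should not match
]

# Use-case name -> pattern over the full command line. Patterns accept the bare image name
# or a path and are case-insensitive, since operators vary casing and quoting.
RULES = {
    "comsvcs.dll Lsass Memory Dump": re.compile(r"comsvcs(\.dll)?.*\bminidump\b", re.I),
    "Inhibit System Recovery Commands": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic.*shadowcopy\s+delete"
        r"|bcdedit.*recoveryenabled\s+no|wbadmin(\.exe)?\s+delete\s+catalog)", re.I),
    "Clear Windows Event Logs": re.compile(r"wevtutil(\.exe)?\s+cl\s+\S", re.I),
    "Rclone Execution": re.compile(r'(^|[\\/\s"])rclone(\.exe)?"?\s+(copy|sync|move|lsd)\b', re.I),
    "Credentials in Registry": re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I),
    "Windows Firewall Rule Creation": re.compile(r"netsh(\.exe)?\s+advfirewall\s+firewall\s+add\s+rule", re.I),
}

def match_cmdline(cmdline):
    """Return the names of every use case whose pattern matches one command line."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]

def triage(cmdlines):
    """Map each use case to the indices of the command lines that triggered it."""
    hits = {}
    for i, line in enumerate(cmdlines):
        for name in match_cmdline(line):
            hits.setdefault(name, []).append(i)
    return hits

if __name__ == "__main__":
    for name, idx in triage(EVENTS).items():
        print(f"{name}: command lines {idx}")
```

The two benign lines at the end are there to show that the patterns key on the destructive or dumping verb rather than on the image name alone, which keeps `vssadmin list` and everyday rundll32 usage out of the alert queue.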

Okta Data Breach Update

March 29, 2022

Industry: Technology | Level: Tactical | Source: Okta

Okta provides an update on the company blog regarding the security breach by Lapsus$. Okta’s forensic investigation affirms that the activity originated from a business solutions company named Sitel and its acquired company, Sykes. The screenshots shared by Lapsus$ are determined to have been obtained through remote desktop (RDP) access to a Sitel support engineer’s workstation. Although the support engineer’s privilege level is identified as “SuperUser,” Okta emphasizes the role “is limited to basic duties in handling inbound support queries.” The forensic investigation conducted by Sitel and a third-party security firm extensively reviewed activity from “January 16-21, 2022 when the threat actor had access to the Sitel environment.” On Okta’s side, the investigation was triggered by an event on January 20, 2022, at 23:18 UTC, with an alert that “a new factor was added to a Sitel employee’s Okta account from a new location.” The associated Okta account was contained by Okta on January 21, 2022 at 00:18 UTC. An incident timeline provided by Okta (below) dates the notable events from January 20, 2022 to March 22, 2022, when Lapsus$ claimed the breach via screenshot.

  • Anvilogic Scenarios:
    • Okta Suspicious Login then Priv Esc and AOO
    • Okta Suspicious Login then Account Manipulation
  • Anvilogic Use Cases:
    • Okta: Security Threat Detected
    • Okta: API Token Created
    • Okta: User/Group Privilege Grant
    • Okta: Application Modified or Deleted
    • Okta: Update or Delete sign on policy
    • Okta: MFA Reset or Deactivated
    • Okta: Policy Modified or Deleted
    • Okta: Policy Rule Modified or Deleted
    • Okta Multiple signins from Same IP address
    • Okta Impossible Travel Sign-In
    • Okta: Auth from Suspicious Country
    • Okta: Profile Updated
    • Okta: User Created
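The alert that started Okta’s investigation, a factor enrolled from a location the user had never logged in from, can be reproduced from Okta System Log events. This is an added example, not Okta’s detection or Anvilogic’s use case; the event history is constructed, the locations are made up, and the field and event-type names (`user.session.start`, `user.mfa.factor.activate`, `client.geographicalContext`) follow the System Log schema as I understand it.

```python
from datetime import datetime, timedelta, timezone

def _ev(published, event_type, user, country, city, result="SUCCESS"):
    """Build a trimmed Okta-System-Log-shaped event (constructed sample, not real tenant data)."""
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": user}, "outcome": {"result": result},
            "client": {"geographicalContext": {"country": country, "city": city}}}

# Constructed history for two support accounts; locations are made up.
EVENTS = [
    _ev("2022-01-10T09:02:11Z", "user.session.start", "eng1@example.test", "United States", "Austin"),
    _ev("2022-01-18T08:15:40Z", "user.session.start", "eng1@example.test", "United States", "Austin"),
    _ev("2022-01-20T23:17:10Z", "user.session.start", "eng1@example.test", "Germany", "Berlin"),
    _ev("2022-01-20T23:18:00Z", "user.mfa.factor.activate", "eng1@example.test", "Germany", "Berlin"),
    _ev("2022-01-15T11:30:00Z", "user.session.start", "eng2@example.test", "United States", "Austin"),
    _ev("2022-01-21T10:00:00Z", "user.mfa.factor.activate", "eng2@example.test", "United States", "Austin"),
]

def _ts(ev):
    return datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _loc(ev):
    geo = ev["client"]["geographicalContext"]
    return (geo["country"], geo["city"])

def new_location_factor_enrollments(events, baseline_days=30, recent_hours=24):
    """Flag MFA factor enrollments whose location never appeared among the user's successful
    logins in the baseline window. Logins inside the last `recent_hours` are excluded from the
    baseline, since a login from the new location minutes earlier is part of the same anomaly.
    Returns a list of (user, published, (country, city)) tuples."""
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["eventType"] != "user.mfa.factor.activate":
            continue
        user, t, loc = ev["actor"]["alternateId"], _ts(ev), _loc(ev)
        baseline_end = t - timedelta(hours=recent_hours)
        known = {_loc(e) for e in events
                 if e["eventType"] == "user.session.start"
                 and e["actor"]["alternateId"] == user
                 and e["outcome"]["result"] == "SUCCESS"
                 and baseline_end - timedelta(days=baseline_days) <= _ts(e) <= baseline_end}
        if loc not in known:
            alerts.append((user, ev["published"], loc))
    return alerts

if __name__ == "__main__":
    for user, when, loc in new_location_factor_enrollments(EVENTS):
        print(f"ALERT: {user} enrolled a new factor at {when} from {loc[1]}, {loc[0]}")
```

Setting `recent_hours=0` makes the login seconds before the enrollment count as baseline and the alert disappears, which is why the grace period matters for this rule.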

Okta Shares Investigation Update – 2022-03-24

March 24, 2022

Okta provided an update on the company blog regarding the security breach by Lapsus$. Okta’s forensic investigation affirms that the activity originated from a business solutions company named Sitel and its acquired company, Sykes.

Diavol Ransomware – DFIR Report

December 29, 2021

Industry: N/A | Level: Operational | Source: DFIR-Report

Intrusion analysis from The DFIR Report identified a BazarLoader infection leading to the deployment of Diavol ransomware. The threat actor associated with Diavol ransomware is suspected to be Wizard Spider. The intrusion spanned three days. Initial access was obtained through BazarLoader, delivered by a phishing email containing a malicious OneDrive link; following the infection, internal reconnaissance was initiated along with the execution of a batch script that obtained credentials from the registry hives. After an 18-hour break in activity, additional reconnaissance was conducted along with use of the Rubeus tool, lateral movement with RDP and AnyDesk, and data exfiltration using FileZilla. Lastly, alongside ransomware deployment, a batch script was executed that removed volume shadow copies and stopped services.

  • Anvilogic Scenarios:
    • Diavol Ransomware
    • BazarLoader Behaviors

APT31 Intrusion Set from ANSSI

December 21, 2021

Industry: N/A | Level: Tactical | Source: Cert.Fr

The French national cyber-security agency ANSSI provided details about an APT31 intrusion set that the agency has been tracking since January 2021. Observed tactics are mapped to the MITRE ATT&CK framework. Initial intrusion vectors include brute force, valid accounts, and exploitation of vulnerabilities (ProxyLogon, Fortinet, and SQL injection). The threat group establishes persistence by scheduling tasks, creating accounts, and deploying web shells. It moves laterally using RDP, FTP, and SMB to transfer code and tools. Additional threat activity and detection areas include the use of native discovery commands, creation of firewall rules, and disabling of AV/monitoring solutions such as Windows Defender. The group’s endgame has been data exfiltration through email, DNS, and/or SMB after collection.

  • Anvilogic Use Cases:
    • Potential Web Shell
    • Cscript or Wscript execution
    • Create/Modify Schtasks
    • Create/Add Local/Domain User
    • Windows Firewall Rule Creation
    • Modify Windows Defender
    • Common Reconnaissance Commands
    • RDP Hijacking
    • Utility Archive Data

Cuba Ransomware

December 01, 2021

Industry: Critical Infrastructure | Level: Tactical | Source: FBI

The FBI released a flash report on Cuba ransomware, which, according to FBI tracking as of November 2021, has compromised 49 entities across various critical infrastructure sectors, including but not limited to financial, government, healthcare, manufacturing, and information technology. Hancitor malware is identified as the initial infection vector that leads to Cuba ransomware. Threat actors utilize phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, and RDP tools to gain initial access. The threat actors also employ many legitimate Windows services and tools, such as PowerShell and PsExec, in addition to leveraging Windows admin privileges to execute their ransomware.

  • Anvilogic Scenario: Hancitor & Cuba Ransomware
  • Anvilogic Use Cases:
    • Executable Process from Suspicious Folder
    • PSexec Service Creation
    • Remote Admin Tools