It’s always interesting to read about the devastation that Ransomware brings about to organizations around the globe. Recently, on May 7, Colonial Pipeline fell victim to a Ransomware attack orchestrated by the DarkSide group. Check out this ZDNet article and this Security Intelligence post summarizing the incident.
While the investigations (and aftermaths) are ongoing, I came across this emergency webcast organized by Black Hills Information Security presented by John Strand on YouTube.
In this post, I wanted to list the key takeaways (trends, tools, and techniques) from the webcast. They are:
Rather than targeting organizations limited to having IT environments, attackers have understood the value and impact of targeting critical infrastructure with OT environments. The reasoning is simple - more chaos and destruction - forcing organizations to pay the ransom to ensure that critical infrastructure and lives continue.
As seen in the Tweets below from Patrick De Haan (@GasBuddyGuy), this is a classic example of chaos - limited resources leading to panic-buying of fuel.
BREAKING: 71% of gas stations in metro Atlanta are without fuel.
— Patrick De Haan ⛽️📊 (@GasBuddyGuy) May 13, 2021
South Florida- you'd be well advised to stop panic buying- you're creating something from nothing.
— Patrick De Haan ⛽️📊 (@GasBuddyGuy) May 13, 2021
NATIONAL AVERAGE REACHES $3/GAL, FIRST TIME IN NEARLY 7 YEARS
— Patrick De Haan ⛽️📊 (@GasBuddyGuy) May 12, 2021
The national average price of gasoline has reached $3 per gallon for the first time October 30, 2014.
John says that Deception is no longer a “nice to have”. In fact, Deception is core and essential.
EDR in itself is not sufficient to protect. We spend too much effort and time securing the endpoint. However, companies are still getting compromised with EDR solutions deployed.
Deception should be more than just Honeypots. We need to be looking at the attack pathways that attackers take post-exploitation to move laterally in an environment to take over that enivornment. The attackers are practicing tried-and-tested techniques which are the same techniques used by red teams/pen-testing professionals.
Put Deception in the right places to detect when something has gone awry.
Set bait for attackers. Word documents are great because we can put them on:
Set in the right place to get triggered when an attacker accesses it. You can extract multiple valuable fields, such as:
Bonus: Easy alternative to DLP solution
HoneyDoc creates a “honey” document including things like fake names and social security numbers to look appealing to would be attackers. It also includes a 1x1 pixel png file called
hello.pngas the tracking image so that you can see the IPs of who opens the document in your web server logs. To install the image, place it in your web servers root directory (or any other directory you want to use) and specify your URL using the--urlflag when generating the document.Once the document is generated it can be edited and personalized to make it look any way you want.
Check out HoneyDoc’s GitHub repo for more information about installation and usage.
You’ll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page’s image tag, and monitoring incoming
GETrequests.Imagine doing that, but for file reads, database queries, process executions or patterns in log files. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.
How Canarytokens work (in 3 short steps):
- Go to
canarytokens.organd select your Canarytoken (supply an email to be notified at as well as a memo that reminds you which Canarytoken this is and where you put it).- Place the generated Canarytoken somewhere special (read the examples for ideas on where).
- If an attacker ever trips on the Canarytoken somehow, you’ll get an email letting you know that it is happened.
Check out Canarytoken’s excellent documentation to view examples and more.
Useful to detect attackers trying to fly under-the-radar of SIEM and UEBA when they use a technique such as password spraying. As soon as they attempt to login to the honey account, a rule is triggered to shutdown the machine and alert the SOC/IR team.
The idea is that when someone does breach your network perimeter, some of the first steps in performing recon is collecting information from Active Directory. In this recon, they stumble on a DA account called ‘helpdeskDA’. They even discover a password in the description! Well this looks like an easy win and a critical finding. In order to figure out how to leverage this new found user, the attacker attempts to RDP or use psexec to move to a higher value target. In doing so, AD checks the credentials and returns to the attacker that his newfound account is not allowed to login during this time. Meanwhile, this login attempt has triggered an alert and is being investigated.
Check out this post from Jordan Potti for steps and more information.
Threat actors can abuse the Kerberos protocol to recover passwords related to service accounts using a tactic called Kerberoasting. In a Windows domain, the authentication protocol Kerberos uses a Ticket Granting Ticket (TGT) to request access tokens from the Ticket Granting Service (TGS) for specific resources/systems joined to the domain.
In Kerberoasting, threat actors abuse valid Kerberos TGTs to make a request for a TGS from any valid Service Principal Name (SPN) within your Microsoft Active Directory domain. These TGSs are vulnerable to offline password cracking, which can allow a threat actor to recover the plaintext password of the associated service account mapped by the SPN.
To avoid false positive detections, you can create a service account honeypot (honeycred) to detect Kerberoasting.
Check out Blumira’s Guide To Cybersecurity Deception Techniques for more information.
Command-and-Control (C&C or C2) beaconing is a type of malicious communication between a C&C server and malware on an infected host. C&C servers can orchestrate a variety of nefarious acts, from denial of service (DoS) attacks to ransomware to data exfiltration.
Often, the infected host will periodically check in with the C&C server on a regular schedule, hence the term beaconing. This pattern can differentiate it from normal traffic because of the regularity of intervals. But beaconing on common ports and protocols (such as
HTTP:80orHTTPS:443) often obscures malicious traffic within normal traffic and helps the attacker evade firewalls. Another evasion tactic, notably used by SUNBURST, involves waiting long, randomized periods of time before communicating.Check out ExtraHop’s quick primer on C&C Beaconing for more information.
RITA (Real Intelligence Threat Analytics) is a framework for detecting command and control communication through network traffic analysis.
The framework ingests Zeek logs in
TSVformat, and currently supports the following major features:
- Beaconing Detection: Search for signs of beaconing behavior in and out of your network
- DNS Tunneling Detection Search for signs of DNS based covert channels
- Blacklist Checking: Query blacklists to search for suspicious domains and hosts
Check out RITA’s GitHub repo for more information about installation and usage.
John says that Ransomware was typically seen in two categories:
However, trends reveal a third kind of Ransomware - one using which attackers steal files and threaten to release them to the public. This is done for a couple of reasons:
We see Ransomware delete all shadow copies using
vssadminpretty often. What if we could just intercept that request and kill the invoking process? Let’s try to create a simple vaccine.
Neo23x0/Raccine is a simple yet powerful tool created by Florian Roth which can prevent Ransomware disaster. It works as follows:
We register a debugger for
vssadmin.exe(andwmic.exe), which is our compiledraccine.exe. Raccine is a binary, that first collects all PIDs of the parent processes and then tries to kill all parent processes.
vssadmin?The Volume Shadow Service Administration Tool (
vssadmin.exe) is a default Windows process that manipulates volume shadow copies of the files on a given computer. These shadow copies are often used as backups, and they can be used to restore or revert files back to a previous state if they are corrupted or lost for some reason.vssadminis commonly used by backup utilities and systems administrators.As such, the people responsible for Ransomware campaigns often attempt to delete them so that their victims can’t restore file access by reverting to the shadow copies. As a note, interacting with
vssadminshould require administrative privileges.Check out this article from Red Canary explaining more about
vssadminand how to detect malicious usage.
- The method is rather generic
- We don’t have to replace a system file (
vssadmin.exeorwmic.exe), which could lead to integrity problems and could break our raccination on each patch day- Flexible YARA rule scanning of command line params for malicious activity
- The changes are easy to undo
- Runs on Windows 7 / Windows 2008 R2 or higher
- No running executable or additional service required (agent-less)
- The legitimate use of
vssadmin.exe delete shadows(or any other blacklisted combination) isn’t possible anymore- It even kills the processes that tried to invoke
vssadmin.exe delete shadows, which could be a backup process- This won’t catch methods in which the malicious process isn’t one of the processes in the tree that has invoked
vssadmin.exe(e.g.via schtasks)Check out Raccine’s GitHub repo for more information about installation and usage.
Controlled folder access helps protect your valuable data from malicious apps and threats, such as Ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on
Windows Server 2019andWindows 10 version 1709 and laterclients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
The protected folders include common system folders (including boot sectors), and you can add more folders. You can also allow apps to give them access to the protected folders.
Windows system folders are protected by default, along with several other folders:
c:\Users\<username>\Documentsc:\Users\Public\Documentsc:\Users\<username>\Picturesc:\Users\Public\Picturesc:\Users\Public\Videosc:\Users\<username>\Videosc:\Users\<username>\Musicc:\Users\Public\Musicc:\Users\<username>\FavoritesYou can configure additional folders as protected, but you cannot remove the Windows system folders that are protected by default.
Check out this page on Microsoft docs to learn more about Controlled Folder Access and its features.
John referred to this Tweet from Florian below and commented about the over-reliance on IOCs to detect Ransomware.
Instead, organizations should focus on hardening using generic rules to detect known malicious techniques. This is due to the fact that IOCs (file hashes, IP addresses, etc) can vary in instances of targeted attacks due to customization and obfuscation by the attacker.
The typical approach #Ransomware pic.twitter.com/0RXF1RE4fd
— Florian Roth (@cyb3rops) May 11, 2021