The Anvilogic Forge team provides a recap of monthly trending threats. The community intelligence we collect is molded into actionable defense strategies to help defend your organization from the biggest emerging threats.
What’s Surging? Our Picks of The Most Thunderous News From May 2023
(1) Royal Ransomware Continues to Spread, With US Organizations Hit Hardest
Category: Ransomware News | Source: Unit42
Since its emergence in September 2022, the Royal ransomware gang has established itself as a clear and proficient threat group. A threat assessment released by Unit 42 details recent activity and metrics involving the notorious threat group. Royal ransomware is identified as a "private group made up of former members of Conti," said Unit 42. The group has not operated or recruited members under a Ransomware-as-a-Service (RaaS) model, unlike other renowned ransomware gangs like LockBit and ALPHV/Blackcat. Royal ransomware has affected many industries, the most prominent being manufacturing, wholesale and retail, professional and legal services, education, construction, and healthcare. By country, cases in the United States accounted for "64% of the impacted organizations," measured at 100 cases out of 155. In comparison, second-place Canada measured a distant 13 cases, followed by Germany with 11, the United Kingdom with 6, and Brazil with 4 to round off the top five.
Royal ransomware infections have involved the abuse of search engine optimization (SEO) poisoning and malvertising campaigns to drop malware. Unit 42 observed these lures initiate a "complex infection chain with multiple stages, including PowerShell scripts and MSI files. In certain cases, this leads to infection with BATLOADER." The BATLOADER malware can then stage additional payloads, including Cobalt Strike, batch scripts designed to disable security monitoring, reconnaissance tools like NetScan, PsExec to aid lateral movement, information-stealing malware, and system and remote management tools such as NSudo and Syncro. For data exfiltration, Rclone is a tool commonly relied upon by Royal threat actors. Based on samples observed "as of late April," the Windows variant of Royal's encryptor is noted to "not employ anti-analysis tricks or string encryption." The Royal ransomware gang also maintains a Linux variant of its encryptor to expand its attack surface.
(2) #StopRansomware: Highlights BianLian Ransomware
Category: Ransomware News | Source: CISA
The latest #StopRansomware advisory highlights the activities of the BianLian ransomware gang. The advisory is a result of collaborative intelligence efforts between US agencies, including the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), as well as the Australian Cyber Security Centre (ACSC). Intelligence gathered up to March 2023 from these agencies has shed light on the operations and tactics of the BianLian ransomware gang. This ransomware group is found to have a particular interest in targeting critical infrastructure organizations of all sizes. Notably, their tactics shifted in January 2023 from double-extortion with ransomware encryption to "exfiltration-based extortion with victims' systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion," said CISA. BianLian focuses on extorting its victims with the threat of compromised data getting leaked.
Federal agencies uncovered a variety of tactics, techniques, and procedures (TTPs) used by BianLian. The group employs the typical methods needed to obtain initial access, like phishing and RDP through compromised accounts, often purchased from initial access brokers. For persistence and command and control, the operators drop custom implants and remote access software, and create new administrator accounts. Living-off-the-land binaries (LOLBins) like Windows Command Shell and PowerShell are crucial to disabling monitoring and security services. Native Windows commands are used to enumerate the system and Active Directory, while reconnaissance tools like Advanced Port Scanner, SoftPerfect Network Scanner, and others aid with discovery efforts. Credentials were harvested from LSASS, with the Impacket script secretsdump.py, and by copying the Active Directory domain database, NTDS.dat. PsExec and RDP accounts are used for lateral movement to spread through the victim's network. Firewall rules were created to enable RDP if disabled, and the threat actors demonstrated the ability to abuse the ZeroLogon vulnerability, CVE-2020-1472.
Once threat actors have identified and collected relevant data, tools like Rclone, FTP, and Mega exfiltrate the victim's data. Ransom notes on the victim’s workstations provide them with communication methods to contact BianLian for ransom negotiation. "BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with the BianLian group," as reported by CISA.
(3) FIN7 Operators Seek Out Veeam Backup Servers for Network Compromise
Category: Threat Actor Activity | Source: WithSecure
The financially motivated threat group FIN7 was observed exploiting Veeam Backup and Replication software vulnerabilities for data compromise. In a report from WithSecure Intelligence, researchers observed an attack on March 28th, 2023, with shell commands executed from a Veeam Backup instance. WithSecure attributed the attack to FIN7 operators or attackers with access to "FIN7 tradecraft." With "low-to-medium confidence," WithSecure assesses the attackers exploited CVE-2023-27532, which allows unauthorized users within the network perimeter to access encrypted credentials stored in the configuration database of the exposed Veeam server. Additional observations of the exploited server found probing activity a few days prior: port 9401, used by the Veeam Backup Service over SSL, was open; the servers were vulnerable to CVE-2023-27532; and the release of a proof-of-concept (POC) for CVE-2023-27532 by Horizon3 on March 23rd preceded the attack by a few days. "The POC contains remote command execution functionality. The remote command execution, which is achieved through SQL shell commands, yields the same execution chain observed in this campaign," said WithSecure.
The shell commands initiated the download and execution of a PowerShell script from a 'sqlservr.exe' process. Analysis of the PowerShell scripts found they were POWERTRASH, "an obfuscated loader written in PowerShell that has been attributed to FIN7." The naming convention of the scripts aligns with files that FIN7 has deployed in other campaigns. WithSecure's incident timeline indicates the intrusion spanned two days: reconnaissance commands were launched to identify network connections, running processes, IP configurations, and registry settings for Veeam, and then, for persistence, a new account was created using WMIC. Several PowerShell scripts launched by the operator also aided in creating persistence in the registry. Lateral movement was first tested using WMI method invocations. WithSecure identified the attackers transferring two of their PowerShell scripts by dropping them into the ADMIN$ share of the remote host over SMB and executing them "through remote service creation." The scripts were used to enumerate the target host and "performed remote injection into the 'PlugPlay' service, which made a network connection to a remote host on port 443." WithSecure has not determined the attacker's objective in this campaign, and the specific exploit of Veeam remains unknown. However, it is clear that the Veeam software is within the threat actor's attack scope, underscoring the urgency for administrators to patch and defend their servers.
Grounding the Storm with Detections from the Forge
Chinese Hackers Compromised US Infrastructure for Data Collection and Disruption
The Chinese espionage group Volt Typhoon has been actively targeting critical infrastructure organizations in the United States and Guam since 2021. In addition to intelligence collection, the group shows interest in weaponizing its capabilities within compromised organizations. "Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises," according to the Microsoft Threat Intelligence team's advisory. A wide range of industries is in the scope of their campaign, including verticals in communications, construction, government, education, manufacturing, maritime, technology, transportation, and utilities. US agencies released their own advisory to share their observations of Volt Typhoon's tactics, techniques, and procedures (TTPs), highlighting the group's stealth capabilities, notably leveraging living-off-the-land binaries (LOLBins) "almost exclusively" to evade system defense monitoring.
Initial access has been obtained through exploiting public-facing Fortinet FortiGuard devices, although specific exploits for the devices were not mentioned. Volt Typhoon operators further their stealth by proxying communication through network devices. According to Microsoft, "Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers). Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet." Not only is stealth afforded to Volt Typhoon, but the cost of acquiring and maintaining attack infrastructure is also spared.
During the post-exploitation stage, operators use LOLBins such as CMD, PowerShell, and WMIC to execute commands hands-on-keyboard. Malware deployment is a rarity during their intrusions, with native processes used instead, although Volt Typhoon does deploy modified versions of open-source tools like Impacket and Fast Reverse Proxy (FRP). For command and control (C2), the native Windows command "netsh portproxy" was also used. The discovery stage of the intrusions was done entirely with command-line utilities such as arp, dnscmd, ipconfig, net, netsh, reg, wmic, tasklist, and systeminfo, among others. Valid accounts are leveraged by Volt Typhoon for persistence, using compromised credentials or brute-forced accounts. For credential access, operators dump the LSASS process with comsvcs through an encoded PowerShell command and gather credentials from registry hives. They also have a penchant for the Ntdsutil.exe tool, specifically to "create installation media from domain controllers, either remotely or locally." Data of interest were found to be staged in a password-protected zip file.
Volt Typhoon displayed strong technical acumen in evading security monitoring, making detection challenging. Organizations are urged to closely monitor for suspicious logins from unknown locations, off-hour logins, and signs of potential brute force. The advisories shared by Microsoft and US agencies are offered to aid organizations in defending their own networks. We can utilize this intelligence and craft a high-fidelity threat scenario based on the information shared. Our two-stage scenario captures commonalities seen in their attacks. While stealth increases the difficulty of detecting adversary behaviors, understanding those behaviors thwarts their cloak of invisibility.
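As an added illustration (not Anvilogic Armory content or code from the Microsoft or US agency advisories), the following Python sketches a two-stage correlation of the kind described above over process-creation events: stage 1 is a burst of distinct discovery LOLBins on one host, and stage 2 is one of the higher-severity behaviors named in the reporting (netsh portproxy, comsvcs LSASS dumping, ntdsutil installation media, encoded PowerShell) on the same host within the following hour. The event tuples, window sizes, and thresholds are constructed assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Stage 1: discovery utilities the advisories list; alert on a burst of distinct ones per host.
DISCOVERY = {"arp", "dnscmd", "ipconfig", "net", "netsh", "reg", "wmic", "tasklist", "systeminfo"}
# Stage 2: higher-severity behaviors from the same reporting (portproxy C2, comsvcs LSASS dump, ntdsutil IFM, encoded PowerShell).
STAGE2 = {
    "netsh_portproxy": re.compile(r"\bnetsh\b.*\bportproxy\b", re.I),
    "comsvcs_minidump": re.compile(r"\bcomsvcs\b.*\bMiniDump\b", re.I),
    "ntdsutil_ifm": re.compile(r"\bntdsutil\b.*\bifm\b", re.I),
    "encoded_powershell": re.compile(r"\bpowershell\b.*\s-(e|ec|enc|encodedcommand)\b", re.I),
}
BURST_WINDOW = timedelta(minutes=15)  # assumed thresholds, tune per environment
MIN_DISTINCT = 3
FOLLOW_WINDOW = timedelta(hours=1)    # stage 2 must land within this gap after the burst start

def exe_name(cmdline):
    """Executable name without path or .exe suffix, lower-cased."""
    first = cmdline.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
    return first[:-4] if first.endswith(".exe") else first

def correlate(events):
    """events: (ISO timestamp, host, command line) tuples -> {host: finding dict}."""
    by_host = defaultdict(list)
    for ts, host, cmd in events:
        by_host[host].append((datetime.fromisoformat(ts), cmd))
    findings = {}
    for host, evs in by_host.items():
        evs.sort()
        burst = None  # start of the first discovery burst on this host, if any
        for i, (t0, _) in enumerate(evs):
            names = {exe_name(c) for t, c in evs[i:] if t - t0 <= BURST_WINDOW}
            if len(names & DISCOVERY) >= MIN_DISTINCT:
                burst = t0
                break
        hits = [(t, name) for t, c in evs for name, rx in STAGE2.items() if rx.search(c)]
        two_stage = burst is not None and any(
            timedelta(0) <= t - burst <= FOLLOW_WINDOW for t, _ in hits)
        if burst or hits:
            findings[host] = {"stage1": burst, "stage2": sorted({n for _, n in hits}),
                              "two_stage": two_stage}
    return findings

# Constructed sample process-creation events (not from any real incident).
SAMPLE = [
    ("2023-05-10T02:01:05", "WS01", "ipconfig /all"),
    ("2023-05-10T02:01:20", "WS01", 'net group "domain admins" /domain'),
    ("2023-05-10T02:02:10", "WS01", "tasklist /v"),
    ("2023-05-10T02:09:30", "WS01", "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5"),
    ("2023-05-10T09:15:00", "WS02", "ipconfig /all"),  # a lone admin lookup: no burst, no alert
    ("2023-05-10T14:00:00", "DC01", 'ntdsutil.exe "ifm" "create full C:\\temp\\ifm" q q'),
]
```

Calling correlate(SAMPLE) flags WS01 as a two-stage hit (discovery burst followed by portproxy), reports DC01 as a stage-2-only finding, and stays silent on WS02.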
The Anvilogic Armory contains over 2,000 detections created by the Forge content development and research teams to help you defend your network. These trending topics can be found in our Armory with content already mapped to help you quickly deploy detection and secure your environment.