Threat Research Team Archives

Articles written by Adlumin’s Threat Research Team on emerging threats, industry stats, and defense tactics against cyberattacks.

Dark Reading: US Aerospace Contractor Hacked With 'PowerDrop' Backdoor

June 6, 2023/in Articles/by Adlumin Staff

Bleeping Computer: New 'PowerDrop' PowerShell malware targets U.S. aerospace industry

June 6, 2023/in Articles/by Adlumin Staff

PowerDrop: A New Insidious PowerShell Script for Command and Control Attacks Targets U.S. Aerospace Defense Industry

June 6, 2023/in Blog Post/by Adlumin Staff

Key Takeaways

The Adlumin Threat Research discovered a new malicious PowerShell script called PowerDrop, targeting the U.S. aerospace industry.
This novel malware straddles the line between basic a “basic off-the-shelf threat” and tactics used by Advanced Persistent Threat Groups (APTs).
PowerDrop uses advanced techniques to evade detection such as deception, encoding, and encryption.
Adlumin has not yet identified the threat actor behind the malware, but suspects nation-state aggressors as the discovery comes at time of increased R&D into missile programs as the war in Ukraine continues.
Adlumin advises that those in the aerospace defense industry remain vigilant against this new malware. The company recommends running vulnerability scanning at the core of Windows systems and being on the lookout for unusual pinging activity from their networks to the outside.

Introduction

The Adlumin Threat Research Team recently discovered and analyzed a new type of malware targeting the U.S. aerospace defense industry. The discovery comes at a time when more research and investment are put into missile programs as the war in Ukraine continues, and partners around the world remain on high alert.

“PowerDrop” is the name Adlumin researchers have given the malware they found implanted in the network of a domestic aerospace defense contractor in May 2023. The name is derived from the tool, Windows PowerShell, used to concoct the script, and “Drop” from the DROP (DRP) string used in the code for padding.

The threat was detected by Adlumin’s machine learning-based algorithms which analyze PowerShell commands and arguments at run-time.

Upon reverse engineering, Adlumin’s team found that the malware was made up of a new PowerShell and Windows Management Instrumentation (WMI) persisted Remote Access Tool (RAT). The code sends Internet Control Message Protocol (ICMP) echo request messages as a trigger for the malware’s command-and-control (C2), along with similar ICMP ping usage for data exfiltration.

In essence, researchers concluded that the malware is being used to run remote commands against victim networks after gaining initial access, execution, and persistence into servers.

The usage of PowerShell for remote access is not new, nor is WMI-based persistence of PowerShell scripts or ICMP triggering and tunneling, but what is novel about this malware is that another code like it hasn’t surfaced before, and it straddles the line between a basic “off-the-shelf-threat” and the advanced tactics used by Advanced Persistent Threat (APTs) Groups.

Adlumin has not yet identified the threat actor behind the malware, but nation-state aggressors are suspected.

“This latest attack shows the evolution of ‘living off the land’ tactics by threat actors,” said Adlumin’s Vice President of Strategy, Mark Sangster.

“While the core DNA of the threat is not particularly sophisticated, its ability to obfuscate suspicious activity and evade detection by endpoint defenses smacks of more sophisticated threat actors. The fact it targeted an aerospace contractor only confirms the likelihood of nation-state aggressors,” Sangster added.

Kevin O’Connor, who heads Adlumin’s Threat Research Team said that the malware uses triggers and exfil patterns which are easily flagged by intrusion detection systems, but that the malware also appears to be a “custom” development, using advanced techniques to evade detection such as deception, encoding, and encryption.

“Adlumin’s Threat Research Team believes this malware presents a real threat as it has been able to evade detection by some commonly deployed EDR software, likely due to its practice of encoding the PowerShell command line arguments and the use of WMI for persistence,” O’Connor added.

Threat Analysis

Adlumin first identified the PowerDrop malware based on a machine learning detection which looks at the content of executed PowerShell scripts versus the command line arguments typically analyzed by other security software.

“This allowed our detection algorithms to see through the encoded layer enabling machine learning-based detection on the actual content of the script which is acting as a backdoor or RAT,” O’Connor said.

The malware is a PowerShell command that is executed by the WMI service. The “script,” passed as a single command line argument to the native Window’s binary and subsystem. PowerShell is encoded using Base64 and UTF-16 Little Endian and is not persisted on disk as a .ps1 script file.

Sample of Base64 UTF-16LE encoded PowerShell payload:

Execution and Persistence

Adlumin analyzed the PowerShell process execution context to identify that the malicious PowerShell script/implant was being executed by the WMI service using previously registered WMI event filters and consumers.

The WMI event filter and consumer registrations were created by the malware during the initial installation of the PowerDrop implant.

The WMI event filter and consumer registrations are created using the WMI command line tool ‘wmic.exe’ and are executed using the ‘wmic.exe’ command line tool.

PowerDrop registers itself as a WMI event filter and consumer as observed in these Windows Event Logs:

The WMI event filter triggers the PowerShell command queries for updates made to the WMI class Win32_PerfFormattedData_PerfOS_System in the root\cimv2 namespace.

The Win32_PerfFormattedData_PerfOS_System class is the Windows Management Instrumentation (WMI) class that contains performance counters which monitor the performance of the Windows operating system.

The WMI event filter is triggered when the WMI class is updated, which then triggers the execution of the PowerShell script. Triggering by the filter is throttled to once every 120 seconds so long as the WMI class has been updated. In Windows, this WMI class is regularly updated with information such as processes, threads, queue length, and system calls per second, and therefore execution every 120 seconds is reliable and guaranteed on most systems.

WMI filter and consumer registrations for persistence and execution of PowerShell payloads have been seen in many other malware families as has the usage of the PerfOS_System WMI class as a reliable trigger for execution.

The EventFilter and CommandLineEventConsumer are both registered under the name, SystemPowerManager.

The WMI event consumer is a CommandLineEventConsumer which executes the PowerShell command line with the encoded PowerShell script as a command line argument.

We were unable to identify the source of the WMI event filter and consumer registrations, but we believe that the malware is likely using a previously known exploit to gain initial access to the victim’s computer such as a phishing email or drive-by download and execution through wscript.exe and that the command line filter and consumer registrations are created by the malware during the initial installation of the PowerDrop implant through a wmic.exe command line execution.

The Script/Implant

Once decoded the PowerShell script is a single line of PowerShell code made up of multiple statements, functions, and usually static variables.

Analysis of the decoded content shows that the script is a backdoor/RAT, which can execute remote PowerShell commands against the victim computer and exfiltrate the results of those commands.

Initially, PowerDrop attempts to reach out to a hard-coded IP address over an ICMP Echo Request message.

This request is originated by Windows PowerShell and has detectable attributes such as the ICMP Type and Code (8 and 0), the IPv4 Time to Live (TTL) being 128 as natively seen on Windows devices, the ICMP Identification number is set to ‘0x0001’ and the ICMP payload.

The ICMP trigger payload is a UTF16-LE encoded string that is not obfuscated, obscured, or encrypted. Observed examples used the simple string “!” as the trigger for the malware C2 beacon. We believe this simply signifies to the command-and-control infrastructure that this is a malware implant beacon and not a randomly received probe, which are common occurrences against Internet-facing devices.

Once the beacon has been sent, the victim machine waits 60 seconds for a response. This 60-second dwell time is varied from the typical default 10-second request timeout for ICMP Echo Request messages on Windows. This is likely to ensure that the malware can receive a response from the C2 server even if the network is experiencing high latency or packet loss especially given that there is no guaranteed delivery or acknowledgment for the ICMP Echo Request message.

In response to the PowerDrop beacon, the command-and-control server responds with an encrypted payload that is also padded with static data at the beginning and end of the message.

PowerDrop uses AES encryption with a 128-bit key and a 128-bit initialization vector (IV) to encrypt the payload. The AES key and IV are static symmetric keys that are hard coded into the PowerShell script and are not dynamically generated. The AES key and IV are also not obfuscated, obscured, or encrypted beyond the initial PowerShell script encoding.

PowerDrop is using the PowerShell provided interface, “CreatEncryptor” and “TransformFinalBlock” to encrypt and decrypt the payload.

PowerDrop will then receive a response from the C2 server in the form of an encrypted command. The implant will then decrypt the command, strip the prepending and postpending values, and execute the command using the Invoke-Expression cmdlet in PowerShell.

The implant will then take the results of the command and encrypt them using the same scheme used for decryption and send the results back to the C2 server.

Any oversized responses, those greater than 128 bytes, are split into multiple messages. The first message is sent with the first 128 bytes of the response and the subsequent messages are sent with the remaining bytes of the response in 128-bytes chunks. The C2 server is responsible for reassembling the response:

PowerDrop uses the strings “DRP” and “OCD” as prepending and postpending values bookmarking the response content to the C2 server. The prepending and postpending values are used to indicate the start and end of the response content.

If the response is split into multiple messages, then all messages with have the prepending “DRP” value, and only the final message with have both the “DRP” prefix and “ORD” suffix. The prepending and postpending values are not encrypted and are static values in the PowerShell script. Example of the prepending and postpending values:

“PowerDrop’s robust detection evasion characteristics is what makes this interesting,” said Sangster.

“This discovery by the Adlumin Threat Researchers shows that a master chef can make a Michelin-star meal with even the most basic ingredients. Infiltrating a critical aerospace defense contractor only makes this malware all the more appetizing,” he added.

Detections

Adlumin has produced the following detections to help identify potential instances of this malware both on the endpoint and through captured or monitored network traffic.

Snort Detection

This detection can be applied to outbound network traffic and detects instances of PowerDrop malware data exfiltration.

SIGMA

This SIGMA detection identifies PowerShell executions via the PowerShell script block for unencoded and required components of the PowerDrop malware:

Conclusion

Adlumin advises that those in the aerospace defense industry remain vigilant against this new malware that’s making the rounds. The company recommends running vulnerability scanning at the core of Windows systems and being on the lookout for unusual pinging activity from their networks to the outside.

“PowerDrop clearly shows that mixing old tactics with new techniques proves a powerful combination in today’s age,” said Will Ledesma, Director of Adlumin’s Cyber Security Operation Center.

“It highlights the importance of having dedicated 24/7 cybersecurity teams within any operational landscape,” Ledesma added.

Beauty Is in the Eye of the Deceiver: Deception Technology for Your Zero-Trust Arsenal

March 23, 2023/in On-Demand, Webinars/by Ellen Loughlin

Event details:

Thursday, March 16, 2023
On-Demand Webinar

Presenters:

Mark Sangster, Chief of Strategy at Adlumin
Kevin O’Connor, Director of Threat Research at Adlumin

About this talk:

Traditional security measures are no longer enough to keep up with the increase in sophisticated cyber threats. Join Adlumin’s experts in discussing zero trust and complementing detection and response capabilities with deception technology. Deception provides not only early-warning detection but insight into criminal tactics and techniques. This threat intelligence is critical to protecting your business.

What you will learn:

An understanding of how zero trust applies to cyber risk management
How to use deception technologies to detect threats quickly and gain threat intelligence into criminal tactics and techniques
Ways to complement detection and response capabilities with deception technologies to strengthen your security posture

Watch On-Demand

Learning from Your Adversary: An Inside Analysis of the Latest Cyber Threats

March 15, 2023/in Events, On-Demand, Webinars/by Adlumin Staff

Event details:

Thursday, April 20, 2023
1:00 PM EST

Presenters:

Mark Sangster, Chief of Strategy at Adlumin
Kevin O’Connor, Director of Threat Research at Adlumin

About this talk:

Understanding which industries criminals target, how they exploit their victims, and why they prefer these organizations is key to protecting your business or operations. Join Adlumin experts as they look inside the latest threats, criminal tactics, and techniques and reverse engineer defensive measures organizations can take to protect themselves from top-tier ransomware gangs and state-sponsored hackers.

To Catch a Cybercriminal: Honeypot Usage Considerations and Benefits

March 2, 2023/in Blog Post/by Adlumin Staff

By: Kevin O’Connor, Director of Threat Research

We returned to the basics in our most recent blog, Honeypots 101: Origin, Services, and Types covering the evolution of honeypots, how organizations are deploying them, and the different types that can help lure away cybercriminals from key assets. Deception tools, like honeypots, add another layer of defense to protect your system while drawing attackers away from where you don’t want them.

We are diving deeper into usage considerations and why deception technology expands security defenses.

Business and IT Systems Benefits

Honeypots are beneficial inclusions in an IT System’s Security Plan for many reasons, including^[1]:

Early warning and detection of attacks: Honeypots can detect attacks before they reach critical systems allowing security personnel to respond quickly and minimize damage.
Intelligence gathering and analysis of attack methods: By observing attackers’ behavior on a honeypot, businesses can gain insight into attackers’ methods and techniques to compromise the system. They can provide valuable information about the TTPs used by attackers, which can be used to develop more effective security measures and assist in incident response.
Detecting new threats: Honeypots can detect new and emerging threats as attackers leverage new TTPs, which the honeypot may observe in detail.
Improving security posture and reducing risk: Honeypots can improve an organization’s security posture by better understanding the TTPs used by attackers and developing more effective security solutions. Luring attacks on a decoy system can help reduce the risk of an actual attack on the organization’s networks and systems.

Honeypots can also be used to help meet industry-specific compliance requirements. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires merchants who accept, process, store or transmit credit card information to implement security measures to protect sensitive purchase-related data. While honeypots are not explicitly mentioned by PCI DSS or any other compliance requirements, Adlumin tracks, they can be used as part of a comprehensive and broader security strategy to detect and respond to security threats.

Similarly, the Health Insurance Portability and Accountability Act (HIPAA) requires that healthcare organizations implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronically protected health information (ePHI). Again, while honeypots are not explicitly mentioned in HIPAA, they can be used as part of a comprehensive security strategy to detect and respond to security threats to ePHI.

Honeypot Usage and Deployment Considerations

When deciding as an organization to implement and use honeypots as part of a layered security defense, some key considerations can help ensure the honeypot is safe and effective^[2].

Placement – a honeypot’s placement is critical to its effectiveness. Honeypots must be strategically positioned within the network to offer potential attackers a target while appearing as legitimate services. Placement also needs to consider the network space in which you are allowing the attacker to gain a foothold. Additionally, decisions to deploy the honeypot on external vs. internal facing infrastructure will determine the types, frequency, and severity of detected attacks. External-facing honeypots are subject to frequent scanning, rogue exploitation by botnets, and attacks of convenience by many different threat actors. This can increase the noise in the logging signals and make it hard to separate real and targeted threats.
Isolation – the honeypot should be isolated from the rest of the network and not contain any sensitive information. This minimizes the attacker’s risk of leveraging access to the honeypots to continue their attack throughout the network using the honeypot as an initial foothold. Honeypot configurations must ensure the attacker is trapped and actions monitored appropriately.
Monitoring – the honeypot should be monitored closely to gather information about the attacker’s TTPs which can be fed into the network and security defenses. It’s not enough to just deploy a honeypot – the honeypot’s logs must be analyzed and used to create detections for malicious activity to warn the organization of potential attacks.
Management & Maintenance– the honeypot should be managed by experienced security personnel who can effectively configure, monitor, and maintain it to ensure its effectiveness in detecting and responding to attacks. Additionally, the honeypot should be regularly updated to ensure that it continues to mimic real-world systems and applications and remain attractive to attackers.
Integration with other Security Measures – the honeypot should be integrated with other security measures such as firewalls, intrusion detection systems, incident response plans, SIEMs, MDRs, and detection alert management, investigation, and response systems. This ensures that the honeypot contributes to the network’s security and helps increase its value by generating detections and alerts to activity. Some honeypots can be used to build detections dynamically based on attacker compromise.
Legal Considerations – the legal implications of using a honeypot must be considered, as some countries have strict laws regarding the monitoring and interception of communications. Organizations should comply with relevant laws and regulations when using a honeypot. There is also the potential to attract and trap innocent users, which should be carefully considered before deploying a honeypot.

Honeypots and Zero Trust

Zero Trust is a cybersecurity approach that assumes all network traffic is untrusted and consequently subject to strict security controls and monitoring. The Zero Trust model assumes that every user, device, and application is a potential threat and should be verified and authenticated before being granted access to sensitive data or systems.

In a Zero Trust model, network access is never automatically granted, even if a user or device is within the network’s perimeter. Instead, all access requirements are subject to multi-factor authentication (MFA) and monitored for suspicious activity. The Zero Trust approach protects against various threats, including malware, phishing attacks, and unauthorized access. By verifying and monitoring all network traffic, organizations can more expediently detect and respond to security incidents, reducing the risk of data breaches and more severe attacks.

Zero Trust and honeypots are security measures used to protect against security threats. While Zero Trust focuses on identity verification and attestation of all users, devices, and applications before allowing access to sensitive data and systems, honeypots detect unauthorized access to sensitive data by creating decoy targets that appear valuable and vulnerable to attackers.

Honeypots can be part of a multi-layered, defense-in-depth security strategy to detect threats to the organization and its networks. If a honeypot is accessed, it can trigger an alert which can be used to investigate potential incidents which complement other Zero Trust security measures such as MFA, continuous monitoring, and network segmentation. Honeypots can highlight where Zero Trust measures have failed and provide early warning against attacker operations and compromise.

Expand Your Security Defenses

The evolution of honeypots is a testament to the creativity and ingenuity of cybersecurity professionals and their commitment to staying ahead of the ever-evolving threat landscape. Honeypots can provide deep insight into attackers’ methods and motivations. However, thought needs to be given to what type of honeypot is best for an organization, what services should be simulated, and how to maximize value through proper deployment and usage.

Visit the Adlumin for Honeypots resource page for more information on expanding your defenses with deception technology.

References

Andress, J., & Andress, J. (2015). Chapter 10 – Network Security. In The Basics of Information Security: Understanding the fundamentals of infosec in theory and Practice (pp. 151–169). essay, Syngress.
Sanders, C., Randall, L., Smith, J., & Sanders, C. (2014). Chapter 12 – Using Canary Honeypots for Detection. In Applied Network Security Monitoring: Using Open Source Tools (pp. 317–338). essay, Syngress, an imprint of Elsevier.

Honeypots 101: Origin, Services, and Types

February 23, 2023/in Blog Post/by Adlumin Staff

By: Kevin O’Connor, Director of Threat Research

The Origin of the Honeypot

In the 1980s, honeypots became a permanent fixture in cybersecurity, riding the lines of defensive and deception technologies. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, published by Clifford Stoll in 1989, details the hunt for a computer hacker (later identified to be Markus Hess) who digitally broke into Lawrence Berkley National Laboratory (LBNL) in 1986^[1]. Stoll provides one of the first descriptions of what is known today as a honeypot.

To catch the hacker, Stoll set up an elaborate ploy by inventing a fictitious department under an imaginary contract within a real organization under LBNL that Stoll suspected the hacker was targeting. Creating a fake user working for the faux organization, Stoll filled the user’s digital assets with attractive-looking documents designed to gain the hacker’s attention and lure them into grabbing the files. His efforts would ultimately lead to discovering the hacker’s identity as Hess and the following arrest in Germany.

After Stoll flew to Germany and testified against Hess, it became public that Hess had been selling the bounty of his hacking operations against organizations like LBNL to the Soviet Union’s KGB intelligence agency. They would also work out that a Hungarian agent had contacted the fictitious LBNL department using information that could have only been sourced from Hess. This was part of the KGB’s standard routine to verify Hess’s information.

Later, in 1991, Bill Cheswick, considered one of the pioneers of computer security, published An Evening with Berferd in Which a Cracker is Lured, Endured, and Studied^[2]. The Chronicle, one of the earliest technical descriptions of a honeypot, details leading a hacker on a “merry chase” to trace his location and learn his techniques. It details the bait and traps used to lure him and is the work that first applied and popularized the terminology of “jail” in cyber security. Cheswick had created a digital jail to trap the actor and watch their actions in detail^[3].

The concept of a honeypot has come a long way since its first use in the 1980s. Pioneers like Stoll and Cheswick were instrumental in laying the foundation for what has become an essential component of modern cybersecurity strategies. With the advancements in technology and the increasing sophistication of cyber-attacks, the use of honeypots has evolved over the years. Today, honeypots are used for defense, research, threat intelligence gathering, and incident response. Let’s explore the current usage landscape of honeypots in the field of cybersecurity and some considerations in deployment and usage.

What is a Honeypot?

Honeypots are security systems that lure cyber attackers and track their activities in a secure, isolated, and monitored environment. Honeypots can distract potential attacks from a target’s critical resources; act as an intelligence-gathering platform about attacks and their tactics, techniques, and procedures (TTPs); and strengthen security overall. Information collected by honeypots can also be used to identify vulnerabilities in a system, software, or protocol. They are, in essence, a decoy computer system meant to attract, trap, and expose potential attackers. As attackers are drawn to the honeypot and focus their efforts there, more valuable systems and data are protected by the attacker’s exposure through the honeypot. A well-designed and implemented honeypot is isolated from the rest of the network. It does not contain any sensitive information, so there is no risk of the attacker compromising it and accessing sensitive data.

Common Honeypot Services

Modern honeypots will typically work to provide “jailed” access to systems over specific protocols and their related applications, such as email, web services, and network administration services. These targeted applications may present high-value access to the target, data collection, theft opportunities, or an easy way to compromise and pivot through an organization’s and network’s systems.

Common services that are often developed into honeypots include:

File Transfer Protocol (FTP)
Telnet
Secure Shell (SSH)
HTTP Web Services
MySQL or Database Specific Applications
Administrative Applications
Other Remote Access Methods (VPNs, Remote Desktops, and remote support apps)

Most network and computer services can be adapted into a honeypot with the proper modifications. Which honeypot services your organization deploys will depend on its legitimate services, attack surface, and known attacker motivations.

Types of Honeypots

Honeypots come in various forms and have evolved to meet the changing threat landscape. Several types of honeypots are designed to cater to specific security needs.

Low-interaction honeypots are designed to simulate a limited number of services and are less complex to implement, making them ideal for small-scale organizations. On the other hand, high-interaction honeypots offer a much more realistic and complex environment and are designed for organizations with larger security teams^[4].
Another type of honeypot is a hybrid honeypot, which is a combination of low-interaction and high-interaction honeypots. This honeypot balances complexity and ease of deployment, making it ideal for medium-sized organizations.
Virtual honeypots simulate a network environment and lure attackers into a virtual and often restricted or more heavily monitored network enclave.
Honeypots can also be combined to create a honeynet or honeyfarm, a network of honeypots used to monitor and track attacker activities. Honeynets are often used to gather information about and monitor large-scale attacks, such as distributed denial-of-service (DDoS) attacks.

Through pioneers like Stoll and Cheswick, honeypots have evolved from simple traps used to study and track hackers to complex security solutions that detect, prevent, and respond to cyber threats. The term “honeypot” has become synonymous with deceptive security technologies, and the concept is widely used in various industries, from financial services to healthcare, to protect against cyberattacks. And regardless of the type, honeypots are an indispensable tool in any cybersecurity arsenal that is crucial in detecting and mitigating cyber-attacks.

Visit the Adlumin for Honeypots resource page for more information on expanding your defenses with deception technology.

References

Stoll, C. (1989). The Cuckoo’s Egg: Inside the world of Computer Espionage. Doubleday.
Cheswick, B. (n.d.). Biography. Bill Cheswick’s bio. Retrieved January 30, 2023, from https://www.cheswick.com/ches/bio.html
Cheswick, B. (1992). https://cheswick.com/ches/papers/berferd.pdf. Winter USENIX Conference, San Francisco, 20–24. https://doi.org/https://cheswick.com/ches/papers/berferd.pdf
Edgar, T. W., & Manz, D. O. (2017). Research methods for cyber security. Syngress, an imprint of Elsevier.

The Need to Know: Black Basta Ransomware Gang

January 26, 2023/in Blog Post/by Adlumin Staff

By: Mark Sangster, Chief of Strategy, and Kevin O’Connor, Director of Threat Research

Virulent Ransomware Gang Has Ties to FIN7 State-Sponsored Group

Discovery of Ransomware Gang FIN7

I discovered a rather clever adversary targeting investment firms in New York almost ten years ago. At the time, the group used Microsoft Macros to launch a fake Windows log-in pane to harvest credentials. Once an account was compromised, the adversaries would use it to send the phishing to the next victim. From that account, they moved to the next, and so on, until they captured key accounts at 70 funds. The number might sound small, but these firms managed billions in funds, so much so that the Security Exchange Commission (SEC) was concerned about a campaign to destabilize the economy, slowly crawling back from the 2008 subprime lending market collapse. The Russian-affiliated group was eventually labeled FIN7.

Black Basta Ransomware Gang Emerges

Fast forward to the present, and FIN7 crosses my desk. Yahoo! Finance asked me to comment on several ransomware attacks on food services and a grocery chain. It turns out the culprit, another Russian gang, Black Basta, had left its ransomware mark on over 50 victims since April of this year. According to SentinelOne research, there are trademark FIN7 (also called Carbanak) tactics and tools, including evasion tools and backdoor malware.

While FIN7’s original focus was financial data and institutions, a shift to a broader market, associations and the food industry is no surprise. Destabilizing food supply or heat utilities in the winter tend to create social angst and lead to eroded faith in the government to protect its citizens. While groups like Black Basta are primarily driven by financial gain, ideological impact as a byproduct is a free benefit.

A Political Big Brother: Russia

Given the hostilities in Ukraine, Russian retaliation against western countries providing support to Ukraine was deemed fair game for cybercriminals (like they were ever offside). Many of these groups (like Black Basta) either operate with impunity in Russia or some level of collusion or coordination with Russian agents.

FIN7 and Black Basta share more than ideology; a political big brother to protect them and target organizations. FIN7 technology brought nation-state capabilities to smaller ransomware gangs before ransomware-as-a-service with a thing (RaaS). They set the benchmark for researching their targets and using tactics that emulate insiders or actors that appear to be “in the know” of confidential information.

Ransomware Tactics Used

Ransomware gangs, like Black Basta, leveraged multi-extortion techniques (not unique), with enviable defense evasion and late manifesting symptoms that hide their presence until the ransomware detonation. They also rely on commodity malware like living off-the-land exploitation techniques, including the ever-growing popularity of Quakbot, PowerShell, WMI, netcat (used for lateral tunneling), mimikatz, CobaltStrike, and Coroxy. They’re also known for using the PrintNightmare vulnerability (CVE-2021-34527) for lateral movement, which can run on Linux against VMWare hypervisors to encrypt multiple hypervisor-hosted systems.

While sophisticated, they still rely on unpatched vulnerabilities, broad administrative access, and unguarded entry points. Consider Black Basta master chefs who can make delicious meals with reliable ingredients. Similarly, their encryption algorithm, ChaCha20, uses a robust RSA-4096 key but requires administrative privilege to execute.

Now What? CIS Controls to Implement

It’s a good news / bad news story. The bad news is that one of the most sophisticated ransomware gangs is back on the prowl. The good news is that they are mortal and can be stopped. They still use conventional tactics to infiltrate their targets: open vulnerabilities, unencrypted remote access points, exposed credentials, and over-provisioning administrative privilege. All of these tactics are detectable. Unfortunately, your insurance firm’s paneled incident response firm usually finds them as part of your claim.

The Center for Internet Security (CIS) is an excellent place for organizations to build a strong cybersecurity posture. CIS provides 18 controls for organizations of all sizes to safeguard data and mitigate cyber-attacks or ransomware attacks against their networks and systems. Here are just a few to get started with:

CIS Security Controls

CIS Control 7: Continuous Vulnerability Management (CVM)
- CVM covers one of the 18 controls by closing the gaps between significantly reducing risk and security assessments. Managing vulnerabilities and understanding is a continuous activity requiring the focus of resources, time, and attention. CVM assesses and tracks vulnerabilities on all enterprise assets within the infrastructure. It minimizes and remediates the window of opportunity for cybercriminals.
CIS Control 8: Audit Log Management
- Audit log management is the process of recording any activity used across an organization within the software systems. Audit logs document any occurrence of an event, the impacted entity, when it occurred, and who is responsible. In addition, compliance regulations require logs to be kept for a certain amount of time. Ensuring organizations collect, review, retain, and alert audit logs of events helps recover from an attack quicker.
CIS Control 14: Proactive Security Awareness
- Employees are every organization’s first line of defense. It is critical to arm them with the proper knowledge and skills to properly identify and report any suspicious activity. A Proactive Security Awareness Program empowers employees with the needed expertise. Security software can only defend for so long until someone clicks a malicious link- take the proactive approach.
CIS Control 18: Penetration Testing
- A penetration test or ‘ethical hacking’ evaluates the security of a system by attempting to breach accessibility, integrity, or confidentiality. A test provides real-world penetration scenarios covering industry-specific threat assessments offering actionable recommendations and rapid results.

The Adlumin Advantage

As co-founder and CEO of Adlumin, Robert Johnston is fond of saying even the biggest hacks had common factors and tactics. While companies were spending millions in the wake of massive data breaches, for a fraction of that cost, they could stop these common criminal chokepoints.

The Adlumin Security Operations Platform is designed to detect sophisticated tactics used by state-sponsored actors and provide simple response capabilities to disable compromised accounts, deactivate remote access services when suspicious activity is present, and identify event manipulation like creating unreconciled users or promoting account privileges. With Adlumin, you can stop these attacks early in the life cycle and prevent them from disrupting your business.

Are your Security Defenses Ready?

For more information, contact one of our cybersecurity experts for a demo to get started.

New Fortinet FortiOS SSL VPN Exploit Observed in the Wild

December 14, 2022/in Blog Post Kevin O’Connor/by Adlumin Staff

FortiOS Vulnerability

On December 12th, 2022, Fortinet issued a PSIRT Advisory (FG-IR-18-384)¹ for CVE-2022-42475², which identifies a heap-based buffer overflow vulnerability in the sslvpnd service leaving affected systems vulnerable to exploitation. sslvpnd is responsible for providing SSL-based VPN functionality in FortiOS devices and, if exploited, may allow for remote code execution by unauthenticated attackers on the FortiOS device.

Affected versions include devices with:

FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS version 6.0.0 through 6.0.15
FortiOS version 5.6.0 through 5.6.14
FortiOS version 5.4.0 through 5.4.13
FortiOS version 5.2.0 through 5.2.15
FortiOS version 5.0.0 through 5.0.14
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14

This vulnerability has been observed being exploited in the wild since before the release of the PSIRT Advisory and patch availability. Therefore, Fortinet recommends that administrators immediately validate their system by checking the following indicators:

Exploit Log Artifacts

Successfully leveraging this exploit results in a crash of the sslvpnd daemon, which can be observed in device logs as:

Logdesc=”Application crashed” and msg=”[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]“

Exploit System Artifacts

The presence of the following artifacts may indicate that a FortiOS device has been exploited:

/data/lib/libips.bak

/data/lib/libgif.so

/data/lib/libiptcp.so

/data/lib/libipudp.so

/data/lib/libjepg.so

/var/.sslvpnconfigbk

/data/etc/wxd.conf

/flash

Known Associated Malicious Infrastructure

The following IP Addresses and Ports have been observed using the exploit against potential victims:

188.34.130.40:444
103.131.189.143:30080,30081,30443,20443
192.36.119.61:8443,444
172.247.168.153:8033

Adlumin Response

To ensure the continued protection of our customers, Adlumin’s Threat Research group reviewed stored data for evidence of exploitation of the vulnerability. To search for Indicators of Compromise (IOC), Threat Research used Adlumin’s MDR capabilities, allowing for centralized-logging and querying of data across multiple security relevant devices and platforms.

By searching Firewall and Network Device events, Adlumin was able to observe multiple instances of attempted attacker exploitation of potentially vulnerable FortiOS devices. Proper security practices and configuration resulted in over 96% of the attempted connections being blocked. Adlumin’s Threat Research group also investigated completed connections to identify if exploitation was successfully conducted from the attacker IPs. We notified customers where appropriate to help remediate systems and defend their network.

Adlumin’s Threat Research group also searched for evidence of sslvpnd application crashes on the devices. Observation of logs associated with sslvpnd crashes is a good first indicator that a device was exploited. While we observed crashes for other VPN services, no sslvpnd crashes were found.

Recommendations

Adlumin recommends that all customers using Fortinet FortiOS products immediately update their systems to the latest patched versions, which fixes the current vulnerability:

Please upgrade to FortiOS version 7.2.3 or above
Please upgrade to FortiOS version 7.0.9 or above
Please upgrade to FortiOS version 6.4.11 or above
Please upgrade to FortiOS version 6.2.12 or above
Please upgrade to upcoming FortiOS-6K7K version 7.0.8 or above
Please upgrade to FortiOS-6K7K version 6.4.10 or above
Please upgrade to upcoming FortiOS-6K7K version 6.2.12 or above
Please upgrade to FortiOS-6K7K version 6.0.15 or above

Adlumin’s Continuous Vulnerability Management (CVM) solution can help your business manage the CVM Lifecycle, including Patch Management. Implementing automated and best CVM practices can help minimize the gap between exploitation capability detection and system defense.

Alternative

If users are unable to patch affected devices, disabling the SSL VPN service should shield the device from exploitation. Migration to other unaffected VPN services, such as IPSEC is also possible.

Resources

Fortinet, PSIRT Advisories – FortiOS – heap-based buffer overflow in sslvpnd https://www.fortiguard.com/psirt/FG-IR-22-398
MITRE, CVE Record – CVE-2022-42475. https://www.cve.org/CVERecord?id=CVE-2022-42475

‘Tis the Season.
The Twelve Gifts of Cyber.

November 1, 2022/in On-Demand, Webinars/by Adlumin Staff

Event details:

Thursday, December 15, 2022
On-Demand Webinar

Presenters:

Mark Sangster, Chief of Strategy at Adlumin
Kevin O’Connor, Director of Threat Research at Adlumin

About this talk:

On the first day of access, the criminal deployed to me… ransomware delivered remotely!

Watch Chief of Strategy Mark Sangster and Director of Threat Research Kevin O’Connor as they take a whimsical look at 12 cyber trends and lessons covering ransomware attacks, GootLoader gang activity, and cyber stocking stuffers. You’ll also hear directly from customers how Adlumin’s helping them enjoy and relax over the holidays.

What you will learn: