Anatomy of a BlackCat Attack

A company contacted the incident response firm Sygnia to investigate suspect activity on its network.  Sygnia rapidly concluded the company was experiencing a ransomware attack and was in imminent danger of having its entire environment encrypted.  It recommended immediate and bold action: disconnect from the internet.  This is one of the oldest defenses against hackers.  Just as in the previous century, a user who noticed something unexpected downloading onto their computer would pull the power cord.

The company (the victim) complied.  The attack was blocked, and the attacker could neither continue to the encryption phase nor delete its trail.  The attacker was BlackCat, and Sygnia now had access to the detailed history and progress of the attack and has reported on its analysis. It was a supply chain attack.  The supplier (the vendor) provided technical assistance to the victim and the BlackCat entry route. For customer confidentiality reasons, Sygnia’s CEO, Ram Elboim, declined to give the name of either the victim or the vendor.  It has, however, now published a detailed analysis of the progress and outcome of the BlackCat attack.

See:  https://redskyalliance.org/xindustry/the-black-cat-stikes-again

The attack started with attempts to access the victim from the previously compromised vendor.  On day one, the attackers attempted to log on to two of the victim’s servers using RDP and SMB.  Three successful logins were achieved on one of the servers.  On day two, the attacker attempted brute force authentication attacks. On day three, it connected over RDP with a victim server that became the ‘pivot’ server for reconnaissance and lateral movement.

The primary history of the attack is not unfamiliar.  The victim’s security controls rapidly raised alerts on abnormal activity. Still, the victim did not immediately recognize the alerts as severe; this is the standard problem of alert fatigue and possible false positives. By day three of the attack, the attacker had rapidly consolidated its position.  A cat-and-mouse game between live attackers and automated security controls began.  “The ‘C:\Intel\exp.exe’ file was created on the pivot-server during the RDP session, and its execution was detected and blocked by MDE,” reports Sygnia. “An analysis of ‘exp.exe’ indicated that it is a privilege escalation tool based on the exploitation of CVE-2022-24521, a vulnerability in the Windows Common Log File System (CLFS) driver, known to be used by several ransomware groups.”

The attacker created a new file and executed it using PowerShell.  This injected malicious code into the ‘drfgui.exe’ process, which contacted a Cobalt Strike C2 server on a domain that resolved to a Cloudflare CDN.  It then created a malicious file named ‘C:\Intel\svchost.exe’ on the pivot server, trying to mask the malware as benign activity by borrowing the name of a legitimate Windows system binary.  Reconnaissance continued with the attacker using a version of the SoftPerfect Network Scanner, searching for passwords, accessing remote folders via Windows Explorer, and ping-testing network connections.
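The two artifacts above (‘C:\Intel\exp.exe’ and the fake ‘C:\Intel\svchost.exe’) share a detectable trait: executables running from a writable staging directory, or carrying a system-binary name outside the system directories. The following is an added example of that triage logic over constructed Sysmon-style process-creation events; it is not code from Sygnia or Red Sky Alliance, and the event records and field names are assumptions modelled on Sysmon Event ID 1.

```python
import ntpath

# Windows system binaries whose names are commonly borrowed by malware;
# the genuine copies live only in the directories listed below.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe",
                       "services.exe", "winlogon.exe"}
EXPECTED_SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Writable staging directories: C:\Intel is taken from this incident,
# the others are common choices (assumption).
STAGING_PREFIXES = (r"c:\intel", r"c:\users\public", r"c:\perflogs",
                    r"c:\windows\temp")


def check_process_event(event):
    """Return a list of findings for one process-creation event."""
    image = event["Image"]
    low = image.lower()
    directory, name = ntpath.dirname(low), ntpath.basename(low)
    findings = []
    if name in SYSTEM_BINARY_NAMES and directory not in EXPECTED_SYSTEM_DIRS:
        findings.append(f"system-binary name outside system dir: {image}")
    if any(directory == p or directory.startswith(p + "\\")
           for p in STAGING_PREFIXES):
        findings.append(f"execution from staging directory: {image}")
    # Real svchost.exe is always spawned by services.exe; anything else is odd.
    parent = ntpath.basename(event.get("ParentImage", "").lower())
    if name == "svchost.exe" and parent != "services.exe":
        findings.append(f"svchost.exe with unexpected parent {parent!r}")
    return findings


def triage(events):
    """Map each suspicious image path to its findings; clean events are dropped."""
    return {e["Image"]: f for e in events if (f := check_process_event(e))}


# Constructed sample events (Sysmon Event ID 1 style), not from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\Intel\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Intel\exp.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Vendor\tool.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(findings))
```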

On day five, Cobalt Strike Beacon was downloaded and injected into ‘drfgui.exe’. On the same day, the attacker executed ‘BG00Q.exe’, a renamed version of AccountRestore that performs dictionary attacks to extract passwords and a Kerberoasting attack to retrieve password hashes from Active Directory.

On day six, the lateral movement, the second phase of the attack, began. This phase lasted another two weeks. Numerous tools were used, including Netscan and Stowaway, an open-source tool for creating a chained proxy service between a series of hosts.

The bottom line, however, is that it had become a noisy battlefield by the time the victim called on Sygnia for help.  The victim knew it was under attack, and the attacker knew its presence was probably known or at least suspected.  This alone adds urgency for both sides, which Sygnia immediately recognized.  “When responding to an incident, one of the areas that should be looked at is ‘What will the attacker understand and how will they react?’ This is one of the areas that makes IR work for professionals,” Elboim explained.  “On one hand, response activities should do the maximum to contain and remediate, but on the other, they should be done carefully so that the attacker will not know that activity is taking place, or at least not fully understand the type and scope of activities that are being done.”

It was too late in this instance.  “Cutting the Internet connection is a severe action that was unavoidable in this specific case, but there are many cases where we have taken a more careful approach and planned our activities so that the attacker isn’t informed of our activities until we and the company we assist, are fully ready,” he added.

The important point here, however, is that the victim’s senior management was brave enough to take that severe action.  By then, the attackers had succeeded in exfiltrating data but had not yet commenced encryption.  That encryption was blocked.  It did not prevent BlackCat from attempting to extort the victim over the stolen data, and for the next three weeks, the attacker tried to do so.  Details of this process are unknown, or at least undisclosed, but some inference may be drawn from the subsequent disclosure of victim data on BlackCat’s leak site.  “Attackers always exaggerate the importance of the data they steal,” Elboim said. “In this case, it was not as important as they thought.  If they could have continued, they would have exfiltrated more data.”

There are numerous takeaways from this case. Early and expert incident response is always advisable, but decisiveness and the courage to take drastic steps can save the day, even very late in the day. Whether the victim would have succumbed to the double extortion of system encryption and more expansive data theft is questionable. Still, survival is more likely if an attack that cannot be prevented can be limited to a questionable single extortion attack.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.redskyalliance.com/
  • LinkedIn: https://www.LinkedIn.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989
