The Ryuk threat actors have struck again, moving from sending a phishing email to complete encryption across the victim’s network in just five hours. That breakneck speed is partially the result of the gang using the Zerologon privilege-escalation bug (CVE-2020-1472) less than two hours after the initial phish.
The Zerologon vulnerability allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services, according to Microsoft. It was patched in August 2020, but many organizations remain vulnerable.
In this particular attack, after the attackers elevated their privileges using Zerologon, they used a variety of commodity tools like Cobalt Strike, AdFind, WMI and PowerShell to accomplish their objective, according to the analysis from researchers at the DFIR Report, issued on 18 October 2020. The attack started with a phishing email containing a version of the Bazar loader, researchers said. From there, the attackers performed basic mapping of the domain, using built-in Windows utilities such as Nltest. However, they needed to escalate their privileges to do any real damage, so they exploited the recently disclosed Zerologon vulnerability.
Having gained elevated admin privileges, the cybercriminals were able to reset the machine password of the primary domain controller, according to the analysis. Then, the attackers moved laterally to the secondary domain controller, carrying out more domain discovery via Net and the PowerShell Active Directory module. Lateral movement was initiated via Server Message Block (SMB) and Windows Management Instrumentation (WMI) executions of Cobalt Strike beacons. SMB is a networking file-share protocol included in Windows 10 that provides the ability to read and write files to network devices. WMI meanwhile enables management of data and operations on Windows-based operating systems.
Cobalt Strike belongs to a group of dual-use tools that are typically leveraged for both exploitation and post-exploitation tasks. Other examples in circulation include PowerShell Empire, Powersploit and Metasploit, according to recent findings from Cisco. Once on the main domain controller, another Cobalt Strike beacon was dropped and executed. The analysis of the attack revealed that after about four hours and 10 minutes, the Ryuk gang pivoted from the primary domain controller, using RDP to connect to backup servers.
For the final phase of the attack, the Ryuk operators first deployed their ransomware executable onto backup servers. After that, the malware was dropped on other servers in the environment, and then workstations. Ryuk is a highly active malware, responsible for a string of recent hits, including a high-profile attack that shut down Universal Health Services (UHS), a Fortune-500 owner of a nationwide network of hospitals.
The use of Zerologon made the cybercriminals’ efforts much easier, since the attack did not need to be aimed at a high-privileged user who would likely have more security controls. In fact, the toughest part of the campaign was the start of the attack, which was the successful installation of Bazar from the initial phishing email, which required user interaction. Researchers note that the user was a Domain User and did not have any other permissions, but that proved to be a non-issue, thanks to Zerologon.
The attack shows that organizations need to be ready to move more quickly than ever in response to any detected malicious activity. A victim would need to be ready to act in less than an hour to be able to effectively disrupt the threat actor.
Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication company wide.
- Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network. Ransomware protection is included at no charge for RedXray customers.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com.