LockBit uses automated attack tools to identify tasty targets – Sophos News

Earlier this year, we analyzed the inner workings of LockBit, a ransomware family that emerged a year ago and quickly became another player in the targeted extortion business alongside Maze and REvil. LockBit has been quickly maturing, as we observed in April, using some novel ways to escalate privileges by bypassing Windows User Account Control (UAC).

A series of recent attacks detected by Sophos provided us with the opportunity to dive deeper into LockBit’s tools, techniques and practices. The actors behind the ransomware use a number of methods to evade detection: calling scripts from a remote Google document, using PowerShell in a way that may foil some efforts at monitoring and logging to establish a persistent backdoor—by using renamed copies of PowerShell.exe. The attack scripts also attempt to bypass Windows 10’s built-in anti-malware interface, directly applying patches to it in memory. Internally, we’ve referred to this style of LockBit attack as “PSRename.”

Based on some artifacts, we believe that some components of the attack were based on PowerShell Empire, the PowerShell-based penetration testing post-exploitation tool. Using a series of heavily obfuscated scripts controlled by a remote backend, the PowerShell scripts collect valuable intelligence about targeted networks before unleashing the LockBit ransomware, checking for signs of malware protection, firewalls and forensic sandboxes as well as very specific types of business software—particularly, point-of-sale systems and tax accounting software. The series of attack scripts only deploys ransomware if the fingerprint of the target matches attractive targets.

Aside from the initial point of compromise and registry key entries, these attacks left little in the way of a file footprint for forensic analysis. The ransomware was pulled down by scripts and loaded directly into memory, and then executed. And the attackers did a thorough cleanup of logs and supporting files when the attack was executed.

These highly automated attacks were fast—once the ransomware attack was launched in earnest, LockBit ransomware was executed across the targeted network within 5 minutes, leveraging Windows administrative tools.

Layers of obfuscation

The organizations hit in the eight attacks we analyzed were smaller organizations with only partial malware protection deployed. None of them had public Internet facing systems on their networks, though one had an older firewall with ports open for remote administration by HTTP and HTTPS.

It’s not clear what the initial compromise was across these organizations, as we had no visibility into the event. But it appears all of the activity in the attack we analyzed here were initiated from a single compromised server within the network used as the “mothership” for the LockBit attack.

While analyzing one of the attacks, we found traces of a number of PowerShell scripts that were launched against systems that had malware protection in place. The scripts gave a clear picture of the degree of automation of the attack, and also demonstrated the lengths the LockBit operators had gone to make forensic analysis of their attacks as difficult as possible.

In the first stage of the attack, a PowerShell script connects to a Google Docs spreadsheet, retrieving a PowerShell script encoded in Base64 from the body of the spreadsheet.

malicious Google spreadsheet
The code is hidden in cell B1 of this Google Sheets document.

The script fetches the contents of cell B1 in the sheet and executes it. The retrieved script makes a copy of PowerShell in the system’s TMP folder, and executes Base64-encoded contents with that copy:

The code concealed in the Google Sheets document’s cell, with Base64-encoded content.
decoded bad script screenshot
The contents of the encoded section.

Decoding the script reveals it uses a System.Net.ServicePointManager object to create a session connecting to hxxps://142[.]91.170.6, downloading yet another stream of encoded script. This much larger chunk of code contains a function that creates a persistent backdoor. Using a template, the function selects a new name and path to create copies of PowerShell.exe and the Microsoft Scripting Host mshta.exe, as well as fictional agent descriptions to make them look like other legitimate processes.  It also creates a Task Scheduler manifest file that uses the renamed executables, scheduling a VBscript command to be executed by the scripting host that invokes the backdoor with the renamed PowerShell executable:

We also found the LockBit attackers use another form of persistent backdoor, using an LNK file dropped into Windows’ startup commands folder. The LNK file launches Microsoft Scripting Host, to run a VBScript, which in turn executes a PowerShell script to read data stored in the link file itself encoded in Base64.
The extra LNK bytes decode to yet another encoded chunk of PowerShell, decoded below:

screenshot of code
PowerShell code stored in the end of the LNK file used by Lockbit to create a persistent backdoor.

The script connects to the remote server and pulls down the backdoor script as a stream, then executes the downloaded script with the command line interpreter.

Empire building

The backdoor stub downloads more obfuscated code, establishing a proxy connection to the command and control server, and creating a web request to pull down more PowerShell code.  One of the modules downloaded is a collection functions used to perform reconnaissance on the targeted system and to disable some of its anti-malware capabilities.

One of the functions in the module aims to disable Microsoft Windows’ Antimalware  Scan Interface (AMSI) provider by changing its code in memory.  The backdoor uses a script to load a Base64-encoded DLL into memory, and then executes a PowerShell code that invokes C# code calling the DLL’s methods to patch the copy of the AMSI library already in kernel memory. This code is repeated in another module discovered during our analysis:

A portion of the script used by LockBit actors to attempt to “patch” AMSI.

Another module downloaded by the backdoor checks for anti-malware software and artifacts that indicate it is running on a virtual machine, but also checks for software that may indicate the system is of greater value—using a regular expression to look for tax accounting and point-of-sale software, specific web browsers, and other software:

VM detection function in the scripts downloaded by the LockBit backdoor.
Code that searches the WIndows registry for software that is interesting to the LockBit attackers.

The regular expression parses the local Windows registry, looking for matches to the following keywords:

Keyword Target
Opera Opera browser
Firefox Mozilla Firefox browser
Chrome Google Chrome browser
Tax Search for any tax-related software process
OLT OLT Pro desktop tax software
LACERTE Intuit Lacerte tax software for accountants
PROSERIES Intuit ProSeries tax software
Point of Sale Search for point-of-sale (retail) software
POS Search for point-of-sale (retail) software
Virus Search for anti-malware processes
Defender Microsoft Windows Defender
Secury
Anti Search for anti-malware processes
Comodo Search for Comodo antivirus or firewall
Kasper Kaspersky anti-malware software
Protect Search for anti-malware processes
Firewall Search for firewall processes

 

If and only if the fingerprint generated by these checks indicate the system is what the attackers are looking for, the C2 server sends back commands that execute additional code.

Wrecking crew

Depending on what responses come back from the C2, the backdoor can execute a number of tasks, designated by a numeric value. They include simply forcing a logoff, grabbing hash tables to apparently exfiltrate for password cracking, attempting to configure a VNC connection, and attempting to create an IPSEC VPN tunnel. These tasks are executed using variables and modules pushed down by the C2, obfuscating most of their functionality.

Instrumented backdoor script used by LockBit.

In the attacks we analyzed, the PowerShell backdoor was used to launch the Windows Management Interface Provider Host (WmiPrvSE.exe). Firewall rules were configured to allow WMI commands to be passed to the system from a server—the initially compromised system—by creating a crafted Windows service.

And then, the attackers launched the ransomware via a WMI command, filelessly—without dropping a single file artifact on the disk of the targeted systems. In one case, the WMI commands used port 8530 to reach back to the initially compromised server—the port used for Windows Server Update Service. The server was running Internet Information Server but had never been fully configured to run WSUS. The .ASP file on the server contained a key which was loaded into memory and used to unlock additional operations by the dropper code and trigger the ransomware.

All of the targets were hit within five minutes over WMI. The server-side file used to distribute the ransomware, along with most of the event logs on the targeted systems and the server itself, were wiped in the course of the ransomware deployment. Sophos Intercept X stopped the attack on systems it was installed upon, but other systems did not fare as well.

A moving target

It’s not a surprise to see yet another ransomware operator using repurposed code from the offensive security tools world—we recently saw Ryuk using Cobalt Strike post-exploitation tools to great effect. PowerShell Empire is easily modified and extended, and the LockBit crew appears to have been able to build a whole set of obfuscated tools just by modifying existing Empire modules.

It’s also not a real surprise that ransomware actors would want to target AMSI, the interface used by many anti-malware tools (including Sophos’) to monitor potentially malicious processes running on Windows 10. By combining the use of native tools, logging evasion, and the blinding of AMSI, the LockBit gang has made it increasingly difficult to detect and defeat their attacks once they’ve established a foothold.

The only way to defend against these types of ransomware attackers is to have defense in depth and to have consistent implementation of malware protection across all assets. Not having a handle on what services are exposed on a network makes modeling for threats like these difficult. And if services are misconfigured, they can easily be leveraged by attackers for ill purpose.

Sophos detects these abuses of PowerShell and the LockBit ransomware. A list of IOCs for these attacks is posted on the Sophos GitHub here.

SophosLabs would like to acknowledge the contributions of Vikas Singh, Felix Weyne, Richard Cohen and Anand Ajjan to this report.

Net Universe offers all Sophos Devices and subscritpions also consultant services with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

New Enhancements to Central XG Firmware Updating – Release Notes & News – XG Firewall

We’re pleased to announce the addition of bulk firmware updating to Sophos Central firewall management! This feature is available today, for all grouped firewalls, and allows you to trigger immediate firmware updates in one action, for any number of grouped firewalls that have firmware updates available. We’re also pleased to announce the arrival of Scheduled firmware updates! for firewalls running XG v18 MR3 or newer, the time when firmware updates may be installed, may be scheduled from Central.

What’s New and How to Use it:

  • Bulk Firmware Upgrades – On the Group menu, Firmware Upgrades may now be selected. This option will bring up a list of firewalls with pending updates. You may select any or all of the firewalls, then with “immediately” selected for the schedule, click Schedule Upgrade. All selected firewalls will begin upgrading shortly, and you will se a spinning gear icon once the upgrade has started. 
  • Scheduled Firmware Upgrades – Requires firewalls to be running at least v18 MR3 or newer. When upgrading the firmware for a single firewall by clicking the upgrade icon, or when bulk updating firmware, you may now choose to install immediately, or schedule the update to occur at a future time and date. The schedule will be run based on the firewalls local time zone. 

Net Universe offers all Sophos Devices and subscritpions also consultant services with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

Internet security myth-busters: Debunking 3 common misconceptions about two-factor authentication





Internet security myth-busters: Debunking 3 common misconceptions about two-factor authentication | Yubico




Internet security myth-busters: Debunking 3 common misconceptions about two-factor authentication | Yubico




























Scroll to top

Net Universe offers all Yubikeys with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/yubikey.
You can visit our Shop Online

 

Sophos Connect v2 makes remote access VPN easy and fast – Sophos News

Working remotely and using VPN has become an important part of everyday life. With XG Firewall it’s extremely easy – and free!

XG Firewall is the only firewall to offer unlimited remote access SSL or IPSec VPN connections at no additional charge.

And we’ve significantly boosted SSL VPN capacity across our entire product range in XG Firewall v18 MR3 through several optimizations.

Our new Sophos Connect v2 remote access VPN client also adds new features that make remote access faster, better and easier.

What’s new in Sophos Connect v2

  • SSL VPN support for Windows
  • Bulk deployment of SSL VPN configurations (as with IPSec) via an enhanced provisioning file
    • Enhanced DUO token multi-factor authentication support
    • Auto-connect option for SSL
    • Option to execute a logon script when connecting
    • Remote gateway availability probing
  • Automatic failover to the next active firewall WAN link if one link fails
  • Automatic synchronization of the latest user policy if the SSL policy is updated on the firewall (when using the provisioning file to deploy) as well as a manual re-synchronization of the latest policy
  • File extension association for policy files – import a policy file into Sophos Connect just by double-clicking it in Windows Explorer, or opening the file attached in an email

XG Firewall v18 MR3 remote access enhancements:

  • Enhanced SSL VPN connection capacity across our entire firewall lineup. The capacity increase depends on your firewall model: desktop models can expect a modest increase, while rack mount units will see a 3-5x improvement in SSL VPN connection capacity.
  • Group support for IPSec VPN connections, which now enables group imports from AD/LDAP/etc. for easy setup of group access policy.

Making the most of Sophos Connect remote access

The first decision you will want to make is whether you wish to use SSL, IPSec, or both. Then set up your firewall to accept Sophos Connect VPN connections before deploying the client and connection configuration to your users.

SSL vs IPSec

With Sophos Connect v2 now supporting SSL (on Windows) and with the enhanced SSL VPN capacity available in XG Firewall v18 MR3, we strongly encourage everyone to consider using SSL to get the best experience and performance for your remote access users.

While macOS support for SSL remote access via Sophos Connect is expected soon, we recommend any organizations using macOS take advantage of the new OpenVPN macOS client in the interim.

XG Firewall setup

SSL VPN Setup is very straightforward:

  1. Follow these initial setup instructions for creating an IP address range for your clients, user group, SSL access policy, and authentication.

2. SSL VPN requires access to the XG Firewall User Portal. For optimal security, we strongly advise the use of multi-factor authentication. Set up two-factor authentication via Authentication > One-time password > Settings to ensure you’re only allowing MFA access to the user portal.

3. Create a firewall rule that enables traffic from the VPN zone to access your LAN zone (or whatever zones are desired).

Deployment of the client is equally easy:

  1. Client installer: The client installer is available by navigating to VPN > Sophos Connect Client on your XG Firewall. Sophos Connect documentation is available here.
  2. Connection configuration: The SSL VPN connection configuration (OVPN) file is accessible via the user portal, but we strongly encourage the use of a provisioning file to automatically fetch the configuration from the portal. This requires a bit more up-front effort, but greatly simplifies the deployment process and enables changes to the policy without redeploying the configuration. Review the full instructions on how to create a provisioning file with samples.
  3. Group Policy Management: The best way to deploy the remote access client and provisioning file is via Microsoft Group Policy Management. You will need the files mentioned in the steps above and then follow these step-by-step instructions.  You can also use any other software deployment tool you have available – even email.

Monitoring active usage:

You can monitor connected remote users from the XG Firewall Control Center…

And click to drill down to get the details…

Sophos Connect resources and helpful links

Net Universe offers all Sophos Devices and subscritpions also consultant services with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

The Human Challenge – Sophos News

Based on a comprehensive survey of 5,000 IT managers across 26 countries, Cybersecurity: The Human Challenge provides brand new insights into the state of cybersecurity skills and resources across the globe.

It reveals the realities facing IT teams when it comes to the human-led delivery of cybersecurity, and explores how organizations are responding to the skills challenges they face.

The study also exposes unique insights into the relationship between an organization falling victim to ransomware and their day-to-day cybersecurity practices.

Key findings

IT teams are showing progress in many battles

  • IT teams are on top of patching. Three-quarters of IT teams apply patches to desktops, servers, applications, and internet-facing assets within a week of release. Servers and internet-facing assets are patched most quickly, with 39% of respondents patching them within 24 hours.
  • Prevention is prioritized. On average, IT teams dedicate nearly half their time (45%) to prevention. After that, 30% of time is spent on detection and the remaining 25% is spent on response.
  • IT managers are keeping up to date with cybersecurity. The majority (72%) say that they and their teams are up to date with or ahead of cybersecurity threats. Just 11% think they are significantly behind.

Improving cybersecurity requires people – who are in short supply

  • There is an urgent need for human-led threat hunting. Forty-eight percent of respondents have already incorporated human-led threat hunts in their security procedures and a further 48% plan to implement them within a year.
  • The cybersecurity skills shortage is directly implementing protection. Over a quarter (27%) of managers said their ability to find and retain skilled IT security professionals is the single biggest challenge to their ability to deliver IT security, while 54% say it is a major challenge.

Organizations are changing the ways they deliver security

  • Improving operational efficiency is a key priority. Four in ten (39%) respondents said that improving operational efficiency and scalability is one of their biggest priorities for the IT team this year.
  • Outsourcing IT security is rising fast. Currently, 65% outsource some or all of their IT security efforts. This is set to rise to 72% by 2022. The percentage of organizations that exclusively uses in-house staffing will drop from 34% to 26%.

Ransomware victims display different behaviors and attitudes than those who haven’t been hit

  • Ransomware victims are more exposed to infection from third parties. Twenty-nine percent of organizations hit by ransomware in the last year allow five or more suppliers to connect directly to their network – compared to just 13% for those that weren’t hit.
  • Ransomware damages professional confidence. IT managers whose organizations were hit by ransomware are nearly three times as likely to feel “significantly behind” on cyberthreats than those that weren’t (17% vs. 6%).
  • Being hit accelerates implementation of human-led threat hunting. Forty-three percent of ransomware victims plan to implement human-led hunting within six months, compared to 33% for those that didn’t suffer an attack.

  • Victims have learned the importance of skilled security professionals. More than one-third (35%) of ransomware victims said recruiting and retaining skilled IT security professionals is their single biggest challenge when it comes to cybersecurity, compared to just 19% who hadn’t been hit.

 

Download the full PDF report for more findings, including results for each of the 26 countries surveyed.

About the survey

Sophos commissioned specialist research house Vanson Bourne to survey 5,000 IT managers during January and February 2020. Sophos had no role in the selection of respondents and all responses were provided anonymously.

Respondents came from 26 countries across six continents: Australia, Belgium, Brazil, Canada, China, Colombia, Czech Republic, France, Germany, India, Italy, Japan, Malaysia, Mexico, the Netherlands, Nigeria, the Philippines, Poland, Singapore, South Africa, Spain, Sweden, Turkey, UAE, the UK, and the US.

Fifty percent of respondents were from organizations of between 100 and 1,000 employees, and 50% were from organizations of between 1,001 and 5,000 employees. Respondents came from a range of sectors, both public and private.

Net Universe offers all Sophos Devices and subscritpions also consultant services with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

Sophos Firewall Manager SFM 17.1 MR5 Released – Release Notes & News – XG Firewall

Hi XG Community!

We’ve released Sophos Firewall Manager SFM 17.1 MR5. Initially, the firmware will be available by manual download from the Licensing Portal. We will gradually release the firmware via auto-update to customers.

This MR is solely to allow limited support for XG v18 MR3 firmware. Please note that v18 support in SFM is very limited, and most SFM features are not supported. Please migrate to Sophos Central to fully group manage firewalls running v18 firmware. 

Updates Included

  • NCCC-10106, NCCC-10125 [SFM] Support for XG v18 MR3 compatibility

Net Universe offers all Sophos Devices and subscritpions also consultant services with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

inside a new Ryuk ransomware attack – Sophos News

The operators of Ryuk ransomware are at it again. After a long period of quiet, we identified a new spam campaign linked to the Ryuk actors—part of a new wave of attacks. And in late September, Sophos’ Managed Threat Response team assisted an organization in mitigating a Ryuk attack—providing insight into how the Ryuk actors’ tools, techniques and practices have evolved. The attack is part of a recent wave of Ryuk incidents tied to recent phishing campaigns.

First spotted in August of 2018, the Ryuk gang gained notoriety in 2019, demanding multi-million-dollar ransoms from companies, hospitals, and local governments. In the process, the operators of the ransomware pulled in over $61 million just in the US, according to figures from the Federal Bureau of Investigation. And that’s just what was reported—other estimates place Ryuk’s take in 2019 in the hundreds of millions of dollars.

Starting around the beginning of the worldwide COVID-19 pandemic, we saw a lull in Ryuk activity. There was speculation that the Ryuk actors had moved on to a rebranded version of the ransomware, called Conti. The campaign and attack we investigated was interesting both because it marked the return of Ryuk with some minor modifications, but also showed an evolution of the tools used to compromise targeted networks and deploy the ransomware.

The attack was also notable because of how quickly the attacks can move from initial compromise to ransomware deployment. Within three and a half hours of a target opening a phishing email attachment, attackers were already conducting network reconnaissance. Within a day, they had gained access to a domain controller, and were in the early stages of an attempt to deploy ransomware.

The attackers were persistent as well. As attempts to launch the attack failed, the Ryuk actors attempted multiple times over the next week to install new malware and ransomware, including renewed phishing attempts to re-establish a foothold. Before the attack had concluded, over 90 servers and other systems were involved in the attack, though ransomware was blocked from full execution.

Let the wrong one in

Initial compromise, reconnaissance and lateral movement phase of Ryuk attack

The attack began on the afternoon of Tuesday. September 22. Multiple employees of the targeted company had received highly-targeted phishing emails:

From: Alex Collins [spoofed external email address]

To: [targeted individual]

Subject: Re: [target surname] about debit

Please call me back till 2 PM, i will be in [company name] office till 2 PM.

[Target surname], because of [company name]head office request #96-9/23 [linked to remote file], i will process additional 3,582 from your payroll account.

[Target first name], call me back when you will be available to confirm that all is correct.

Here is a copy of your statement in PDF[linked to remote file].

 

Alex Collins

[Company name] outsource specialist

The link, served up through the mail delivery service Sendgrid, redirected to a malicious document hosted on docs.google.com. The email was tagged with external sender warnings by the company’s mail software. And multiple instances of the malicious attachment were detected and blocked.

But one employee clicked on the link in the email that afternoon. The user opened the document and enabled its content, allowing the document to execute print_document.exe—a malicious executable identified as Buer Loader. Buer Loader is a modular malware-as-a-service downloader, introduced on underground forums for sale in August of 2019. It provides a web panel-managed malware distribution service; each downloader build sold for $350, with add-on modules and download address target changes billed separately.

In this case, upon execution, the Buer Loader malware dropped qoipozincyusury.exe, a Cobalt Strike “beacon,” along with other malware files. Cobalt Strike’s beacon, originally designed for attacker emulation and penetration testing, is a modular attack tool that can perform a wide range of tasks, providing access to operating system features and establishing a covert command and control channel within the compromised network.

Over the next hour and a half, additional Cobalt Strike beacons were detected on the initially compromised system. The attackers were then able to successfully establish a foothold on the targeted workstation for reconnaissance and to hunt for credentials.

A few hours later, the Ryuk actors’ reconnaissance of the network began. The following commands were run on the initially infected system:

  • C:WINDOWSsystem32cmd.exe /C whoami /groups (accessing list of AD groups the local user is in)
  • C:WINDOWSsystem32cmd.exe /C nltest /domain_trusts /all_trusts (returns a list of all trusted domains)
  • C:WINDOWSsystem32cmd.exe /C net group “enterprise admins” /domain  (returns a list of members of the “enterprise admins” group for the domain)
  • C:WINDOWSsystem32net1  group “domain admins” /domain (the same, but a list of the group “domain admins”)
  • C:WINDOWSsystem32cmd.exe /C net localgroup administrators (returns a list of administrators for the local machine)
  • C:WINDOWSsystem32cmd.exe /C ipconfig (returns the network configuration)
  • C:WINDOWSsystem32cmd.exe /C nltest /dclist:[target company domain name] (returns names of the domain controllers for the company domain name)
  • C:WINDOWSsystem32cmd.exe /C nltest /dclist:[target company name] (the same, but checking for domain controllers using the company name as the domain name)

Forward lateral

Using this data, by Wednesday morning the actors had obtained administrative credentials and had connected to a domain controller, where they performed a data dump of Active Directory details. This was most likely accomplished through the use of SharpHound, a Microsoft C#-based data “injestor” tool for BloodHound (an open-source Active Directory analysis tool used to identify attack paths in AD environments). A data dump from the tool was written to a user directory for the compromised domain administrator account on the domain server itself.

Another Cobalt Strike executable was loaded and launched a few hours later. That was followed immediately by the installation of a Cobalt Strike service on the domain controller using the domain administrator credentials obtained earlier. The service was a chained Server Message Block listener, allowing Cobalt Strike commands to be passed to the server and other computers on the network. Using Windows Management Interface, the attackers remotely executed a new Cobalt Strike beacon on the same server.

In short order, other malicious services were created on two other servers using the same admin credentials, using Windows Management Instrumentation from the initially compromised PC. One of the services configured was an encoded PowerShell command creating yet another Cobalt communications pipe.

The actors continued to perform reconnaissance activities from the initially infected desktop, executing commands trying to identify potential targets for further lateral movement. Many of these repeated previous commands. The nltest command was used in an attempt to retrieve data from domain controllers on other domains within the enterprise Active Directory tree. Other commands pinged specific servers, attempting to gain IP addresses. The actors also checked against all mapped network shares connected to the workstation and used WMI to check for active Remote Desktop sessions on another domain controller within the Active Directory tree.

Setting the trap

Late Wednesday afternoon—less than a day after the victim’s click on the phish— the Ryuk actors began preparations to launch their ransomware. Using the beachhead on the  initially compromised PC, the attackers used RDP to connect to the domain controller with the admin credentials obtained the day before.  A folder named C:Perflogsgrub.info.test2 – Copy was dropped on the domain controller— a name consistent with a set of tools deployed  in previous Ryuk attacks.  A few hours later, the attackers ran an encoded PowerShell command that, accessing Active Directory data, generated a dump file called ALLWindows.csv, containing login, domain controller and operating system data for Windows computers on the network.

Next, the SystemBC malicious proxy was deployed on the domain controller. SystemBC is a SOCKS5 proxy used to conceal malware traffic that shares code and forensic markers with other malware from the Trickbot family.  The malware installed itself (as itvs.exe), and created a scheduled job for the malware, using the old Windows task scheduler format in a file named itvs.job—in order to maintain persistence.

A PowerShell script loaded into the grub.info.test folder on the domain controller was executed next. This script, Get.DataInfo.ps1 , scans the network and provides an output of which systems are active. It also checks which AV is running on the system.

The Ryuk actors used a number of methods to attempt to spread files to additional servers, including file shares, WMI, and Remote Desktop Protocol clipboard transfer.  WMI was used to attempt to execute GetDataInfo.ps1 against yet another server.

Failure to launch

Thursday morning, the attackers spread and launched Ryuk. This version of Ryuk had no substantial changes from earlier versions we’ve seen in terms of core functionality, but Ryuk’s developers did add more obfuscation to the code to evade memory-based detections of the malware.

The organizational backup server was among the first targeted. When Ryuk was detected and stopped on the backup server, the attackers used the icacls command to modify access control, giving them full control of all the system folders on the server.

They then deployed GMER, a “rootkit detector” tool:

The GMER process hunting tool.

GMER is frequently used by ransomware actors to find and shut down hidden processes, and to shut down antivirus software protecting the server. The Ryuk attackers did this, and then they tried again. Ryuk ransomware was redeployed and re-launched three more times in short order, attempting to overwhelm remaining defenses on the backup server.

Ransom notes were dropped in the folders hosting the ransomware, but no files were encrypted.

The Ryuk HTML ransom note.

In total, Ryuk was executed in attacks launched from over 40 compromised systems,but was repeatedly blocked by Sophos Intercept X.  By noon on Thursday, the ransomware portion of the attack had been thwarted.  But the attackers weren’t done trying—and weren’t off the network yet.

On Friday, defenders deployed a block across the domains affected by the attack for the SystemBC RAT.  The next day, the attackers attempted to activate another SOCKS proxy on the still-compromised domain controller.  And additional Ryuk deployments were detected over the following week—along with additional phishing attempts and attempts to deploy Cobalt Strike.

 

Lessons learned

The Ryuk attack’s exploitation chain.

 

The tactics exhibited by the Ryuk actors in this attack demonstrate a solid shift away from the malware that had been the basis of most Ryuk attacks last year (Emotet and Trickbot). The Ryuk gang shifted from one malware-as-a-service provider (Emotet) to another (Buer Loader), and has apparently replaced Trickbot with more hands-on-keyboard exploitation tools—Cobalt Strike, Bloodhound, and GMER, among them—and built-in Windows scripting and administrative tools to move laterally within the network. And the attackers are quick to change tactics as opportunities to exploit local network infrastructure emerge—in another recent attack Sophos responded to this month, the Ryuk actors also used Windows Global Policy Objects deployed from the domain controller to spread ransomware. And other recent attacks have used another Trickbot-connected backdoor known as Bazar.

The variety of tools being used, including off-the-shelf and open-source attack tools, and the volume and speed of attacks is indicative of an evolution in the Ryuk gang’s operational skills. Cobalt Strike’s “offensive security” suite is a favorite tool of both state-sponsored and criminal actors, because of its relative ease of use and broad functionality, and its wide availability—“cracked” versions of the  commercially-licensed software are readily purchased in underground forums. And the software provides actors with a ready-made toolkit for exploitation, lateral movement, and many of the other tasks required to steal data, escalate the compromise and launch ransomware attacks without requiring purpose-made malware.

While this attack happened quickly, the persistence of the attacks following the initial failure of Ryuk to encrypt data demonstrate that the Ryuk actors—like many ransomware attackers—are slow to unlatch their jaws, and can persist for long periods of time once they’ve moved laterally within the network and can establish additional backdoors. The attack also shows that Remote Desktop Protocol can be dangerous even when it is inside the firewall.

 

IOCs for this attack will be posted on the SophosLabs GitHub here.

SophosLabs would like to acknowledge the contributions of Peter Mackenzie, Elida Leite, Syed Shahram and Bill Kearney of the MTR team, and Anand Aijan, Sivagnanam Gn, and Suraj Mundalik of SophosLabs to this report.

 

 

Net Universe offers all Sophos Devices and subscritpions also consultant services with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

Ping of Death Redux – Sophos News

Microsoft is releasing a substantial number of security fixes again in October’s Patch Tuesday release—with 11 rated “Critical” by Microsoft (including the latest Adobe Flash security update). But two vulnerabilities among those being patched stand out above these others: CVE-2020-16898 and CVE-2020-16899. These vulnerabilities—caused by a bug in Windows’ TCP/IP driver—harken back to the “Ping of Death” vulnerability fixed in Windows in 2013. They make denial of service and potential remote code execution possible with a crafted packet.

The vulnerability in tcpip.sys, a logic error in how the driver parses ICMP messages, can be triggered remotely with a crafted IPv6 router advertisement packet containing a Recursive DNS Server (RDNSS) option. The RDNSS option typically contains a list of the IPv6 addresses of one or more recursive DNS servers. 

The RDNSS option format for IPv6 ICMP packets.

There is a logic flaw in tcpip.sys that can be exploited by crafting a router advertisement packet containing more data than expected, which results in the driver putting more bytes of data on its memory stack than provided for in the driver’s code, resulting in a buffer overflow. In theory, this could be used for both denial of service and remote code execution attacks. But in practice, achieving remote code execution would be extremely difficult.

SophosLabs developed its own proof-of-concept for an attack, based on information provided by Microsoft. It leverages the vulnerability to cause a “blue screen of death” on the targeted computer.  The details of the POC are being withheld to prevent exploitation by attackers.

 

Once we understood the bug, developing a “Blue Screen of Death” proof-of-concept was fairly straightforward. But taking it to the level that Microsoft has warned is possible—remote code execution (RCE)—is not. Modern defensive coding standards and practices would slow down an effort to build a reliable generic RCE exploit, for two reasons.

First, TcpIp.sys is compiled with GS flag— which prevents a typical stack overflow from directly controlling the return address.

The stack cookie, also known as a stack canary, is a random value generate at loading time. Its value is XOR’d with the stack pointer, making it extremely hard to predict reliably—especially in a full remote exploitation.

There are two typical techniques used to bypass stack canaries, neither of which really apply in this case:

  • Using another information leak vulnerability (arbitrary read)—which won’t help much in exploiting tcpdrv.sys, because the canary value is XOR’d with the stack pointer.
  • Overwriting a Structured Exception Handling (SEH) handler, which would be useful only if a structured exception record has been set—which is not the case here.

The second roadblock to an effective RCE exploit is kernel Address Space Layout Randomization (kASLR). Even if it was possible can reliably predict the stack canary (big if) landing back to a system shell in user mode would require to correctly (and again remotely) determine the base address of the Windows kernel.

That means that even when the exact nature of the bug in tcpdrv.sys becomes more widely known, it may be some time before anyone can exploit it in a way that reliably injects code into the Windows kernel space. Even so, the threat of denial of service at will with a relatively easily-crafted packet should be enough by itself to prompt rapid patching—which is the only real fix for this vulnerability.

Sophos is in the process of deploying signatures for attacks based on this vulnerability to XG Firewall and Endpoint IPS (in EAP). The signature IDs are sid:2304055 and sid:2304163, respectively. Other short-term mitigations fir potential denial of service attacks include:

  • Disable IPv6 if not used, or
  • Make Windows discard router advertisement packets using the netsh command (netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable).

The rest of this month’s critical vulnerabilities patched are all potential remote code execution bugs as well:

  • CVE-2020-16891: Windows Hyper-V Remote Code Execution Vulnerability
  • CVE-2020-16911: GDI+ Remote Code Execution Vulnerability
  • CVE-2020-16915: Media Foundation Memory Corruption Vulnerability
  • CVE-2020-16923: Microsoft Graphics Components Remote Code Execution Vulnerability
  • CVE-2020-16947: Microsoft Outlook Remote Code Execution Vulnerability
  • CVE-2020-16951 and CVE-2020-16952: two Microsoft SharePoint Remote Code Execution Vulnerabilities
  • CVE-2020-16966: Open Enclave SDK Remote Code Execution Vulnerability
  • CVE-2020-16967: Windows Camera Codec Pack Remote Code Execution Vulnerability

Windows Spoofing Vulnerability

Another interesting bug fixed in this Patch Tuesday’s release is CVE-2020-16922 , a bug in Windows’ verification of digital signatures of Security Catalog (.CAT) files that could potentially be used to spoof verification of trust for a potentially malicious file.

Normally, any modification done to a digitally signed file should result in the invalidation of its signature.  However, it was discovered that appending arbitrary data of any size onto the end of a signed .CAT file does not invalidate its signature in the eyes of Windows, which fails to account for the extraneous data.

This bug bears a resemblance to the Curveball vulnerability from earlier this year, but is not as critical and poses a lesser threat to users—because unlike with Curveball,  “Man-in-the-Middle” attacks are not of concern. The bug could be exploited in malware deployments, however—for example, in the crafting of a  malicious Java Archive (.JAR) file.

By taking an existing Microsoft-signed .CAT file, appending the contents of a .JAR file to it, and changing the file’s extension to .JAR, a file is produced that looks and runs like a .JAR file, but has a “spoofed”, valid digital signature. This works because the Java Runtime will search a given .JAR file for Java contents to execute, even if they are present in the middle of the file.

Most other file types do not work this way, and cannot be abused for this purpose. Attackers might use this type of vulnerability to circumvent security software around their handling of malware: a file with a spoofed digital signature can fool security software into regarding it as a legitimate Microsoft-made file and therefore increase its “reputation,” potentially to such an extent that a blind eye would be turned to an actual malware file that would have otherwise get detected.

Sophos protection

Here is a list of protection released by SophosLabs in response to this advisory to complement any existing protection and generic exploit mitigation capabilities in our products.

CVE-2020-16898 SID:2304055,2304163
CVE-2020-16899 SID:2304058
CVE-2020-16922 SID:2304140,2304142
CVE-2020-16915 SID:2304212

This and all the other vulnerabilities revealed in October’s Patch Tuesday release—especially the critical ones—offer plenty of reasons to patch as quickly as possible.

Net Universe offers all Sophos Devices and subscritpions also consultant services with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

Responding to the rising wave of social engineering attacks against remote workers

By now, it’s clear the pandemic has provided perfect conditions for many types of social engineering attacks. We’ve seen plenty of reports and warnings from the FBI, CISA, Interpol, and other reputable organizations about the growth in coronavirus-related attacks, from spear-phishing to vishing, ransomware, and more, as the world adapts to remote working and its associated risks. 

In many ways, social distancing and remote work have created more fertile conditions for hackers, but the types of social engineering attacks we’re seeing today aren’t too different from what we’ve seen in the past. So, why are we still seeing major breaches making news headlines on a regular basis? 

If history has taught us one thing it’s that hackers will always capitalize on the human element. Uncertainty, fear, distraction, isolation, and confusion can all contribute to increased vulnerabilities among users. And as we continue to face a rapidly shifting global news agenda, we can’t possibly anticipate the next twist in the pandemic or major news event that opportunistic hackers will exploit. Look at the rise in phishing attacks related to COVID stimulus and relief for example. 

We expect to see continued social distancing and increased virtual interactions long after the pandemic subsides, which means that enterprises must rely on strong authentication to protect against the rising wave of social engineering attacks. As we lose confidence in the security of systems and information with an increasingly decentralized work environment, it’s critical to re-establish trust with your users. Here’s how:

Employee education and training is not enough.

Educating employees to be on the look-out for COVID-related scams, while essential, is not a comprehensive response. No matter how much user education about phishing or social engineering takes place, some attacks will still succeed. As long as user action is required, and there is a reliance on users to identify phishing and man-in-the-middle attacks, vulnerabilities will continue to be an issue. 

It’s time to overhaul your 2FA strategy.

Organizations cannot afford to continually rely on passwords, recovery questions, or basic two-factor authentication (2FA) to protect against future social engineering attacks. These are methods proven time and time again to fall short in the face of mobile malware, SIM swapping, and phishing attacks. Hackers are getting more savvy, and we must as well. 

User experience is critical to your organization’s safety.

In a world where we are physically remote from coworkers or IT, and juggling home and work life, strong authentication must work at scale on a variety of devices, across business-critical applications, and within different environments. The better the user experience, the easier it is to deploy across and to secure the enterprise — unlike complex point solutions that only protect a niche set of users.

So, yes, the rise in COVID-related attacks is a real and present danger. But we can’t assume this is a temporary threat or unique to COVID. It is simply the latest version of an ongoing rise in social engineering attacks that demands a stronger response. Every day we are helping businesses large and small adapt to their new normal. Are you ready for yours?

Accelerate your digital transformation with hardware-backed strong authentication for your leading cloud-based services. Google Cloud, Microsoft Azure Active Directory, and many other day-to-day business applications offer built-in and seamless integration with the YubiKey.

Net Universe offers all Yubikeys with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/yubikey.
You can visit our Shop Online

 

XG Firewall v18 MR3 is now available – Sophos News

The product team is pleased to announce a major new update for XG Firewall v18 with several great new enhancements.

Security emphasis

Given how much working environments have changed this year, we have accelerated our product security investments, taking a more proactive approach.  As a result, this new maintenance release for XG Firewall v18 includes several security and hardening enhancements to better protect your firewall and your data stored within, including SSMK (Secure Storage Master Key) for the encryption of your sensitive data.

There’s also a new CLI option to disable Captcha authentication that was previously introduced as a security hardening measure:

console> system captcha-authentication-global enable/disable/show for userportal/webadminconsole

Remote access VPN

Working from home and makes remote access VPN a vital tool for all organizations these days, and there are important enhancements to remote access VPN in this release:

Sophos Connect v2 makes SSL remote access VPN easy to deploy and use
  • Increased SSL VPN connection capacity across our entire firewall lineup. The capacity increase depends on your Firewall model: desktop models can expect a modest increase, while rack mount units will see a 3-6x improvement in SSL VPN connection capacity. Check the latest numbers for your XG Series model.  Remember that Sophos XG Firewall is the only firewall that provides remote access VPN up to the capacity of your device – at no extra charge.
  • Group support for our Sophos Connect VPN client, which now enables group imports from AD/LDAP/etc. for easy setup of group access policy.

Cloud (AWS/Nutanix) enhancements

Cloud and hybrid network infrastructure continues to grow in importance, and we’re also investing heavily in public cloud support:

  • Support for newer AWS instances – C5/ M5 and T3 (#)
  • Support for CloudFormation Templates, removing the need to run the installation wizard in some cases (#)
  • Virtual WAN Zone support on custom gateways for post deployment single arm usage
  • Single-arm deployments are now possible on AWS deployments thanks to an option to assign a zone to your custom gateway objects. This allows you to create access and security rules for traffic going into those zones.
  • XG Firewall is now Nutanix AHV and Nutanix Flow Ready. XG Firewall has been validated to provide two modes of operation within Nutanix AHV infrastructure. Learn more.
  • Also be sure to check out Sophos Cloud Optix to enhance your security and optimize costs for your cloud environments

Central management and reporting

We are seeing rapid adoption of Sophos Central management and reporting for XG Firewall thanks to rich features that make managing all your XG Firewalls easy.  It’s important to note that legacy central management and reporting platforms including CFM/SFM and iView are coming to end of life soon.

Now is the time to move to Sophos Central for your central management and reporting needs, as it offers a modern, scalable, secure platform with a great feature set and an aggressive roadmap.

What’s new:

  • XG Firewalls running in an HA configuration (either A-A or A-P) can now be fully managed within Firewall Group Management
  • An Audit Trail feature is now available within the Task Queue
  • Central Firewall Reporting has recently added the option to save, schedule, and export reports. Learn more.

Coming soon: Next month, a couple of other great enhancements are coming to Sophos Central, including group firewall management from the Partner Dashboard that greatly simplifies multi-customer firewall management, and cross-firewall reporting for better insights into activity across your entire multi-firewall protected network.

sophos central firewall reporting
Central Firewall Reporting now includes the option to save, schedule, and export reports

HA and other enhancements

XG Firewall v18 MR3 also addresses a number of reported issues with high-availability deployments, SD-RED devices support, and other areas.  See the release notes for a full list of fixes.

Upgrade as soon as possible

While we always encourage you to keep your firewalls up to date with the latest firmware, over the next few months we are recommending you rapidly apply maintenance releases to ensure you have all the important security, performance, and feature enhancements applied as soon as possible.

Also ensure you have automatic pattern updates enabled so that you can be assured you have the latest protection updates.

XG Firewall v18 MR3 is an easy upgrade from XG Firewall v17 (MR6+), but be sure to check supported platforms.

How to get it

As usual, this firmware update is no charge for all licensed XG Firewall customers. The firmware will be rolled out automatically to all systems over the coming weeks, but you can access the firmware anytime to do a manual update through the Licensing Portal. You can refer to this article for more information.

Learning more about upgrading to XG Firewall v18

And if you still haven’t upgraded to v18, or are still exploring many of the new features, be sure to take advantage of all the resources available, including the recent “Making the Most of XG Firewall v18” article series that covers all the great new capabilities in XG Firewall v18:

Net Universe offers all Sophos Devices and subscritpions also consultant services with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.