By David Liebenberg and Kendall McKay.
This summer’s most popular malware families were common and used in unsophisticated attacks, with phishing being the top infection vector, according to Cisco Talos Incident Response (CTIR) data. In addition to threat actors repeatedly deploying common threats like ransomware as final payloads, we found that adversaries also leveraged similarly well-known open-source frameworks post-compromise to enable activities such as traversing victim networks, reaching out to command and control (C2) nodes, and exfiltrating data. These findings indicate that organizations across a variety of industry verticals continue to face challenges in defending against common threats and attack methods, most of which have the potential to cause critical damage if not detected and remediated quickly and effectively.
The discoveries outlined in this blog were observed during CTIR engagements between May and July, which corresponds to Cisco’s fourth quarter in fiscal year 2019. These reports, which we intend to publish quarterly, are intended to provide executives and network defenders with regular updates and analysis on the threat landscape.
Top threats The top threats that we observed between May and July included ransomware, commodity banking malware such as Emotet and Trickbot, and illicit cryptocurrency miners. Although adversaries’ use of ransomware initially appeared to slow down following the rise of cryptocurrency miners, ransomware was by far the most commonly observed threat in incident response engagements during the time period in question. We also frequently saw commodity banking trojans acting as a dropper for ransomware.
Ransomware Based on our findings, ransomware was the most common threat affecting organizations, with Ryuk being the most frequently deployed type of ransomware. Ryuk infections targeted companies in the retail, media and entertainment, software and internet, and healthcare industries, severely impacting business-critical services and operations. In at least one case, the Ryuk infection occurred months after the initial Trickbot compromise, indicating that the threat actor avoided detection and maintained access to the victim system for a prolonged period of time.
In most of our incident response engagements, we observed multiple threats being deployed on victim systems at various stages of the operation. Ryuk, for example, was typically dropped by banking trojans such as Trickbot, which is consistent with the ransomware’s known TTPs. In one such incident, a company experienced a Trickbot-Ryuk infection, after which the adversary used the open-source framework PowerShell Empire to pull down Sodinokibi ransomware binary code from a Pastebin page. However, some Ryuk infections were not accompanied by a commodity malware dropper. One such company was infected with Ryuk via a malicious decoy Microsoft Word install, causing Microsoft Exchange servers and domain controllers to lose availability and impacting business operations.
Banking trojans Modular banking trojans were also observed in several incident response engagements, often as a dropper for ransomware. The most commonly observed variants were Emotet and Trickbot. Other banking trojans observed between May and July included Qakbot, Cridex and Dridex and affected organizations in the retail, business services, media and entertainment, software and internet, manufacturing and health care industries.
As mentioned above, several incident response engagements involved Trickbot dropping Ryuk. During at least one case, in which the adversary used PSExec and RDP to stage, spread, and execute the malware, the infection was widespread and progressed over time. Emotet was also observed in several engagements this past quarter. In one instance, a manufacturing company fell victim to an Emotet infection that was caused by malicious spam sent from one of their regional offices. An employee received a high-quality spoofed email that appeared to come from another employee and contained a malicious attachment, which likely led to an Emotet infection.
The actors behind banking trojans such as Trickbot and Emotet have shown a willingness to continually update their malware, adding new modules for increased lateral movement and data exfiltration. They also have been increasing commodification of their malware, engaging in malware-as-a-service by providing access to their tools and infrastructure to other malicious actors. Given adversaries’ propensity to target enterprise networks, they remain a consistent threat observed by responders.
Coinminers Between May and July, we observed a number of illicit cryptomining attacks in our telemetry and CTIR engagements, several of which involved prominent Chinese botnets and the collaboration of multiple threat actors. Cryptomining malware was observed in CTIR engagements with organizations in the education, health care, business services, telecommunications, and retail industries. Following a dramatic drop in cryptocurrency values in 2018, the market appears to be slowly rebounding with gradual price increases since in early 2019. Despite the fluctuating market, threat actors have largely remained undeterred from targeting cryptocurrency exchanges, suggesting that the currency’s monetary value has little to do with their decision to carry out these types of attacks. As the value of cryptocurrencies continue to rise, we expect illicit cryptoming attacks to remain constant and possibly increase in frequency.
Prominent Chinese cryptocurrency botnets were observed in several engagements. A company in the business services industry had an internet-facing server exploited and was infected with malware associated with cybercriminal group Rocke. The threat actor, which Cisco Talos wrote about in 2018, is linked to the Iron cybercrime group that actively engages in distributing and executing cryptocurrency mining malware using a varied toolkit that includes Git repositories, HTTP FileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, and ELF and PE miners. Talos first observed this actor when they attacked our honeypot infrastructure.
In another engagement, a telecommunications company was compromised with a Monero miner associated with another prominent Chinese-language botnet that Talos has been following since February 2019. This actor had been observed exploiting unsecured ElasticSearch clusters to drop cryptocurrency miners, as well as targeting Oracle WebLogic and Hadoop YARN. During the CTIR engagement, the actor conducted a brute-force authentication attack, after which automated adversary scanners attempted to install cryptocurrency mining malware. Several Hadoop virtual machines (VM) became infected with mining malware that reached out to a known C2 used by the group.
Our findings also indicated that mining malware is usually delivered by relatively unsophisticated means such as mass exploitation campaigns or brute-forcing. These types of common infection vectors are often used by various other threat actors to carry out a range of unrelated threat activity, suggesting that the presence of mining malware can sometimes be an indication that more sophisticated malware is also present on the victim’s environment.
Top entry vectors We were unable to determine the entry vector during the majority of engagements due to the victim organization having insufficient logging and security instrumentation. However, when the entry vector could be reasonably determined or assumed, phishing, brute-forcing and exploitation of web applications were the most frequent entry methods.
Phishing With the prevalence of banking trojans that mostly spread via malspam and phishing campaigns, it should be no surprise that email was one of the top initial vectors we observed. Several engagements saw Emotet and Trickbot delivered via malicious emails. This included emails sent from one victim within an organization to another, which can make detecting a phishing incident much more difficult by both the victim and security appliances.
Brute-force Brute-force attacks occur when an attacker continuously attempts to log in to an application until they find the correct ID-password combination that grants them access. These processes are typically automated and happen at a rapid pace. In addition to our CTIR team uncovering evidence of brute-force attacks in their engagements, we also frequently observed this type of activity in our Talos honeypot infrastructure.
Web application compromise Another common initial vector was the exploitation of unpatched internet-facing applications. Threat actors commonly scan for unpatched servers to exploit using publically available proofs-of-concept soon after vulnerabilities are announced. We frequently observed this activity in our telemetry and have seen it in incident response engagements as well. For instance, a business services company had cryptocurrency miners dropped onto their environment after actors exploited vulnerabilities in their Jenkins servers, while an organization in the education industry had their SharePoint servers breached with a web shell.
Actions after compromise In addition to completing their primary objectives – for example, encrypting files during a ransomware attack – we observed threat actors carrying out a variety of secondary actions post-compromise, such as reaching out to a C2 for follow-on malware or instructions, traversing the network, compromising user accounts, establishing persistence and exfiltrating data. This type of malicious activity after compromise shows how adversaries can leverage common and relatively unsophisticated tactics, including the use of widely available open-source tools, to carry out successful operations.
Cisco Talos also observed some common lateral movement methods. For instance, we frequently observed exploitation of SMB and internal spam as a means of a lateral movement, typical actions of banking trojans such as Trickbot and Emotet. We also observed attackers in several engagements leveraging readily available open-source post-exploitation tools to traverse the network and execute malware. This includes Mimikatz, a post-exploitation tool that dumps passwords from memory, as well as other sensitive data.
We also observed PowerShell Empire, an open-source post-exploitation framework that leverages PowerShell and includes modules ranging from keyloggers to credential dumpers, to execute malware, traverse the network, and reach out to C2s. Defenders should not underestimate the damage an attacker can cause through the use of these tools. Evidence of Mimikatz in particular potentially indicates that an organization’s critical services may be severely compromised. During an engagement with a manufacturing company, we observed the presence of Mimikatz in a local administrator account’s remote interactive session. We also found compromised accounts from this organization and another CTIR response victim for sale on the dark web.
We also observed common persistence techniques such as establishing a cron job to reach out to the payload hosting domain and execute the payload, installing multiple copies of a payload on a host, creating scheduled tasks, and creating registry keys in the Autorun locations in the registry.
Multiple actors compromising the same victim An organization vulnerable to compromise may be attacked by multiple adversaries, each with different objectives, and these adversaries may even battle one another for control of the victim network. In one instance, we observed a malicious threat actor named Rocke, another cryptomining actor named Watchbog, as well as the longrunning China.Z botnet on the same victim. In another case, we observed a ransomware event that ran parallel to an adversary who had compromised credentials via Mimikatz. During a ransomware event, a second adversary compromised the victim’s externally facing SSH server to drop IoT botnet malware. It is important to consider the implications of finding multiple actors, mainly how organizations can address the underlying security weaknesses to prevent these attacks as well as improvements in visibility to help increase detection.
This one reason why a common threat, like a ransomware event, banking trojan outbreak, or illicit mining attack can be considered a canary in the coal mine, showing that a low-effort, low-sophistication attack successfully bypassed an organization’s defenses, which could indicate the presence of other actors.
What to watch for and mitigations The fact that these common threats prevail shows that adversaries are able to take advantage of typical weaknesses in an organization’s security architecture. Since phishing was a top entry vector, Talos urges a multi-pronged approach to address email security, including user training (how to identify and report suspected phishing), technical anti-spoofing controls, intelligence-based email security filtering, and configuring end-points to be less vulnerable to common attacks.
The lack of monitoring for deployed network detection tools/systems was a key weakness as well. This was especially true in some of these incidents where tools like Cisco AMP were deployed in “audit” mode but were not being reviewed by a person or aggregated into SIEM software.
Post-compromise, the lack of logging was a weakness present in almost every engagement. A lack of logging makes it difficult for responders to put together a complete picture of what adversaries achieved post-compromise. This was also one of the reasons why in the majority of engagements we were unable to exactly pinpoint the initial vector of attack.
Other common weaknesses we observed included lack of multi-factor authentication, sensitive servers exposed to the internet or not properly segmented, lack of patching, and ineffective security products.