Ransomware again dominated the threat landscape, while BEC grew
Once again, ransomware was the most dominant threat observed in Cisco Talos Incident Response (CTIR) engagements this quarter.
CTIR helped resolve several significant ransomware events this quarter, including ones that involved the REvil ransomware leveraging a vulnerability in the Kaseya VSA software (CVE-2021-30116) against managed service providers (MSPs) and their downstream customers. REvil, along with Vice Society, were the only ransomware groups observed more than once this quarter. This highlights the greater democratization of emerging ransomware variants. This is the first quarter in which we had no observations of the Ryuk ransomware, a variant that was often the most often observed variant from previous quarters. CTIR also engaged in several pre-ransomware incidents in which ransomware was never deployed.
The next most commonly observed threat between July and October 2021 was business email compromise (BEC). The dominance of BEC and ransomware incidents, which also frequently use phishing and malspam as a means of initial infection, illustrate the importance of properly implementing multi-factor authentication (MFA).
Other threats observed this quarter include the Solarmarker malware, which Talos has covered extensively, as well as the Redline information-stealer, with leaked information observed being sold in Russian dark web forums.
Actors targeted a broad range of verticals, including manufacturing, non-profit, health care, hospitality, local government, financial services, IT, entertainment, retail, heavy equipment manufacturing, utilities, food manufacturing, real estate and telecoms. Attackers targeted local government organizations the most often, breaking a three-quarter streak in which health care was the most targeted sector.
Ransomware was the clear top threat this quarter, accounting for about 38 percent of all threats. This is a continuation of last quarter, though ransomware took up a bigger share of all threats with 46 percent. There were a number of new ransomware families observed this quarter:
- Vice Society
Vice Society and REvil were the only ransomware variants observed in more than one engagement this quarter, highlighting greater democratization of emerging ransomware variants. This is the first quarter in which we had no observations of Ryuk ransomware, a variant that was often the most frequently observed variant from previous quarters. Many security researchers believe the Conti ransomware family is a successor to Ryuk, potentially explaining the decline in observations of Ryuk activity.
CTIR is also currently engaging in several suspected pre-ransomware incidents where ransomware was never deployed. The pre-ransomware behavior includes the use of red team frameworks such as Cobalt Strike and Sharphound, publicly available utilities such as PCHunter and Process Hacker, as well as a variety of remote access tooling, such as TeamViewer or AnyDesk. In most cases, affected assets, such as domain controllers and System Center Operations Manager (SCOM) servers, are also a good indication of what the actor may be targeting and how they persist and move laterally in the environment once compromised. CTIR notes that timely detection of these behaviors along with quick remediation efforts can contain incidents before encryption occurs.
BEC was the next most commonly observed threat. More BEC incidents occurred this quarter than during any other quarter since we’ve begun compiling these reports in late-2019. BEC scams occur when an adversary gains credentials to a user’s email at an enterprise and leverages that access to send out spam, engage in fraud, or any number of additional malicious activities. One organization that fell victim to BEC had multi-factor authentication implemented, but the adversaries were able to circumvent using “basic authentication” when logging in to 0365. This illustrates that MFA can be defeated by unsophisticated methods which make proper implementation of MFA vital. For more information on BEC, see the Talos deep dive here.
Other observed threats this quarter included the exploitation of vulnerabilities, distributed denial-of-service, drive-by downloads, and the spread of Solarmarker, a highly modular .NET-based information stealer and keylogger, which affected a local government organization. A compromised user had downloaded the initial Solarmarker dropper file while web browsing, a typical infection vector for this threat.
CTIR engaged in two incidents in short succession, both involving the information stealer Redline. Redline is a relatively new information-stealer that emerged in 2020 and is primarily being spread via COVID-19-themed malspam, malicious Google advertisements, and NFT-themed spear-phishing emails. In both instances, the adversary used Redline to scrape domain controller credentials from a browser cache. Talos identified stolen information derived from Redline being sold in Russian dark web forums.
For the vast majority of incidents, CTIR could not reasonably determine the initial vector because of logging deficiencies. CTIR encourages all organizations to save their logs to make any potential incident response engagements more efficient and effective.
However, when initial vectors were identified or assumed, email was the most common initial vector targeted. This is not surprising given the rise in BEC incidents, along with the large number of ransomware adversaries that leverage phishing as an initial means of infection.
The lack of multi-factor authentication (MFA) remains one of the biggest impediments for enterprise security. CTIR frequently observes ransomware incidents that could have been prevented if MFA had been enabled on critical services. All organizations should implement MFA solutions, such as Cisco Duo, wherever possible.
Top-observed MITRE ATT&CK techniques
Below is a list of the most common MITRE ATT&CK techniques observed in this quarter’s IR engagements. Given that some techniques can fall under multiple categories, we grouped them under the most relevant category in which they were used. This represents what CTIR observed most frequently and is not intended to be exhaustive.
Key findings from the MITRE ATT&CK appendix include:
- Ransomware engagements were high again this quarter, as were the associated software and tools we typically observe alongside ransomware attacks. For example, this quarter we saw a rise in the use of remote access software, such as AnyDesk and TeamViewer, and command line utilities like PsExec.
- We observed an uptick in user execution techniques this quarter compared to the previous quarter. This is likely related to the amount of BEC engagements, where we saw more phishing attempts to lure users to click and execute malicious links and attachments.
|Initial Access (TA0027)||T1078 Valid Accounts||Adversary leveraged compromised credentials.|
|Persistence (TA0028)||T1053 Scheduled Task/Job||Scheduled tasks were created on a compromised server.|
|Execution (TA0041)||T1059.001 Command and Scripting Interpreter: PowerShell||Executes PowerShell code to retrieve information about the client's Active Directory environment.|
|Discovery (TA0007)||T1083 File and Directory Discovery||Explore contents of a certain directory.|
|Credential Access (TA0006)||T1003 OS Credential Dumping||Use tools such as Mimikatz to compromise credentials in the environment.|
|Privilege Escalation (TA0029)||T1055 Process Injection||Uses process injection to hide aspects of a malware’s execution chain.|
|Lateral Movement (TA0008)||T1021.001 Remote Desktop Protocol||Adversary made attempts to move laterally using Windows Remote Desktop.|
|Collection (TA0035)||T1114 Email Collection||Access email accounts.|
|Defense Evasion (TA0030)||T1562.001 Impair Defenses: Disable or Modify Tools||Disable security tools.|
|Command and Control (TA0011)||T1219 Remote Access Software||Remote access tools found on the compromised system.|
|Impact (TA0034)||T1486 Data Encrypted for Impact||Deploy REvil ransomware.|
|Exfiltration (TA0010)||T1048 Exfiltration Over Alternative Protocol||Actor moved GBs of customer information via SMB to an attacker-controlled IP.|
|Software/Tool||PsExec||Adversary made use of PsExec for lateral movement.|