While many Cisco Talos Incident Response (CTIR) engagements have shown similar patterns over the past two quarters, we’re seeing a dangerous trend emerge this winter. Threat actors are increasingly combining the exfiltration of sensitive data along with data encryption as new levers to compel victims to pay.
Targeting A wide variety of verticals were once again targeted, including media, government, healthcare, and manufacturing, with the latter representing the top vertical targeted. The number of engagements closed out was around the same as the previous quarter.
Threats Although we observed some new trends this quarter — including an uptick in web application exploits, a website defacement incident, and some new evasive tactics — this quarter demonstrated the continued threat posed by Trickbot, especially when it is leveraged as a dropper for ransomware such as Ryuk. The top threats for fall 2019 remained Trickbot and Ryuk. In a typical engagement, the target would receive a phishing email with a malicious link or document attached that would lead to the victim downloading Trickbot. The adversaries would use Trickbot and open-source tools such as PowerShell, Empire, or Bloodhound to profile the victim, eventually dropping Ryuk after some dwell time (in one engagement, this lasted up to nearly a year) and demanding a ransom.
We also observed an instance of threat actors using an unusual method to deploy Ryuk. Following a Trikbot infection, the adversaries deployed Ryuk throughout the Active Directory environment as a group policy object, whereas adversaries typically leverage PsExec to deploy the ransomware.
The top threats observed this quarter are relatively consistent with those from the last quarter, though the commodity trojan Emotet appeared much less frequently. In another change, we did not observe any incidents related to illicit mining, though there was a reemergence in the winter. We did, however, observe some malware that we had not seen in the previous quarter, including infostealers like Lokibiot and Avemaria, ASP web shells, and the Frenchy toolkit.
Initial Vectors Phishing remained the top infection vector. CTIR also observed an uptick in web application exploitation, including the exploitation of newer vulnerabilities, such as in the Palo Alto GlobalProtect SSL VPN. We also observed third-party compromise in which a target’s GitHub account was compromised and the attackers stole a stored Amazon identity access management account.
Actions after compromise
Actions post-compromise remained consistent with last quarter, ranging from encrypting data to connecting to command-and-control and moving laterally throughout the victim network. We did observe defacement this quarter as well as an uptick in evasive actions.
Looking forward Although this blog covers fall 2019, CTIR has observed initial indicators that suggest an evolution in threat actor behavior in winter 2019/2020: Ransomware actors have begun exfiltrating sensitive data from victim organizations and threatening to publish them if the ransom is not paid.
Talos observed this behavior in two separate engagements in the winter that were perpetrated by the same actor. In both incidents, the actor leveraged the offensive security tool CobaltStrike to traverse the network and gather systems and data. The actor then exfiltrated the data using PowerShell to connect to an FTP server, after which the adversary deployed Maze ransomware in the victim environment.
This same actor had been observed by other security researchers threatening to release sensitive information if the ransom was not paid, and in several instances, followed through on that threat. This represents a major and dangerous shift in ransomware actor behavior because exfiltration further compels victim organizations to pay the ransom and ensures a significant impact even if proper measures such as backing up important information are implemented. It also shows an advancement in victim profiling by the actors, who may believe that large enterprises will be more willing to pay to keep sensitive data from being published. There are indications that other threat actors are beginning to mimic this behavior.
CTIR will provide additional details on this new behavior in next quarter’s report.