By David Liebenberg and Caitlin Huey.
Last quarter, ransomware was not the most dominant threat for the first time since we began compiling these reports. We theorized that this was due to a huge uptick in Microsoft Exchange exploitation, which temporarily became a primary focus for Cisco Talos Incident Response (CTIR). We believed that ransomware would soon return to its position as the most observed threat. This proved correct, as ransomware cases exploded this quarter, comprising nearly half of all incidents, underscoring that it remains one of the top threats targeting enterprises.
Although ransomware was the top threat, there were very few observations of commodity trojan use this quarter. Ransomware actors continued to use commercial tools such as Cobalt Strike, open-source tools, including Rubeus, and tools native on the victim’s machine (living-off-the-land binaries, aka “LoLBINs”) such as PowerShell. This quarter also demonstrated the continuation of a somewhat hopeful trend: There were several pre-ransomware events in which timely detection via Cisco Secure products, along with quick remediation efforts from CTIR and the victim organization, led to containment of the incident before encryption could occur.
Actors targeted a broad range of verticals, including transportation, utilities, health care, government, telecoms, technology, machinery, chemical distribution, manufacturing, education, real estate and agriculture. Health care was targeted the most out of all verticals for the third quarter in a row, with government being the second most-targeted. There are many reasons why actors are continuing to target the health care industry, including the COVID-19 pandemic incentivizing victims to pay to restore services as quickly as possible.
Ransomware was the clear top threat this quarter, accounting for about 46 percent of all threats and more than tripling the next most common threat, which was the exploitation of vulnerabilities in Microsoft Exchange Server. There was also a variety of ransomware families observed, including:
- Mount Locker
In a pre-ransomware attack against a technology company, adversaries compromised vendor account credentials and then engaged in several actions to facilitate lateral movement. The adversary obtained additional credentials via Local Security Authority Subsystem Service (LSASS) credential dumping and engaged in heavy scanning. This included use of the SoftPerfect network scanner and a script to identify hosts affected by the BlueKeep vulnerability. CTIR identified a file containing a list of hundreds of Kerberos password hashes, which could be cracked offline to steal plaintext passwords. The adversaries leveraged Cobalt Strike as well, installing a service via a compromised account to execute a Cobalt Strike beacon. The adversary installed Cobalt Strike beacons on additional hosts via named pipes. The activity spread throughout the environment, affecting domain controllers and an SCCM server. Several hosts showed signs of malware staging. The adversaries also employed the “Go Simple Tunnel” (GOST) and created scheduled tasks that tunneled traffic to a C2 domain.
Cisco Secure Endpoint detected suspicious encoded PowerShell commands and activity from a compromised domain administrator account. After reviewing the alert, the victim organization consulted with CTIR for remediation efforts. Together, we removed the adversaries from the network before they could launch the ransomware executable.
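As an added illustration (not CTIR's or Cisco Secure Endpoint's detection logic), the following sketch shows how a responder can triage the kind of encoded PowerShell alert described above: it finds the `-EncodedCommand` argument in process-creation command lines and decodes it for review. The event fields (`host`, `user`, `command_line`) and all sample values are assumptions constructed for the example.

```python
import base64
import binascii

FLAG = "encodedcommand"  # powershell.exe accepts any prefix of this, plus the alias -ec

def encoded_argument(command_line):
    """Return the Base64 value passed to -EncodedCommand (or a prefix of it), else None."""
    if not any(name in command_line.lower() for name in ("powershell", "pwsh")):
        return None
    tokens = command_line.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag[1:].lower()
        if flag[0] in "-/" and name and (FLAG.startswith(name) or name == "ec"):
            return value.strip("'\"")
    return None

def decode_payload(b64):
    """The payload is Base64 over UTF-16LE text; return None when it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def triage(events):
    """Return one finding per encoded invocation, decoded where possible."""
    findings = []
    for ev in events:
        arg = encoded_argument(ev["command_line"])
        if arg is not None:
            # Undecodable payloads are kept (decoded=None) so an analyst still sees them.
            findings.append({"host": ev["host"], "user": ev["user"],
                             "decoded": decode_payload(arg)})
    return findings

def _enc(script):  # helper that builds the constructed sample payload
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events; hosts, accounts and commands are made up.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\da-admin",
     "command_line": "powershell.exe -NoP -W Hidden -enc " + _enc("Get-ADComputer -Filter *")},
    {"host": "WS12", "user": "CORP\\jsmith",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"host": "SCCM01", "user": "CORP\\da-admin",
     "command_line": "pwsh.exe -EncodedCommand not*base64"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Matching on prefixes of the flag name rather than the literal string `-enc` keeps abbreviated forms from slipping past the check, while `-ExecutionPolicy` and `-File` are correctly ignored.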
Other observed threats this quarter included the exploitation of vulnerabilities, cryptocurrency mining, and account compromise. Interestingly, there were several incidents involving trojanized USB drives, a relatively older means of initial infection that has not been observed since we’ve been compiling these reports. In one of these incidents, the USB drive contained the Sality malware, an older, wormable malware family. Based on the output from Cisco Secure Endpoint, the Sality malware executed and replicated itself multiple times to various paths on the C drive using random names ending in an “exe,” “pif,” and/or “cmd” file extension. This illustrates the importance of avoiding USB re-use, particularly for OT companies.
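The replication pattern described above (one binary appearing under many random names with “exe,” “pif” or “cmd” extensions on the C drive) can be hunted for in endpoint file-creation telemetry. The sketch below is an added example, not code from CTIR or Cisco Secure Endpoint; the event fields, the `min_copies` threshold and every sample value are assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

SALITY_EXTS = {".exe", ".pif", ".cmd"}  # extensions named in the report

def replicated_binaries(file_events, min_copies=3):
    """Return {sha256: sorted paths} for content written to >= min_copies distinct C: paths."""
    paths_by_hash = defaultdict(set)
    for ev in file_events:
        path = PureWindowsPath(ev["path"])
        # Only copies on the C drive with one of the listed extensions are counted.
        if path.drive.upper() == "C:" and path.suffix.lower() in SALITY_EXTS:
            paths_by_hash[ev["sha256"]].add(str(path).lower())
    return {h: sorted(p) for h, p in paths_by_hash.items() if len(p) >= min_copies}

# Constructed file-creation events; hashes are placeholders, not real indicators.
HASH_A, HASH_B, HASH_C = "a" * 64, "b" * 64, "c" * 64
SAMPLE_FILE_EVENTS = [
    {"sha256": HASH_A, "path": r"D:\autorun\setup.exe"},           # removable drive, not counted
    {"sha256": HASH_A, "path": r"C:\Users\Public\wqkdn.pif"},
    {"sha256": HASH_A, "path": r"C:\Windows\Temp\xhbro.exe"},
    {"sha256": HASH_A, "path": r"C:\ProgramData\lmtyv.cmd"},
    {"sha256": HASH_B, "path": r"C:\Program Files\Vendor\updater.exe"},
    {"sha256": HASH_C, "path": r"C:\App\one.dll"},
    {"sha256": HASH_C, "path": r"C:\App\two.dll"},
    {"sha256": HASH_C, "path": r"C:\App\three.dll"},
]

if __name__ == "__main__":
    for sha256, paths in replicated_binaries(SAMPLE_FILE_EVENTS).items():
        print(sha256[:12], len(paths), "copies:", paths)
```

Grouping by hash rather than by file name is what makes the random names irrelevant: the names change with every copy, the content does not.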
Looking ahead: In July 2021, the ransomware group REvil carried out an attack against Kaseya, which provides IT solutions to managed service providers (MSPs). Because REvil targeted MSPs that manage IT services for their clients, they reached at least 1,500 organizations. However, CTIR has only engaged in one incident associated with this activity. This included a manufacturing organization that used an affected MSP. Luckily, the number of servers affected was limited, since the organization only used the MSP to manage certain functions. Following this attack, the U.S. and Russia held a high-level bilateral meeting on cybercrime. Shortly afterward, REvil’s websites and infrastructure were shut down, though the shutdown has not been explicitly linked to these bilateral meetings.
For the vast majority of incidents, CTIR could not reasonably determine the initial vector because of logging deficiencies. CTIR encourages all organizations to save their logs to make any potential incident response engagements more efficient and effective.
However, when potential initial vectors were identified, attackers most often infected their victims by exploiting vulnerabilities. This was bolstered by the widely publicized Microsoft Exchange vulnerabilities announced in the spring, which culminated in several responses that closed out in April. Other top initial vectors included phishing and account compromise, involving either an account from the victim organization or one from a vendor with access to the organization.
Looking ahead: While phishing as an infection vector remained low this quarter, we observed at least two business email compromise (BEC) engagements for the coming quarter. In one of these incidents, the adversary used compromised credentials to log into a legitimate user’s O365 email account and changed inbox rules to facilitate reconnaissance.
The lack of multi-factor authentication (MFA) remains one of the biggest impediments for enterprise security. CTIR frequently observes ransomware incidents that could have been prevented if MFA had been enabled on critical services. CTIR urges organizations to implement MFA wherever possible.
Top-observed MITRE ATT&CK techniques
Below is a list of the most common MITRE ATT&CK techniques observed in this quarter’s IR engagements. Given that some techniques can fall under multiple categories, we grouped them under the most relevant category in which they were leveraged. This represents what CTIR observed most frequently and is not intended to be exhaustive.
Key findings from the MITRE ATT&CK appendix include:
- Ransomware engagements were higher this quarter, as were the associated software and tools we typically observe alongside ransomware attacks, including Cobalt Strike and PsExec.
- We observed an uptick in evasion techniques this quarter compared to the previous quarter. This is likely related to the number of ransomware engagements, as we saw more attempts to disable security and AV products, as well as to execute ransomware payloads with command-line utilities such as “rundll32.exe” or “regsvr32.exe.”
- Remote desktop protocol (RDP) usage slightly increased again this quarter. In some engagements, we observed the adversary leveraging multiple remote services for lateral movement, such as attempting to move laterally throughout the environment by leveraging available shares over Server Message Block (SMB) and RDP.
- Initial Access (TA0027): T1078 Valid Accounts — Adversary leveraged compromised credentials.
- Persistence (TA0028): T1053 Scheduled Task/Job — Scheduled tasks were created on a compromised server.
- Execution (TA0041): T1059.001 Command and Scripting Interpreter: PowerShell — Executes PowerShell code to retrieve information about the client's Active Directory environment.
- Discovery (TA0007): T1087 Account Discovery — Use a utility like ADRecon to gain information on users and groups.
- Credential Access (TA0006): T1003 OS Credential Dumping — Use tools such as Mimikatz to compromise credentials in the environment.
- Privilege Escalation (TA0029): T1574.002 Hijack Execution Flow: DLL Side-Loading — A malicious PowerShell script attempted to side-load a DLL into memory.
- Lateral Movement (TA0008): T1021.001 Remote Desktop Protocol — Adversary made attempts to move laterally using Windows Remote Desktop.
- Collection (TA0035): T1074 Data Staged — Use Notepad++ for data staging.
- Defense Evasion (TA0030): T1562.001 Impair Defenses — Disable or modify tools.
- Command and Control (TA0011): T1071 Application Layer Protocol — Used SMB for C2.
- Impact (TA0034): T1486 Data Encrypted for Impact — Deploy REvil ransomware.
- Software/Tool: Cobalt Strike — Adversary copied Cobalt Strike to at least two domain controllers.