Analysis of Real Cybercrime Operators

Published in AISA’s Cyber Today Magazine 2022 Edition 1

Jacob Larsen
Jun 5, 2023

When executives see ransomware attacks in news headlines, pressure is applied downwards to the cyber security function of the organisation to ascertain whether the business may also be vulnerable to a similar attack.

Introduction

Some of the questions that are often asked are, “Could our organisation be targeted by a similar type of hacker?” or “What do we need to do to make sure this doesn’t happen to us?”. Answering these questions is not easy, and there is no simple way to provide assurance. A timeline must be established of the steps that the attacker took to achieve their objective, and the effectiveness of the controls implemented at each stage must be assessed.

Despite news headlines attributing cyber-attacks on organisations to a single large, powerful, and all-evil hacker, data breaches in modern times are often caused by multiple different threat actors with varying skillsets and sophistication. These threat actors operate highly independently from one another but broker their services and access to each other in an organised fashion, congregating and transacting on underground forums.

This article will review three cybercrime operators that support the different stages of the lifecycle of a ransomware attack (as displayed in Figure 1), perform analysis on their tools, techniques, and procedures, and provide important recommendations to improve organisations’ resilience.

Discussion

Phase 1: Initial Access

As the ransomware monetisation model has grown exponentially in the past year, the demand for compromised initial access has surged, which has encouraged a new wave of “Initial Access Brokers”. This is a term which is used to describe actors who supply initial low privilege access to the highest bidder, namely malicious penetration testers and ransomware operators.

There were four primary techniques that were observed to be in use by Initial Access Brokers on underground forums. These methods included opportunistic access through information-stealer malware distribution, password attacks, exploiting vulnerable internet-facing infrastructure and social engineering through phishing.

Figure 2 displays a Russian-speaking Initial Access Broker that was observed selling Virtual Private Network (VPN) credentials for a German-based graphics design firm with US$115 million in revenue. Whilst the buy-now price for this access was US$700, it was later sold to a malicious penetration tester for just US$150. It was discovered that their method for compromising this organisation was opportunistic and the firm was not intentionally targeted. They even went as far as to write on a thread (translated from Russian), “I don’t know what the rights are, and I don’t know how to look at a VPN, and I won’t”.

The threat actor had compromised VPN credentials by deploying an information-stealer malware to a range of victims by masquerading it as a legitimate software download. This malware was spread like a giant net being cast in the ocean, and stole credentials stored on infected machines from browsers, auto-fill forms, passwords saved in the system and in cookies. In this case, the VPN credentials were likely compromised from an employee’s infected personal device.

Employees will store their organisational credentials insecurely without appropriate security awareness training. Building a situationally aware and cyber-resilient workforce is not something that will happen overnight, and it requires a top-down approach with managers and executives leading by example. Organisations should consider implementing a password manager to prevent the exfiltration of credentials using this method.

Other observed techniques by threat actors included attacks targeting weak passwords, such as password spraying, dictionary attacks and credential stuffing. The Australian Cyber Security Centre (ACSC) recommends that organisations ensure passwords use all complexity requirements, are a minimum of 14 to 20 characters in length, are changed every 90 days, and that users who do not set their initial password are required to change it on first use[1]. Accounts should also be locked out after a defined sequence of failed attempts.
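As an added example (not from the article), the following PowerShell compares a domain's default password policy with the targets quoted above and lists enabled accounts that are exempt from expiry. It assumes the ActiveDirectory RSAT module and a read-only domain account; the lockout threshold of 10 is an assumed value, because the text only calls for "a defined sequence of failed attempts".

```powershell
# Added example, not from the article: compare the domain's default password
# policy with the recommendations quoted above and list enabled accounts that
# are exempt from expiry. Assumes the ActiveDirectory RSAT module and an
# account that can read the domain; nothing is changed.
Import-Module ActiveDirectory

# Targets from the article; the lockout threshold is an assumed value.
$MinLength       = 14
$MaxAgeDays      = 90
$LockoutMaxTries = 10

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = [System.Collections.Generic.List[string]]::new()

if (-not $policy.ComplexityEnabled) {
    $findings.Add('Complexity requirements are disabled')
}
if ($policy.MinPasswordLength -lt $MinLength) {
    $findings.Add("Minimum length is $($policy.MinPasswordLength); target is $MinLength")
}
# MaxPasswordAge is a TimeSpan; a zero span means passwords never expire.
$maxAge = [int]$policy.MaxPasswordAge.TotalDays
if ($maxAge -eq 0 -or $maxAge -gt $MaxAgeDays) {
    $findings.Add("Maximum age is $maxAge days (0 = never); target is $MaxAgeDays")
}
# A LockoutThreshold of 0 disables lockout entirely.
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $LockoutMaxTries) {
    $findings.Add("Lockout threshold is $($policy.LockoutThreshold); target is $LockoutMaxTries or fewer")
}

# Fine-grained policies can silently relax the defaults for specific groups.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    if ($_.MinPasswordLength -lt $MinLength) {
        $findings.Add("PSO '$($_.Name)' allows minimum length $($_.MinPasswordLength)")
    }
}

# Enabled accounts flagged "password never expires" bypass the age control.
$neverExpires = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' |
    Select-Object -ExpandProperty SamAccountName

if ($findings.Count -eq 0) { 'Default domain policy meets the targets' } else { $findings }
"Accounts with non-expiring passwords: $($neverExpires.Count)"
$neverExpires
```

Service accounts legitimately appear in the non-expiring list; the point of the report is to make that list explicit and reviewed rather than to force expiry on every entry.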

Social engineering attacks such as phishing and vishing are also widely known to be used by Initial Access Brokers, and it was observed that valid Office365 credentials for Australian organisations were sold for as little as US$6 each on underground forums. This signals the utmost importance of organisations using controls such as multi-factor authentication, and conditional access controls such as IP allow-listing and geo-blocking.

Whilst exploiting vulnerable internet-facing infrastructure is also a known method, it was not observed as being widely used for obtaining an initial foothold, due to the required investment of time and resources. However, to mitigate this, organisations should implement a defined patch management schedule that prioritises patches based on the criticality of the system and the type of information processed.

Phase 2: Persistence, Privilege Escalation & Lateral Movement

Persistence consists of techniques that threat actors use to ensure their initial foothold on the network is not lost due to changes in the environment, such as system restarts or changed credentials.[2] The most common techniques observed to maintain persistence included launching a Command & Control (C2) implant, modifying dormant accounts to create a backdoor, and setting scheduled tasks to create a reverse shell.

Cobalt Strike is a common threat emulation tool used by both industry penetration testers and cybercriminals to maintain persistence. It includes functionality to set up a C2 server and implant malicious code on targets, which calls back to receive scheduled tasks.

Once a C2 implant is on infrastructure, it will maintain persistence by being launched at system start-up or user log-on, by either modifying registry run keys, adding it to the start-up folder or by using Windows logon scripts[3]. To mitigate this, organisations must analyse network traffic for uncommon data flows. This includes reviewing processes that typically do not use network communication, and analysing packet contents to detect application layer protocols that do not follow the expected standard. However, this can be quite expensive and difficult to implement, therefore it is recommended to focus on using Endpoint Detection and Response (EDR) software for alerting.

Adversaries also look to control dormant accounts within the network, which are usually from staff on extended leave. To mitigate this, organisations should ensure there is integration between the human resources and system administration functions of the organisation. When an employee’s working status changes, a ticket should automatically be raised with the system administration team to temporarily disable the user’s account and remove them from unnecessary Active Directory groups.

Threat actors also use scheduling functionality to recurringly execute malicious code to create reverse shells. This technique has also been observed being used in the wild by malware families such as Lokibot and Remsec[4]. Mitigations vary by operating system, but ultimately rely on scheduled tasks being audited locally or through a centralised logging source.
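To make the two audits above concrete (the autostart locations an implant uses, and scheduled tasks), here is an added PowerShell inventory script that is not part of the article. It enumerates the Run/RunOnce keys, the start-up folders, the per-user logon-script value and every enabled scheduled task, then flags entries that launch a script interpreter or run from outside the Windows and Program Files directories. The interpreter list and the path rule are this example's own heuristics; expect some built-in Microsoft tasks to match, and baseline those rather than treating a flag as a verdict.

```powershell
# Added example, not from the article: inventory autostart locations and
# scheduled tasks on a host and flag likely persistence. Run elevated.
$interpreterPattern = '(?i)\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b'
$trustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") | Where-Object { $_ }

function Test-Suspicious([string]$command) {
    if (-not $command) { return $false }
    # Expand %SystemRoot%-style variables and strip quotes so paths compare cleanly.
    $clean  = [Environment]::ExpandEnvironmentVariables($command.Trim('"', ' '))
    $interp = $clean -match $interpreterPattern
    $inTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($clean.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    return ($interp -or -not $inTrusted)
}

$entries = [System.Collections.Generic.List[object]]::new()
function Add-Entry($source, $name, $command) {
    $entries.Add([pscustomobject]@{
        Source = $source; Name = $name; Command = $command; Flagged = (Test-Suspicious $command)
    })
}

# 1. Registry Run / RunOnce keys for the machine and the current user.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) { Add-Entry $key $name $item.GetValue($name) }
    }
}

# 2. Start-up folders (per-user and all-users); resolve shortcuts to their target.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        Add-Entry 'StartupFolder' $_.Name $target
    }
}

# 3. Per-user logon script configured through the environment value.
$logon = Get-ItemProperty -Path 'HKCU:\Environment' -Name UserInitMprLogonScript -ErrorAction SilentlyContinue
if ($logon) { Add-Entry 'LogonScript' 'UserInitMprLogonScript' $logon.UserInitMprLogonScript }

# 4. Enabled scheduled tasks, one row per executable action.
Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            Add-Entry "Task:$($task.TaskPath)" $task.TaskName "$($action.Execute) $($action.Arguments)".Trim()
        }
    }
}

$entries | Sort-Object Flagged -Descending | Format-Table -AutoSize -Wrap
```

Feeding the output into a central log store and diffing it against the previous run turns this from a point-in-time check into the continuous audit the paragraph asks for: a new flagged row is the signal, not the static list.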

Whilst privilege escalation and lateral movement are separate techniques, they are often combined, as it is easier for a threat actor to move laterally throughout a network and compromise other accounts than it is to escalate privileges from a standard user account to a local administrator on a single workstation. This is also because the initial compromise is often in heavily controlled and monitored environments such as Windows Virtual Desktops (WVD), Citrix gateways and Standard Operating Environment (SOE) workstations.

Privilege escalation refers to gaining a higher level of privilege than the initial access originally had. This can be completed at the host level, by upgrading from a standard user to a local administrator (NT AUTHORITY\SYSTEM on Windows and root on *nix), or it can be completed at the domain level, by moving laterally throughout the network to new systems and resources which have higher privileges or trust, such as an Exchange server or domain controller.

The most common observed privilege escalation techniques included attacks leveraging Kerberos, adversary-in-the-middle attacks such as LLMNR (Link-Local Multicast Name Resolution) poisoning, LSASS (Local Security Authority Subsystem Service) credential dumping and gaining access to passwords misplaced in network shares.

Figure 3 displays a malicious penetration tester selling Domain Admin access to a USA-based real estate organisation with a revenue of over $350 million, for a buy-now price of US$24,000. This user primarily relied on Kerberos-based attacks to escalate privilege and move laterally through compromised networks. This user was also seen purchasing access from the Initial Access Broker in Figure 2.

Kerberos is a network authentication protocol used by default in Windows Active Directory (AD) environments, based on utilising tickets to allow nodes to communicate and prove their identity[5]. Kerberoasting is used to steal tickets and retrieve service account credentials as a standard user. A threat actor is able to request a Kerberos service ticket, capture that Ticket Granting Service (TGS) ticket from memory, and then crack the targeted service account hash offline. This is possible because part of each TGS ticket is, by design, encrypted using the service account’s NTLM hash.

With low complexity requirements, the NTLM hash can be cracked and the password can be used to move laterally. Organisations should mandate complex passwords of 25 or more characters for service accounts and, if possible, change them every 30 days. Kerberos encryption should also be changed to AES-256. In general, the principle of least privilege should be applied, to ensure that the minimum required number of users are assigned to the domain admin group, and other admin functions should be delegated to separate accounts to limit the extent of compromise.
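The following added PowerShell (not from the article) reviews the accounts that are exposed to Kerberoasting, namely user accounts carrying an SPN, against the three controls just listed: whether RC4 is still permitted, whether the password is older than 30 days, and whether the account sits in Domain Admins. It assumes the ActiveDirectory RSAT module; the encryption-type bit values are Microsoft's documented flags for msDS-SupportedEncryptionTypes, and the optional enforcement step switches flagged accounts to AES only.

```powershell
# Added example, not from the article: report Kerberoast exposure of SPN-bearing
# user accounts and optionally enforce AES-only Kerberos encryption on them.
Import-Module ActiveDirectory
$Enforce       = $false   # set $true to apply Set-ADUser to RC4-capable accounts
$MaxPwdAgeDays = 30       # rotation target from the article

# Bits of msDS-SupportedEncryptionTypes (Microsoft's documented flag values).
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

$spnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, MemberOf, 'msDS-SupportedEncryptionTypes' |
    Where-Object SamAccountName -ne 'krbtgt'

$report = foreach ($acct in $spnAccounts) {
    $enc = $acct.'msDS-SupportedEncryptionTypes'
    # An unset value means the KDC falls back to RC4 for this account.
    $rc4Allowed = (-not $enc) -or (($enc -band $RC4) -ne 0)
    $aesOnly    = [bool]$enc -and (($enc -band ($AES128 -bor $AES256)) -ne 0) -and -not $rc4Allowed
    $pwdAge     = if ($acct.PasswordLastSet) { (New-TimeSpan -Start $acct.PasswordLastSet).Days } else { $null }
    # Direct membership only; nested groups need a recursive lookup.
    $isDA       = $acct.MemberOf | Where-Object { $_ -like 'CN=Domain Admins,*' }

    [pscustomobject]@{
        Account         = $acct.SamAccountName
        SPNs            = $acct.ServicePrincipalName.Count
        RC4Allowed      = $rc4Allowed
        AESOnly         = [bool]$aesOnly
        PasswordAgeDays = $pwdAge
        StalePassword   = ($null -eq $pwdAge) -or ($pwdAge -gt $MaxPwdAgeDays)
        DomainAdmin     = [bool]$isDA
    }
}

$report | Sort-Object DomainAdmin, RC4Allowed -Descending | Format-Table -AutoSize

if ($Enforce) {
    foreach ($row in ($report | Where-Object RC4Allowed)) {
        # Only safe where every client of this service supports AES; verify first.
        Set-ADUser -Identity $row.Account -KerberosEncryptionType 'AES128,AES256'
    }
}
```

A row with DomainAdmin and RC4Allowed both true is the case the paragraph warns about: a single cracked service password that is also a domain-wide one. Removing that account from Domain Admins and delegating its rights is usually the faster fix than the encryption change.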

LLMNR is a protocol enabled by default in modern Windows operating systems that allows hosts to perform name resolution on the same local link[6]. When Domain Name System (DNS) resolution fails, the host will broadcast to all other machines on the local network for the correct address via LLMNR or NBT-NS. If the host was attempting to open a Server Message Block (SMB) connection and a machine answers, it will pass across its username and NTLM hash (v1 or v2).

In an enterprise environment, there are often legacy scripts regularly attempting to reach decommissioned or renamed hosts, so DNS resolution fails and the LLMNR protocol is used. An attacker can exploit this by masquerading as the machine that the host is trying to resolve, and if an SMB connection is being opened, can receive a copy of its credentials[7].

Organisations can mitigate this by disabling both LLMNR and NBT-NS. Both are required because NBT-NS is used automatically if LLMNR is disabled. Inter-VLAN communication should be limited to reduce the success of local network attacks. Additionally, automated scripts should only use the lowest privilege possible to perform tasks, to limit the extent of compromise.

LSASS is a process used in Windows operating systems for enforcing the security policy on the system; it verifies user logons, handles password changes, and creates access tokens. To undertake its function, the LSASS.exe process will cache a copy of previously logged-in users’ passwords and password hashes. With access to the NT AUTHORITY\SYSTEM account, the LSASS.exe process can be snapshotted, having the contents of its memory “dumped”. This dump will contain any cached credentials[8]. These credentials can then be used by an attacker to pivot to other machines in the network, and then repeat the process on a new machine to pivot further until a highly privileged domain account is compromised. However, it is noted that credentials are no longer cached in memory from Windows 8.1/2012 R2 onwards due to the implementation of protected processes.

This technique has been widely observed in use by both malicious penetration testers, advanced persistent threats, and ransomware operators, using a tool known as Mimikatz. To prevent the success of these attacks, additional Local Security Authority (LSA) configurations should be implemented to prevent code injection that could compromise credentials[9].
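The two host-level mitigations above (disabling LLMNR and NBT-NS, and the additional LSA protection that stops code injection into LSASS) come down to a handful of registry-backed settings. Here is an added PowerShell check-and-enforce script, not from the article, that reports each setting and, when `$Enforce` is set, applies the documented value. The registry paths are Microsoft's documented locations for these policies; the WDigest entry is included because it governs whether clear-text logon credentials are kept in LSASS memory, which is the "cached credentials" case the article describes. `RunAsPPL` takes effect after a reboot.

```powershell
# Added example, not from the article: check (and optionally enforce) LLMNR,
# NBT-NS, LSA protected process and WDigest settings. Run elevated.
$Enforce = $false   # set $true to write the expected values

$controls = @(
    @{ Name = 'LLMNR disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Value = 'EnableMulticast'; Expected = 0 },
    @{ Name = 'LSA protected process (RunAsPPL)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RunAsPPL'; Expected = 1 },
    @{ Name = 'WDigest clear-text credentials disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'; Expected = 0 }
)

# NetBIOS over TCP/IP is configured per interface: NetbiosOptions 2 = disabled.
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $ifaceRoot) {
    $controls += @{ Name = "NBT-NS disabled on $($iface.PSChildName)"
                    Path = $iface.PSPath; Value = 'NetbiosOptions'; Expected = 2 }
}

$results = foreach ($c in $controls) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $status = if (($null -ne $actual) -and ($actual -eq $c.Expected)) { 'Compliant' } else { 'NonCompliant' }

    if ($status -eq 'NonCompliant' -and $Enforce) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -PropertyType DWord -Force | Out-Null
        $status = 'Remediated'
    }

    [pscustomobject]@{ Control = $c.Name; Actual = $actual; Expected = $c.Expected; Status = $status }
}

$results | Format-Table -AutoSize
```

In a domain the same values are normally pushed through Group Policy; this script is the per-host verification that the policy actually landed, which is the step that is usually skipped.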

The final technique observed was gaining access to passwords stored in network share drives[10]. This can be a result of poor security governance, or because credentials within group policy settings in SYSVOL are encrypted using a key shared publicly by Microsoft in 2019.[11] Organisations should ensure that credentials are not placed in locations that are accessible by users or within group policy preference files. Network shares should be regularly searched for credentials that might be hardcoded in scripts or stored in documents for business efficiency.
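As an added example of the regular share search recommended above (not from the article), this PowerShell walks SYSVOL and a list of file shares looking for the two residues the paragraph names: Group Policy Preference files carrying a `cpassword` attribute, and scripts, configuration or text files that assign a password. The share names and file patterns are this example's assumptions. Findings are reported with the secret masked, since the output is a clean-up worklist and should not itself become a credential store.

```powershell
# Added example, not from the article: hunt for credentials left in SYSVOL and
# file shares; report locations with the secret value masked.
$domain     = $env:USERDNSDOMAIN
$roots      = @("\\$domain\SYSVOL\$domain\Policies", '\\fileserver01\IT', '\\fileserver01\Scripts')  # assumed share paths
$extensions = '*.xml', '*.ps1', '*.bat', '*.cmd', '*.vbs', '*.ini', '*.txt', '*.config', '*.conf'

$patterns = @(
    'cpassword="[^"]+"',                                   # Group Policy Preference credentials
    '(?i)\b(password|passwd|pwd|secret)\b\s*[:=]\s*\S+'   # key = value in scripts and config files
)

function Hide-Secret([string]$line) {
    # Keep the key, replace the value, so the report itself does not leak it.
    $line -replace '(?i)((?:password|passwd|pwd|secret|cpassword)\b\s*[:=]?\s*"?)\S+', '$1********'
}

$hits = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { Write-Warning "Unreachable: $root"; continue }
    Get-ChildItem -Path $root -Recurse -File -Include $extensions -ErrorAction SilentlyContinue |
        Select-String -Pattern $patterns -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Finding = if ($_.Line -match 'cpassword') { 'GPP cpassword' } else { 'Password assignment' }
                Sample  = Hide-Secret $_.Line.Trim()
            }
        }
}

$hits | Sort-Object Finding, File | Format-Table -AutoSize -Wrap
"$($hits.Count) candidate credential exposures"
```

A `GPP cpassword` hit is actionable on its own: the preference item should be removed and the account's password rotated, regardless of how old the policy is, because the encryption offers no protection.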

Phase 3: Exfiltration & Encryption

In recent times, ransomware operators have moved to a “double extortion” model, by both exfiltrating sensitive files and encrypting all workstations, servers, and backup infrastructure with ransomware[12]. The impacts and devastation that ransomware can cause are widely known, and every organisation will question whether or not they are susceptible to it.

Avos Ransomware was first observed in July 2021 actively targeting Australian organisations, as seen in Figure 5. Malicious penetration testers, as observed in Phase 2, will either work with ransomware operators like Avos on a pay-per-access basis, or by operating on commission as affiliates.

If an organisation doesn’t make a ransomware payment, their files are leaked on a Data Leak Site (DLS) maintained by Avos, which can be seen in Figure 6. The ransomware payload is typically delivered by either creating a group policy to distribute the package in the network or being remotely invoked as a process using PowerShell on all hosts.

There are various methods that ransomware operators can use for exfiltrating data, and if they have already obtained privileged domain access, it may be too late to prevent data leakage. Organisations should perform automated network traffic analysis to identify inconsistencies in outbound traffic, and regularly audit firewall rules and categorisation[13].
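To illustrate the "inconsistencies in outbound traffic" check, here is an added PowerShell example (not from the article) that runs a simple volume baseline over outbound flow records of the kind a firewall or NetFlow collector exports. The records are constructed for this example and use documentation address ranges; the logic sums the bytes each internal host sends to non-private destinations per day and flags hosts whose total is far above the fleet median or above a fixed ceiling. Both thresholds are assumptions to tune locally.

```powershell
# Added example, not from the article: flag internal hosts whose daily outbound
# volume to external addresses is anomalous. Flow records below are constructed.
$flows = @'
timestamp,src,dst,dst_port,bytes_out
2023-06-01T09:12:00,10.1.20.14,198.51.100.14,443,1843210
2023-06-01T09:40:00,10.1.20.15,198.51.100.69,443,2210034
2023-06-01T10:05:00,10.1.20.16,198.51.100.42,443,1622010
2023-06-01T10:30:00,10.1.20.14,10.1.5.9,445,90411000
2023-06-01T22:14:00,10.1.20.17,203.0.113.45,443,38100442100
2023-06-01T22:40:00,10.1.20.17,203.0.113.45,443,41223008800
2023-06-02T08:50:00,10.1.20.15,198.51.100.69,443,1904410
2023-06-02T09:10:00,10.1.20.14,198.51.100.14,443,1701133
'@ | ConvertFrom-Csv

$AbsoluteThresholdBytes = 5GB   # assumption: ceiling per host per day
$MedianMultiplier       = 10    # assumption: how far above the fleet median is abnormal

function Test-PrivateIP([string]$ip) {
    # RFC 1918 ranges; anything else is treated as external.
    $o = $ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

# Only internal -> external flows count as potential exfiltration.
$external = $flows | Where-Object { (Test-PrivateIP $_.src) -and -not (Test-PrivateIP $_.dst) }

# Aggregate to one row per source host per calendar day.
$perHostDay = $external |
    Group-Object { "$($_.src)|$($_.timestamp.Substring(0, 10))" } |
    ForEach-Object {
        $src, $day = $_.Name.Split('|')
        $sum = ($_.Group | ForEach-Object { [long]$_.bytes_out } | Measure-Object -Sum).Sum
        [pscustomobject]@{ Host = $src; Day = $day; BytesOut = [long]$sum }
    }

# Fleet median as the baseline, so one noisy host cannot drag the average up.
$values = @($perHostDay.BytesOut | Sort-Object)
$mid    = [math]::Floor($values.Count / 2)
$median = if ($values.Count % 2 -eq 1) { $values[$mid] } else { ($values[$mid - 1] + $values[$mid]) / 2 }

$alerts = $perHostDay | Where-Object {
    $_.BytesOut -gt $AbsoluteThresholdBytes -or $_.BytesOut -gt ($median * $MedianMultiplier)
} | ForEach-Object {
    $top = $external | Where-Object { $_.src -eq $_.src } |
           Where-Object src -eq $_.Host | Group-Object dst | Sort-Object Count -Descending | Select-Object -First 1
    [pscustomobject]@{
        Host        = $_.Host
        Day         = $_.Day
        GBOut       = [math]::Round($_.BytesOut / 1GB, 2)
        MedianRatio = [math]::Round($_.BytesOut / $median, 1)
        TopDest     = $top.Name
    }
}

"Fleet median per host-day: $([math]::Round($median / 1MB, 2)) MB"
$alerts | Format-Table -AutoSize
```

With the constructed records, only 10.1.20.17 on 2023-06-01 is reported: roughly 79 GB to a single external address, late in the evening, against a median of under 2 MB. Traffic to internal addresses (the SMB transfer from 10.1.20.14) is excluded so that normal file-server use does not inflate the baseline.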

Performing regular backups is critical, but organisations must not forget to implement a robust IT disaster recovery plan and incident response plan which contains procedures for regularly taking and testing backups[14]. It is important that not only the backups are tested, but the plan itself is tested by conducting simulation exercises regularly so that personnel are aware of their roles and responsibilities.

Conclusion

Protecting your organisation from cyber threats is like being involved in a game of “cat and mouse” and it should be known there is no silver bullet or product that will provide the level of assurance the business needs in its resilience to cyber-attacks. A layered approach of controls related to people, process, and technology, will truly apply the “Defence in Depth” strategy to impede and disrupt a threat from achieving its objective.

The review completed was not exhaustive, and there will always be other recommendations that can be made to improve cyber resilience. A shift in mindset is ultimately required, by working on the assumptions that a threat actor already has an initial foothold, and further controls are required to identify, detect, and isolate them from the network.

Available to read online here: https://cybertoday.partica.online/cyber-today/cyber-today-edition-1-2022/flipbook/34/


Jacob Larsen

I have a deep interest in threat intelligence research. I currently work as a penetration tester but have a diverse background in strategic advisory roles.