MA-993.112023: MyCERT Alert - Cyber Security Best Practices against Ransomware LockBit 3.0
1.0 Introduction
The Cyber999 Incident Response Centre observed an increase in various ransomware-related attacks, including attacks executed by well-identified ransomware known as LockBit 3.0. Lately, we have been receiving incidents involving a number of organisations in Malaysia hit by the LockBit 3.0 ransomware. Hence, this advisory is released to alert and advise organisations to apply necessary measures on prevention and mitigations if they are targeted or fall victim.
LockBit 3.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTP), creating significant challenges for defence and mitigation. LockBit 3.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. The attackers associated with the Lockbit 3.0 are believed to originate from Russia. According to a detailed analysis, the ransomware checks the default system language, avoids encryption and stops the attack if the victim system’s language is Russian or one of the countries nearby Russia.
We have previously released an advisory on Lockbit 3.0 ransomware, available at:
https://www.mycert.org.my/portal/advisory?id=MA-907.012023
Additionally, it was also reported recently by security researchers and security organisations that the infamous LockBit 3.0 ransomware group was observed exploiting a critical unpatched Citrix NetScaler ADC and NetScaler Gateway vulnerability – CVE-2023-4966, referred to as "Citrix Bleed," increasing the urgency for enterprises to patch. Citrix Bleed was disclosed on October 10 2023, as a critical security issue that affects Citrix NetScaler ADC and Gateway, enabling unauthorised access to sensitive device information.
A joint advisory by CISA, FBI, MS-ISAC, and ASD’s ACSC was released on LockBit affiliates exploiting Citrix Bleed, available at:
2.0 Impact
The impacts of LockBit 3.0 are:
- Operations disruption with essential functions coming to a sudden halt.
- Extortion by the hackers for financial gain.
- Data theft and illegal publication as blackmail if the victim does not comply.
3.0 Recommendations
MyCERT recommends network defenders apply the following mitigations to reduce the risk of compromise by LockBit 3.0 ransomware:
1) Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
Note: Devices with local administrative accounts should implement a password policy requiring strong, unique passwords for each administrative account.
2) Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
3) Keep all operating systems and software up to date. Prioritize patching known exploited vulnerabilities. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
4) Apply security updates released by Citrix to address CVE-2023-4966 in NetScaler ADC and NetScaler Gateway.
https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
5) Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, and these restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
6) Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
7) Enable protected files in the Windows Operating System to prevent unauthorized changes to critical files.
8) Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
9) Maintain offline backups of data and regularly maintain backup and restoration. By implementing this practice, the organisation ensures they will not be severely interrupted, and/or only have irretrievable data.
Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
6.0 References
- https://www.cisa.gov/guidance-addressing-citrix-netscaler-adc-and-gateway-vulnerability-cve-2023-4966-citrix-bleed
- https://services.google.com/fh/files/misc/citrix-netscaler-adc-gateway-cve-2023-4966-remediation.pdf
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
- https://www.acaglobal.com/insights/thousands-servers-exposed-citrix-bleed-vulnerability
- https://www.cisa.gov/news-events/alerts/2023/11/16/citrix-releases-security-updates-citrix-hypervisor-0
- https://support.citrix.com/article/CTX583037/citrix-hypervisor-security-bulletin-for-cve202323583-and-cve202346835
MA-989.112023: MyCERT Alert - CISA, FBI, and MS-ISAC Release Advisory on Rhysida Ransomware
1.0 Introduction
Recently, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Rhysida Ransomware, to disseminate known Rhysida ransomware indicators of compromise (IOCs), detection methods, and tactics, techniques, and procedures (TTPs) identified through investigations as recently as September 2023.
Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates. Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.
2.0 Impact
Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832)[1] activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting[2] has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.
For additional information on Vice Society actors and associated activity, see the joint CSA #StopRansomware: Vice Society.
3.0 Technical Details
3.1 Tactics, Techniques and Procedures (TTPs)
3.1.1 Initial Access
Rhysida actors have been observed leveraging external-facing remote services to initially access and persist within a network. Remote services, such as virtual private networks (VPNs), allow users to connect to internal enterprise network resources from external locations. Rhysida actors have commonly been observed authenticating to internal VPN access points with compromised valid credentials [T1078], notably due to organizations lacking MFA enabled by default. Additionally, actors have been observed exploiting Zerologon (CVE-2020-1472)—a critical elevation of privileges vulnerability in Microsoft’s Netlogon Remote Protocol [T1190]—as well as conducting successful phishing attempts [T1566]. Note: Microsoft released a patch for CVE-2020-1472 on August 11, 2020.[3]
3.1.2 Living off the Land
Analysis identified Rhysida actors using living off the land techniques, such as creating Remote Desktop Protocol (RDP) connections for lateral movement [T1021.001], establishing VPN access, and utilizing PowerShell [T1059.001]. Living off the land techniques include using native (built into the operating system) network administration tools to perform operations. This allows the actors to evade detection by blending in with normal Windows systems and network activities.
Ipconfig [T1016], whoami [T1033], nltest [T1482], and several net commands have been used to enumerate victim environments and gather information about domains. In one instance of using compromised credentials, actors leveraged net commands within PowerShell to identify logged-in users and performed reconnaissance on network accounts within the victim environment. Note: The following commands were not performed in the exact order listed.
- net user [username] /domain [T1087.002]
- net group “domain computers” /domain [T1018]
- net group “domain admins” /domain [T1069.002]
- net localgroup administrators [T1069.001]
Analysis of the master file table (MFT)[4] identified the victim system generated the ntuser.dat registry hive, which was created when the compromised user logged in to the system for the first time. This was considered anomalous due to the baseline of normal activity for that particular user and system. Note: The MFT resides within the New Technology File System (NTFS) and houses information about a file including its size, time and date stamps, permissions, and data content.
3.1.3 Leveraged Tools
Table 1 lists legitimate tools Rhysida actors have repurposed for their operations. The legitimate tools listed in this joint CSA are all publicly available. Use of these tools should not be attributed as malicious without analytical evidence to support they are used at the direction of or controlled by threat actors.
Disclaimer: Organizations are encouraged to investigate and vet use of these tools prior to performing remediation actions.
Name | Description |
---|---|
cmd.exe | The native command line prompt utility. |
PowerShell.exe | A native command line tool used to start a Windows PowerShell session in a Command Prompt window. |
PsExec.exe | A tool included in the PsTools suite used to execute processes remotely. Rhysida actors heavily leveraged this tool for lateral movement and remote execution. |
mstsc.exe | A native tool that establishes an RDP connection to a host. |
PuTTY.exe | Rhysida actors have been observed creating Secure Shell (SSH) PuTTy connections for lateral movement. In one example, analysis of PowerShell console host history for a compromised user account revealed Rhysida actors leveraged PuTTy to remotely connect to systems via SSH [T1021.004]. |
PortStarter | A back door script written in Go that provides functionality for modifying firewall settings and opening ports to pre-configured command and control (C2) servers.[1] |
secretsdump | A script used to extract credentials and other confidential information from a system. Rhysida actors have been observed using this for NTDS dumping [T1003.003] in various instances. |
ntdsutil.exe | A standard Windows tool used to interact with the NTDS database. Rhysida actors used this tool to extract and dump the NTDS.dit database from the domain controller containing hashes for all Active Directory (AD) users. Note: It is strongly recommended that organizations conduct domain-wide password resets and double Kerberos TGT password resets if any indication is found that the NTDS.dit file was compromised. |
AnyDesk | A common software that can be maliciously used by threat actors to obtain remote access and maintain persistence [T1219]. AnyDesk also supports remote file transfer. |
wevtutil.exe | A standard Windows Event Utility tool used to view event logs. Rhysida actors used this tool to clear a significant number of Windows event logs, including system, application, and security logs [T1070.001]. |
PowerView | A PowerShell tool used to gain situational awareness of Windows domains. Review of PowerShell event logs identified Rhysida actors using this tool to conduct additional reconnaissance-based commands and harvest credentials. |
3.2 Rhysida Ransomware Characteristics
3.2.1 Execution
In one investigation, Rhysida actors created two folders in the C:\ drive labeled in and out, which served as a staging directory (central location) for hosting malicious executables. The in folder contained file names in accordance with host names on the victim’s network, likely imported through a scanning tool. The out folder contained various files listed in Table 2 below. Rhysida actors deployed these tools and scripts to assist system and network-wide encryption.
File Name | Hash (SHA256) | Description |
---|---|---|
conhost.exe | 6633fa85bb234a75927b23417313e51a4c155e12f71da3959e168851a600b010 | A ransomware binary. |
psexec.exe | 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b | A file used to execute a process on a remote or local host. |
S_0.bat | 1c4978cd5d750a2985da9b58db137fc74d28422f1e087fd77642faa7efe7b597 | A batch script likely used to place 1.ps1 on victim systems for ransomware staging purposes [T1059.003]. |
1.ps1 | 4e34b9442f825a16d7f6557193426ae7a18899ed46d3b896f6e4357367276183 | Identifies an extension block list of files to encrypt and not encrypt. |
S_1.bat | 97766464d0f2f91b82b557ac656ab82e15cae7896b1d8c98632ca53c15cf06c4 | A batch script that copies conhost.exe (the encryption binary) on an imported list of host names within the C:\Windows\Temp directory of each system. |
S_2.bat | 918784e25bd24192ce4e999538be96898558660659e3c624a5f27857784cd7e1 | Executes conhost.exe on compromised victim systems, which encrypts and appends the extension of .Rhysida across the environment. |
Rhysida ransomware uses a Windows 64-bit Portable Executable (PE) or common object file format (COFF) compiled using MinGW via the GNU Compiler Collection (GCC), which supports various programming languages such as C, C++, and Go. The cryptographic ransomware application first injects the PE into running processes on the compromised system [T1055.002]. Additionally, third-party researchers identified evidence of Rhysida actors developing custom tools with program names set to “Rhysida-0.1” [T1587].
3.2.2 Encryption
After mapping the network, the ransomware encrypts data using a 4096-bit RSA encryption key with a ChaCha20 algorithm [T1486]. The algorithm features a 256-bit key, a 32-bit counter, and a 96-bit nonce along with a four-by-four matrix of 32-bit words in plain text. Registry modification commands [T1112] are not obfuscated, displayed as plain-text strings and executed via cmd.exe.
Rhysida’s encryptor runs a file to encrypt and modify all encrypted files to display a .rhysida extension.[5] Following encryption, a PowerShell command deletes the binary [T1070.004] from the network using a hidden command window [T1564.003]. The Rhysida encryptor allows arguments -d (select a directory) and -sr (file deletion), defined by the authors of the code as parseOptions.[6] After the lines of binary strings complete their tasks, they delete themselves through the control panel to evade detection.
3.2.3 Data Extortion
Rhysida actors reportedly engage in “double extortion” [T1657]—demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid.[5],[7] Rhysida actors direct victims to send ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. As shown in Figure 1, Rhysida ransomware drops a ransom note named “CriticalBreachDetected” as a PDF file—the note provides each company with a unique code and instructions to contact the group via a Tor-based portal.
Figure 1: Rhysida Ransom Note
Identified in analysis and also listed in open source reporting, the contents of the ransom note are embedded as plain-text in the ransom binary, offering network defenders an opportunity to deploy string-based detection for alerting on evidence of the ransom note. Rhysida threat actors may target systems that do not use command-line operating systems. The format of the PDF ransom notes could indicate that Rhysida actors only target systems that are compatible with handling PDF documents.[8]
3.3 Indicators of Compromise (IOCs)
On November 10, 2023, Sophos published TTPs and IOCs identified from analysis conducted for six separate incidents.[9] The C2 IP addresses listed in Table 3 were derived directly from Sophos’ investigations and are listed on GitHub among other indicators.[10]
C2 IP Address |
---|
5.39.222[.]67 |
5.255.99[.]59 |
51.77.102[.]106 |
108.62.118[.]136 |
108.62.141[.]161 |
146.70.104[.]249 |
156.96.62[.]58 |
157.154.194[.]6 |
Additional IOCs were obtained from FBI, CISA, and the MS-ISAC’s investigations and analysis. The email addresses listed in Table 4 are associated with Rhysida actors’ operations. Rhysida actors have been observed creating Onion Mail email accounts for services or victim communication, commonly in the format: [First Name][Last Name]@onionmail[.]org.
Email Address |
---|
rhysidaeverywhere@onionmail[.]org |
rhysidaofficial@onionmail[.]org |
Rhysida actors have also been observed using the following files and executables listed in Table 5 to support their operations.
Disclaimer: Organizations are encouraged to investigate the use of these files for related signs of compromise prior to performing remediation actions.
File Name | Hash (SHA256) |
---|---|
Sock5.sh | 48f559e00c472d9ffe3965ab92c6d298f8fb3a3f0d6d203cd2069bfca4bf3a57 |
PsExec64.exe | edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef |
PsExec.exe | 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b |
PsGetsid64.exe | 201d8e77ccc2575d910d47042a986480b1da28cf0033e7ee726ad9d45ccf4daa |
PsGetsid.exe | a48ac157609888471bf8578fb8b2aef6b0068f7e0742fccf2e0e288b0b2cfdfb |
PsInfo64.exe | de73b73eeb156f877de61f4a6975d06759292ed69f31aaf06c9811f3311e03e7 |
PsInfo.exe | 951b1b5fd5cb13cde159cebc7c60465587e2061363d1d8847ab78b6c4fba7501 |
PsLoggedon64.exe | fdadb6e15c52c41a31e3c22659dd490d5b616e017d1b1aa6070008ce09ed27ea |
PsLoggedon.exe | d689cb1dbd2e4c06cd15e51a6871c406c595790ddcdcd7dc8d0401c7183720ef |
PsService64.exe | 554f523914cdbaed8b17527170502199c185bd69a41c81102c50dbb0e5e5a78d |
PsService.exe | d3a816fe5d545a80e4639b34b90d92d1039eb71ef59e6e81b3c0e043a45b751c |
Eula.txt | 8329bcbadc7f81539a4969ca13f0be5b8eb7652b912324a1926fc9bfb6ec005a |
psfile64.exe | be922312978a53c92a49fefd2c9f9cc098767b36f0e4d2e829d24725df65bc21 |
psfile.exe | 4243dc8b991f5f8b3c0f233ca2110a1e03a1d716c3f51e88faf1d59b8242d329 |
pskill64.exe | 7ba47558c99e18c2c6449be804b5e765c48d3a70ceaa04c1e0fae67ff1d7178d |
pskill.exe | 5ef168f83b55d2cbd2426afc5e6fa8161270fa6a2a312831332dc472c95dfa42 |
pslist64.exe | d3247f03dcd7b9335344ebba76a0b92370f32f1cb0e480c734da52db2bd8df60 |
pslist.exe | ed05f5d462767b3986583188000143f0eb24f7d89605523a28950e72e6b9039a |
psloglist64.exe | 5e55b4caf47a248a10abd009617684e969dbe5c448d087ee8178262aaab68636 |
psloglist.exe | dcdb9bd39b6014434190a9949dedf633726fdb470e95cc47cdaa47c1964b969f |
pspasswd64.exe | 8d950068f46a04e77ad6637c680cccf5d703a1828fbd6bdca513268af4f2170f |
pspasswd.exe | 6ed5d50cf9d07db73eaa92c5405f6b1bf670028c602c605dfa7d4fcb80ef0801 |
psping64.exe | d1f718d219930e57794bdadf9dda61406294b0759038cef282f7544b44b92285 |
psping.exe | 355b4a82313074999bd8fa1332b1ed00034e63bd2a0d0367e2622f35d75cf140 |
psshutdown64.exe | 4226738489c2a67852d51dbf96574f33e44e509bc265b950d495da79bb457400 |
psshutdown.exe | 13fd3ad690c73cf0ad26c6716d4e9d1581b47c22fb7518b1d3bf9cfb8f9e9123 |
pssuspend64.exe | 4bf8fbb7db583e1aacbf36c5f740d012c8321f221066cc68107031bd8b6bc1ee |
pssuspend.exe | 95a922e178075fb771066db4ab1bd70c7016f794709d514ab1c7f11500f016cd |
PSTools.zip | a9ca77dfe03ce15004157727bb43ba66f00ceb215362c9b3d199f000edaa8d61 |
Pstools.chm | 2813b6c07d17d25670163e0f66453b42d2f157bf2e42007806ebc6bb9d114acc |
psversion.txt | 8e43d1ddbd5c129055528a93f1e3fab0ecdf73a8a7ba9713dc4c3e216d7e5db4 |
psexesvc.exe | This artifact is created when a user establishes a connection using psexec. It is removed after the connection is terminated, which is why there is no hash available for this executable. |
4.0 Recommendations
MyCERT recommends system administrators to review this advisory and take the below recommended mitigations to reduce the likelihood and impact of Rhysida and other ransomware incidents.
- Prioritize remediating known exploited vulnerabilities.
- Enable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
- Segment networks to prevent the spread of ransomware.
Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References
- Microsoft: DEV-0832 (Vice Society) Opportunistic Ransomware Campaigns Impacting US Education Sector
- FortiGuard Labs: Ransomware Roundup - Rhysida
- Microsoft: Security Update Guide - CVE-2020-1472
- Microsoft: Master File Table (Local File Systems)
- SentinelOne: Rhysida
- Secplicity: Scratching the Surface of Rhysida Ransomware
- Cisco Talos: What Cisco Talos Knows about the Rhysida Ransomware
- SOC Radar: Rhysida Ransomware Threat Profile
- Sophos: A Threat Cluster’s Switch from Vice Society to Rhysida
- Sophos: Vice Society - Rhysida IOCs (GitHub)
- Check Point Research: Rhysida Ransomware - Activity and Ties to Vice Society
- Microsoft: Command Line Process Auditing
- Microsoft: Audit Process Tracking
- Microsoft: Remote Credential Guard
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a
MA-944.062023: MyCERT Advisory - CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability
1.0 Introduction
Open-source data indicates that on May 27, 2023, the CL0P Ransomware Gang, also known as TA505, started exploiting a previously unreported SQL injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT), MOVEit Transfer.
A web shell called LEMURLOOT was used to infect MOVEit Transfer web apps that were accessible to the public and steal data from the underlying MOVEit Transfer databases. Similar flurry of activity was launched by TA505 in early 2023 targeting Fortra/Linoma GoAnywhere MFT servers and Accellion File Transfer Appliance (FTA) devices in the form of zero-day exploit-driven attacks.
2.0 Impact
- Retrieve Microsoft Azure system settings and enumerate the underlying SQL database.
- Store a string sent by the operator and then retrieve a file with a name matching the string from the MOVEit Transfer system.
- Create a new administrator privileged account with a randomly generated username and LoginName and RealName values set to “Health Check Service.”
- Delete an account with LoginName and RealName values set to ‘Health Check Service.’
3.0 Affected Products
- MOVEit Transfer 2023.0.0
- MOVEit Transfer 2022.1.x
- MOVEit Transfer 2022.0.x
- MOVEit Transfer 2021.1.x
- MOVEit Transfer 2021.0.x
- MOVEit Transfer 2020.1.x
- MOVEit Transfer 2020.0.x
4.0 Indicators of Compromise (IoCs)
4.1 Moveit Campaign Indicators of Compromised
Files | Hash | ||
LEMURLOOT Web Shell e.g. human2.aspx | 0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 | ||
0ea05169d111415903a1098110c34cdbbd390c23016cd4e179dd9ef507104495 | |||
110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286 | |||
1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2 | |||
2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5 | |||
2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59 | |||
348e435196dd795e1ec31169bd111c7ec964e5a6ab525a562b17f10de0ab031d | |||
387cee566aedbafa8c114ed1c6b98d8b9b65e9f178cf2f6ae2f5ac441082747a | |||
38e69f4a6d2e81f28ed2dc6df0daf31e73ea365bd2cfc90ebc31441404cca264 | |||
3a977446ed70b02864ef8cfa3135d8b134c93ef868a4cc0aa5d3c2a74545725b | |||
3ab73ea9aebf271e5f3ed701286701d0be688bf7ad4fb276cb4fbe35c8af8409 | |||
3c0dbda8a5500367c22ca224919bfc87d725d890756222c8066933286f26494c | |||
4359aead416b1b2df8ad9e53c497806403a2253b7e13c03317fc08ad3b0b95bf | |||
48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a | |||
58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166 | |||
5b566de1aa4b2f79f579cdac6283b33e98fdc8c1cfa6211a787f8156848d67ff | |||
6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d | |||
702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0 | |||
769f77aace5eed4717c7d3142989b53bd5bac9297a6e11b2c588c3989b397e6b | |||
7c39499dd3b0b283b242f7b7996205a9b3cf8bd5c943ef6766992204d46ec5f1 | |||
93137272f3654d56b9ce63bec2e40dd816c82fb6bad9985bed477f17999a47db | |||
98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8 | |||
9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead | |||
9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a | |||
a1269294254e958e0e58fc0fe887ebbc4201d5c266557f09c3f37542bd6d53d7 | |||
a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986 | |||
b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272 | |||
b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03 | |||
b9a0baf82feb08e42fa6ca53e9ec379e79fbe8362a7dac6150eb39c2d33d94ad | |||
bdd4fa8e97e5e6eaaac8d6178f1cf4c324b9c59fc276fd6b368e811b327ccf8b | |||
c56bcb513248885673645ff1df44d3661a75cfacdce485535da898aa9ba320d4 | |||
c77438e8657518221613fbce451c664a75f05beea2184a3ae67f30ea71d34f37 | |||
cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621 | |||
cf23ea0d63b4c4c348865cefd70c35727ea8c82ba86d56635e488d816e60ea45 | |||
d477ec94e522b8d741f46b2c00291da05c72d21c359244ccb1c211c12b635899 | |||
d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195 | |||
daaa102d82550f97642887514093c98ccd51735e025995c2cc14718330a856f4 | |||
e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e | |||
ea433739fb708f5d25c937925e499c8d2228bf245653ee89a6f3d26a5fd00b7a | |||
ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c | |||
f0d85b65b9f6942c75271209138ab24a73da29a06bc6cc4faeddcb825058c09d | |||
fe5f8388ccea7c548d587d1e2843921c038a9f4ddad3cb03f3aa8a45c29c6a2f |
4.2 GoAnywhere Campaign Indicators of Compromise
Files | Hash | Description |
larabqFa.exe Qboxdv.dll | 0e3a14638456f4451fe8d76 fdc04e591fba942c2f16da3 1857ca66293a58a4c3 | Truebot |
%TMP%\7ZipSfx.000\Zoom.exe | 1285aa7e6ee729be808c46 c069e30a9ee9ce34287151 076ba81a0bea0508ff7e | Spawns a PowerShell subprocess which executes a malicious DLL file |
%TMP%\7ZipSfx.000\ANetDiag.dll | 2c8d58f439c708c28ac4ad 4a0e9f93046cf076fc6e5ab 1088e8943c0909acbc4 | Obfuscated malware which also uses long sleeps and debug detection to evade analysis |
AVICaptures.dll | a8569c78af187d603eecdc 5faec860458919349eef510 91893b705f466340ecd | Truebot |
kpdphhajHbFerUr.exe gamft.dll | c042ad2947caf4449295a5 1f9d640d722b5a6ec69575 23ebf68cddb87ef3545c | Truebot |
dnSjujahur.exe Pxaz.dll | c9b874d54c18e895face05 5eeb6faa2da7965a336d70 303d0bd6047bec27a29d | Truebot |
7ZSfxMod_x86.exe ZoomInstaller.exe Zoom.exe | d5bbcaa0c3eeea17f12a5c c3dbcaffff423d00562acb69 4561841bcfe984a3b7 | Fake Zoom installer - Truebot |
update.jsp | eb9f5cbe71f9658d38fb4a7 aa101ad40534c4c93ee73e f5f6886d89159b0e2c2 | Java Server Pages (JSP) web shell with some base64 obfuscation |
%TMP%\<folder>\extracted_at_0x e5c8f00.exe | f2f08e4f108aaffaadc3d11b ad24abdd625a77e0ee9674 c4541b562c78415765 | Employs sandbox detection and string obfuscation - appears to be a collection of C# hack tools |
UhfdkUSwkFKedUUi.exe gamft.dll | ff8c8c8bfba5f2ba2f800325 5949678df209dbff95e16f2f 3c338cfa0fd1b885 | Truebot |
Email Address | Description |
unlock@rsv-box[.]com | CL0P communication email |
unlock@support-mult[.]com | CL0P communication email |
rey14000707@gmail[.]com | Login/Download |
gagnondani225@gmail[.]com |
Malicious Domain |
http://hiperfdhaus[.]com |
http://jirostrogud[.]com |
http://qweastradoc[.]com |
http://qweastradoc[.]com/gate.php |
http://connectzoomdownload[.]com/download/ZoomInstaller.exe |
https://connectzoomdownload[.]com/download/ZoomInstaller.exe |
Certificate Name |
Status |
Date Valid |
Thumbprint | Serial Number |
Savas Investments PTY LTD | Valid Issuer: Sectigo Public Code Signing CA R36 |
10/7/2022 - 10/7/2023 | 8DCCF6AD21A58226521 | 00-82-D2-24- 32-3E-FA-65- 06-0B-64- 1F- 51-FA-DF-EF- 02 |
E36D7E5DBAD133331C181 |
MOVEit Campaign Infrastructure IP Addresses May/June 2023 | GoAnywhere Campaign Infrastructure IP Addresses January/February 2023 |
104.194.222[.]107 | 100.21.161[.]34 |
138.197.152[.]201 | 104.200.72[.]149 |
146.0.77[.]141 | 107.181.161[.]207 |
146.0.77[.]155 | 141.101.68[.]154 |
146.0.77[.]183 | 141.101.68[.]166 |
148.113.152[.]144 | 142.44.212[.]178 |
162.244.34[.]26 | 143.31.133[.]99 |
162.244.35[.]6 | 148.113.159[.]146 |
179.60.150[.]143 | 148.113.159[.]213 |
185.104.194[.]156 | 15.235.13[.]184 |
185.104.194[.]24 | 15.235.83[.]73 |
185.104.194[.]40 | 162.158.129[.]79 |
185.117.88[.]17 | 166.70.47[.]90 |
185.162.128[.]75 | 172.71.134[.]76 |
185.174.100[.]215 | 173.254.236[.]131 |
185.174.100[.]250 | 185.104.194[.]134 |
185.181.229[.]240 | 185.117.88[.]2 |
185.181.229[.]73 | 185.174.100[.]17 |
185.183.32[.]122 | 185.33.86[.]225 |
185.185.50[.]172 | 185.33.87[.]126 |
188.241.58[.]244 | 185.80.52[.]230 |
193.169.245[.]79 | 185.81.113[.]156 |
194.33.40[.]103 | 192.42.116[.]191 |
194.33.40[.]104 | 195.38.8[.]241 |
194.33.40[.1]64 | 198.137.247[.]10 |
198.12.76[.]214 | 198.199.74[.]207 |
198.27.75[.]110 | 198.199.74[.]207:1234/update.jsp |
206.221.182[.]106 | 198.245.13[.]4 |
209.127.116[.]122 | 20.47.120[.]195 |
209.127.4[.]22 | 208.115.199[.]25 |
209.222.103[.]170 | 209.222.98[.]25 |
209.97.137[.]33 | 213.121.182[.]84 |
45.227.253[.]133 | 216.144.248[.]20 |
45.227.253[.]147 | 23.237.114[.]154 |
45.227.253[.]50 | 23.237.56[.]234 |
45.227.253[.]6 | 3.101.53[.]11 |
45.227.253[.]82 | 44.206.3[.]111 |
45.56.165[.]248 | 45.182.189[.]200 |
5.149.248[.]68 | 45.182.189[.]228 |
5.149.250[.]74 | 45.182.189[.]229 |
5.149.250[.]92 | 5.149.250[.]90 |
5.188.86[.]114 | 5.149.252[.]51 |
5.188.86[.]250 | 5.188.206[.]76 |
5.188.87[.]194 | 5.188.206.76[:]8000/se1.dll |
5.188.87[.]226 | 5.34.178[.]27 |
5.188.87[.]27 | 5.34.178[.]28 |
5.252.23[.]116 | 5.34.178[.]30 |
5.252.25[.]88 | 5.34.178[.]31 |
5.34.180[.]205 | 5.34.180[.]48 |
62.112.11[.]57 | 50.7.118[.]90 |
62.182.82[.]19 | 54.184.187[.]134 |
62.182.85[.]234 | 54.39.133[.]41 |
66.85.26[.]215 | 63.143.42[.]242 |
66.85.26[.]234 | 68.156.159[.]10 |
66.85.26[.]248 | 74.218.67[.]242 |
79.141.160[.]78 | 76.117.196[.]3 |
79.141.160[.]83 | 79.141.160[.]78 |
84.234.96[.]104 | 79.141.161[.]82 |
84.234.96[.]31 | 79.141.173[.]94 |
89.39.104[.]118 | 81.56.49[.]148 |
89.39.105[.]108 | 82.117.252[.]141 |
91.202.4[.]76 | 82.117.252[.]142 |
91.222.174[.]95 | 82.117.252[.]97 |
91.229.76[.]187 | 88.214.27[.]100 |
93.190.142[.]131 | 88.214.27[.]101 |
91.222.174[.]68 | |
91.223.227[.]140 | |
92.118.36[.]210 | |
92.118.36[.]213 | |
92.118.36[.]249 | |
96.10.22[.]178 | |
96.44.181[.]131 | |
5.252.23[.]116 | |
5.252.25[.]88 | |
84.234.96[.]104 | |
89.39.105[.]108 | |
138.197.152[.]201 | |
148.113.152[.]144 | |
198.12.76[.]214 | |
209.97.137[.]33 | |
209.222.103[.]170 |
5.0 Recommendations
MyCERT recommends users and administrators to follow the security best practices as recommended below to improve their organization’s security posture.
- Reduce threat of malicious actors using remote access tools by:
- Auditing remote access tools.
- Reviewing logs for execution of remote access software.
- Using security software.
- Requiring authorized remote access solutions.
- Blocking both inbound and outbound connections.
- Implement application controls.
- Strictly limit the use of RDP and other remote desktop services.
- Disable command-line and scripting.
- Restrict the use of PowerShell.
- Update Windows PowerShell or PowerShell Core.
- Review domain controllers, servers, workstation, and active directories.
- Audit user accounts with administrative privileges.
- Reduce the threat of credential compromise.
- Implement time-based access for accounts.
In addition, MyCERT recommend apply the following recommendation to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:
- Implement a recovery plan.
- Maintain offline backups of data.
- Require multifactor authentication.
- Keep all operating systems, software and firmware up to date.
- Segment networks.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.
- Install, regularly update, and enable real time detection for antivirus software.
- Disable unused ports and hyperlinks.
- Consider adding and email banner to emails.
- Ensure all backup data is encrypted, immutable.
Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
6.0 References
- https://www.cisa.gov/sites/default/files/2023-06/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_5_0.pdf
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
- https://www.bleepingcomputer.com/news/security/clop-ransomware-likely-testing-moveit-zero-day-since-2021/
MA-941.062023: MyCERT Advisory - BianLian Ransomware Group
1.0 Introduction
Recently, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) released a joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023.
BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.
2.0 Technical Details
BianLian is a ransomware developer, deployer, and data extortion cybercriminal group. FBI observed BianLian group targeting organizations in multiple U.S. critical infrastructure sectors since June 2022. In Australia, ACSC has observed BianLian group predominately targeting private enterprises, including one critical infrastructure organization. BianLian group originally employed a doubleextortion model in which they exfiltrated financial, client, business, technical, and personal files for leverage and encrypted victims’ systems. In 2023, FBI observed BianLian shift to primarily exfiltrationbased extortion with victims’ systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion. BianLian actors warn of financial, business, and legal ramifications if payment is not made.
2.1 Initial access
BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers or via phishing.
2.2 Command and Control
BianLian group actors implant a custom backdoor specific to each victim written in Go (see the Indicators of Compromise Section for an example) and install remote management and access software—e.g., TeamViewer, Atera Agent, SplashTop, AnyDesk—for persistence and command and control.
FBI also observed BianLian group actors create and/or activate local administrator accounts and change those account passwords.
2.3 Defense Evasion
BianLian group actors use PowerShell and Windows Command Shell to disable antivirus tools, specifically Windows defender and Anti-Malware Scan Interface (AMSI). BianLian actors modify the Windows Registry to disable tamper protection for Sophos SAVEnabled, SEDEenabled, and SAVService services, which enables them to uninstall these services. See Appendix: Windows PowerShell and Command Shell Activity for additional information, including specific commands they have used.
2.4 Discovery
BianLian group actors use a combination of compiled tools, which they first download to the victim environment, to learn about the victim’s environment. BianLian group actors have used:
• Advanced Port Scanner, a network scanner used to find open ports on network computers and retrieve versions of programs running on the detected ports.
• SoftPerfect Network Scanner (netscan.exe), a network scanner that can ping computers, scan ports, and discover shared folders.
• SharpShares to enumerate accessible network shares in a domain.
• PingCastle to enumerate Active Directory (AD). PingCastle provides an AD map to visualize the hierarchy of trust relationships.
BianLian actors also use native Windows tools and Windows Command Shell to:
• Query currently logged-in users.
• Query the domain controller to identify:
- All groups.
- Accounts in the Domain Admins and Domain Computers groups.
- All users in the domain.
• Retrieve a list of all domain controllers and domain trusts.
• Identify accessible devices on the network.
2.5 Credential Access
BianLian group uses valid accounts for lateral movement through the network and to pursue other follow-on activity. To obtain the credentials, BianLian group actors use Windows Command Shell to find unsecured credentials on the local machine. FBI also observed BianLian harvest credentials from the Local Security Authority Subsystem Service (LSASS) memory, download RDP Recognizer (a tool that could be used to brute force RDP passwords or check for RDP vulnerabilities) to the victim system, and attempt to access an Active Directory domain database (NTDS.dit).
In one case, FBI observed BianLian actors use a portable executable version of an Impacket tool (secretsdump.py) to move laterally to a domain controller and harvest credential hashes from it.
Note: Impacket is a Python toolkit for programmatically constructing and manipulating network protocols. Through the Command Shell, an Impacket user with credentials can run commands on a remote device using the Windows management protocols required to support an enterprise network.
2.6 Presistence and Lateral Movement
BianLian group actors use PsExec and RDP with valid accounts for lateral movement. Prior to using RDP, BianLian actors used Command Shell and native Windows tools to add user accounts to the local Remote Desktop Users group, modified the added account’s password, and modified Windows firewall rules to allow incoming RDP traffic. See Appendix: Windows PowerShell and Command Shell Activity for additional information.
In one case, FBI found a forensic artifact (exp.exe) on a compromised system that likely exploits the Netlogon vulnerability (CVE-2020-1472) and connects to a domain controller.
2.7 Collection
FBI observed BianLian group actors using malware (system.exe) that enumerates registry and files and copies clipboard data from users.
2.8 Exfiltration and Impact
BianLian group actors search for sensitive files using PowerShell scripts (See Appendix: Windows PowerShell and Command Shell Activity) and exfiltrate them for data extortion. Prior to January 2023, BianLian actors encrypted files after exfiltration for double extortion.
BianLian group uses File Transfer Protocol (FTP) and Rclone, a tool used to sync files to cloud storage, to exfiltrate data. FBI observed BianLian group actors install Rclone and other files in generic and typically unchecked folders such as programdata\vmware and music folders. ACSC observed BianLian group actors use Mega file-sharing service to exfiltrate victim data.
BianLian’s encryptor (encryptor.exe) modified all encrypted files to have the .bianlian extension. The encryptor created a ransom note, Look at this instruction.txt, in each affected directory (see Figure 1 for an example ransom note.) According to the ransom note, BianLian group specifically looked for, encrypted, and exfiltrated financial, client, business, technical, and personal files.
Figure 1: BianLian Sample Ransom Note (Look at this instruction.txt)
If a victim refuses to pay the ransom demand, BianLian group threatens to publish exfiltrated data to a leak site maintained on the Tor network. The ransom note provides the Tox ID A4B3B0845DA242A64BF17E0DB4278EDF85855739667D3E2AE8B89D5439015F07E81D12D767FC, which does not vary across victims. The Tox ID directs the victim organization to a Tox chat via https://qtox.gitbhub[.]io and includes an alternative contact email address (swikipedia@onionmail[.]org or xxx@mail2tor[.]com). The email address is also the same address listed on the group’s Tor site under the contact information section. Each victim company is assigned a unique identifier included in the ransom note. BianLian group receives payments in unique cryptocurrency wallets for each victim company.
BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with BianLian group.
3.0 Indicators of Compromise
See Table 1 for IOCs obtained from FBI investigations as of March 2023.
Name | SHA-256 Hash | Description |
def.exe | 7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900 a09331325df893 | Malware associated with BianLian intrusions, which is an example of a possible backdoor developed by BianLian group. |
encryptor.exe | 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b 75050da22e8e43 | Example of a BianLian encryptor. |
exp.exe | 0c1eb11de3a533689267ba075e49d93d55308525c04d6aff 0d2c54d1f52f5500 | Possible NetLogon vulnerability (CVE-2020- 1472) exploitation. |
system.exe | 40126ae71b857dd22db39611c25d3d5dd0e60316b72830e 930fba9baf23973ce | Enumerates registry and files. Reads clipboard data. |
Table 1: BianLian Ransomware and Data Extortion Group IOCs
Through FBI investigation as of March 2023, FBI has observed BianLian actors use the commands in Table 2. ACSC has observed BianLian actors use some of the same commands.
Command | Use |
[Ref].Assembly.GetType(‘System.Management .Automation.AmsiUtils’).GetField(‘amsiInitFaile d’,’NonPublic,* Static’).SetValue($null,$true) | Disables the AMSI on Windows. AMSI is a built-in feature on Windows 10 and newer that provides an interface for anti-malware scanners to inspect scripts prior to execution. When AMSI is disabled, malicious scripts may bypass antivirus solutions and execute undetected. |
cmd.exe /Q /c for /f “tokens=1,2 delims= “ ^%A in (‘”tasklist /fi “Imagename eq lsass.exe” | find “lsass””’) do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\<file>.csv full | Creates a memory dump lsass.exe process and saves it as a CSV filehttps://attack.mitre.org/versions/v12/techniq ues/T1003/001/. BianLian actors used it to harvest credentials from lsass.exe. |
cmd.exe /Q /c net user <admin> /active:yes 1> \\127.0.0.1\C$\Windows\Temp\<folder> 2>&1 | Activates the local Administrator account. |
cmd.exe /Q /c net user "<admin>"<password> 1> \\127.0.0.1\C$\Windows\Temp\<folder> 2>&1 | Changes the password of the newly activated local Administrator account. |
cmd.exe /Q /c quser 1> \\127.0.0.1\C$\Windows\Temp\<folder> 2>&1 | Executes quser.exe to query the currently logged-in users on a machine. The command is provided arguments to run quietly and exit upon completion, and the output is directed to the \Windows\Temp directory. |
dism.exe /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart | Using the Deployment Image Servicing and Management (DISM) executable file, removes the Windows Defender feature. |
dump.exe -no-pass -just-dc user.local/<fileserver.local>\@<local_ip> | Executes secretsdump.py, a Portable Executable version of an Impacket tool. Used to dump password hashes from domain controllers. |
exp.exe -n <fileserver.local> -t <local_ip> | Possibly attempted exploitation of the NetLogon vulnerability (CVE-2020-1472). |
findstr /spin "password" *.* >C:\Users\training\Music\<file>.txt | Searches for the string password in all files in the current directory and its subdirectories and puts the output to a file. |
ldap.exe -u user\<user> -p <password> ldap://<local_ip> | Connects to the organization’s Lightweight Directory Access Protocol (LDAP) server. |
logoff | Logs off the current user from a Windows session. Can be used to log off multiple users at once. |
mstsc | Launches Microsoft Remote Desktop Connection client application in Windows. |
net group /domain | Retrieves a list of all groups from the domain controller. |
net group 'Domain Admins' /domain | Queries the domain controller to retrieve a list of all accounts from Domain Admins group. |
net group 'Domain Computers' /domain | Queries the domain controller to retrieve a list of all accounts from Domain Computers group. |
net user /domain | Queries the domain controller to retrieve a list of all users in the domain. |
net.exe localgroup "Remote Desktop Users" <user> /add | Adds a user account to the local Remote Desktop Users group. |
net.exe user <admin> <password> /domain | Modifies the password for the specified account. |
netsh.exe advfirewall firewall add rule "name=allow RemoteDesktop" dir=in * protocol=TCP localport=<port num> action=allow | Adds a new rule to the Windows firewall that allows incoming RDP traffic. |
netsh.exe advfirewall firewall set rule "group=remote desktop" new enable=Yes | Enables the pre-existing Windows firewall rule group named Remote Desktop. This rule group allows incoming RDP traffic. |
nltest /dclist | Retrieves a list of domain controllers. |
nltest /domain_trusts | Retrieves a list of domain trusts. |
ping.exe -4 -n 1 * | Sends a single ICMP echo request packet to all devices on the local network using the IPv4 protocol. The output of the command will show if the device is reachable or not. |
quser; ([adsisearcher]"(ObjectClass=computer)").Find All().count;([adsisearcher]"(ObjectClass=user)") .FindAll().count;[Security.Principal.WindowsIde ntity]::GetCurrent() | select name;net user "$env:USERNAME" /domain; (Get-WmiObject - class Win32_OperatingSystem).Caption; Get- WmiObject -Namespace root\cimv2 -Class Win32_ComputerSystem; net group "domain admins" /domain; nltest /dclist:; nltest /DOMAIN_TRUSTS | Lists the current Windows identity for the logged-in user and displays the user's name. Uses the Active Directory Services Interface (ADSI) to search for all computer and user objects in the domain and returns counts of the quantities found. Lists information about the current user account from the domain, such as the user's name, description, and group memberships. Lists information about the operating system installed on the local computer. Lists information about the "Domain Admins" group from the domain. Lists all domain controllers in the domain. Displays information about domain trusts. |
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ontrolSet\Control\Terminal * Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f | Adds/overwrites a new Registry value to disable user authentication for RDP connections. |
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ontrolSet\Control\Terminal Server" /* v fAllowToGetHelp /t REG_DWORD /d 1 /f | Adds/overwrites a new Registry value to allow a user to receive help from Remote Assistance. |
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ontrolSet\Services\Sophos Endpoint * Defense\TamperProtection\Config" /t REG_DWORD /v SAVEnabled /d 0 /f | Adds/overwrites a new Registry value to disable tamper protection for Sophos antivirus named SAVEnabled. |
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ontrolSet\Services\Sophos Endpoint * Defense\TamperProtection\Config" /t REG_DWORD /v SEDEnabled /d 0 /f | Adds/overwrites a new Registry value to disable tamper protection for Sophos antivirus named SEDEnabled. |
reg.exe ADD * HKEY_LOCAL_MACHINE\SOFTWARE\WOW 6432Node\Sophos\SAVService\TamperProtecti on /t REG_DWORD /v Enabled /d 0 /f | Adds/overwrites a new registry value to disable tamper protection for a Sophos antivirus service called SAVService. |
reg.exe copy hklm\system\CurrentControlSet\services\tvnser ver * hklm\system\CurrentControlSet\control\safeboo t\network\tvnserver /s /f | Copies the configuration settings for the tvnserver service to a new location in the registry that will be used when the computer boots into Safe Mode with Networking. This allows the service to run with the same settings in Safe Mode as it does in normal mode. |
s.exe /threads:50 /ldap:all /verbose /outfile:c:\users\<user>\desktop\1.txt | Executes SharpShares. |
schtasks.exe /RU SYSTEM /create /sc ONCE /<user> /tr "cmd.exe /crundll32.exe c:\programdata\netsh.dll,Entry" /ST 04:43 | Creates a Scheduled Task run as SYSTEM at 0443 AM. When the task is run, cmd.exe uses crundll32.exe to run the DLL file netsh.dll. (It is likely that netsh.dll is a malware file and not associated with netsh.) |
start-process PowerShell.exe -arg C:\Users\Public\Music\<file>.ps1 -WindowStyle Hidden | Executes a PowerShell script, while keeping the PowerShell window hidden from the user. |
Table 2: PowerShell and Windows Command Shell Activity
4.0 Recommendations
MyCERT recommend organizations implement the recommendation below to improve your organization’s cybersecurity posture on the basis of the threat actor’s activity.
- Reduce threat of malicious actors using remote access tools by:
- Auditing remote access tools on your network to identify currently used and/or authorized software.
- Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable.
- Using security software to detect instances of remote access software only being loaded in memory.
- Requiring authorized remote access solutions only be used from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
- Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
- Implement application controls to manage and control execution of software.
- Strictly limit the use of RDP and other remote desktop services.
- Disable command-line and scripting activities and permissions.
- Restrict the use of PowerShell.
- Update Windows PowerShell or PowerShell Core.
- Enable enhanced PowerShell logging.
- Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations.
- Review domain controllers, servers, workstations, and active directories.
- Audit user accounts.
- Implement time-based access for accounts set at the admin level and higher.
In addition, MyCERT recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:
- Implement a recovery plan.
- Maintain offline backups of data.
- Require phishing-resistant multifactor authentication.
- Keep all operating systems, software, and firmware up to date.
- Segment networks.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.
- Install, regularly update, and enable real time detection for antivirus software.
- Disable unused ports.
- Consider adding an email banner to emails.
- Ensure all backup data is encrypted, immutable.
Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References
MA-921.042023: MyCERT Advisory - BlackCat Ransomware
1.0 Introduction
MyCERT has observed an increase in ransomware-related attacks, including those executed by ransomware known as BlackCat/ALPHV. This ransomware variant was identified through FBI investigations. BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered a more secure programming language with improved performance and reliable concurrent processing. BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.
2.0 Impact
The malicious actors’ use of Rust to deliver the ransomware payload sets the stage for its encryption routine. The ransomware binary defaces the system’s background images. It replaces it with one containing a notification that important files have been downloaded and encrypted, plus information on where additional instructions can be found. Sample ransom note is as below:
Figure 1: Sample ransom note of the BlackCat ransomware binary.
- The payload also terminates specific services related to backups, antivirus applications, databases, Windows internet services, and ESXi virtual machines (VMs).
- In addition, a new variant of the BlackCat ransomware binary restarts the affected system to safe mode before proceeding to its encryption routine. It also disables system recovery and deletes volume shadow copies to inhibit the recovery of the affected systems.
3.0 Affected Products
- Windows 7 and higher (7, 8.1, 10,11; 2008r2, 2012, 2016, 2019, 2022).
- Windows XP and 2003.
- VMware ESXi
- Debian and Ubuntu Linux
- ReadyNAS, Synology, QNAP
4.0 Technical Details
BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim’s system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial malware deployment leverages PowerShell scripts in conjunction with Cobalt Strike and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise.
BlackCat/ALPHV steals victim data before the execution of the ransomware, including from cloud providers where company or client data was stored.
The actors leverage Windows scripting to deploy ransomware and to compromise additional hosts. For example, the following batch and PowerShell scripts were observed:
- start.bat - launches the ransomware executable with the required arguments.
- est.bat - copies the ransomware to other locations.
- drag-and-drop-target.bat - launches the ransomware executable for the MySQL Server.
- run.bat - executes a callout command to and external server using SSH – file names may change depending on the company and systems affected.
- Runsl.psl - PowerShell scripts to disable AV.
5.0 Indicators of Compromise
The following are characteristics of compromise by BlackCat/ALPHV, as mid-February 2022: