The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint warning to disseminate IOCs and TTP associated with Vice Society actors identified through FBI investigations as recently as September 2022. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.
Vice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in the summer of 2021. Vice Society actors do not use a ransomware variant of unique origin. Instead, the actors have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware but may deploy other variants in the future.
Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, cancelled school days, and unauthorised access to and theft of personal information regarding students and staff.
3.0 Observed TTP and IOCs employed by Vice Society
The ransomware group Vice Society has been breaking into schools and colleges, stealing sensitive data, and demanding ransom payments. If the extortionists are not paid, the victim may be unable to unlock their encrypted files, and the attackers may publicly disclose the information stolen from victim servers. Vice Society most likely gains initial network access through compromised login credentials obtained from unspecified internet-facing applications. Once inside the network, the hackers spend their time investigating the IT systems they have compromised, looking for new ways to gain access to sensitive data, and exfiltrating information with the intent of releasing it if a ransom payment is not made.
To spread laterally through an organisation, the group's modus operandi may include the exploitation of known vulnerabilities (like the so-called PrintNightmare vulnerability discovered in Windows' print spooler service). Once sensitive information has been taken, the group launches a ransomware attack that encrypts data and displays a ransom demand, claiming that documents, photos, and databases have been taken and encrypted and that if negotiations do not start within seven days, the contents of the files will be shared on a dark web website. Tables 1,2,3,4, and 5 depicted the IOC and TTP employed by Vice Society in their campaign.
Table 1: List indicator of compromise – Email addresses
|OnionMail email accounts in the format of [First Name][Last Name]@onionmail[.]org|
Table 2: List indicator of compromise – TOR address
Table 3: List indicator of compromise – IP addresses
|IP Addresses for C2||Confidence Level|
Table 4: List indicator of compromise – Hash value
Table 5: Observed TTPs (and associated IDs) employed by Vice Society mapped to MITRE ATT&C
|TA0001- Initial Access||T1190-Exploit Public-Facing Application||Vice Society actors exploit vulnerabilities in an internet-facing system to gain access to victims’ networks.|
|T1078-Valid Accounts||Vice Society actors obtain initial network access through compromised valid accounts.|
|TA0002- Execution||T1047-Windows Management Instrumentation (WMI)||Vice Society actors leverage WMI as a means of “living off the land” to execute malicious commands. WMI is a native Windows administration feature.|
|T1053-Scheduled Task/Job||Vice Society have used malicious files that create component task schedule objects, which are often mean to register a specific task to autostart on system boot. This facilitates recurring execution of their code.|
|TA0003- Persistence||T1543.003-Modify System Process||Vice Society actors encrypt Windows Operating functions to preserve compromised system functions.|
|T1547.001-Registry Run Keys/Startup Folder||Vice Society actors have employed malicious files that create an undocumented autostart Registry key to maintain persistence after boot/reboot.|
|Vice Society actors may directly side-load their payloads by planting their own DLL then invoking a legitimate application that executes the payload within that DLL. This serves as both a persistence mechanism and a means to masquerade actions under legitimate programs.|
|TA0004- Privilege Escalation||T1068-Exploitation for Privilege Escalation||Vice Society actors have been observed exploiting the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) to escalate privileges.|
|TA0005- Defense Evasion||T1036-Masquerading||Vice Society actors may attempt to manipulate features of the files they drop in a victim’s environment to mask the files or make the files appear legitimate.|
|T1055-Process Injection||Vice Society artifacts have been analyzed to reveal the ability to inject code into legitimate processes for evading process- based defenses. This tactic has other potential impacts, including the ability to escalate privileges or gain additional accesses.|
|T1497-Sandbox Evasion||Vice Society actors may have included sleep techniques in their files to hinder common reverse engineering or dynamic analysis.|
|TA0008- Lateral Movement||T1080-Taint Shared Content|
Vice Society actors may deliver payloads to remote systems by adding content to
shared storage locations such as network drives.
|TA0010- Exfiltration||TA0010-Exfiltration||Vice Society actors are known for double extortion, which is a second attempt to force a victim to pay by threatening to expose sensitive information if the victim does not pay a ransom.|
|TA0040- Impact||T1486-Data Encrypted for Impact||Vice Society actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.|
|T1531-Account Access Removal||Vice Society actors run a script to change the passwords of victims’ email accounts.|
MyCERT strongly urges network defenders to apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Vice Society actors:
Preparing for Cyber Incidents
- Maintain offline backups of data and regularly maintain backup and restoration. By instituting this practice, the organisation ensures they will not be severely interrupted and only have irretrievable data.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure. Ensure your backup data is not already infected.
- Review the security posture of third-party vendors and those interconnected with your organisation. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
- Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
- Document and monitor external remote connections. Organisations should document approved solutions for remote management and maintenance and immediately investigate if an unapproved solution is installed on a workstation.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
Identity and Access Management
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies.
- Use longer passwords consisting of at least eight characters and no more than 64 characters in length;
- Store passwords in a hashed format using industry-recognized password managers;
- Add password user “salts” to shared login credentials;
- Avoid reusing passwords;
- Implement multiple failed login attempt account lockouts;
- Disable password “hints”;
- Refrain from requiring password changes more frequently than once per year unless a password is known or suspected to be compromised. Note: NIST guidance suggests favouring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
- Require administrator credentials to install the software.
- Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Review domain controllers, servers, workstations, and active directories for new and unrecognised accounts.
- Audit user accounts with administrative privileges and configures access controls according to the principle of least privilege.
- Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set to automatically disable admin accounts at the Active Directory level when the account is not in immediate need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need support completing a specific task.
Protective Controls and Architecture
- Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are handy for detecting lateral connections as they have insight into common and uncommon network connections for each host.
- Install, regularly update, and enable real-time antivirus software detection on all hosts.
- Secure and closely monitor remote desktop protocol (RDP) use.
- Limit access to resources over internal networks, especially by restricting RDP and using the virtual desktop infrastructure. If RDP is deemed operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after several attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.
Vulnerability and Configuration Management
- Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organisation can take to minimise its exposure to cybersecurity threats. Organisations should prioritise patching of vulnerabilities on CISA’s Known Exploited Vulnerabilities catalogue.
- Disable unused ports.
- Consider adding an email banner to emails received from outside your organisation.
- Disable hyperlinks in received emails.
- Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors cannot run these tools, they will have difficulty escalating privileges and moving laterally.
- Ensure devices are correctly configured and that security features are enabled.
- Disable ports and protocols not being used for business purposes (e.g., RDP Transmission Control Protocol Port 3389).
- Restrict Server Message Block (SMB) Protocol within the network to only necessary access servers, and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMBs to propagate malware across organisations.
Generally, MyCERT advises against paying the ransom and urges the public to report the incident to the authorities if their organisation’s systems are compromised. Paying the ransom does not ensure that the data will be unlocked or that the threat actor won't publish victim data. Additionally, it motivates threat actors to commit more crimes and target more victims. Threat actors can potentially regard the victim company as a soft target and decide to attack it once more in the future.
For further enquiries, please contact MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
5) https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C.pdf