Brief Update on our Perspective: 9 March, 2022
As we move into a new phase of the invasion of Ukraine, and the subsequent cyber operations we have seen, what do you need to know?
At the top level, the most important answer to that question is that Vectra Security Research and Threat intel are working hard to ensure we deliver the best coverage for detecting threats when they happen at any level in your network, and we provide the means to react quickly, effectively, and cut off attacks before they become the next incident response case study.
On the ground and in media, the war has moved from an aggressive rapid expansion into new territory and has turned to a more pitched battle of words. World leaders move to further sanction and increase their grip on Russian billionaires and assets. There is growing social pressure that corporations pull their products from Russia, the war has now become a lot smaller in the minds of people. In terms of the cyber espionage and battles being fought over computer networks, the tactics have also shifted. When the ground war began, there was a push to disrupt communications and the computer networks of those forces moving to defend positions. The world saw the deployment of three discreet types of attack. Firstly, Ukranian systems were subject to a mass DDoS attack, this was followed up with the well-known HermeticWiper malware used to destroy systems, and also Microsoft saw the deployment of a new Trojan, FoxBlade.
The Shift to Clandestine Operations
Finally we must remember to not let all our focus be dedicated to looking to attacks overseas, Mandiant recently produced a report detailing an ongoing attack from APT41 targeting US Government targets5. This Chinese state actor were detailed to use multiple attempts to compromise their targets, ranging from their own zero day in a Web facing application, to using the well distributed Log4J vulnerabilities to achieve action on objective. In these cases the threat actor deployed their own sophisticated malware utilising traditional C2 type behaviour, and also deploying persistence through the use of “dead drop” techniques to update C2 IP addresses.
So what now?
Once again, we are asked, well if this is business as usual what should we be doing?
First and foremost, we must remain vigilant, as it has been shown that whilst the headline grabbing activities will pull our focus to those overseas, we must also keep an eye on what we know to be true: Criminals will jump at an opportunity to use a global event to spread their own malware, sophisticated APT actors will attempt to use the smokescreen created by destructive malware to infiltrate targets of interest in a ground war, and finally, just because this is happening overseas we must not lose focus on our own networks and security.
--
[2] https://twitter.com/dsszzi/status/1499740427783651336?s=20&t=fDgbTX1ydsnTRjocdQUopw
[3] https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook
Prior Content: 2 March, 2022
A week ago, we wrote about how the state level actors in Russia and other associated groups operate during a cyber security attack, or during an ongoing ground conflict. Looking back over the last seven days, we’d like to offer an updated perspective with a fresh look at what we know about how threat actors from Russia operate.
Additionally, we’d like to call attention to the fact that Microsoft have also identified a new Trojan capable of being used as part of a DDoS attack known as FoxBlade.A!dha and it’s dropper parent FoxBlade.B!dha. These were identified just before the first movements of the Russian military to seize territory in Ukraine, showing how joined up Russian military and Cyber operations truly are.
Malware operators will flood to Russian defence
As with any conflict there are always volunteers, and this hybrid ground / cyber war is no different. One of the first groups to swear allegiance to Russia was the Conti / TrickBot group, although they have since softened this stance. This gang are responsible for some of the largest and most successful ransomware campaigns in the last 5 years. TrickBot and its role in deploying IcedID, CobaltStrike and numerous Ransomware campaigns, is a name most blue team operators know well. It was Reported in late February that the TrickBot project was shut down, dealing a huge blow to the gang. Conti, however, prevail, having recently taken control of the BazarBackdoor malware.
Vectra customers should look for Vectra Threat Intel Match detections with the threat actor listed as WIZARD SPIDER or WIZARDSPIDER this is the internal name for the group. BazarBackdoor which is dropped by the BazarLoader malware communicates over HTTP and DNS to [.]bazar domains, customers should look for Hidden HTTP Tunnel, Hidden HTTPS Tunnel and Hidden DNS Tunnel detection as these are the primary communication methods for the backdoor. These will help correlate potential infections.
The backdoor also has several modular components, which can execute PowerShell commands on the infected host, so other detections to look out for includes Suspicious Remote Execution using WMI methods to execute commands on other hosts. This threat group is also known to use Task Scheduler and SMB to spread laterally, so look for schtask as an operation in Suspicious Remote Execution detections.
Early in the ground campaign, two new malware families emerged in the Information Security conflict, notably WhisperGate and Hermetic wiper. Both are destructive / Ransomware Lite types of malware, which destroy systems and sometimes ask for payment but do not provide a recovery option. At the moment, there are no network IOCs to look for, but Vectra are still able to find ransomware attacks as they happen, and let responders react quickly. An example of this is seen here in a post incident review where a customer did just that using Cognito Detect. Vectra’s CTO also produced a blog post talking about this current wave of ransomware.
The Vectra threat intelligence and services teams are also collating hundreds of indicators and reports to best serve our customers. To this end we have so far published three new saved searches in Recall:
- Cogntio – TTP – iSession - Cyclops Blink Hardcoded C2 IP Addresses: This saved search is designed to find communications with the hardcoded C2 IP addresses of the Cyclops Blink malware
- Cognito - TTP - SMB Files - Lockbit Known Ransom Note and Extension
- Cognito - TTP - SMB Files - Lockbit Known Named Pipe: These two searches are designed to find LockBit activity on the network by looking for the Named Piped communication that is used by the malware to remain hidden. It also looks to identify the transfer of potentially malicious files.
Additional awareness and best practices
Currently, Vectra is working hard to ensure all customers are protected. If you are a Sidekick customer, the analyst team is providing hands on coverage, and are working with Vectra threat intelligence directly to provide the best priority and service possible. To the wider customer base, Vectra threat intelligence is collating 1000s of indicators and independent reports to ensure the best coverage to everyone. We also continue work confirming behaviours of known and engaged malware operators and threat actors, to ensure that detections line up with known malware and threat actor behaviour.
Notable detections to always look out for will be:
- Hidden [HTTP, HTTPS, DNS] Tunnel: These detections will find malware Command and Control behaviours.
- External Remote Access: This again will find more traditional Malware command and Control channels.
- Suspicious Remote Execution: Many threat actors will attempt to spread laterally in an environment using existing channels making these detections more relevant right now.
- Privilege Anomaly Detections: These detections will show suspicious account usage. Many threat actors look for accounts with high levels of privilege on a network to spread their malware or engage with high value targets such as Active Directory.
There haven’t been wide reports of Cloud based attacks yet, but it is likely that whilst these destructive and noisy attacks are happening, quiet attacks that focus on the cloud are also likely to be happening. Russian state actors are moving to the cloud for their attacks. The CISA put out a report in Februrary 2022 stating that Russian state sponsored attackers breached defence contractors cloud infrastructure. Based on research from previous compromises, and known threat actor behaviour, Detect for Azure AD and Office 365 environments would expect to see the following types of detections.
- Azure AD Brute-Force Attempt
- Azure AD Suspicious Sign On
- Azure AD MFA-Failed Suspicious Sign On
- O365 Suspicious Sign-On Activity - This step of the attack can sometimes be the noisiest, however with a remote workforce, detecting this activity becomes something simple log searching is not sufficient. Detect for Cloud will produce detections as listed above to help analysts find the activity.
- Azure AD Change to Trusted IP Configuration
- Azure AD Suspicious Operation
- O365 Suspicious Teams Application - applications and service principals that possess valuable access rights are modified with additional secrets, essentially creating a "backdoor" that attackers use to perform privileged actions on behalf of those applications.
- Azure AD Newly Created Admin Account
- Azure AD Redundant Access Creation
- Azure AD Suspicious Operation
- Azure AD Unusual Scripting Engine Usage
- O365 Internal Spear phishing
- O365 Suspicious Exchange Transport Rule
- O365 Suspicious Mail Forwarding
- O365 Suspicious Mailbox Manipulation -There are many ways to gain persistence in a cloud environment. Many detections in Detect for Cloud are built to find activity, ranging from accounts being created in Azure AD, to installation of transport rules, which can redirect email, or in previous attacks have been used as a command and control implant.
- O365 Risky Exchange Operation
- O365 Suspicious Download Activity
- O365 Suspicious Mail Forwarding
- O365 Suspicious Mailbox Manipulation
- O365 Suspicious Sharing Activity - During this stage, along with opening up of sharing rights to non-local destinations, target mailbox permissions are modified to give another user (controlled by attacker) read access to target's e-mail, followed by periodic e-mail exfiltration.
Lastly, these TTPs as outlined by MITRE ATT&CK have been associated with Russian State Actors historically and have been updated to include the most recent destructive wiper attacks: