The recent Kaseya ransomware incident combined the worst possibilities the infosec community has had to contend with in recent months:
A supply-chain attack
Ransomware
An unpatched application vulnerability (zero day)
This is by no means an isolated incident. Any vulnerability reported in a widely used software product, especially one that can be exploited without authentication, is likely to become a vector for spreading ransomware.
Attacking the supply chain is simply a cost-effective way to scale ransomware operations.
In this blog post, we use the Kaseya incident as a blueprint for a short playbook: what you can do while you wait for a patch for a vulnerability whose details you do not yet know.
View our recent webinar for more information on the best defenses against Kaseya supply-chain and similar attacks.
Zero days and active defense
Zero days are a tough nut to crack. The average organization uses hundreds of different types of software and tools. It’s almost impossible to have an accurate software inventory, let alone account for issues like supply-chain attacks and zero days.
While the research community works to find and fix bugs in widely used software before adversaries do, Active Defense lets security teams step back and treat zero days as a class of problem rather than one bug at a time.
Active Defense shifts the focus away from individual products and esoteric, hard-to-parse exploitation techniques, towards defensive strategies that work while a patch is still being written or rolled out.
By hypothesizing the objectives adversaries pursue when they exploit zero days, we can plan Active Defenses that:
Reduce the impact of exploitation
Give an early warning of malicious activity
Gather intelligence on the adversary
Zero days through the kill-chain
The following table demonstrates where zero days are likely to be used in the kill-chain:
| Kill-Chain Phase | Possible Zero-Day Targets | Possible Motivation |
|---|---|---|
| Initial infection and foothold | Internet-facing software applications and services | Obtain access to a high-value environment |
| Privilege escalation | Operating system components and locally installed software | Obtain a higher level of privilege to aid the rest of the kill-chain |
| Lateral movement | Distribution software and internally exposed services | Expand attack footprint in locked-down environments |
| Action on objectives | Zero days against specialized software | Exploit weaknesses to steal data |
Zero days are a means to an end, whether they are used in the initial stages of an operation or in its critical last step.
From a defensive perspective, this gives us a valuable advantage: if we cannot stop the zero day itself, we still have opportunities to trap the adversary before or after they use it. That is exactly what Active Defense does.
Actively defending against Kaseya-style incidents
The scenario here is that you know about a zero-day target that does not yet have a patch. Let us also assume that the zero day is being used for initial infection and foothold to distribute ransomware within the environment.
The following table shows strategies for actively defending against techniques observed in the Kaseya REvil Ransomware incident.
| Phase | Technique | Active Defense Tactic | Hints, Tips, Tricks |
|---|---|---|---|
| Initial infection | Exploit an internet-facing application | Create public-facing decoys to capture intelligence | Use the application vulnerable to the zero day as a template for the decoy |
| Execution | Use of PowerShell | Monitor for commands and scripts that stop or disable services | N/A |
| Defense evasion | Kill processes and services | Deploy decoy processes and services commonly killed by ransomware | The most commonly attacked processes are those that hold locks on files targeted for encryption; outlook.exe, Microsoft Office processes and database processes are the usual targets |
| Pre-encryption checks | Delete volume shadow copies | Monitor for deletion of volume shadow copies | Volume shadow copies are typically deleted with vssadmin.exe or via WMI |
| Encryption | Encrypt files | Deploy decoy files on endpoints and monitor them for file modification events | Place the decoys where encryption typically starts (C:\, %APPDATA%, Documents folders) so the alert fires early and limits how much gets encrypted |
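The execution, defense-evasion and pre-encryption rows of the table describe what to look for in process telemetry. The following is an added example, not code from the original post: it runs those checks in Python over constructed Sysmon-style process-creation records and then correlates hits per host, because shadow-copy deletion on its own is something a backup administrator does too, while shadow-copy deletion plus service stops or decoy-process kills on the same host is what precedes encryption. The decoy process names, hosts, users and command lines are assumptions made for the example; the command patterns (vssadmin, wmic, Win32_ShadowCopy, net/sc, Stop-Service, taskkill) are the ones the table's hints name.

```python
"""Flag ransomware pre-encryption behaviour in process-creation telemetry.

Added example (not from the original post). Runs the checks from the
table above over constructed Sysmon-style process-creation records and
correlates hits per host.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # path of the created process
    command_line: str
    parent_image: str


# Hypothetical decoy processes (names without ".exe"). A real deployment
# registers the decoys it actually launched on each endpoint.
DECOY_PROCESSES = {"outlook", "winword", "sqlservr"}

# (technique label, pattern applied to the full command line)
RULES = [
    ("delete-volume-shadow-copies",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("delete-volume-shadow-copies",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("delete-volume-shadow-copies",
     re.compile(r"Win32_ShadowCopy", re.I)),            # WMI class used from PowerShell
    ("stop-or-disable-service",
     re.compile(r"\b(net1?|sc)(\.exe)?\s+(stop\b|config\s+\S+\s+start=\s*disabled)", re.I)),
    ("stop-or-disable-service",
     re.compile(r"\bStop-Service\b|\bSet-Service\b.*-StartupType\s+Disabled", re.I)),
]

# Image names passed to "taskkill /IM <name>" or "Stop-Process -Name <name>"
KILL_TARGET = re.compile(r'(?:/im\s+|Stop-Process\b[^;|]*?-Name\s+)["\']?([\w.-]+)', re.I)


def classify(ev: ProcessEvent) -> list[str]:
    """Return the technique labels an event matches (empty if benign)."""
    hits: list[str] = []
    for label, pattern in RULES:
        if label not in hits and pattern.search(ev.command_line):
            hits.append(label)
    targets = {t.lower().removesuffix(".exe") for t in KILL_TARGET.findall(ev.command_line)}
    if targets & DECOY_PROCESSES:
        hits.append("kill-decoy-process")
    return hits


def detect(events: list[ProcessEvent]) -> list[dict]:
    """One alert per matching event, carrying the context a responder needs."""
    alerts = []
    for ev in events:
        techniques = classify(ev)
        if techniques:
            alerts.append({"host": ev.host, "user": ev.user, "parent": ev.parent_image,
                           "command_line": ev.command_line, "techniques": techniques})
    return alerts


def pre_encryption_hosts(events: list[ProcessEvent]) -> list[str]:
    """Hosts where shadow copies were deleted AND a service or decoy process
    was stopped: that combination precedes encryption and is far rarer than
    an administrator running vssadmin on its own."""
    seen: dict[str, set[str]] = {}
    for alert in detect(events):
        seen.setdefault(alert["host"], set()).update(alert["techniques"])
    return sorted(h for h, t in seen.items()
                  if "delete-volume-shadow-copies" in t
                  and t & {"stop-or-disable-service", "kill-decoy-process"})


# Constructed sample telemetry (not data from any real incident).
SAMPLE_EVENTS = [
    ProcessEvent("WS-017", r"CORP\alice", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS-017", r"CORP\alice",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -nop -w hidden -c "Stop-Service -Name MSSQLSERVER -Force; '
                 'Set-Service -Name MSSQLSERVER -StartupType Disabled"',
                 r"C:\Windows\Temp\agent.exe"),
    ProcessEvent("WS-017", r"CORP\alice", r"C:\Windows\System32\taskkill.exe",
                 "taskkill /F /IM outlook.exe", r"C:\Windows\Temp\agent.exe"),
    # Administrator stopping a single service: flagged, but not correlated
    ProcessEvent("WS-042", r"CORP\bob", r"C:\Windows\System32\net.exe",
                 "net stop Spooler", r"C:\Windows\System32\cmd.exe"),
    # Benign: the user simply opened Outlook
    ProcessEvent("WS-042", r"CORP\bob",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 '"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("WS-009", r"CORP\carol", r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic shadowcopy delete /nointeractive", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["host"], a["techniques"], "<-", a["command_line"])
    print("pre-encryption activity on:", pre_encryption_hosts(SAMPLE_EVENTS))
```

On the sample data, WS-009 and WS-042 each produce a single alert worth a look, while WS-017 (shadow copies deleted, a database service disabled, a decoy Outlook killed, all parented by an executable dropped in C:\Windows\Temp) is the host to isolate first.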
In the Kaseya incident specifically, no worm-like behavior was observed: the encryptor was pushed to machines as an update.
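Because the encryptor arrives as an update and runs under a trusted agent, the decoy-file tactic from the last row of the table is often the first thing that fires on the endpoint. The following added example, which is not code from the original post, plants decoy files, records a baseline, and then reports the three things an encryptor does to them: renames them with a new extension, overwrites them with high-entropy data, or deletes them. The decoy names, the temporary directory and the entropy threshold are illustrative assumptions; in production the decoys go into the locations the table names.

```python
"""Plant decoy files and detect ransomware-style tampering.

Added example (not from the original post). Decoy names, the target
directory and the entropy threshold are illustrative assumptions.
"""
import hashlib
import math
import secrets
import tempfile
from pathlib import Path

# Names chosen to sort first in a directory listing, so an encryptor that
# walks folders alphabetically touches them early. Hypothetical names.
DECOY_NAMES = ["!important_passwords.docx", "0_invoice_2021.xlsx", "aaa_budget.txt"]
ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext sits near 8.0, documents well below


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def plant_decoys(root: Path) -> dict[str, str]:
    """Write decoys under root (in production: C:\\, %APPDATA%, Documents)
    and return the baseline {path: sha256}."""
    baseline = {}
    for name in DECOY_NAMES:
        p = root / name
        # Plausible, low-entropy content so a later encrypted rewrite stands out.
        p.write_bytes(b"Quarterly figures - internal, do not distribute.\n" * 40)
        baseline[str(p)] = sha256(p.read_bytes())
    return baseline


def check_decoys(baseline: dict[str, str]) -> list[dict]:
    """Compare the decoys against the baseline and report tampering."""
    findings = []
    for path_str, digest in baseline.items():
        p = Path(path_str)
        if not p.exists():
            # Encryptors typically rename victims with an added extension;
            # look for the original name plus any extra suffix.
            renamed = sorted(q.name for q in p.parent.glob(p.name + ".*"))
            findings.append({"path": path_str,
                             "event": "renamed" if renamed else "deleted",
                             "new_names": renamed})
            continue
        data = p.read_bytes()
        if sha256(data) != digest:
            e = shannon_entropy(data)
            findings.append({"path": path_str, "event": "modified",
                             "entropy": round(e, 2),
                             "likely_encrypted": e >= ENTROPY_THRESHOLD})
    return findings


def simulate_encryptor(root: Path) -> None:
    """Constructed stand-in for an encryptor: overwrite two decoys with
    random bytes, give one of them a new extension, leave the third alone."""
    first = root / DECOY_NAMES[0]
    first.write_bytes(secrets.token_bytes(4096))
    first.rename(first.with_name(first.name + ".locked"))
    (root / DECOY_NAMES[1]).write_bytes(secrets.token_bytes(4096))


def demo() -> list[dict]:
    """Plant, tamper, check, all inside a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = plant_decoys(root)
        simulate_encryptor(root)
        return check_decoys(baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A scheduled run of check_decoys every few seconds is enough to catch an encryptor early; the entropy check separates real encryption from a user or sync client that merely re-saves a file.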
Beware of distribution points
A now-classic strategy, seen in the Kaseya incident, is to compromise software and update distribution points in order to deploy ransomware at scale.
Any software that installs updatable agents or services on endpoints can be the target of a similar attack, and the tactics in the table in the previous section are the best defense against it.
We want to draw attention to two distribution points for ransomware that are present in almost every organization:
Active Directory
SCCM
With recent disclosures of serious vulnerabilities, the Print Nightmare vulnerability for example, both Active Directory and SCCM are at risk of being targeted by any ransomware that leverages such a vulnerability to spread.
Here are four suggestions for actively defending against the techniques used in such a scenario.
| Phase | Technique | Active Defense Tactic |
|---|---|---|
| Internal recon (Active Directory) | Query Active Directory for privileged users with rights to create a group policy | Plant decoy users in privileged groups and OUs |
| Internal recon (Active Directory) | Query Active Directory for SCCM servers | Plant decoy systems with attributes consistent with SCCM servers |
| Lateral movement via zero days like Print Nightmare | Use the Print Nightmare vulnerability to obtain RCE on domain controllers and SCCM servers | Disable the print spooler service on domain controllers and SCCM servers; plant a decoy system on the network whose hostname and DNS record indicate it is an SCCM server |
| Lateral movement | Creation of a new group policy or SCCM policy to distribute the encryptor | Monitor and log the creation of new policies |
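Three of the four rows above turn into detections on domain telemetry once the decoys exist. The following is an added example, not code from the original post: it correlates constructed Windows Security and Sysmon records against a honeytoken account placed in a privileged group (any Kerberos TGT request or logon for it is an alert, since the account has no legitimate use), a decoy host advertised as an SCCM server (DNS lookups for it and logons to it), and the creation of a new Group Policy object (Security event 5137 on a groupPolicyContainer, which needs "Audit Directory Service Changes" enabled on the domain controllers). Account names, host names, the domain, the GPO GUID and the IP addresses are assumptions; the event IDs and field names are those of the Windows Security log and Sysmon.

```python
"""Correlate Windows event records against Active Directory decoys.

Added example (not from the original post). Decoy account and host names,
the domain and the addresses are hypothetical; event IDs and field names
are those of the Windows Security log (4768, 4624, 5137) and Sysmon (22).
The records below are constructed, not captured.
"""
from dataclasses import dataclass, field

DECOY_USERS = {"svc_backup_admin", "gpo-admin2"}   # honeytoken accounts in privileged groups
DECOY_HOSTS = {"sccm-pri02"}                        # decoy advertised by hostname/DNS as SCCM
DOMAIN_SUFFIX = ".corp.example"                     # hypothetical AD DNS domain


@dataclass
class Event:
    source: str                 # "security" or "sysmon"
    event_id: int
    computer: str               # machine that logged the record
    fields: dict[str, str] = field(default_factory=dict)


def _ip(raw: str) -> str:
    """Security events report IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return raw[7:] if raw.lower().startswith("::ffff:") else raw


def evaluate(ev: Event) -> list[str]:
    """Reasons an event touches a decoy (or creates a GPO); empty if benign."""
    reasons: list[str] = []
    f = ev.fields
    if ev.source == "security":
        target = f.get("TargetUserName", "").lower()
        subject = f.get("SubjectUserName", "").lower()
        if ev.event_id in (4768, 4624) and target in DECOY_USERS:
            reasons.append("decoy-user-authentication")
        if ev.event_id == 4624 and ev.computer.lower() in DECOY_HOSTS:
            reasons.append("logon-to-decoy-host")
        if ev.event_id == 5137 and f.get("ObjectClass", "").lower() == "grouppolicycontainer":
            # 5137 is only produced with Directory Service Changes auditing on.
            reasons.append("new-gpo-created")
            if subject in DECOY_USERS:
                reasons.append("decoy-user-activity")
    elif ev.source == "sysmon" and ev.event_id == 22:
        name = f.get("QueryName", "").lower().removesuffix(DOMAIN_SUFFIX)
        if name in DECOY_HOSTS:
            reasons.append("decoy-host-dns-lookup")
    return reasons


def detect(events: list[Event]) -> list[dict]:
    """One alert per matching event, with the machine it points back to."""
    alerts = []
    for ev in events:
        reasons = evaluate(ev)
        if not reasons:
            continue
        if "IpAddress" in ev.fields:
            origin = _ip(ev.fields["IpAddress"])          # client seen by the DC / decoy host
        elif ev.source == "sysmon":
            origin = ev.computer                           # the host that did the lookup
        else:
            origin = None                                  # directory change: no client address
        alerts.append({"event_id": ev.event_id, "logged_by": ev.computer,
                       "origin": origin, "reasons": reasons})
    return alerts


def attacker_origins(events: list[Event]) -> list[str]:
    """Distinct machines (client IP or querying host) behind the decoy alerts."""
    return sorted({a["origin"] for a in detect(events) if a["origin"]})


# Constructed sample records (hypothetical names, addresses and GUID).
SAMPLE_EVENTS = [
    Event("security", 4768, "DC01", {"TargetUserName": "svc_backup_admin",
                                     "IpAddress": "::ffff:10.20.5.17"}),
    Event("sysmon", 22, "WS-017", {"QueryName": "sccm-pri02.corp.example",
                                   "Image": r"C:\Windows\Temp\agent.exe"}),
    Event("security", 4624, "SCCM-PRI02", {"TargetUserName": "svc_backup_admin",
                                           "LogonType": "3", "IpAddress": "10.20.5.17"}),
    Event("security", 5137, "DC01", {"ObjectDN": "CN={8f0c2a7e-3a1b-4f8e-9c2d-1e5a6b7c8d90},"
                                                 "CN=Policies,CN=System,DC=corp,DC=example",
                                     "ObjectClass": "groupPolicyContainer",
                                     "SubjectUserName": "svc_backup_admin"}),
    Event("security", 4624, "DC01", {"TargetUserName": "alice", "LogonType": "3",
                                     "IpAddress": "::ffff:10.20.7.3"}),
    Event("security", 5137, "DC01", {"ObjectDN": "CN=PRN-042,OU=Printers,DC=corp,DC=example",
                                     "ObjectClass": "printQueue", "SubjectUserName": "printadmin"}),
    Event("sysmon", 22, "WS-042", {"QueryName": "www.example.com",
                                   "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print("origins to isolate:", attacker_origins(SAMPLE_EVENTS))
```

On the sample data the decoy account is used from 10.20.5.17, the decoy SCCM host is looked up by an executable in C:\Windows\Temp on WS-017, and a new GPO is created under the decoy account, which is the distribution step from the last row of the table.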
Closing Notes
Organizations should expect that any major vulnerability disclosed is likely to become a target for spreading ransomware.
Due to the unpredictability of TTPs that may be used in individual incidents, we advise organizations to adopt a wider array of Active Defense techniques to build resilience against a variety of ransomware operator strategies.
We also encourage organizations to adopt Active Defense and deception strategies in the following parts of their IT environment:
DMZ (both external and internal segments)
Data center segments hosting business-critical applications, to catch east-west lateral movement
Active Directory
Privileged endpoints
Endpoints of personnel interacting with sensitive applications
Learn more about Kaseya Supply-Chain ransomware attack by viewing our webinar hosted by ThreatlabZ.