Over the past few weeks, the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with various parties including the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN), has released a veritable barrage of Cybersecurity Alerts relating to ransomware (#StopRansomware). There is no shortage of threat actors that continue to leverage ransomware, primarily for financial gain.
Here are the four latest entries to the Infoblox Ransomware Hall of Infamy, as CISA has alerted us over the past few weeks. Note that we cite MITRE ATT&CK techniques directly in brackets:
Vice Society Leverages Hello Kitty/Five Hands and Zeppelin Ransomware to Target K-12 Education
Vice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021 and frequently deploys versions of Hello Kitty/Five Hands and Zeppelin ransomware, but may deploy other variants in the future.
Per the CISA Alert, Vice Society actors likely obtain initial network access through compromised credentials by exploiting internet-facing applications [T1190—note this is a MITRE ATT&CK technique]. Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrating data [TA0010] for double extortion–a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom. Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally. They have also used “living off the land” techniques targeting the legitimate Windows Management Instrumentation (WMI) service [T1047] and tainting shared content [T1080].
Vice Society actors have been observed exploiting the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) to escalate privileges [T1068]. To maintain persistence, the criminal actors have been observed leveraging scheduled tasks [T1053], creating undocumented autostart Registry keys [T1547.001], and pointing legitimate services to their custom malicious dynamic link libraries (DLLs) through a tactic known as DLL side-loading [T1574.002]. Vice Society actors attempt to evade detection through masquerading their malware and tools as legitimate files [T1036], using process injection [T1055], and likely use evasion techniques to defeat automated dynamic analysis [T1497]. Vice Society actors have been observed escalating privileges, then gaining access to domain administrator accounts, and running scripts to change the passwords of victims’ network accounts to prevent the victim from remediating.
For more information on Vice Society’s ransomware attacks, incidents of compromise, and more, please review the full alert here: https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
Zeppelin Ransomware Targets Business and Government
Zeppelin ransomware is an offshoot of the Delphi-based Vega malware family and functions as a Ransomware as a Service (RaaS). From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.
Per the CISA Alert, Zeppelin actors gain access to victim networks via RDP exploitation [T1133], exploiting SonicWall firewall vulnerabilities [T1190], and phishing campaigns [T1566]. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups [TA0007]. Zeppelin actors can deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.
Prior to encryption, Zeppelin actors exfiltrate [TA0010] sensitive company data files to sell or publish in the event the victim refuses to pay the ransom. Once the ransomware is executed, a randomized nine-digit hexadecimal number is appended to each encrypted file as a file extension, e.g., file.txt.txt.C59-E0C-929 [T1486]. A ransom note file is left on compromised systems, frequently on the desktop.
For more information on Zeppelin ransomware, incidents of compromise, and more, please review the full alert here: https://www.cisa.gov/uscert/ncas/alerts/aa22-223a
North Koreans Are Using Maui Ransomware to Target Healthcare
Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown.
Per the CISA Alert, Maui ransomware (maui.exe) is an encryption binary. According to industry analysis of a sample of Maui (SHA256: 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e) provided in Stairwell Threat Report: Maui Ransomware, the ransomware appears to be designed for manual execution [TA0002] by a remote actor. The remote actor uses a command-line interface [T1059.008] to interact with the malware and to identify files to encrypt.
Maui uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt [T1486] target files:
- Maui encrypts target files with AES 128-bit encryption. Each encrypted file has a unique AES key, and each file contains a custom header with the file’s original path, allowing Maui to identify previously encrypted files. The header also contains encrypted copies of the AES key.
- Maui encrypts each AES key with RSA encryption.
- Maui loads the RSA public (maui.key) and private (maui.evd) keys from the same directory as itself.
- Maui encodes the RSA public key (maui.key) using XOR encryption. The XOR key is generated from hard drive information (\\.\PhysicalDrive0).
During encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW(). Maui uses the temporary file to stage output from encryption. After encrypting files, Maui creates maui.log, which contains output from Maui execution. Actors likely exfiltrate [TA0010] maui.log and decrypt the file using associated decryption tools. See Stairwell Threat Report: Maui Ransomware for additional information on Maui ransomware, including YARA rules and a key extractor.
For more information on Maui ransomware and related North Korean malicious activity, incidents of compromise, and more, please review the full alert here: https://www.cisa.gov/uscert/ncas/alerts/aa22-187a
MedusaLocker Ransomware Still Relies On Remote Desktop Protocol to Gain Access
MedusaLocker ransomware actors most often gain access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations [T1133]. Actors also frequently use email phishing and spam email campaigns—directly attaching the ransomware to the email—as initial intrusion vectors [T1566].
Per the CISA Alert, MedusaLocker ransomware uses a batch file to execute PowerShell script invoke-ReflectivePEInjection [T1059.001]. This script propagates MedusaLocker throughout the network by editing the EnableLinkedConnections value within the infected machine’s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and to detect shared storage via Server Message Block (SMB) Protocol.
MedusaLocker then:
- Restarts the LanmanWorkstation service, which allows registry edits to take effect.
- Kills the processes of well-known security, accounting, and forensic software.
- Restarts the machine in safe mode to avoid detection by security software [T1562.009].
- Encrypts victim files with the AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key [T1486].
- Runs every 60 seconds, encrypting all files except those critical to the functionality of the victim’s machine and those that have the designated encrypted file extension.
- Establishes persistence by copying an executable (svhost.exe or svhostt.exe) to the %APPDATA%\Roaming directory and scheduling a task to run the ransomware every 15 minutes.
- Attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies [T1490].
MedusaLocker actors place a ransom note into every folder containing a file with the victim’s encrypted data. The note outlines how to communicate with the MedusaLocker actors, typically providing victims one or more email addresses at which the actors can be reached. The size of MedusaLocker ransom demands appears to vary depending on the victim’s financial status as perceived by the actors.
For more information on MedusaLocker ransomware, incidents of compromise, and more, please review the full alert here: https://www.cisa.gov/uscert/ncas/alerts/aa22-181a
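As an added example (not code from this post or from the CISA alerts), the following Python triage routine scans a constructed host inventory for the on-disk artifacts the three sections above describe: Zeppelin's nine-digit hex extension, Maui's key files sitting beside maui.exe, and MedusaLocker's svhost.exe/svhostt.exe under AppData\Roaming paired with a short-interval scheduled task. The inventory record layout, including the name|interval_minutes|command task format, is an assumption for the example.

```python
import re

# Constructed host inventory (not from the alerts). Each record is (kind, value):
# "file" carries a path; "task" carries "name|interval_minutes|command" (assumed format).
CONSTRUCTED_INVENTORY = [
    ("file", r"C:\Users\alice\Documents\report.docx.docx.C59-E0C-929"),
    ("file", r"C:\Users\alice\Documents\budget.xlsx"),
    ("file", r"C:\Temp\maui.exe"),
    ("file", r"C:\Temp\maui.key"),
    ("file", r"C:\Temp\maui.evd"),
    ("file", r"C:\Users\bob\AppData\Roaming\svhostt.exe"),
    ("file", r"C:\Windows\System32\svchost.exe"),  # legitimate, must not be flagged
    ("task", r"Updater|15|C:\Users\bob\AppData\Roaming\svhostt.exe"),
    ("task", r"Backup|1440|C:\Program Files\Backup\backup.exe"),
]

# Zeppelin appends a randomized nine-digit hex number as three groups, e.g. .C59-E0C-929
ZEPPELIN_EXT = re.compile(r"\.[0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3}$", re.IGNORECASE)
# Maui loads its RSA keys (maui.key, maui.evd) from the directory holding maui.exe
MAUI_FILES = {"maui.exe", "maui.key", "maui.evd", "maui.log"}
# MedusaLocker copies svhost.exe / svhostt.exe (note: not svchost.exe) under AppData\Roaming
MEDUSA_EXE = re.compile(r"\\AppData\\Roaming\\svhostt?\.exe$", re.IGNORECASE)
MEDUSA_TASK_MAX_MINUTES = 15  # the alert reports a task firing every 15 minutes


def triage(inventory):
    """Return (indicator, evidence) pairs for records matching the described artifacts."""
    findings = []
    maui_dirs = {}  # directory -> set of Maui file names seen there
    for kind, value in inventory:
        if kind == "file":
            directory, _, name = value.rpartition("\\")
            if ZEPPELIN_EXT.search(name):
                findings.append(("zeppelin_extension", value))
            if name.lower() in MAUI_FILES:
                maui_dirs.setdefault(directory, set()).add(name.lower())
            if MEDUSA_EXE.search(value):
                findings.append(("medusalocker_binary", value))
        elif kind == "task":
            task_name, interval, command = value.split("|", 2)
            short = interval.isdigit() and int(interval) <= MEDUSA_TASK_MAX_MINUTES
            if short and MEDUSA_EXE.search(command):
                findings.append(("medusalocker_task", task_name))
    # Only report Maui when the binary and at least one key file sit in the same directory
    for directory, names in maui_dirs.items():
        if "maui.exe" in names and names & {"maui.key", "maui.evd"}:
            findings.append(("maui_keys_beside_binary", directory))
    return findings


if __name__ == "__main__":
    for indicator, evidence in triage(CONSTRUCTED_INVENTORY):
        print(f"{indicator}: {evidence}")
```

Running it against the constructed inventory reports four findings and leaves the legitimate svchost.exe and the daily backup task alone.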
Suggested Mitigations to Potential Ransomware Attacks
The following mitigations can help limit potential adversarial use of common system and network discovery techniques and reduce the risk of compromise by ransomware:
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies:
  - Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;
  - Store passwords in hashed format using industry-recognized password managers;
  - Add password user “salts” to shared login credentials;
  - Avoid reusing passwords;
  - Implement multiple failed login attempt account lockouts;
  - Disable password “hints”;
  - Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
- Require administrator credentials to install software.
- Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
- Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections, as they have insight into common and uncommon network connections for each host.
- Install, regularly update, and enable real-time detection for antivirus software on all hosts.
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
- Disable unused ports.
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
- Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
- Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, the organization ensures it will not be severely interrupted or left with irretrievable data.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
- Implement comprehensive DNS security—see the next part of this blog.
DNS Security is a Core Part of Ransomware Mitigation Strategy
DNS is almost always part of the kill chain of a cyberattack, including ransomware, and can be used as a C&C channel, for malware download, and for data exfiltration. Your clouds, on-premise resources, IT/OT environments and remote/roaming workers all need DNS security as a way to monitor and protect against cyberattacks.
Attackers may, in some cases, use malicious domains and IP addresses that could already have a reputation and may be identified by using threat intelligence on your DNS infrastructure. In addition, the behavior and context of DNS queries may provide the essential indicators you need to identify and stop a zero-day attack and more advanced threats.
It is important to remember that standard security controls and technologies such as next-gen firewalls, IPS, and gateways do not monitor DNS for detecting malicious communications. These security controls, while very important, often cannot stop specific attacks such as DNS data exfiltration. Worse yet, they are not able to detect the subtle threats from newly registered and observed domains that could be used to launch attacks. DNS security provides visibility and protection against such threats, which is especially important in today’s uncertain environment, where there is an increase in cyberattacks associated with nation states.
DNS security is designed to prevent users’ connection to malicious destinations and detect anomalous behavior in the networks, advanced persistent threat activity, botnet communications, DNS tunneling, and data exfiltration. DNS logs also contain a wealth of information for a more efficient incident response. DNS logs are a highly effective way to see what resources a client has been accessing historically. DHCP fingerprint and IPAM metadata provide contextual information on compromised devices such as type of device, OS information, network location and current and historical IP address allocations. All this information helps with event correlation and determining the scope of an ongoing breach, while tying DNS requests to a device and user.
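As an added example (not from this post or from any Infoblox product), the following Python heuristic runs over constructed resolver log lines and flags a client/domain pair whose queries carry long, high-entropy leftmost labels with almost no repeats, the shape that DNS tunneling and data exfiltration take, while letting a busy CDN domain with many short subdomains through. The log format, the thresholds and the two-label registered-domain rule are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (not from the post): "<client_ip> <qtype> <qname>".
CONSTRUCTED_DNS_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.5 A img1.example.com
10.0.0.5 A img2.example.com
10.0.0.5 A api.example.com
10.0.0.7 TXT k7m2x9q4z1w8v5t3.c2.badexample.test
10.0.0.7 TXT p0r6s8n2j4h1g9f3.c2.badexample.test
10.0.0.7 TXT b3c5d7e9f1a2g4h6.c2.badexample.test
10.0.0.7 TXT u5y7i9o1p3a2s4d6.c2.badexample.test
10.0.0.7 TXT q2w4e6r8t0y1u3i5.c2.badexample.test
10.0.0.7 A mail.example.com
""".splitlines()


def shannon_entropy(label):
    """Bits per character; encoded payloads score near the maximum for their alphabet."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def split_qname(qname):
    """Assumption: registered domain = last two labels. Production code should use the
    public suffix list so names like example.co.uk are grouped correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def dns_exfil_candidates(lines, min_queries=5, min_unique_ratio=0.9,
                         min_label_len=12, min_entropy=3.0):
    """Flag (client, domain) pairs whose queries look like encoded data carried in labels.
    A busy CDN domain has many unique names but short, low-entropy labels, so it passes."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(), "suspicious": 0})
    for line in lines:
        client, _qtype, qname = line.split()
        domain, subs = split_qname(qname)
        st = stats[(client, domain)]
        st["queries"] += 1
        st["unique"].add(qname)
        first = subs[0] if subs else ""  # leftmost label carries the payload in tunneling tools
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            st["suspicious"] += 1
    flagged = []
    for (client, domain), st in stats.items():
        unique_ratio = len(st["unique"]) / st["queries"]
        if (st["queries"] >= min_queries and unique_ratio >= min_unique_ratio
                and st["suspicious"] >= min_queries):
            flagged.append((client, domain))
    return flagged
```

On the constructed log only the 10.0.0.7 client talking to badexample.test is flagged; the five distinct example.com subdomains queried by 10.0.0.5 are not, because their labels are short and low-entropy.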
In light of the likely sources of these attacks, it is important to note that BloxOne Threat Defense also addresses EECN IPs. This is a policy-based feed containing IPs of countries in Eastern Europe and China that are frequently cited as sources of cyberattacks seeking intellectual property or other sensitive or classified data, as well as theft of credit card or financial information. It is natural to expect their presence in the midst of the ongoing barrage of ransomware activity.
Let’s not forget that DNS security is a mainstream security control. A June 2021 Gartner report recommends organizations leverage DNS logs for threat detection and forensic purposes with their Security Information and Event Management platforms.
To find out more about how Infoblox can help, please reach out to us via https://info.infoblox.com/contact-form/.
Russia’s invasion of Ukraine could impact organizations both within and beyond the region, including malicious cyber activity against the U.S. homeland, in response to the unprecedented economic sanctions imposed on Russia by the U.S. and our allies and partners. Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks. Every organization—large and small—must be prepared to respond to disruptive cyber incidents. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks. When cyber incidents are reported quickly, we can use this information to render assistance and as a warning to prevent other organizations and entities from falling victim to a similar attack.
Organizations should report anomalous cyber activity and/or cyber incidents 24/7 to report@cisa.gov or (888) 282-0870.