Targeted Sectors: Education, Healthcare
On September 6, 2022, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) that shares indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with attacks conducted by the Vice Society adversary. This release is a follow-up to a previous alert about the Zeppelin ransomware and is a continuation of the US-CERT’s #StopRansomware effort to inform defenders about ransomware variants and the threat actors behind the attacks.
According to the US-CERT Alert and Cisco Talos reporting, the adversary has primarily targeted small to midsize victims, while notably targeting public school districts and other educational institutions, especially kindergarten through twelfth grade (K-12) institutions. The threat actor has been observed conducting big-game hunting (BGH) and double-extortion attacks. They operate a data leak site, which is used to publish exfiltrated data of victims that choose not to pay the requested ransom.
Vice Society has typically gained initial network access through compromised credentials or by exploiting internet-facing applications. The actors focus their efforts on exploring the victim’s network, identifying targets of opportunity, and exfiltrating data prior to deploying ransomware. Vice Society has been observed using the HelloKitty and Zeppelin ransomware-as-a-service families.
AttackIQ has released a new attack graph emulating a Vice Society attack to help customers validate their security controls and their ability to defend against this threat actor and others who utilize similar behaviors.
Validating your security program performance against this specific threat actor’s behaviors is paramount in reducing risk. By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against malicious techniques currently utilized by a very active threat actor.
- Assess their security posture against an actor who can take multiple paths to success for persistence and discovery tactics.
- Continuously validate detection and prevention pipelines beyond the initial access exploit, as Vice Society will adopt new exploits over time.
Attack Graph – [US-CERT AA22-249A] #StopRansomware: Vice Society Deploys Zeppelin Ransomware
The attack graph starts immediately after Vice Society has gained initial access to a victim’s network. The actor will immediately begin setting up persistence and using file names and services that masquerade as legitimate tools or system processes.
Create or Modify System Process: Windows Service (T1543.003): Creates a new service called “Updater” using the native “sc.exe” utility.
Registry Run Keys / Startup Folder (T1547.001): If the service cannot be created, the attack graph pivots and attempts to create registry startup values named “explorer.exe” in both the Run and RunOnce keys.
Masquerading: Match Legitimate Name or Location (T1036.005): Renames an executable to “rundll32.exe” and executes it from the “%TEMP%” directory.
After persistence has been achieved, the actor begins to discover details about the infected host and its Active Directory environment.
System Owner/User Discovery (T1033): Executes the native “query user” and “whoami” commands to obtain details of the logged-on user accounts.
Permission Groups Discovery: Domain Groups (T1069.002): The actor uses the “net.exe” utility to list the members of the “Enterprise Admins” domain group.
Domain Trust Discovery (T1482): The native “nltest” binary is used to list all of the domain trust relationships for the domain the workstation is joined to.
With additional targets identified, the actor begins weakening the security of the infected host so that access is easier to maintain and additional attack surface is opened up.
Ingress Tool Transfer (T1105): Downloads and saves a sample of “PsExec” that the actor would later use to move laterally.
Inhibit System Recovery (T1490): Runs “vssadmin.exe” to delete a recent Volume Shadow Copy created by the attack graph.
Modify Registry (T1112): Sets the “DisableRestrictedAdmin” value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa to “0”. Despite the name, a value of 0 turns Restricted Admin Mode on rather than off; the practical effect for the actor is that the host then accepts RDP logons authenticated with only an NT hash (pass-the-hash over RDP) instead of requiring a cleartext password.
Impair Defenses: Disable or Modify Tools (T1562.001): Uses PowerShell to set the “DisableAntiSpyware” value under the Windows Defender policy key, which prevents Microsoft Defender Antivirus from starting after the next reboot. Note that Microsoft deprecated this setting in August 2020 and current Defender platform builds ignore it when Defender is the active antivirus, so on an up-to-date host the value of this step lies in detecting the attempt rather than in its effect.
With the system’s defenses degraded, the actor can abuse native Windows functionality to launch payloads.
System Binary Proxy Execution: Rundll32 (T1218.011): “Rundll32.exe” is used to execute a DLL by naming the export to call once the library is loaded.
Hijack Execution Flow: DLL Side-Loading (T1574.002): Bundles a DLL with a Windows executable that is susceptible to DLL side-loading in order to execute actor code.
Before beginning the final ransomware process, Vice Society will want to dump additional credentials and attempt to move laterally to other hosts to increase the impact of their attack.
OS Credential Dumping: LSASS Memory (T1003.001): Uses “rundll32.exe” with “comsvcs.dll” to call the “MiniDump” export, which dumps the LSASS process memory to disk. This process memory contains a variety of credential material and can be passed to additional dumping tools to extract credentials.
Remote Services: Remote Desktop Protocol (T1021.001): Attempts to use Remote Desktop to move laterally to additional hosts and identify additional data for exfiltration and extortion.
Vice Society has recently been observed using the Zeppelin ransomware as the final stage of their attack.
Data Encrypted for Impact (T1486): Downloads and saves to disk a sample of the Zeppelin ransomware used by Vice Society.
Opportunities for Extending the Attack Graph
In addition to this new attack graph, there are additional stand-alone scenarios that can be added to the attack graph or run as part of a separate assessment if customers have the appropriate environments.
Dump Active Directory Database (T1003.003): One of the threat actor’s end goals is to obtain a copy of the Active Directory database so that it can be attacked offline. Ransomware actors are routinely observed dumping the NTDS.dit database from a domain controller once administrative access has been achieved. This scenario needs to be executed on a Domain Controller asset.
PrintNightmare (CVE-2021-34527) LPE Exploit Script (T1068): Cisco reported that PrintNightmare was used by Vice Society as part of their initial access exploits. This scenario is meant to be executed on an asset vulnerable to this exploit in order to validate any compensating controls that may be in place if the system cannot be patched.
Detection and Mitigation Opportunities
With so many different techniques being utilized by threat actors, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Persistence using Windows Service (T1543.003) and Registry Run Keys (T1547.001)
The threat actors in this report utilized two different methods to maintain persistence in their victims’ environments. Concerned about losing access, they take steps to ensure they remain on the infected host after reboots or partial remediation efforts. Disrupting their ability to maintain a foothold helps prevent their immediate return.
1a. Detections
Behavioral detections in EDR and SIEM products can be used to detect and/or prevent the creation of Run-key values and Windows services. Because the attack graph writes a value named “explorer.exe” to both the Run and RunOnce keys, the rule should key on “reg add” against either key rather than on a particular payload name:
Registry Run Detection:
Process Name == (cmd.exe or powershell.exe or reg.exe)
Command Line CONTAINS ('reg add' AND ('\CurrentVersion\Run' OR '\CurrentVersion\RunOnce'))
Windows Service Detection:
Process Name == (cmd.exe or powershell.exe or sc.exe)
Command Line CONTAINS (('sc' or 'sc.exe') AND 'create' AND 'binpath=' AND 'start= auto')
Treat a binpath that points into a user-writable location such as %TEMP% or C:\Users\Public as a high-confidence hit; a binpath that names a trusted executable still merits review, since the attack graph’s “Updater” service points at a masqueraded binary.
1b. Mitigations
MITRE’s mitigations for Registry Run Keys / Startup Folder (T1547.001)
- Although MITRE does not provide specific mitigations for this technique, it is advised that application control be enforced for non-administrative users to block reg.exe and regedit.exe and so prevent misuse of this Windows feature.
MITRE’s mitigations for Windows Service (T1543.003)
- M1047 – Audit
- M1028 – Operating System Configuration
- M1045 – Code Signing
- M1018 – User Account Management
- M1040 – Behavior Prevention on Endpoint
2. Defense Evasion using Disable or Modify Tools (T1562.001):
Once a threat actor has gained a foothold in a network, one of the steps they may take to reduce the chance of being seen is to disable security controls on the endpoint or in the environment. A common default security control on Windows devices is Microsoft Defender, which actors frequently attempt to disable early in the attack.
2a. Detections
Process Name == (powershell.exe or cmd.exe or reg.exe)
Command Line CONTAINS (("New-ItemProperty" OR "Set-ItemProperty" OR "reg add") AND "Windows Defender" AND "DisableAntiSpyware")
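The three command-line rules above (the Run-key and service rules in 1a and the Defender rule in 2a) rendered as runnable detection logic, as an added example that is not part of the original AttackIQ post or platform. It runs over a handful of constructed process-creation records shaped like Sysmon Event ID 1 fields (the record IDs, account names and file paths are invented for the example), matches case-insensitively, and goes slightly beyond the rule text by also accepting reg.exe and sc.exe launched directly rather than through cmd.exe or PowerShell, and by catching Set-ItemProperty and reg.exe writes to DisableAntiSpyware.

```python
"""Command-line detections for Run/RunOnce key writes, sc.exe service creation
and writes to Defender's DisableAntiSpyware value. Added example; the events
below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """Fields of a process-creation record (Sysmon 1 / Security 4688) the rules use."""
    record_id: int
    image: str          # full path of the created process
    command_line: str
    user: str


# Processes whose command line is inspected: the shells named in the rule text
# plus reg.exe and sc.exe themselves, which an actor may launch without a shell.
WATCHED_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "reg.exe", "sc.exe"}

REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\b", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?\b", re.I)
REG_VALUE = re.compile(r"/v\s+\"?([^\"\s]+)", re.I)
# 'sc [\\server] create <name> ...'
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?create\s+(\S+)", re.I)
DEFENDER_WRITE = re.compile(r"new-itemproperty|set-itemproperty|\breg(?:\.exe)?\s+add\b", re.I)


def _sc_arg(cmd: str, key: str) -> Optional[str]:
    """Extract an sc.exe 'key= value' argument (quoted or bare); sc.exe itself
    requires the space after '=', so the regex allows any whitespace there."""
    m = re.search(rf"\b{key}=\s*(?:\"([^\"]*)\"|(\S+))", cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def rule_run_key(ev: ProcessEvent) -> Optional[str]:
    """T1547.001: 'reg add' targeting a Run or RunOnce key."""
    key = RUN_KEY.search(ev.command_line)
    if not (REG_ADD.search(ev.command_line) and key):
        return None
    value = REG_VALUE.search(ev.command_line)
    return f"write to {key.group(0)} value={value.group(1) if value else '?'}"


def rule_service_create(ev: ProcessEvent) -> Optional[str]:
    """T1543.003: 'sc create' with a binpath and automatic start."""
    m = SC_CREATE.search(ev.command_line)
    if not m:
        return None
    binpath = _sc_arg(ev.command_line, "binpath")
    start = _sc_arg(ev.command_line, "start")
    if binpath is None or (start or "").lower() != "auto":
        return None
    return f"service {m.group(1)} created with binpath={binpath}"


def rule_defender_disable(ev: ProcessEvent) -> Optional[str]:
    """T1562.001: any registry write naming DisableAntiSpyware, from PowerShell
    cmdlets or from reg.exe."""
    if "disableantispyware" in ev.command_line.lower() and DEFENDER_WRITE.search(ev.command_line):
        return "DisableAntiSpyware written under the Windows Defender policy key"
    return None


RULES: List[Callable[[ProcessEvent], Optional[str]]] = [
    rule_run_key, rule_service_create, rule_defender_disable,
]


def run_detections(events):
    """Apply every rule to every watched process event; return hits in event order."""
    hits = []
    for ev in events:
        if ev.image.rsplit("\\", 1)[-1].lower() not in WATCHED_IMAGES:
            continue
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append({"rule": rule.__name__[len("rule_"):], "record_id": ev.record_id,
                             "user": ev.user, "detail": detail})
    return hits


# Constructed sample events mirroring the attack-graph steps, plus two benign
# administrative commands (5 and 6) that must not alert.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v explorer.exe /t REG_SZ /d "C:\Users\Public\explorer.exe" /f',
                 "CORP\\jdoe"),
    ProcessEvent(2, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c sc create Updater binpath= "C:\Windows\Temp\rundll32.exe" start= auto',
                 "CORP\\jdoe"),
    ProcessEvent(3, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoP -C New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force",
                 "CORP\\jdoe"),
    ProcessEvent(4, r"C:\Windows\System32\reg.exe",
                 r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
                 "NT AUTHORITY\\SYSTEM"),
    ProcessEvent(5, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"',
                 "CORP\\helpdesk"),
    ProcessEvent(6, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c sc query wuauserv", "CORP\\helpdesk"),
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

Matching on the full command line rather than on fixed substrings is what keeps the service rule tolerant of `sc.exe`, a leading `\\server` argument and quoted versus bare `binpath=` values; in a real SIEM the same three predicates map directly onto the process name and command-line fields of the rules above.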
2b. Mitigations
MITRE’s mitigations for Impair Defenses: Disable or Modify Tools (T1562.001)
- M1022 – Restrict File and Directory Permissions
- M1024 – Restrict Registry Permissions
- M1018 – User Account Management
3. Lateral Movement using Remote Desktop Protocol (T1021.001)
Prior to deploying ransomware, the threat actor may attempt to move laterally to other devices to widen the impact. A common method for lateral movement in a Windows environment is Remote Desktop Protocol over TCP port 3389.
3a. Detections
For detecting lateral movement attempts with Remote Desktop Protocol, we recommend ingesting Windows Security event logs into your SIEM product, along with the logs of any third-party multi-factor authentication service.
Although every SIEM is different, ideally an alert can be created that looks for Windows logon events (event ID 4624 with logon type 10, RemoteInteractive) showing several successful logons followed by MFA failures for the same account. This pattern indicates that an actor holds valid credentials to pivot with but cannot fully authenticate because of the multi-factor control.
Additionally, maintaining a baseline table of previous RDP logons (user, source and destination host) and comparing new logons against it will surface an unusual user or an unusual destination of RDP authentications. A good example of this type of rule can be found here: Azure-Sentinel – Rare RDP Connections
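Both analytics described in 3a, the baseline comparison for rare RDP pairs and the successful-logon-then-MFA-failure correlation, as an added example that is not part of the original post or of the Azure Sentinel rule it links to. The logon and MFA records are constructed (host names, accounts and addresses are invented): twelve days of routine RDP use form the baseline, and the last day contains a known account reaching hosts it never reached before, followed by MFA failures. The window sizes, the 14-day history and the two-failure threshold are assumptions to tune per environment.

```python
"""RDP lateral-movement analytics over 4624/type-10 logons and MFA provider
events. Added example; all records below are constructed, not real logs."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class RdpLogon:
    """Subset of Windows event 4624 with LogonType 10 (RemoteInteractive)."""
    time: datetime
    dst_host: str   # Computer field: the host that accepted the RDP session
    user: str       # TargetUserName
    src_ip: str     # IpAddress


@dataclass(frozen=True)
class MfaEvent:
    """Normalised record from a third-party MFA provider's log."""
    time: datetime
    user: str
    success: bool


def rare_rdp_pairs(logons: List[RdpLogon], now: datetime,
                   lookback=timedelta(days=1), history=timedelta(days=14)) -> List[RdpLogon]:
    """Return recent type-10 logons whose (user, destination host) pair never
    appeared in the history window: the 'unusual recipient of RDP' case."""
    baseline = {(l.user, l.dst_host) for l in logons
                if now - history <= l.time < now - lookback}
    return [l for l in logons
            if l.time >= now - lookback and (l.user, l.dst_host) not in baseline]


def rdp_then_mfa_failures(logons: List[RdpLogon], mfa_events: List[MfaEvent],
                          window=timedelta(minutes=5), min_failures=2) -> List[Tuple[RdpLogon, int]]:
    """Return (logon, failure_count) for every RDP logon followed within `window`
    by at least `min_failures` MFA failures for the same account: credentials
    are valid, but the second factor is not in the actor's hands."""
    alerts = []
    for logon in logons:
        fails = [m for m in mfa_events
                 if m.user == logon.user and not m.success
                 and logon.time <= m.time <= logon.time + window]
        if len(fails) >= min_failures:
            alerts.append((logon, len(fails)))
    return alerts


NOW = datetime(2022, 9, 10, 12, 0)


def build_sample_events(now: datetime = NOW):
    """Constructed telemetry: days 2..13 before `now` are routine (jdoe -> WS-01,
    helpdesk -> WS-01/WS-02), the last 24 hours contain the suspicious pattern."""
    logons, mfa = [], []
    for d in range(2, 14):
        t = now - timedelta(days=d, hours=4)
        logons.append(RdpLogon(t, "WS-01", "CORP\\jdoe", "10.0.1.5"))
        logons.append(RdpLogon(t, "WS-01" if d % 2 else "WS-02", "CORP\\helpdesk", "10.0.2.20"))
        mfa.append(MfaEvent(t + timedelta(seconds=30), "CORP\\jdoe", True))
    logons += [
        RdpLogon(now - timedelta(hours=3), "WS-02", "CORP\\helpdesk", "10.0.2.20"),   # known pair
        RdpLogon(now - timedelta(hours=2), "WS-01", "CORP\\jdoe", "10.0.1.5"),        # known pair
        RdpLogon(now - timedelta(minutes=60), "FS-01", "CORP\\jdoe", "10.0.1.5"),     # never seen
        RdpLogon(now - timedelta(minutes=50), "DC-01", "CORP\\jdoe", "10.0.1.5"),     # never seen
    ]
    mfa += [
        MfaEvent(now - timedelta(hours=3) + timedelta(seconds=20), "CORP\\helpdesk", True),
        MfaEvent(now - timedelta(hours=2) + timedelta(seconds=20), "CORP\\jdoe", True),
        MfaEvent(now - timedelta(minutes=59), "CORP\\jdoe", False),   # after the FS-01 logon
        MfaEvent(now - timedelta(minutes=58), "CORP\\jdoe", False),
    ]
    return logons, mfa


if __name__ == "__main__":
    logons, mfa = build_sample_events()
    for l in rare_rdp_pairs(logons, NOW):
        print("rare RDP pair:", l.user, "->", l.dst_host, "from", l.src_ip)
    for l, n in rdp_then_mfa_failures(logons, mfa):
        print("RDP logon then", n, "MFA failures:", l.user, "->", l.dst_host)
```

Keying the baseline on (user, destination host) matches the attack graph's behaviour, where the compromised account is a legitimate one and only the destination is new; keying on source IP as well, or on the pair's first-seen date, is a straightforward extension once the SIEM keeps the table persistently rather than recomputing it from the history window.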
3b. Mitigations
MITRE’s mitigations for Remote Services: Remote Desktop Protocol (T1021.001):
- M1047 – Audit
- M1042 – Disable or Remove Feature or Program
- M1035 – Limit Access to Resource Over Network
- M1032 – Multi-Factor Authentication
- M1030 – Network Segmentation
- M1028 – Operating System Configuration
- M1026 – Privileged Account Management
- M1018 – User Account Management
Wrap-up
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against an actor who can take multiple paths to achieve their goals. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.