PICUS LABS MONTHLY #May 2020


MAY'S THREAT: MAZE

The Rise of Maze Ransomware

Unfortunately, Maze ransomware has been in the news quite often in the last months. In May, the Maze ransomware gang started posting payment card data stolen during a breach at the state-owned Banco de Costa Rica. The data leak, which consists of a 2 GB CSV file containing details of various Mastercard and Visa credit and debit cards, has been verified by security researchers. The recent Maze ransomware attack on tech major Cognizant Technology Solutions hurt the company's revenues and corresponding margins by $50-$70 million. Lastly, nuclear missile contractor Westech was breached by the Maze gang.


You can test the effectiveness of your security controls against Maze ransomware with '390945 Maze Ransomware Scenario' in Picus Threat Library.

MAY'S THREAT ACTORS

Lazarus Group

  • Picus Threat ID: 381703, 78307, 677859, 805294, 582408
  • Aliases: Hidden Cobra, Guardians of Peace, Zinc, Nickel Academy
  • Target Regions: Europe, Middle East, Southern Asia, Eastern Asia, US
  • Target Industries: Finance, Media, Technology 
  • Malware: Dacls RAT
    Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used by Lazarus. For more information, check the blog post "Lazarus (Hidden Cobra) Group Employs HTA Embedded BMP Files".

Naikon

  • Picus Threat ID: 238761, 677859, 805294, 582408
  • Target Regions: ASEAN countries
  • Target Industries: Government, Defense
  • Malware: Aria-body Backdoor

Hangover

  • Picus Threat ID: 265213, 799984, 473207, 746210, 556555, 345766
  • Aliases: Patchwork, Neon, Viceroy Tiger, MONSOON
  • Target Regions: US, Southern Asia
  • Target Industries: Government, Military
  • Malware: BackConfig Trojan

Our world-class red team analyzed 500,000 TTPs to identify the top 10 most common ATT&CK techniques.

Download Now: The Red Report: Your Handbook to Utilize MITRE ATT&CK Framework

ATTACK SCENARIOS

APT29 Threat Group

Picus Threat ID: 647501

ACTIONS

1. Execute Invoke-UserHunter Function (PowerView)

Technique: T1087 Account Discovery

Tactic: Discovery


2. Display the names of all network shares using "net share" command

Technique: T1049 System Network Connections Discovery

Tactic: Discovery


3. Kerberoasting Attack using Invoke-Kerberoast

Technique: T1028 Kerberoasting

Tactic: Credential Access

...

8. C2 Communication over HTTPS Port 443

Technique: T1043 Commonly Used Ports

Tactic: Command and Control

Maze Ransomware

Picus Threat ID: 390945


ACTIONS

1. Delete Shadow Copies using Windows Management Instrumentation (WMI)

Technique: T1490 Inhibit System Recovery

Tactic: Impact


2. Connect to RDP using mstsc.exe

Technique: T1076 Remote Desktop Protocol

Tactic: Lateral Movement

3. Gather credentials using the Mimikatz tool

Technique: T1003 Credential Dumping

Tactic: Credential Access

...

9. Disable Automated Windows Recovery Features

Technique: T1490 Inhibit System Recovery

Tactic: Impact


Atomic Attacks

Process Injection using the EtwpCreateEtwThread Function

  • Picus Threat ID: 614692
  • Technique: T1055 Process Injection
  • Tactics: Defense Evasion, Privilege Escalation

Dism.exe OS Binary (LOLBAS) used in Signed Binary Proxy Execution

  • Picus Threat ID: 590774
  • Technique: T1218 Signed Binary Proxy Execution
  • Tactics: Defense Evasion, Execution

Session File Dumping using the Sessionsearcher Tool

  • Picus Threat ID: 525672
  • Technique: T1005 Data from Local System
  • Tactic: Collection

MALICIOUS CODE

Pwndlocker Ransomware

  • Picus Threat ID: 894642
  • Signature Technique: T1486 Data Encrypted for Impact
  • Target Regions: US
  • Target Industries: Local Government

Aria-body Backdoor

  • Picus Threat ID: 630462, 754010
  • Signature Technique: T1024 Custom Cryptographic Protocol
  • Target Regions: ASEAN countries
  • Target Industries: Government, Military

Dacls Remote Access Trojan

  • Picus Threat ID: 805294, 783079, 677859
  • Signature Technique: T1020 Automated Exfiltration
  • Target Regions: Southern Asia, Eastern Asia
  • Target Industries: Finance

WEB APPLICATION ATTACKS

Pulse Secure SSL VPN Command Injection

  • Picus Threat ID: 604838
  • OWASP Top 10: A1-Injection
  • CVSS 3 Base Score: 8.0 High
  • CVE: CVE-2019-11539
  • Affected Product: Pulse Secure Pulse Connect Secure

Microsoft SharePoint Remote Code Execution

  • Picus Threat ID: 549830
  • OWASP Top 10: A1-Injection
  • CVSS 3 Base Score: 8.8 High
  • CVE: CVE-2020-0932
  • Affected Product: Microsoft SharePoint

Django GIS Functions SQL Injection

  • Picus Threat ID: 211963
  • OWASP Top 10: A1-Injection
  • CVSS 3 Base Score: 9.8 Critical
  • CVE: CVE-2020-9402
  • Affected Product: Django 1.11 before 1.11.29

VULNERABILITY EXPLOITATIONS

Google Chrome WebAudio UAF

  • Picus Threat ID: 615448
  • CVE: CVE-2019-13720
  • CVSS 3 Base Score: 8.8 High

Exim Privilege Escalation

  • Picus Threat ID: 859715
  • CVE: CVE-2019-10149
  • CVSS 3 Base Score: 9.8 Critical

Windows Installer Elevation of Privilege

  • Picus Threat ID: 792978
  • CVE: CVE-2020-0683
  • CVSS 3 Base Score: 7.8 High

SIGMA RULES

Windows Hash Database Files Dumping via Volume Shadow Copy

  • Picus Sigma ID: 7796
  • Detected Method: Credential Dumping via Volume Shadow Copy Service
  • Technique: T1003 Credential Dumping
  • Tactic: Credential Access

DLL Injection with PowerShell

  • Picus Sigma ID: 5167
  • Detected Method: DLL Injection via Parent PID Spoofing
  • Technique: T1055 Process Injection
  • Tactics: Defense Evasion, Privilege Escalation

Proxy Execution of Application

  • Picus Sigma ID: 7171
  • Detected Method: Proxy Execution via Program Compatibility Troubleshooter
  • Detected Technique: T1085 Rundll32
  • Tactics: Defense Evasion, Execution