PICUS LABS MONTHLY #May 2021

MAY'S THREAT: DARKSIDE RANSOMWARE GROUP

A Rising Ransomware Threat Group: DarkSide 

The Darkside ransomware group established several high-profile breaches, including the US-based Colonial Pipeline Company incident in May 2021. They have established the Ransomware as a Service (RaaS) model and expanded their operations with the participation of other threat actors. In addition to encrypting files and demanding ransom, the Darkside threat actors exfiltrate data and threaten the victim by releasing the exfiltrated data, known as the double-extortion tactic.

You can test the effectiveness of your security controls against the Darkside ransomware campaigns with the "655212 Darkside Ransomware Attack Scenario" in Picus Threat Library. You can also validate your defenses against Darkside malware samples with threats 312355, 424348, 727882, 551628, 269817, 588030, 507789, 230239, 675517, 247255, 429456, 591155, 304959, 204994, 506926, and 166962 in Picus Threat Library.

MAY'S THREAT ACTORS

UNC2447

• Picus Threat ID: 730014,782601,383259,794709,607648,781917,499270,277155,840145
• Target Regions: North America, Europe 
• Malware: Sombrat,Fivehands,Hellokitty,Deathransom,Warprism,Baecon,Foxgrabber

APT29

• Picus Threat ID: 433911
• Aliases: Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke
• Target Regions: North America, Europe, Asia, Middle East
• Target Industries: Government, Consulting, Technology, Telecommunication Malware: Cobaltstrike, EnvyScout, BoomBox, NativeZone, VaporRage

ATTACK SCENARIOS

APT / Malware Scenarios

DarkSide Ransomware Scenario

Picus Threat ID: 655212

ACTIONS:

1. Gather System Language via Powershell
ATT&CK Technique: T1082 System Information Discovery
ATT&CK Tactic: Discovery

2. Gather System Language from Register Hive
ATT&CK Technique: T1082 Input Capture
ATT&CK Tactics: Discovery

3.Capture Geoip Location Info using PowerShell
ATT&CK Technique: T1005 Data from Local System
ATT&CK Tactic: Collection
...
15. Gather Information about Target Domain using ADRecon
ATT&CK Technique: T1018 Remote System Discovery
ATT&CK Tactic: Discover

PortDoor Backdoor Scenario

Picus Threat ID: 571886

ACTIONS:

1. Copy a File "winlog.wll" in MS Word Startup Folder for Persistence

ATT&CK Technique: T1547 Boot or Logon Autostart Execution

ATT&CK Tactic: Persistence, Privilege Escalation

2. Execute Backdoored WLL using rundll32.exe

ATT&CK Technique: T1218 Signed Binary Proxy Execution

ATT&CK Tactics: Defense Evasion

3.Displays the current date and time variables using "net time"

 ATT&CK Technique: T1124 System Time Discovery

 ATT&CK Tactic: Discovery

 ...

9. Encrypt a file "253774.csv" using AES

 ATT&CK Technique: T1560 Archive Collected Data

 ATT&CK Tactic: Collection

Atomic Attacks

Credential Dumping Stored Credentials with SeTrustedCredmanAccessPrivilege

• Picus Threat ID: 225673
• ATT&CK Technique: T1003 OS Credential Dumping
• ATT&CK Tactics: Credential Access

Credential Dumping from Protected Processes via PPLDump

• Picus Threat ID: 787684
• ATT&CK Technique: T1003 OS Credential Dumping
• ATT&CK Tactics: Credential Access

Process Injection by using DoppelGate Technique

• Picus Threat ID: 826695
• ATT&CK Technique: T1055 Process Injection
• ATT&CK Tactics: Defense Evasion

Our world-class red team analyzed 500.000 TTPs to identify the top 10 most common ATT&CK techniques.

Download Now: The Red Report: Your Handbook to Utilize MITRE ATT&CK Framework

MALICIOUS CODE

DarkSide Ransomware

• Picus Threat ID: 868324,871662,517987,812418,734114,655212,374655,774481,743576,464272,792638,830614,496797,843957,
  401207,639011
• Signature ATT&CK Technique: T1566,T1190,T1133,T1090.003,T1486 Target Regions: All
• Target Industries: Government, Medicine, Education

UNC2447 - Sombrat, Fivehands, Hellokitty, Deathransom, Warprism, Beacon, Foxgrabber

• Picus Threat ID: 456779, 546269, 776580, 573385
• Signature ATT&CK Techniques: T1547.006, T1012
• Target Regions: Switzerland, Great Britain, Belgium, United States, The Netherlands, Croatia, Porto Rico, Germany, Turkey, Russia, Denmark, Mexico, Canada, Dominican Republic
• Target Industries: ALL

APT29 - CobaltStrike Beacon

• Picus Threat ID: 433911
• Signature ATT&CK Technique: T1085,T1179,T1055,T1112,T1055,T1497,T1179,T1497,T1043

WEB APPLICATION ATTACKS

HTTP Protocol Stack Remote Code Execution Vulnerability Variant-1

• Picus Threat ID: 804289
• OWASP Top 10: A1 - Injection
• CVSS 3 Base Score: 9.8 Critical
• CVE: CVE-2021-31166
• Affected Product: IIS

Microsoft Exchange Server Remote Code Execution Vulnerability

• Picus Threat ID: 328019
• OWASP Top 10: A1 - Injection
• CVSS 3 Base Score: 8.8 Critical
• CVE: CVE-2021-28482
• Affected Product: Microsoft Exchange Server

Apache OfBiz Deserialization to RCE Vulnerability

• Picus Threat ID: 804289
• OWASP Top 10: A1 - Injection
• CVSS 3 Base Score: 9.8 Critical
• CVE: CVE-2021-30128
• Affected Product: Apache OFBiz

VULNERABILITY EXPLOITATIONS

Ubuntu OverlayFS Privilege Escalation .ELF File Download Variant-1

• Picus Threat ID: 365626
• CVE: CVE-2021-3493
• CVSS 3 Base Score: 7.8 High
• Affected Product: Ubuntu OverlayFS

ExifTool ANT Perl Injection Vulnerability Variant-1

• Picus Threat ID: 366433
• CVE: CVE-2021-22204
• CVSS 3 Base Score: 7.8 High
• Affected Product: ExifTooly

GitLab Remote Code Execution .RMD File Download Variant-1

• Picus Threat ID: 313770
• CVE: CVE-2021-22192
• CVSS 3 Base Score: 8.8 High
• Affected Product: GitLab

SIGMA RULES

Suspicious XSL Script Processing via WMI Execution

• Picus Sigma ID: 3213
• Technique: XSL Script Processing
• Tactic: Defense Evasion 

Computer Information Discovery via WMIC Tool

• Picus Sigma ID: 4923
• Technique: System Information Discovery
• Tactic: Discovery

Sophos Antivirus Service Stop via Taskkill Tool

• Picus Sigma ID: 8702
• Technique: Impair Defenses: Disable or Modify Tools
• Tactic: Defense Evasion