PICUS LABS MONTHLY  #October 2020


OCTOBER'S THREAT: RYUK RANSOMWARE

Return of the Ryuk Ransomware

Ryuk has been one of the most proficient ransomware threat actors. The group went quiet earlier in the year, but that appears to have changed in the past couple of weeks, with incidents such as the one at UHS hospitals.

 

You can test the effectiveness of your security controls against the Ryuk ransomware campaigns with "714922 Ryuk Ransomware Attack Scenario" in the Picus Threat Library. You can also validate your defenses against Ryuk malware samples with threats 312355, 424348, 727882, 551628, 269817, 588030, 507789, 230239, 675517, 247255, 429456, 591155, 304959, 204994, 506926, and 166962 in the Picus Threat Library.

OCTOBER'S THREAT ACTORS  

MuddyWater

  • Picus Threat ID: 231391, 574050, 532705, 360493, 265593
  • Aliases: Seedworm, TEMP.Zagros
  • Target Regions: Europe, Middle East, North America
  • Target Industries: Telecommunication, Government, Oil
  • Malware: Covicli Backdoor, PowGoop Loader, SSF.MX Backdoor

Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used in the Earth Vetala attack campaign of MuddyWater. For more information, check the blog post Earth Vetala Campaign of MuddyWater APT Group.

 

Jointworm

  • Picus Threat ID: 833829
  • Target Regions: Europe, UK, Asia
  • Target Industries: Finance
  • Malware: PhantomOCX

ATTACK SCENARIOS

Lazarus (APT38) Threat Group PowerRatankba Attack Scenario


Picus Threat ID: 690370

 

ACTIONS

1. Query System Information

ATT&CK Technique: T1082 System Information Discovery

ATT&CK Tactic: Discovery

 

2. Execute a Keylogger that uses GetAsyncKeyState()

ATT&CK Technique: T1056 Input Capture

ATT&CK Tactics: Credential Access, Collection

 

3. Capture Screenshot using PsTools

ATT&CK Technique: T1113 Screen Capture

ATT&CK Tactic: Collection

...

12. C2 Communicate Over HTTPS Port 443

ATT&CK Technique: T1043 Commonly Used Port

ATT&CK Tactic: Command and Control

 

Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used by Lazarus. For more information, check the blog post Lazarus (Hidden Cobra) Group Employs HTA Embedded BMP Files.

Ryuk Ransomware Scenario

Picus Threat ID: 714922

 

ACTIONS

1. Gather Information about Target Domain

ATT&CK Technique: T1018 Remote System Discovery

ATT&CK Tactic: Discovery

 

2. Disable Defender Features

ATT&CK Technique: T1562 Impair Defenses

ATT&CK Tactic: Defense Evasion

3. Gather Trusted Domains via Nltest Command

ATT&CK Technique: T1482 Domain Trust Discovery

ATT&CK Tactic: Discovery

...

14. File Exfiltration with Encryptor.exe

ATT&CK Technique: T1486 Data Encrypted for Impact

ATT&CK Tactic: Impact

Atomic Attacks

Process Injection with Process Herpaderping Method

  • Picus Threat ID: 548266
  • ATT&CK Technique: T1055 Process Injection
  • ATT&CK Tactics: Defense Evasion, Privilege Escalation

Spearphishing Attachment Attack by using Hot Manchego

  • Picus Threat ID: 827559
  • ATT&CK Technique: T1566 Phishing
  • ATT&CK Tactic: Initial Access

Wuauclt.exe OS Binary (Lolbas) used in Signed Binary Proxy Execution Technique

  • Picus Threat ID: 574776
  • ATT&CK Technique: T1218 Signed Binary Proxy Execution
  • ATT&CK Tactic: Defense Evasion

MALICIOUS CODE

Covicli Backdoor Malware

  • Picus Threat ID: 668690, 201911, 409211, 721511, 704112
  • Signature ATT&CK Technique: T1573 Encrypted Channel
  • Target Regions: Europe, Middle East, North America
  • Target Industries: Telecommunication, Government, Oil
  • Threat Group: MuddyWater (Aliases: Seedworm, TEMP.Zagros)

Egregor Ransomware

  • Picus Threat ID: 372862, 260828, 701507
  • Signature ATT&CK Technique: T1486 Data Encrypted for Impact
  • Target Regions: ALL
  • Target Industries: Logistics, Entertainment, Real Estate, Media

SLOTHFULMEDIA RAT

  • Picus Threat ID: 772071, 691496
  • Signature ATT&CK Technique: T1082 System Information Discovery
  • Target Regions: ALL
  • Target Industries: ALL

WEB APPLICATION ATTACKS

Ruby on Rails MemCacheStore and RedisCacheStore Remote Code Execution (RCE)

  • Picus Threat ID: 352514
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 9.8 Critical
  • CVE: CVE-2020-8165
  • Affected Product: Ruby on Rails

Cisco ASA and Firepower Arbitrary File Deletion

  • Picus Threat ID: 842421
  • OWASP Top 10: A5 - Broken Access Control
  • CVSS 3 Base Score: 9.1 Critical
  • CVE: CVE-2020-3187
  • Affected Product: Cisco ASA and Firepower

SharePoint Server DataFormWebPart CreateChildControls RCE

  • Picus Threat ID: 592989
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 7.8 High
  • CVE: CVE-2020-16952
  • Affected Product: SharePoint Server

VULNERABILITY EXPLOITATIONS

Google Chrome V8 Engine Null Pointer Information Leak

  • Picus Threat ID: 894631
  • CVE: CVE-2020-1571
  • CVSS 3 Base Score: 7.8 High
  • Affected Product: Windows Setup

Win32k Denial of Service Vulnerability 

  • Picus Threat ID: 790051
  • CVE: CVE-2020-1510
  • CVSS 3 Base Score: 5.5 Medium
  • Affected Product: Windows win32k Component

Windows Kernel Information Disclosure 

  • Picus Threat ID: 682305
  • CVE: CVE-2020-16938
  • CVSS 3 Base Score: 5.5 Medium
  • Affected Product: Windows Kernel

 

SIGMA RULES

Bypass User Access Control via Modifying Software Registry Value

  • Picus Sigma ID: 3789
  • Technique: T1112 Modify Registry
  • Tactic: Defense Evasion

Credential Access using Obtaining Debug Privileges by Mimikatz via PowerShell

  • Picus Sigma ID: 8537
  • Technique: T1003 OS Credential Dumping
  • Tactic: Credential Access

Windows Firewall Configurations Discovery via Netsh Tool

  • Picus Sigma ID: 6642
  • Technique: T1518.001 Security Software Discovery
  • Tactic: Discovery