Security
Headlines
HeadlinesLatestCVEs

Headline

Talos IR trends Q3 2024: Identity-based operations loom large

Credential theft was the main goal in 25% of incidents last quarter, and new ransomware variants made their appearance - read more about the top trends, TTPs, and security weaknesses that facilitated adversary actions.

TALOS
#sql#vulnerability#web#windows#microsoft#cisco#perl#samba#auth

Thursday, October 24, 2024 06:00

Threat actors are increasingly conducting identity-based attacks across a range of operations that are proving highly effective, with credential theft being the main goal in a quarter of incident response engagements.

These attacks were primarily facilitated by living-off-the-land binaries (LoLBins), open-source applications, command line utilities, and common infostealers, highlighting the relative ease at which these operations can be carried out. In addition to outright credential harvesting, we also saw password spraying and brute force attacks, adversary-in-the-middle (AitM) operations, and insider threats, underscoring the variety of ways in which actors are compromising users’ identities.

Identity-based attacks are concerning because they often involve actors launching internal attacks from a compromised, valid account–making such activity difficult to detect. Moreover, once account compromise is achieved, an actor can carry out any number of malicious activities, including account creation, escalating privileges to gain access to more sensitive information, and launching social engineering attacks, like business email compromise (BEC), against other users on the network.

Watch the team discuss some of the major takeaways of the report, and recommendations for defenders

**Threats against identity **

This quarter, Cisco Talos Incident Response (Talos IR) has responded to a growing number of engagements in which adversaries have leveraged password-spraying campaigns to obtain valid usernames and passwords to facilitate initial access. This quarter, 25 percent of incidents involved password spraying and/or brute force attempts to steal valid credentials. This method involves an adversary using a password, or a small list of commonly used passwords, against many different accounts on a network, a strategy that helps avoid account lockouts that would typically occur when brute-forcing a single account with many passwords. Although adversaries have been using password-spraying attacks for credential access for years, the activity illustrates that organizations should continue to stress the importance of multi-factor authentication (MFA) and strong password policies to limit unauthorized attempts.

Talos IR observed AitM phishing attacks play out in a number of ways this quarter, where adversaries attempted to trick users into entering their credentials into fake login pages. In one engagement, Talos IR investigated a phishing case where, after clicking a malicious link in a phishing email, the victim was redirected to a site prompting them to enter their credentials, and subsequently approved an MFA request. In another engagement, an initial phishing email redirected a user to a page that simulates a Microsoft O365 login and MFA portal, capturing the user’s credentials and subsequently logging in on their behalf. The first login by the adversary was seen 20 minutes after the initial phishing email, highlighting the speed, ease, and effectiveness of these operations.

**Ransomware **

Ransomware, pre-ransomware, and data theft extortion – in which cybercriminals steal and threaten to release victims’ files or other data without using any encryption mechanisms — accounted for nearly 40 percent of engagements this quarter. Talos IR observed RansomHub, RCRU64, and DragonForce ransomware variants for the first time this quarter, while also responding to previously seen ransomware variants, such as BlackByte, Cerber, and BlackSuit.

A third of these engagements involved exploitation of known vulnerabilities that are consistently leveraged by ransomware operators/affiliates to deploy ransomware, according to public reporting. For example, in one BlackByte ransomware engagement, we observed an admin account created and added to an “ESX Admin” group as part of exploitation of the ESXi hypervisor vulnerability, CVE-2024-37085. This vulnerability, which has reportedly been exploited by other ransomware operators, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation.

As part of a years-long trend in greater democratization of ransomware adversaries, we continue to see new variants and ransomware operations emerging. In an incident involving the RCRU64 ransomware –a malware family that has received limited public reporting – the adversary used stolen credentials on an accidentally exposed remote desktop protocol (RDP) account to gain initial access. The threat actor then performed a dump of all domain credentials using publicly available tools, such as fgdump and pwdump, to steal Windows hashes. The threat actor also deployed custom tools, including “saxcvz.exe” and “close.exe”, to kill processes and close SQL servers running on the host, respectively. Open-source tools such as Mimikatz, Advanced Port Scanner, and IObit Unlocker were also used to facilitate the compromise. Of note, Talos has not previously seen IObit Unlocker used in a ransomware incident, though the tool has been used in Play ransomware attacks, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Looking forward: While there are constantly new ransomware groups entering the threat landscape, some established operations still pose a risk and should not be ignored. We saw this most recently last quarter with RansomHub, where Talos IR not only observed RansomHub actors in two separate incidents, but also using two different extortion models: double-extortion and data theft extortion. For example, we observed RansomHub affiliates conduct data theft extortion, where affiliates steal and threaten to release data without deploying ransomware or using any encryption mechanisms, as well as leverage a double-extortion model by deploying ransomware and encrypting systems and exfiltrating data to extort victims, respectively. In late August, this activity coincided with a CISA advisory on the RansomHub ransomware group, which disseminated indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) identified as recently as August. While RansomHub was first discovered in February 2024, the recent Talos IR incidents and CISA advisory warrants that this continues to be a ransomware threat to monitor.

****Targeting** **

Organizations in the education, manufacturing, and financial services verticals were most affected this quarter, where combined, these sectors accounted for more than 30 percent of compromises. This finding is in line with targeting trends from Q1 2024 (January - March), where the education and manufacturing companies were the most targeted.

**
Initial access **

For the fourth consecutive time in over a year, the most observed means of gaining initial access was the use of valid accounts, accounting for 66 percent of engagements when initial access could be determined. This is a slight increase compared to the previous quarter (60 percent). Additionally, 20 percent of engagements featured adversaries exploiting or leveraging vulnerable and public-facing applications for initial access.

Looking forward: Talos IR identified a sophisticated actor targeting a critical infrastructure entity leveraging several known vulnerabilities in internet-facing web servers and two F5 BIG-IP network appliances, consistent with Talos’ reporting on state-sponsored and other sophisticated adversaries’ increased interest in targeting network devices. We assess that networking equipment will remain an attractive target due to the large attack surface it presents and potential access to victim networks it can offer, highlighting the dichotomy of high value and weak security in these devices that makes them a prime target for exploitation. This activity is another reminder of the importance of patching systems, especially network-facing devices.

****Security weaknesses** **

We continue to see a significant number of compromises that could have been prevented with the presence of certain security fundamentals, like MFA and proper configuration of endpoint detection products. In nearly 40 percent of engagements, misconfigured MFA, lack of MFA, and MFA bypass accounted for the top observed security weaknesses this quarter. Additionally, in 100 percent of the engagements that involved threat actors sending phishing emails to victims, MFA was bypassed or not fully enabled, while over 20 percent of incidents where ransomware was deployed did not have MFA enabled on VPNs.

Other security weaknesses, which we commonly see every quarter, involved improper endpoint detection and response (EDR) or security solution misconfigurations. For example, lack of EDR on all systems and/or poorly configured EDR solutions accounted for nearly 30 percent of incidents this quarter. Additionally, nearly 20 percent of engagements this quarter had misconfigured or not fully enabled network security solutions.

In an incident involving SocGholish, a drive-by malware framework, Talos IR recommended configuring Cisco Umbrella properly to block unwanted content, which could have helped to prevent this attack. Blocking “uncategorized” websites in Cisco Umbrella’s “Web Content Categories” will help proactively mitigate suspicious or malicious activity.

****Top-observed MITRE ATT&CK techniques** **

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list.

Key findings from the MITRE ATT&CK appendix include:

  • In terms of identity-based attacks, we consistently saw adversaries leveraging reconnaissance tactics to identify/gather credentials and then use those valid accounts to gain initial access. This also contributes to the growing trend this quarter in which adversaries are leveraging password spraying to obtain credentials.
  • Nearly 20 percent of engagements this quarter featured proxy usage for command and control (C2). This activity included tools such as the Fast Reverse Proxy (FRPC) to establish a connection, or the Neo-reGoerg proxy tool to set up a SOCKS proxy.
  • In a significant shift compared to previous quarters, we saw a decrease in adversary usage of remote access software, such as AnyDesk. Remote access software was used in less than 5 percent of engagements this quarter, compared to 35 percent last quarter (Q2 2024), where these tools provide the attacker an ability to control a target computer remotely.

Tactic

Technique

Example

Initial Access (TA0001)

T1078 Valid Accounts

Adversary leveraged stolen or compromised credentials

Reconnaissance (TA0043)

T1592 Gather Victim Host Information

Text file contains details about host

Persistence (TA0003)

T1136 Create Account

Created a user to add to the local administrator’s group

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Executes PowerShell code to retrieve information about the client’s Active Directory environment

Discovery (TA0007)

T1046 Network Service Discovery

Use a network or port scanner utility

Credential Access (TA0006)

T1003 OS Credential Dumping

Deploy Mimikatz and publicly available password lookup utilities

Privilege Escalation (TA0004)

T1484 Domain Policy Modification

Modify GPOs to execute malicious files

Lateral Movement (TA0008)

T1021.002 Remote Services: SMB / Windows Admin Shares

Adversaries may abuse valid accounts using SMB to move laterally in a target environment.

Defense Evasion (TA0005)

T1562.001 Impair Defenses: Disable or Modify Tools

Adversaries may disable or uninstall security tools to evade detection

Command and Control (TA0011)

T1105 Ingress Tool Transfer

Adversaries may transfer tools from an external system to a compromised system

Impact (TA0040)

T1486 Data Encrypted for Impact

Deploy Hive ransomware and encrypt critical systems

Exfiltration (TA0010)

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Use WinSCP for potential exfiltration of system information

Collection (TA0009)

T1074 Data Staged

Adversary collected data in a central location prior to exfiltration

Software/Tool

S0357 Impacket

An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols

Related news

Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks

Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control. "Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. "However, such is

Akira ransomware continues to evolve

As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.

BlackByte Ransomware Exploits VMware ESXi Flaw in Latest Attack Wave

The threat actors behind the BlackByte ransomware group have been observed likely exploiting a recently patched security flaw impacting VMware ESXi hypervisors, while also leveraging various vulnerable drivers to disarm security protections. "The BlackByte ransomware group continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its

BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks

In recent investigations, Talos Incident Response has observed the BlackByte ransomware group using techniques that depart from their established tradecraft. Read the full analysis.

Ransomware Gangs Exploit ESXi Bug for Instant, Mass Encryption of VMs

With sufficient privileges in Active Directory, attackers only have to create an "ESX Admins" group in the targeted domain and add a user to it.

VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access

A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by "several" ransomware groups to gain elevated permissions and deploy file-encrypting malware. The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host. "A

TALOS: Latest News

NVIDIA shader out-of-bounds and eleven LevelOne router vulnerabilities