Significance of Access to Incident Response Capability: Ransomware Attacks Case Study

Introduction

In this blog, we emphasise the significance of organisations having access to expert knowledge and a comprehensive incident response capability as well as engaging this capability at the right moment while actively facing a large-scale cyber attack with the potential for significant impact. To showcase this, we explore a case study of attacks associated with ransomware.

Key Highlights

• Access to Incident Response and Expert Knowledge Can Reduce Impact.
• Aged Vulnerabilities, Such as MS Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), Are Still Exploited to Gain Initial Access: Threat actors remotely execute malicious code and gain access to the system without needing valid credentials.
• Compromised Servers, Such as MS Exchange, Are Being Used For Persistence and Lateral Movement: The exploitation of ProxyShell allows threat actors to drop malicious files, such as a web shell, onto the patient zero host, which is then used as a backdoor.
• Threat Actors’ Arsenal Includes Publicly Available Commercial Remote Admin Tools: Legitimate tools, such as GoToAssist and TeamViewer, are being abused by attackers to persist and execute various other malicious operations.

Summary

At Telstra Purple, we encounter and support customers confronting large scale cyber incidents, often just moments from inflicting significant damage. Different organisations engage incident response services at different stages of the attack lifecycle, oftentimes, past the point of no return, exacerbating potential outcomes.

Through the encounters presented below, we exemplify how effective it may be for organisations to have readily available incident response capability and access to expert knowledge as well as invoking it in a timely manner.

In the scenarios below involving ransomware, the incident response capability has been engaged while the attackers still had hands-on-keyboard access, likely just moments before they could execute the final payload – ransomware, thus causing significant damage.

The initial discovery of malicious activity in the investigated environments occurred during the triage of suspicious network traffic. Network detection signatures classified this network traffic as being related to Cobalt Strike, enabling the responding teams to trace the origin of this network activity back to an on-premises MS Exchange server. Further triage revealed a dozen additional infected endpoints. Additionally, the threat actors utilised both custom and commercially available remote access tools, such as GoToAssist, for various purposes throughout the attack.

Further investigation revealed that the entry point and initial infection vector was a vulnerable MS Exchange server. The threat actors deployed a web shell for the initial foothold and subsequently used various additional mechanisms to stay persistent and move laterally. From there, they propagated through the network, infecting additional endpoints with Cobalt Strike and other custom tools. As a result, the threat actors successfully compromised several business-critical systems, including domain controllers.

Following The Threat Actors Footsteps

Initial Access

The threat actors penetrated the environments by exploiting the MS Exchange ProxyShell vulnerabilities.

The incident response investigation uncovered the root cause and confirmed successful exploitation through inspection of the IIS and Exchange PowerShell logs. Early discovery of the root cause or patient zero allows organisations to plan for restoration as the attack unfolds, essentially providing an opportunity to restore business operations back to normal more effectively and quickly.

Execution and Persistence

Following a successful exploitation, the threat actors dropped and executed a web shell.

The web shell provided the threat actors with the ability to run PowerShell commands on the infected server.

For persistence, the threat actors used multiple methods, including the following:

1. A web shell that functioned as a backdoor.
2. Creation of local accounts.
3. Legitimate remote admin tools: The threat actors used the legitimate GoToAssist remote admin software on both the Exchange server and other infected endpoints to maintain persistence.

The execution as well as persistence techniques observed by the incident response team supporting the impacted organisations allowed them to implement high precision and confidence detection rules. These rules aided in scoping and containing the incident, as well as detecting future attacks.

Credential Access, Discovery, and Lateral Movement

The threat actors used the infamous Mimikatz throughout the attack to dump credentials from infected endpoints and servers and used Cobalt Strike to compromise additional endpoints.

Through inspection of browsing history, it was noted that the threat actors accessed shares on file servers and endpoints to transfer over their tools to other endpoints.

This discovery enhanced the tracking of the threat actors' actions and facilitated the creation of potential scenarios for their next steps. These scenarios aided in implementing containment measures and provided valuable insights into the potential motives and objectives of the threat actors.

Investigation of the Threat Actors C2 Infrastructure

Threat actors used a combination of Tor as well as Dynamic DNS (DDNS) to mask their network infrastructure. The initial intrusion (exploitation) originated from a Tor exit node, while the second stage payload communicated with DDNS addresses. Further post exploitation C2 traffic, associated with Cobalt Strike and other custom malware, was with DDNS addresses, legitimate compromised hosts, as well as dedicated short-lived hosts the threat actors set under specific VPS.

Through an in-depth investigation of the network traffic attributes related to the threat actors, additional Indicators of Compromise (IOC) were uncovered. These IOCs had not been previously observed by the existing security solutions stack in the impacted organisation's environment. This allowed the impacted organisations to proactively search for potentially additional compromised assets as well as widen their detection and mitigation strategy in general.

Conclusion

At Telstra Purple, we encounter and support customers confronting large scale cyber incidents, often just moments away from inflicting significant damage. Various organisations engage incident response services at different stages of the attack lifecycle, oftentimes even beyond the point of no return, further exacerbating potential outcomes.

Our involvement in various cases and investigations has emphasised the importance of having easily accessible incident response capability, ready access to expert knowledge, and the prompt utilisation of these resources during an active cyber attack. The availability of these resources proves highly effective in ensuring swift response and mitigation in the face of potential cyber incidents and threats. As such, organisations having these resources experienced the advantage of commencing restoration efforts during the attack rather than after it, resulting in minimal to no downtime and limited impact on their overall business operations.