Ankura Cyber Threat Intelligence Bulletin

Contact: Brandon Catalan, Ted Theisen

August 31, 2021

Observations

Over the past thirty days, the Ankura Cyber Security team has worked with clients to solve cybersecurity challenges involving emerging ransomware groups and tactics, a new set of critical vulnerabilities, emerging Denial-Of-Service technologies, and sophisticated cyber espionage campaigns.

For this month’s report, Ankura’s Cyber Threat Analysis and Pursuit Team (CTAPT) has compiled detailed metrics surrounding the tactics employed to exploit the devastating ProxyShell Microsoft Exchange vulnerabilities. Additionally, due to the increasing popularity of cryptojacking attacks, Ankura threat-intelligence operators have been monitoring innovative cryptocurrency analytics solutions.

Lastly, during this period Ankura’s Cyber Security team observed a sharp increase in LockBit ransomware activity, which reflects both the capability of the group’s custom encryption malware and the effectiveness of its affiliate recruiting program at identifying and collaborating with some of the most highly skilled professional hackers and developers.

ProxyShell Vulnerabilities

ProxyShell is a collection of vulnerabilities in Microsoft Exchange Server that allows a threat actor to execute code as a privileged user without authentication. ProxyShell comprises three separate vulnerabilities chained in a single attack to bypass access controls, elevate privileges on the Exchange PowerShell backend, authenticate the threat actor, and achieve remote code execution. The vulnerabilities are: CVE-2021-34473 (pre-auth path confusion to bypass access control; patch released April 2021), CVE-2021-34523 (privilege elevation in the Exchange PowerShell backend; patch released April 2021), and CVE-2021-31207 (post-auth remote code execution via arbitrary file write; patch released May 2021).

All three vulnerabilities are in the Microsoft Client Access Service (CAS), which typically runs on port 443 under Internet Information Services (IIS), Microsoft’s web server, and is usually exposed to the public internet so that users can access email from web browsers and mobile devices.[1] Since August 20, 2021, unpatched Exchange servers from versions 2013 to 2019 have been attacked using the ProxyShell vulnerabilities. On Saturday, August 21, 2021, several CERTs (Computer Emergency Response Teams) released security warnings urging organizations to protect against ProxyShell by applying the May updates released by Microsoft to vulnerable machines.

Figure 1a: CERT-US advisory for ProxyShell

Figure 1b: New Zealand releases an advisory for ProxyShell

As of August 21, 2021, an estimated 1,900 Microsoft Exchange systems had been compromised through ProxyShell; however, the Shodan search engine identified about 46,000 Exchange servers that are vulnerable to a ProxyShell exploit.[2]

Figure 2: Shodan’s results on currently vulnerable servers graphed by country[3] 

Security researchers from Huntress Labs discovered at least five (5) different types of WebShells (designed to obtain elevated privileges and backdoor access to the system) used with the ProxyShell attack vector: XSL Transform (currently the most commonly seen), Encrypted Reflected Assembly Loader, Comment Separation and Obfuscation of the “unsafe” Keyword, Jscript Base64 Encoding and Character Typecasting, and Arbitrary File Uploader. A common method of hiding these WebShells is to modify the Exchange server’s IIS configuration file C:\Windows\System32\inetsrv\Config\applicationHost.config with a new virtual directory path, or to place the WebShells in C:\ProgramData\ and its subdirectories.[4]

Researchers have also found that the new LockFile ransomware has been using ProxyShell to deploy its payload, and they identified a TTP (tactics, techniques, and procedures) for the group that had not been seen before the rise of ProxyShell.[5] The attacker modified the IIS “MSExchangeOWAAppPool” application pool, and the WebShell itself was located in “C:\ProgramData\COM1\hxxxy”. This allows a threat actor to hide a WebShell in a nonstandard location, usually outside the monitored ASP directories.
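As an added example (not from the bulletin, Huntress, or any Exchange tooling), the following Python audit reads an applicationHost.config and flags virtual directories whose physicalPath falls outside the expected Exchange and IIS roots, sits under C:\ProgramData, or contains a Win32 reserved device name such as the COM1 component in the LockFile path above. The configuration excerpt, the expected roots and the /owa/temp application are constructed for the demonstration.

```python
import ntpath
import xml.etree.ElementTree as ET

# Roots a stock Exchange front end legitimately serves content from
# (assumption: default install locations; adjust to the server's layout).
EXPECTED_ROOTS = (r"C:\Program Files\Microsoft\Exchange Server\V15", r"C:\inetpub")
# IIS environment variables that appear in physicalPath values.
IIS_VARS = {"%SystemDrive%": "C:", "%SystemRoot%": r"C:\Windows"}
# Win32 reserved device names: ordinary file APIs refuse such names, so a
# directory called COM1 resists casual listing and deletion.
RESERVED = {"CON", "PRN", "AUX", "NUL", *(f"COM{i}" for i in range(1, 10)), *(f"LPT{i}" for i in range(1, 10))}

def normalize(path):
    """Expand IIS variables and canonicalise for a case-insensitive comparison."""
    for var, value in IIS_VARS.items():
        path = path.replace(var, value)
    return ntpath.normpath(path).lower()

def under_expected_root(path):
    norm = normalize(path)
    return any(norm == normalize(r) or norm.startswith(normalize(r) + "\\")
               for r in EXPECTED_ROOTS)

def audit_config(xml_text):
    """Return one finding per virtualDirectory that looks out of place."""
    findings = []
    for site in ET.fromstring(xml_text).iter("site"):
        for app in site.findall("application"):
            for vdir in app.findall("virtualDirectory"):
                phys = vdir.get("physicalPath", "")
                norm = normalize(phys)
                reasons = []
                if not under_expected_root(phys):
                    reasons.append("physicalPath outside expected roots")
                if norm.startswith(normalize(r"C:\ProgramData") + "\\"):
                    reasons.append("content served from C:\\ProgramData")
                if any(part.upper() in RESERVED for part in norm.split("\\")):
                    reasons.append("reserved device name in path")
                if reasons:
                    findings.append({"site": site.get("name"), "application": app.get("path"),
                                     "pool": app.get("applicationPool"), "virtual_dir": vdir.get("path"),
                                     "physical_path": phys, "reasons": reasons})
    return findings

# Constructed applicationHost.config excerpt: two legitimate applications and
# one added application whose content lives under C:\ProgramData.
SAMPLE_CONFIG = r"""<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/" applicationPool="DefaultAppPool">
          <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
        </application>
        <application path="/owa" applicationPool="MSExchangeOWAAppPool">
          <virtualDirectory path="/" physicalPath="C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa" />
        </application>
        <application path="/owa/temp" applicationPool="MSExchangeOWAAppPool">
          <virtualDirectory path="/" physicalPath="C:\ProgramData\COM1\hxxxy" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>"""
```

On the sample, audit_config(SAMPLE_CONFIG) returns a single finding for /owa/temp in MSExchangeOWAAppPool with all three reasons; on a real server, read the file named in the text and review every finding against the Exchange build's documented virtual directories.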

Figure 3: New TTP utilized by the LockFile ransomware

Figure 4: Known methods to hide WebShells for persistence

Emerging DDoS Technology

Denial of service (DoS) attacks traditionally involve flooding a target system with internet traffic to render it unusable.[6] A Distributed Denial of Service (DDoS) attack is launched from multiple (potentially thousands of) compromised devices, often distributed globally, in what is referred to as a botnet. A volume-based denial of service attack works by sending more traffic to a victim’s server than its capacity permits, which results in decreased throughput and limited availability.[7] There are many types of distributed denial of service attacks, as well as different tactics, techniques, and emerging technologies that are making it far cheaper for attackers and threat actors to hit systems and networks through more attack vectors.

Reflected amplification attacks are a powerful tool in the arsenal of a DDoS attacker. In this type of attack, the threat actor sends spoofed requests from a compromised machine to an open server, and the server sends its responses to the victim. If the response is larger than the spoofed request, the server effectively amplifies the attacker’s bandwidth, allowing them to flood the target with even more malicious packets. When fragment contents are maliciously manipulated, the victim ends up with an IP packet larger than the permitted maximum, which can overflow memory buffers and cause denial of service for legitimate packets.

Reflected amplification attacks are a type of DDoS attack in which an adversary leverages the connectionless nature of the User Datagram Protocol (UDP), sending spoofed requests to misconfigured open servers to overwhelm a target with a flood of packets, ultimately disrupting the server’s functionality or rendering it inaccessible to legitimate users.[8] The figure below illustrates a reflected amplification attack.

Figure 1: Reflected Amplification Overview

Most DDoS amplification attacks are UDP-based (User Datagram Protocol), because the more reliable Transmission Control Protocol (TCP) requires a three-way handshake that complicates spoofing. Every TCP connection starts with the client sending a SYN packet; the server responds with a SYN+ACK, and the client completes the handshake with an ACK packet. The three-way handshake protects TCP applications from being used as amplifiers: if an attacker sends a SYN packet with a spoofed source IP address, the SYN+ACK goes to the victim, and the attacker never learns the information in the SYN+ACK that is needed to complete the handshake. Without the SYN+ACK packet, the threat actor cannot make valid requests on behalf of the victim.[9] The figure below shows the three-way handshake in the context of a reflected amplification attack.

Figure 2: Reflected Amplification Attack

Weaknesses in the TCP implementations of middleboxes and censorship infrastructure can be weaponized to stage reflected DDoS amplification attacks against any target, surpassing existing UDP-based amplification factors. A middlebox is an in-network device that sits on the path between two communicating end hosts and can monitor, filter, and/or transform packet streams in flight.[10] Unlike traditional routers and switches, middleboxes operate not only on packet headers but also on payloads, using Deep Packet Inspection (DPI). Censoring firewalls identify forbidden keywords or domains in plaintext traffic, Domain Name System (DNS) requests, or Transport Layer Security (TLS) server name indication fields. Once a censoring middlebox determines that a connection should be censored, it can drop the offending packets, inject RESET (RST) packets to tear down the connection, inject false DNS responses, or inject block pages in response to forbidden HTTP requests.[11] If a middlebox injects content based on only one side of the connection, an attacker can spoof one side of the TCP three-way handshake and convince the middlebox that a valid connection exists.

A team from the University of Maryland and the University of Colorado Boulder used an artificial intelligence algorithm to discover the techniques behind the first TCP-based DDoS amplification attack.[12] The variants include a normal TCP reflection, in which an attacker sends a single SYN packet to elicit SYN+ACKs; a middlebox reflection attack, in which an attacker sends a packet sequence that triggers a block page or other censorship response; and a combined destination and middlebox reflection attack, in which the attacker elicits a response from both the middlebox and the end destination. Another variant is the routing loop reflection attack, in which trigger packets are trapped in a routing loop. The final variant is victim-sustained reflection, in which the victim’s default response triggers additional packets from the middlebox or destination.[13] These attacks are made up of seemingly innocent requests; the goal is to crash the web server, and their magnitude is measured in requests per second. Slowloris is another type of attack that lets threat actors disrupt services to legitimate users, though in a different manner.
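Added example (not from the bulletin or the cited paper): a flow-record check run from the victim’s side that surfaces the two patterns described above, responses arriving from a service port our hosts never queried (the spoofed-victim case, which is also how middlebox-injected TCP/80 block pages appear) and UDP replies far larger than what was sent. TCP traffic with any outbound counterpart is deliberately left alone, since the handshake means the host asked for it. The 203.0.113.0/24 local range, the thresholds and the flow records are constructed.

```python
from collections import defaultdict

LOCAL_PREFIX = "203.0.113."   # constructed: our own address range (TEST-NET-3)
MIN_INBOUND_BYTES = 50_000    # ignore anything smaller than this per peer port
UDP_AMP_FACTOR = 10           # inbound/outbound ratio treated as amplification


def is_local(ip):
    return ip.startswith(LOCAL_PREFIX)


def detect_reflection(flows):
    """Group flows by (local host, proto, remote service port) and alert when
    the host received a lot from a port it never queried, or, for UDP, far
    more than it sent. TCP with any outbound traffic is left alone: the
    handshake means the host asked for what it got."""
    inbound, outbound, reflectors = defaultdict(int), defaultdict(int), defaultdict(set)
    for proto, src, sport, dst, dport, nbytes in flows:
        if is_local(dst) and not is_local(src):
            inbound[(dst, proto, sport)] += nbytes
            reflectors[(dst, proto, sport)].add(src)
        elif is_local(src) and not is_local(dst):
            outbound[(src, proto, dport)] += nbytes
    alerts = []
    for key, received in inbound.items():
        if received < MIN_INBOUND_BYTES:
            continue
        sent = outbound.get(key, 0)
        local_ip, proto, port = key
        if sent == 0:
            verdict, factor = "unsolicited", None   # spoofed-victim pattern
        elif proto == "UDP" and received / sent >= UDP_AMP_FACTOR:
            verdict, factor = "amplified", round(received / sent, 1)
        else:
            continue
        alerts.append({"local_ip": local_ip, "proto": proto, "port": port,
                       "verdict": verdict, "inbound_bytes": received,
                       "factor": factor, "reflectors": len(reflectors[key])})
    return sorted(alerts, key=lambda a: -a["inbound_bytes"])


# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    # ordinary DNS lookup: small query, modest answer
    ("UDP", "203.0.113.10", 51000, "198.51.100.1", 53, 80),
    ("UDP", "198.51.100.1", 53, "203.0.113.10", 51000, 300),
    # reflected DNS: three resolvers answer a host that never asked them
    ("UDP", "198.51.100.2", 53, "203.0.113.20", 443, 40_000),
    ("UDP", "198.51.100.3", 53, "203.0.113.20", 443, 40_000),
    ("UDP", "198.51.100.4", 53, "203.0.113.20", 443, 40_000),
    # NTP amplification: one 60-byte query out, 90 kB back
    ("UDP", "203.0.113.20", 123, "192.0.2.7", 123, 60),
    ("UDP", "192.0.2.7", 123, "203.0.113.20", 123, 90_000),
    # middlebox reflection: block pages from TCP/80 with no outbound handshake
    ("TCP", "192.0.2.50", 80, "203.0.113.30", 443, 70_000),
    # legitimate TLS download: we sent a request, a large response is expected
    ("TCP", "203.0.113.10", 52000, "192.0.2.80", 443, 2_000),
    ("TCP", "192.0.2.80", 443, "203.0.113.10", 52000, 5_000_000),
]

if __name__ == "__main__":
    for a in detect_reflection(SAMPLE_FLOWS):
        print(f"{a['local_ip']} <- {a['proto']}/{a['port']}: {a['verdict']}, "
              f"{a['inbound_bytes']} bytes from {a['reflectors']} source(s), factor={a['factor']}")
```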

Slowloris is a highly targeted attack that enables one web server to take down another server without affecting other services or ports on the target network. It works by holding as many connections to the target web server open for as long as possible: the attacker opens connections to the target server but sends only a partial request.[14] Slowloris keeps sending additional HTTP headers but never completes a request; the targeted server keeps each of these false connections open, which eventually exhausts the maximum concurrent connection pool and leads to the denial of additional connections, including those from legitimate clients.[15] Although this type of attack uses a different method to attack a server or network, it still disrupts services for legitimate users by sending headers and incomplete requests, and it remains an effective attack method.
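The two server-side controls that blunt the behaviour just described, a deadline for completing the header block and a per-client cap on open connections, as an added example in Python asyncio (not the bulletin’s code or any named product’s). The loopback host, the limits and the five slow clients in the demo are constructed; the demo shows four of them holding slots until the deadline, the fifth being refused, and a complete request being served once the slots are free.

```python
import asyncio
import contextlib
from collections import Counter

HEADER_DEADLINE = 0.5   # seconds a client gets to finish its request headers
MAX_CONN_PER_IP = 4     # concurrent connections tolerated from one address
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"

class Guard:
    def __init__(self):
        self.open_by_ip = Counter()
        self.outcomes = Counter()   # served / header_timeout / rejected / bad_request

    async def handle(self, reader, writer):
        ip = writer.get_extra_info("peername")[0]
        if self.open_by_ip[ip] >= MAX_CONN_PER_IP:
            self.outcomes["rejected"] += 1
            await self._close(writer)
            return
        self.open_by_ip[ip] += 1
        try:
            # readuntil() returns only when the blank line ending the header block
            # arrives; a Slowloris client never sends it, so the deadline frees the slot.
            await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), HEADER_DEADLINE)
            writer.write(RESPONSE)
            await writer.drain()
            self.outcomes["served"] += 1
        except asyncio.TimeoutError:
            self.outcomes["header_timeout"] += 1
        except (asyncio.IncompleteReadError, asyncio.LimitOverrunError):
            self.outcomes["bad_request"] += 1   # peer vanished, or headers over 64 KiB
        finally:
            self.open_by_ip[ip] -= 1
            await self._close(writer)

    @staticmethod
    async def _close(writer):
        writer.close()
        with contextlib.suppress(OSError):
            await writer.wait_closed()

async def _client(port, request):
    # Constructed client: send `request` once, then wait for whatever the server does.
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(request)
    try:
        data = await reader.read()   # b"" (or a reset) once the server hangs up
    except OSError:
        data = b""
    await Guard._close(writer)
    return data

async def _demo():
    guard = Guard()
    server = await asyncio.start_server(guard.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        # Five Slowloris-style clients: headers begun, terminating blank line never
        # sent. Four hold slots until the deadline; the fifth is refused at once.
        slow = [_client(port, b"GET / HTTP/1.1\r\nHost: example.test\r\n") for _ in range(5)]
        await asyncio.gather(*slow)
        # With the slots released, a complete request is served normally.
        body = await _client(port, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    return dict(guard.outcomes), body

def run_demo():
    return asyncio.run(_demo())
```

run_demo() returns ({'header_timeout': 4, 'rejected': 1, 'served': 1}, b'HTTP/1.1 200 OK...ok'); production servers expose the same two knobs as header timeouts and per-IP connection limits.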

Cryptocurrency Analytics: Antinalysis

Despite its name, cryptocurrency is not a completely secure method of payment for criminal actors. While some cryptocurrencies such as Monero are relatively difficult to trace, investigators or cryptocurrency exchanges can leverage cryptocurrency analysis tools to detect criminal activity such as money laundering or identifying wallets tied to known threat actors. These tools rely on powerful machine learning to operate and are generally not accessible to an individual user. To combat this analysis, criminals have become increasingly interested in adopting their own analysis technology to detect and avoid risky exchanges and wallets. One such tool, dubbed Antinalysis, received significant media attention from security researchers while enduring a rocky launch, suspension, and re-launch throughout August 2021. The ongoing Antinalysis saga is a useful case study of criminal adaptation to the powerful analytics tools used by security practitioners.

Developed by pharoah, an administrator of the illicit Incognito Market, Antinalysis allows users to see how “clean” their wallet address is before moving cryptocurrency. Pharoah claimed that Antinalysis can provide its customers with transaction intelligence comparable to the tools used by law enforcement and cryptocurrency exchanges, allowing dark net denizens to perform risk analysis “from the opponent’s point of view”.[16] For $3 USD in Monero, Antinalysis allows its user to analyze a wallet address and determine its risk of being flagged by exchanges.[17]

Figure 1: Antinalysis Result 

Unfortunately for pharoah, Antinalysis promptly caught the attention of security researchers, including the cryptocurrency analytics firm Elliptic. Elliptic noted that while Antinalysis was primitive compared to its own tools, it was an innovative criminal application of crypto-tracing analytics.[18] The underlying technology, however, was anything but novel; later reporting confirmed that Antinalysis was essentially a clone of AMLBot,[19] a similar service that provides rudimentary wallet analysis using the API of Crystal Blockchain, another cryptocurrency analytics firm.[20]

While pharoah initially celebrated the attention Antinalysis was getting from media outlets, their tone changed once the link to AMLBot and Crystal Blockchain became apparent. Not long after admitting that AMLBot and Antinalysis shared a data source,[21] pharoah suspended operations and posted tirades on Antinalysis and the dark web forum Dread blaming law enforcement and Elliptic for “criminalizing a cryptocurrency tool”.[22] This did not garner much sympathy on Dread, with one user noting that pharoah’s complaints about criminalizing privacy were ironic given their role as an admin of Incognito Market.[23]

This was not the end for Antinalysis, however. On August 24, 2021, pharoah announced that Antinalysis was back online and would now use its own dataset rather than a third-party API.[24] While the loss of Crystal Blockchain’s API will likely limit Antinalysis’ functionality, at the time of analysis the tool is live and accepting transaction queries once more. Ankura’s Cyber Threat Analysis and Pursuit Team (CTAPT) continues to monitor the Antinalysis situation and the ever more prevalent expansion of blockchain analysis technologies.

Figure 2: Antinalysis resurfaces

BlackMatter Ransomware Group

One of the newest ransomware groups to emerge, BlackMatter, is quickly making a name for itself in the world of ransomware. The group first appeared on the dark web on July 21, 2021, when it deposited four (4) bitcoins into a newly created account on the prominent forum Exploit.in. Soon after the deposit, BlackMatter posted that it was looking to buy access to companies in the United States, Canada, Australia, and the United Kingdom. The group also stated that it is only interested in access to companies worth 100 million or more whose networks have at least 500 hosts.

Figure 1: BlackMatter’s initial post on Exploit.in

BlackMatter appeared shortly after REvil’s disappearance; however, CTAPT analysts have yet to confirm a relationship between REvil and BlackMatter. Analysts have noticed similar tactics, techniques, and procedures (TTPs) and supporting infrastructure between BlackMatter and DarkSide, the ransomware group responsible for the Colonial Pipeline attack in early May. BlackMatter has claimed to be a new, independent group that modeled its services on the other top Ransomware-as-a-Service (RaaS) providers; in particular, it based most of its product on DarkSide and borrowed a few minor procedures from REvil and LockBit.

Figure 2: Companies posted on BlackMatter’s leak site

Despite BlackMatter’s claim to be a new threat group rather than a rebrand of a previous ransomware gang, there is widespread speculation that this statement is false given the group’s evident experience. BlackMatter draws direct attention to the Colonial Pipeline attack on its leak site by stating, “We do not attack Oil and gas industry (pipelines, oil refineries)”. While it is common for ransomware groups to publish a blocklist of targets, this is the first group to state specifically that it will not target the oil and gas industry. Since its emergence, BlackMatter has infected seven (7) victims. This number is expected to rise as BlackMatter establishes its foothold in the ransomware scene.

Figure 3: Rules and About us (BlackMatter leak site)

Threat Actor of the Month

LockBit, formerly known as ABCD ransomware, has been one of the most active ransomware groups since the shutdown of REvil. Its ransomware cryptor is among the most advanced encryption malware on the market today. LockBit follows a typical ransomware business structure: from the top down, the malware developers contract the dirty work to affiliates who breach corporate networks. Because they operate like a business, they need marketing and an online presence to recruit new affiliates. This trend occurs across many ransomware gangs and gives some insight into the mind of the threat actor.

The LockBit owners post publicly under the username LockBitSupp on the forums XSS.is and Exploit.in, always in Russian. They post on a range of subjects, including an Android ransomware which they state they had “almost finished writing [the ransomware],” suggesting they planned to create mobile ransomware themselves.

Figure 1: LockBitSupp’s post about “Android ransomware” on XSS.is 

Other than their presence on popular hacking forums, LockBit also has a dark web leak site where they post sensitive information from companies they compromise. This is also the site they use to post information about their affiliate program. Compared to other Ransomware-as-a-Service groups, LockBit has one of the best advertisements for attracting new hackers. On their “Conditions for Partners” page, they advertise the LockBit 2.0 ransomware features, which include the fastest encryption speed on the market and a self-spreading function. LockBit boasts about the quality of their business by stating, “with our help you can easily get more targets over the weekend than with any other affiliate program over the week”.

Figure 2: Section of LockBit 2.0’s Conditions for Partners page 

One of LockBit’s most remarkable marketing tactics is a call for insiders in its ransom note, promising “millions of dollars” for helping to hack into one’s own employer. Initial access into a company is one of the most difficult parts of a ransomware attack, and outsourcing that work to an insider eliminates the need to find vulnerabilities entirely. Many researchers theorize that outside security personnel are the most likely to be recruited by this message, as they have insider access to corporate networks but no loyalty to the company they are contracted to. It is currently unknown how effective this technique is, but other Ransomware-as-a-Service groups are likely to follow in LockBit’s footsteps.

Figure 3: LockBit 2.0 ransom note (Source: BleepingComputer)

Trending IOCs

Indicator | Type | Attribution
142.91.170[.]175 | IP | LockBit
142.91.170[.]6 | IP | LockBit
docs[.]google[.]com/spreadsheets/d/11C7pdR3r_VeOPQXpRCGtUEJoftKO1wB7ZFfX0t94XTw/edit#gid=0&range=B1 | URL | LockBit
1_Remote Desktop Connectio~.lnk | File | LockBit
Remote Desktop Connection.lnk | File | LockBit
C:\Windows\System32\CloudBAK.exe | Path | LockBit
C:\Windows\System32\defrag32.exe | Path | LockBit
C:\Windows\System32\diagnosticMem.exe | Path | LockBit
C:\Windows\System32\Ras.exe | Path | LockBit
C:\Windows\System32\wermgupd.exe | Path | LockBit
C:\Windows\System32\wermreport.exe | Path | LockBit


[1] https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/

[2] https://marketresearchtelecast.com/proxyshell-massive-wave-of-attacks-on-unpatched-exchange-servers/136463/

[3] https://borncity.com/win/2021/08/10/exchange-server-neues-zu-den-proxyshell-schwachstellen/

[4] https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit

[5] https://twitter.com/DaveKleinatland/status/1429690829166235648

[6] https://portswigger.net/daily-swig/nation-state-threat-how-ddos-over-tcp-technique-could-amplify-attacks

[7] https://www.usenix.org/system/files/sec21fall-bock.pdf

[8] https://thehackernews.com/2021/08/attackers-can-weaponize-firewalls-and.html

[9] https://www.usenix.org/system/files/sec21fall-bock.pdf

[10] https://www.usenix.org/system/files/sec21fall-bock.pdf

[11] https://www.usenix.org/system/files/sec21fall-bock.pdf

[12] https://portswigger.net/daily-swig/nation-state-threat-how-ddos-over-tcp-technique-could-amplify-attacks

[13] https://www.usenix.org/system/files/sec21fall-bock.pdf

[14] https://portswigger.net/daily-swig/nation-state-threat-how-ddos-over-tcp-technique-could-amplify-attacks

[15] https://www.netscout.com/what-is-ddos/slowloris-attacks

[16] http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/4fa922ff5c367180d745

[17] https://pdcdvggsz5vhzbtxqn2rh27qovzga4pnrygya4ossewu64dqh2tvhsyd.onion/example

[18] https://www.elliptic.co/blog/cybercriminals-have-built-their-own-blockchain-analytics-tool

[19] https://krebsonsecurity.com/2021/08/new-anti-anti-money-laundering-services-for-crooks/#more-56578

[20] https://www.elliptic.co/blog/cybercriminals-have-built-their-own-blockchain-analytics-tool

[21] https://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/754edeb254693a4d954d/#c-cba4775a9aa75f00b5

[22] http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/9517e26b77f61ee7fca2/#c-586c174cfc0fa42ce2

[23] http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/5e281e14ad255e0bedf5

[24] http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/9b506639f738c1a6bfae