December 31, 2020
Over the past thirty days, the Ankura Cyber Security practice has responded to a broad array of matters ranging from nation-state information operations activity to aggressive ransom/extortion campaigns. As 2020 winds to a close, Ankura’s Cyber Threat Analysis and Pursuit Team (CTAPT) analysts have documented the marked increase in sophistication by both criminal and state-sponsored entities as 2020 progressed. A prime example of threat actors deploying advanced tactics was recently discovered and reported as supply chain exploitation through the compromise of SolarWinds’ Orion platform. We have been tracking the SolarWinds-related discoveries and have applied those findings to our investigative operations. Similarly, the evolution of ransomware from simply encrypting victim systems to an extortion-as-a-service business model is an exemplar of the evolving cyber threat landscape in 2020. CTAPT analysts expect the continued maturation of threat actor tactics into 2021 as criminals find new ways to make money, and nation-states find new ways to acquire an advantage. While some cyber espionage groups may temporarily slow politically-risky US operations as their sponsors assess upcoming US political changes, we expect nothing but increased threat actor activity elsewhere.
The sections that follow provide high-level overviews of notable activity that Ankura is tracking, and includes some late-breaking Indicators of Compromise (IOC) that may be of use:
The SolarWinds exploitation and the resulting FireEye discovery of the malware now coined “SUNBURST” dominated the headlines in December 2020. Many in the community continue to be impacted as the hunt for SUNBURST continues. As soon as indicators were released, Ankura’s managed Endpoint Detection and Response (EDR) operations successfully detected SUNBURST activity on two (2) client networks. The team quickly alerted both organizations and drove incident response and containment. Upon initial analysis, one (1) of the occurrences was attributed to the client’s security administrator who downloaded SUNBURST samples for research purposes. The second organization’s SUNBURST discovery was attributed to the client downloading and installing the malicious version of “solarwinds.orion.core.businesslayer.dll” in March of 2020. Related endpoint and network traffic analysis found evidence of outbound network traffic to a known malicious first-stage domain leveraged by the SUNBURST backdoor, however, forensic analysis on the infected endpoints did not identify any evidence of the TEARDROP second-stage droppers. In summary, Ankura was able to rapidly detect the malicious version of the Orion software, identify three (3) successful outbound communications to a known malicious domain utilized by the SUNBURST backdoor, forensically analyze the infected endpoint to confirm that the SUNBURST backdoor was not residing in memory, and use the results to further defend our partners.
As evidenced by the increasing number of reports and indicators being released daily, SUNBURST-related activity is an evolving situation. Analysis of the malicious code and compromised networks continues, and researchers are uncovering a wide variety of second-stage artifacts. The Cybersecurity and Infrastructure Security Agency (CISA) has recently suggested that it has evidence “that there are initial access vectors other than the SolarWinds Orion platform.” CTAPT is continuing its efforts to collect and expand upon high confidence SUNBURST technical indicators, making them immediately available to our front-line incident response and investigations teams. Furthermore, Ankura’s EDR team leverages long term passive DNS and event tracking along with triage support to collect memory samples and live forensic data to aid our clients in determining the impact, response, and scope of intrusion.
No Holiday for Egregor
Throughout the past forty-five (45) days, CTAPT has continued to monitor the Egregor ransomware group, noting that this group’s website included several dozen new victims in that time frame. These new victims belong to a diverse range of industries and include organizations throughout the US, Europe, Asia Pacific, and Latin America. As previously reported, CTAPT believes that individual actors now associated with Egregor are the same actors who were previously affiliated with Maze, as there appears to be significant overlap in the tactics, techniques, and procedures (TTPs) leveraged by both groups.
Figure 1: Screenshot of Egregor victim identification site
Using a newly popularized tactic, the Egregor group leverages a double extortion technique, involving an extortion website on the dark web called the “Hall of Shame” designed to pressure and shame victims into paying the requested ransom. Egregor has introduced a unique addition to their site, titled “Hole of the month” which is used to single out specific high-value victims for additional pressure. It is believed that the “Hole of the month” is chosen based upon perceived return on investment and the victim’s willingness to pay the ransom to avoid a potential reputation hit. At this time, it is not known if this tactic has been successful; however, it does show that Egregor is willing to innovate and employ new tactics to generate revenue even as new ransomware/extorsion groups enter the “market” on a monthly basis.
Figure 2: Screenshot of the current “Hole of the month”
Introduction to DeathStalker
DeathStalker, also known as Evilnum, is a sophisticated “hacker for hire” threat group which has targeted organizations across the globe active since at least 2013. Recently, CTAPT has observed a measurable increase in DeathStalker campaigns targeting entities in the Middle East, specifically the United Arab Emirates, Lebanon, and Turkey, likely as a result of recent geopolitical tensions and conflict in that part of the world. The group uses a variety of different attack vectors, including spear-phishing emails which leverage current events to target governments, capital markets, financial technology, law firms, small- to medium-sized businesses, and diplomatic entities.
In the past, DeathStalker has been linked to three (3) active malware families (Powersing, EvilNum, and Janicab), but is now leveraging “PowerPepper,” which is a PowerShell backdoor that allows for remote execution of shell commands. Once delivered to a target, the malware gathers system and user information before sending it to a command-and-control (C2) server using DNS over HTTPS (DoH). To contact the server, the malware will attempt to leverage Microsoft Excel as a web client. If this is denied, it will fall back to the PowerShell client. Once successfully connected to the C2 server, PowerPepper drops a keylogger as well as a MAC address filtering module.
“Doc(s) Daily Delivery” O365 Phishing
CTAPT analysts have noted a new technique leveraged in an attempt to gain access to targeted Office 365 accounts. The technique uses access to compromised legitimate credentials from several organizations, and then using those credentials to impersonate emails from businesses such as eFax. The emails appear to be delivery notifications of electronic faxes sent via eFax from a legitimate email account. This technique remains successful because the sending email addresses and embedded URLs are trusted by the victim organization.
Figure 3: Screenshot of weaponized email involved in this campaign
Once a victim clicks on the “View Documents” link in the email, they are directed to a freshly-generated Office 365 phishing site, hosted on either Joom, Weebly, or Quip, which requests that the victim enter his/her unique Office 365 credentials. The threat actors use different templates for landing pages and phishing emails, but the overall tactics remain the same. At this time, CTAPT cannot attribute this activity to any specific threat group but will continue to monitor for additional TTP modifications and attribution points.
Figure 4: Screenshot of different template used by same threat actors