Understanding the Adversary: How Ransomware Attacks Happen – Security Intelligence

IBM Security X-Force Incident Response (IR) has responded to hundreds of ransomware incidents across every geography and industry. As we have taken time to analyze these incidents, a clear pattern has emerged. Although we observe dozens of ransomware groups in operation across the globe, many with multiple affiliate groups working under them, most ransomware actors tend to follow a similar attack flow and set of standard operating procedures. It is possible that ransomware actors are cross-training and sharing with each other their most effective techniques, which are becoming standard practices for many ransomware groups and affiliates. But whatever forces are bringing ransomware actors together, security defenders can use knowledge of these attacks to their advantage to better defend networks against ransomware attacks and catch attackers before they accomplish their final objectives.
The X-Force IR team has observed that most ransomware attacks occur in a predictable pattern that we break down into five stages: Initial Access, Post-Exploitation Foothold, Reconnaissance/Credential Harvesting/Lateral Movement, Data Collection and Exfiltration, and Ransomware Deployment.
While no two ransomware incidents are exactly the same, by analyzing adversary behaviors across many engagements, operators, and geographies, X-Force IR has created the generalized attack graph below, which can be used to identify logical control and detection opportunities that apply to the majority of ransomware operators.

Figure 1: Standard Attack Flow for Ransomware Attacks, As Observed by X-Force Incident Response (Source: X-Force)
Stage 1: Initial Access
The most common access vectors for ransomware attacks continue to be phishing (MITRE ATT&CK T1566), vulnerability exploitation including Exploitation of a Public-Facing Application (T1190), and External Remote Services (T1133) such as exposed remote desktop protocol. The vast majority of phishing campaigns that result in a ransomware incident distribute an access trojan such as Bazar, TrickBot, QakBot, or Valak.
Stage 2: Post-Exploitation
Depending on the initial access vector, the second stage may involve an intermediary remote access tool (RAT) or malware prior to establishing interactive access with an offensive security tool such as Cobalt Strike or Metasploit. For example, X-Force IR has observed NetSupport Manager being loaded by the access trojan. NetSupport Manager would then be used to spawn a Cobalt Strike beacon.
Stage 3: Understand and Expand
During the third stage of the attack, attackers have consistently focused on understanding the local system and domain that they currently have access to and acquiring credentials to enable lateral movement. Local system reconnaissance is often achieved through built-in tools such as net, whoami, and tasklist.
To facilitate domain reconnaissance, ransomware operators continue to leverage the open-source utility “AdFind”. Out of all ransomware incidents X-Force IR responded to in 2020, AdFind was used in 88% of the attacks. X-Force IR has also observed ransomware operators using the nltest command to acquire a list of domain controllers and privileged accounts prior to performing a more comprehensive Active Directory reconnaissance through AdFind. On several occasions, X-Force IR has observed ransomware operators redirecting the output of AdFind to a series of text files which are then added to an archive and exfiltrated.
While credentials can be harvested by many access trojans, X-Force IR has observed ransomware operators usually leveraging Mimikatz, ZeroLogon, and PrintNightmare to acquire credentials to be used in the remainder of the attack.
In most ransomware attacks X-Force has observed, exploitation of Active Directory is a key linchpin in the attack and presents an opportunity for security defenders to catch and stop ransomware attackers or frustrate their success. Several recommendations for securing Active Directory are included at the end of this blog.
Following Active Directory reconnaissance, ransomware operators commonly move laterally via server message block (SMB) or remote procedure call (RPC) protocols. Credential harvesting may continue on additional systems as required with the goal of acquiring domain administrator privileges.
Stage 4: Data Collection and Exfiltration
Almost every ransomware incident X-Force IR has responded to since 2019 has involved the “double extortion” tactic of data theft and ransomware. During Stage 4 of the attack, the focus of the ransomware operators switches primarily to identifying valuable data and exfiltrating it.
Ransomware operators will usually move laterally to additional systems during Stage 4 through SMB, RPC and remote desktop protocol (RDP) to identify data for exfiltration. X-Force IR has observed ransomware operators leveraging one or two staging systems to collect data prior to exfiltration, which they continually access via a tunneled RDP connection. While we have observed certain ransomware operators access and exfiltrate data from databases, the majority of data collection is performed over SMB.
Data exfiltration is the area of the attack lifecycle where X-Force IR has observed the most variance across ransomware operators. Tools such as WinSCP and RClone remain the most common; however, X-Force IR has responded to several ransomware incidents where the adversaries leveraged custom data exfiltration tools or living-off-the-land tools such as BitsAdmin.
Stage 5: Ransomware Deployment
While innovation within the ransomware developers’ community continues to create new variants of malware, distribution of the ransomware payload to the target systems remains fairly common across ransomware operators.
In almost every single ransomware incident X-Force IR has responded to, the ransomware operators targeted a domain controller as the distribution point for the ransomware payload.
To distribute the ransomware, adversaries most often leverage SMB from a share on the domain controller and execute the payload either with PsExec, WMIC, RunDll32, or by creating a scheduled task with tools like CrackMapExec.
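As an added illustration for Stage 3 and Stage 5 (not code from the X-Force article), the following Python hunt runs a few detections over constructed process-creation events: AdFind output redirected to a text file, nltest and net used for domain controller and privileged-group enumeration, and PsExec, WMIC, rundll32 or schtasks running on, or loading from a share on, a domain controller. The hostnames, users, DC inventory and flattened log format are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (Security 4688 / Sysmon EID 1 style, one per line).
SAMPLE_EVENTS = [
    r'host=WS01 user=CORP\jdoe parent=cmd.exe image=nltest.exe cmdline="nltest /dclist:corp.local"',
    r'host=WS01 user=CORP\jdoe parent=cmd.exe image=net.exe cmdline="net group "domain admins" /domain"',
    r'host=WS01 user=CORP\jdoe parent=cmd.exe image=adfind.exe cmdline="adfind.exe -f objectcategory=person > ad_users.txt"',
    r'host=DC01 user=CORP\admin01 parent=services.exe image=psexesvc.exe cmdline="psexesvc.exe"',
    r'host=FS02 user=CORP\admin01 parent=wmiprvse.exe image=rundll32.exe cmdline="rundll32.exe \\DC01\dist$\payload.dll,Start"',
    r'host=WS07 user=CORP\alice parent=explorer.exe image=notepad.exe cmdline="notepad.exe notes.txt"',
]

DOMAIN_CONTROLLERS = {"DC01"}  # assumed asset inventory: which hosts are domain controllers

EVENT_RE = re.compile(
    r'host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>.*)"$'
)
UNC_RE = re.compile(r"\\\\([\w.-]+)\\")  # captures the server name in \\server\share\...

@dataclass(frozen=True)
class Rule:
    name: str
    stage: str
    image: str    # regex applied to the image file name
    cmdline: str  # regex applied to the command line

# Behaviours the article names for Stage 3 (AD reconnaissance) and Stage 5 (deployment).
RULES = [
    Rule("AdFind output redirected to a text file", "Stage 3", r"adfind\.exe$", r">\s*\S+\.txt"),
    Rule("nltest domain controller listing", "Stage 3", r"nltest\.exe$", r"/dclist"),
    Rule("Privileged group enumeration via net", "Stage 3", r"net1?\.exe$", r'group\s+"?domain admins'),
    Rule("PsExec service started", "Stage 5", r"psexesvc\.exe$", r"."),
    Rule("rundll32 loading a DLL from a UNC path", "Stage 5", r"rundll32\.exe$", r"\\\\[\w.-]+\\"),
    Rule("WMIC remote process creation", "Stage 5", r"wmic\.exe$", r"/node:.*process\s+call\s+create"),
    Rule("Scheduled task created on a remote host", "Stage 5", r"schtasks\.exe$", r"/create\b.*\s/s\s"),
]

def parse_event(line):
    """Parse one flattened event line into a dict, or return None if malformed."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def involves_dc(event):
    """True if the event ran on a DC or references a share hosted on one."""
    if event["host"] in DOMAIN_CONTROLLERS:
        return True
    m = UNC_RE.search(event["cmdline"])
    return bool(m and m.group(1).upper() in DOMAIN_CONTROLLERS)

def hunt(lines, rules=RULES):
    """One finding per (event, rule) match; Stage 5 activity touching a DC is rated high."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for r in rules:
            if re.search(r.image, ev["image"], re.I) and re.search(r.cmdline, ev["cmdline"], re.I):
                high = r.stage == "Stage 5" and involves_dc(ev)
                findings.append({"host": ev["host"], "user": ev["user"], "stage": r.stage,
                                 "rule": r.name, "severity": "high" if high else "medium"})
    return findings
```

Running `hunt(SAMPLE_EVENTS)` flags the three reconnaissance events on WS01 at medium severity and the two deployment events as high because both touch DC01; the notepad event produces nothing.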
By understanding commonalities across most ransomware attacks, defenders have an advantage in identifying and focusing on assets heavily leveraged in the majority of attacks, including Active Directory and domain controllers. The following recommendations include specific measures network defenders can take to best defend against ransomware attacks, given what we know about the ransomware attack flow.
Limit Privileged Access
Protect Privileged Accounts
Secure Active Directory
Restrict Common Lateral Movement Pathways
Defend Against Phishing Threats
Focus on Patch Management
Utilize a mature patch management program to prioritize patches that are most likely to be exploited and are most applicable given your network architecture. Use patch advisories and intelligence on vulnerabilities exploited in the wild to prioritize patches for implementation in your network. At a minimum, we recommend implementing patches for the following systems, as applicable, per CISA Alert AA21-209A last revised on August 20, 2021:
Detect and Hunt
John (@TactiKoolSec) is the Head of Research for the IBM Security X-Force where he leads research efforts to understand and model adversary operations, devel…

Prosecutors seek from 40 to 50 years in prison for Sam Bankman-Fried for cryptocurrency fraud


By LARRY NEUMEISTER

NEW YORK (AP) — FTX founder Sam Bankman-Fried’s orchestration of one of history’s largest financial frauds in his quest to dominate the cryptocurrency world deserves a prison sentence of 40 to 50 years, federal prosecutors on Friday told a federal judge.

Prosecutors made the recommendation in papers filed in Manhattan federal court in advance of a March 28 sentencing, where a judge will also consider a 100-year prison sentence recommended by the court’s probation officers and a request by defense lawyers for leniency and a term of imprisonment not to exceed single digits.

Bankman-Fried, 32, was convicted in November on fraud and conspiracy charges after his dramatic fall from a year earlier when he and his companies seemed to be riding a crest of success that had resulted in a Super Bowl advertisement and celebrity endorsements from stars like quarterback Tom Brady and comedian Larry David.

Some of his biggest successes, though, resulted from stealing at least $10 billion from investors and customers between 2017 and 2022 to buy luxury real estate, make risky investments, dispense outsized charitable donations and political contributions and to buy praise from celebrities, prosecutors said.

 

FILE - Sam Bankman-Fried leaves Manhattan federal court in New York on Feb. 16, 2023. Bankman-Fried's lawyers are seeking leniency next month at the FTX founder's sentencing for cryptocurrency crimes. The lawyers filed presentence arguments late Monday, Feb. 26, 2024, in Manhattan federal court. (AP Photo/Seth Wenig, File)

 

“His life in recent years has been one of unmatched greed and hubris; of ambition and rationalization; and courting risk and gambling repeatedly with other people’s money. And even now Bankman-Fried refuses to admit what he did was wrong,” prosecutors wrote.


“Having set himself on the goal of amassing endless wealth and unlimited power — to the point that he thought he might become President and the world’s first trillionaire — there was little Bankman-Fried did not do to achieve it,” prosecutors said.

They said crimes reflecting a “brazen disrespect for the rule of law” had depleted the retirement funds and nest eggs of people who could least afford to lose money, including some in war-torn or financially insecure countries, and had harmed others who sought to “break generational poverty” only to be left “devastated” and “heartbroken.”

“He knew what society deemed illegal and unethical, but disregarded that based on a pernicious megalomania guided by the defendant’s own values and sense of superiority,” prosecutors said.

Bankman-Fried was extradited to the United States in December 2022 from the Bahamas after his companies collapsed a month earlier. Originally permitted to remain at home with his parents in Palo Alto, California, he was jailed last year weeks before his trial after Judge Lewis A. Kaplan concluded that he had tried to tamper with trial witnesses.

In their presentence submission, prosecutors described Bankman-Fried’s crimes as “one of the largest financial frauds in history, and what is likely the largest fraud in the last decade.”

“The defendant victimized tens of thousands of people and companies, across several continents, over a period of multiple years. He stole money from customers who entrusted it to him; he lied to investors; he sent fabricated documents to lenders; he pumped millions of dollars in illegal donations into our political system; and he bribed foreign officials. Each of these crimes is worthy of a lengthy sentence,” they wrote.

They said his “unlawful political donations to over 300 politicians and political action groups, amounting to in excess of $100 million, is believed to be the largest-ever campaign finance offense.”

And they said his $150 million in bribes to Chinese government officials was one of the single largest by an individual.

“Even following FTX’s bankruptcy and his subsequent arrest, Bankman-Fried shirked responsibility, deflected blame to market events and other individuals, attempted to tamper with witnesses, and lied repeatedly under oath,” prosecutors said, citing his trial testimony.


Two weeks ago, Bankman-Fried attorney Marc Mukasey attacked a probation office recommendation that their client serve 100 years in prison, saying a sentence of that length would be “grotesque” and “barbaric.”

He urged the judge to sentence Bankman-Fried to just a few years behind bars after calculating federal sentencing guidelines to recommend a term of five to 6 1/2 years in prison.

“Sam is not the ‘evil genius’ depicted in the media or the greedy villain described at trial,” Mukasey said, calling his client a “first-time, non-violent offender, who was joined in the conduct at issue by at least four other culpable individuals, in a matter where victims are poised to recover — were always poised to recover — a hundred cents on the dollar.”

Mukasey said he will respond to the prosecutors’ claims in a filing next week.


Biden to create cybersecurity standards for nation’s ports as concerns grow over vulnerabilities


WASHINGTON (AP) — President Joe Biden on Wednesday signed an executive order and created a federal rule aimed at better securing the nation’s ports from potential cyberattacks.

The administration is outlining a set of cybersecurity regulations that port operators must comply with across the country, not unlike standardized safety regulations that seek to prevent injury or damage to people and infrastructure.

“We want to ensure there are similar requirements for cyber, when a cyberattack can cause just as much if not more damage than a storm or another physical threat,” said Anne Neuberger, deputy national security adviser at the White House.

Nationwide, ports employ roughly 31 million people and contribute $5.4 trillion to the economy, and could be left vulnerable to a ransomware or other brand of cyberattack, Neuberger said. The standardized set of requirements is designed to help protect against that.

The new requirements are part of the federal government’s focus on modernizing how critical infrastructure like power grids, ports and pipelines are protected as they are increasingly managed and controlled online, often remotely. There is no set of nationwide standards that govern how operators should protect against potential attacks online.

The threat continues to grow. Hostile activity in cyberspace — from spying to the planting of malware to infect and disrupt a country’s infrastructure — has become a hallmark of modern geopolitical rivalry.

For example, in 2021, the operator of the nation’s largest fuel pipeline had to temporarily halt operations after it fell victim to a ransomware attack in which hackers hold a victim’s data or device hostage in exchange for money. The company, Colonial Pipeline, paid $4.4 million to a Russia-based hacker group, though Justice Department officials later recovered much of the money.

Ports, too, are vulnerable. In Australia last year, a cyber incident forced one of the country’s largest port operators to suspend operations for three days.


In the U.S., roughly 80% of the giant cranes used to lift and haul cargo off ships onto U.S. docks come from China, and are controlled remotely, said Admiral John Vann, commander of the U.S. Coast Guard’s cyber command. That leaves them vulnerable to attack, he said.

Late last month, U.S. officials said they had disrupted a state-backed Chinese effort to plant malware that could be used to damage civilian infrastructure. Vann said this type of potential attack was a concern as officials pushed for new standards, but they are also worried about the possibility for criminal activity.

The new standards, which will be subject to a public comment period, will be required for any port operator and there will be enforcement actions for failing to comply with the standards, though the officials did not outline them. They require port operators to notify authorities when they have been victimized by a cyberattack. The actions also give the Coast Guard, which regulates the nation’s ports, the ability to respond to cyberattacks.


Why Was Sam Altman Fired? Possible Ties to China D2 (Double Dragon) Data from Hackers


Theories are going around the internet about why Sam Altman was fired. On an insider tech forum (Blind), one person claims to know, by third-hand account, what happened and how this news will trickle into the media over the next couple of weeks.

It’s said OpenAI had been using data from D2 to train its AI models, including GPT-4. This data was obtained through a hidden business contract with a D2 shell company called Whitefly, based in Singapore. This D2 group has the largest crawling/indexing/scanning capacity in the world, 10x more than Alphabet Inc (Google), hence the deal, so OpenAI could get its hands on vast quantities of data for training after exhausting its other options.

The Chinese government became aware of this arrangement and raised concerns with the Biden administration. As a result, the NSA launched an investigation, which confirmed that OpenAI had been using data from D2. Satya Nadella, the CEO of Microsoft, which is a major investor in OpenAI, was informed of the findings and ordered Altman’s removal.

There was also a suggestion that Altman refused to disclose this information to the OpenAI board. This lack of candor ultimately led to his dismissal and is what the board publicly alluded to when it said he was “not consistently candid in his communications with the board.”

To summarize what happened with Sam Altman’s firing:

1. Sam Altman was removed from OpenAI due to his ties to a Chinese cyber army group.

2. OpenAI had been using data from D2 to train its AI models.

3. The Chinese government raised concerns about this arrangement with the Biden administration.


4. The NSA launched an investigation, which confirmed OpenAI’s use of D2 data.

5. Satya Nadella ordered Altman’s removal after being informed of the findings.

6. Altman refused to disclose this information to the OpenAI board.

 

We’ll see in the next couple of weeks if this story holds up or not.
