Category Archives: Ransomware

Cyber Defence from narrow to broad (5th Jan 2023)

Preface: Sustainability has been a buzzword in the modern world in recent years. It applies to business, culture, even our education. A slogan: keep learning. Maybe it is the Cantonese mantra, one is never too old to learn. Perhaps it also applies to cyber security protection.

Background: In the last twenty years, computing technology has driven the growth of the world, in particular the rapid growth of telecommunications and the TCP/IP communication protocol. This technology unintentionally interconnected different zones and cultures. The TCP/IP network protocol empowered the transformation of the industrial world, giving us Industry 4.0, smart city facilities and smart homes. This is the theory of sustainability, although the keyword itself only appeared in the last five years.

We are all concerned about privacy, so the European countries and the European Union drove the GDPR. Whatever data runs over the internet, including your personal data and web browser connection cookies, falls under its protection coverage. Before that, cyber security vendors, especially antivirus and cyber security protection vendors, had already done predictive technology. Their way is passive information gathering: when an incident occurs with an unknown cyber-attack, they make enhancements based on your former activity logs.

Cyber defence from narrow to broad: Set up monitoring and logging of systems that trip the DNS sinkhole so that they can be investigated and remediated if they are infected with malware. Until now, such services have been run by private business owners. So if you can afford to pay for the service, you can receive updates from the online world. To avoid risking your connection, such a service integrated into your defence solution can provide protection. Perhaps this is a narrow usage.

We all know that artificial intelligence improves our lives, but it relies on data. In fact, enterprise companies, especially Amazon, Google, Cisco and others, are already using AI technologies in their cyber defence solutions, so their umbrella technology covers a lot: prevention, detection and correction are all in place. However, they are all running businesses and thus have not disclosed their technology to the public.

But when will generalized artificial intelligence develop? For example, this month a cybersecurity defence vendor discovered malicious activity that can infect the Linux operating system. In fact, AI can target these activities and make predictions (see attached image).

Sustainability seems to be the definition of the big data world. The accumulation of data into the database is a long-term process, so the keywords accumulate and sustainability contain similarities.

For more information about cyber-attacks against Linux environments, you can find the details at the link –

Kronos hit by ransomware, even though we do not know the reason. However, the original has a weakness (14-12-2021)

Preface: In October 2020, two of the largest human resources (HR) technology vendors out there—Kronos and Ultimate Software—merged into UKG (Ultimate Kronos Group). Together, the two companies now bring customers more than 70 combined years of experience in the industry.

Background: Kronos' system integration capability has broad compatibility because it accepts CSV files as an import data source. The integration is done via a comma-delimited flat file (CSV) in Windows format. The file is delivered to the Kronos server daily via SFTP. Can a CSV contain malicious code? When such a file is opened in a spreadsheet application, the application first parses and processes any formula beginning with "=" before displaying any content to the user. A formula injected into the CSV might contain a call to a system function, or it may contain a malicious payload that exploits the victim's system. So the answer is: possible. But the malicious code is not executed automatically; it requires social engineering to trigger the action.

If Kronos Workforce Central is installed on top of the cloud, and the victim's workstation has a mapped shared drive to the Workforce Central server, then when the malicious code in the CSV is triggered through social engineering and downloads the ransomware payload, it can carry out the action and lock all the files.
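As an added example (not Kronos' or UKG's code, and not part of the original post), the following Python script shows the defensive check an import pipeline could run on such a CSV before it reaches anyone's spreadsheet: it flags cells that start with a formula trigger character and writes a neutralised copy. The file layout, column names and values are constructed for illustration.

```python
"""Added example (not Kronos' or UKG's code): scan an import CSV for cells that
a spreadsheet application would evaluate as formulas, and write a neutralised
copy.  Assumes the integration file is a plain comma-delimited CSV that the
receiving side may open in Excel or similar; the file content is constructed."""
import csv
import io

# Excel treats a cell starting with one of these as a formula.  Leading
# whitespace, tab and carriage return are stripped first (OWASP CSV injection
# guidance).  Negative numbers are caught too, so treat hits as items to
# review, not automatic rejections.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
STRIP_CHARS = " \t\r\n"


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it."""
    return value.lstrip(STRIP_CHARS).startswith(FORMULA_TRIGGERS)


def neutralise(value: str) -> str:
    """Prefix a formula-like cell with a single quote so it is shown as text."""
    return "'" + value if is_formula_cell(value) else value


def scan_csv(text: str):
    """Return (findings, sanitised_csv_text).

    findings is a list of (row_number, column_name, original_value); the header
    row is row 0 and is never treated as data."""
    reader = csv.DictReader(io.StringIO(text))
    findings = []
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\r\n")
    writer.writeheader()
    for row_no, row in enumerate(reader, start=1):
        clean = {}
        for col, val in row.items():
            if val is not None and is_formula_cell(val):
                findings.append((row_no, col, val))
            clean[col] = neutralise(val or "")
        writer.writerow(clean)
    return findings, out.getvalue()


# Constructed sample: a daily employee import with two poisoned cells.  The
# formulas are harmless and only demonstrate the trigger characters.
SAMPLE_CSV = (
    "EmployeeID,Name,Department\r\n"
    "1001,Alice Chan,Finance\r\n"
    "1002,=1+1,Operations\r\n"
    "1003,  @SUM(1;2),Logistics\r\n"
)

if __name__ == "__main__":
    found, cleaned = scan_csv(SAMPLE_CSV)
    for row_no, col, val in found:
        print(f"row {row_no} column {col!r}: formula-like cell {val!r}")
    print(cleaned, end="")
```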

So if Kronos was hit by ransomware, most likely it was an insider threat. An insider threat is defined as the threat that an employee or a contractor will use his or her authorized access, wittingly or unwittingly, to do harm to the cloud system.

Details of attack: Headline news – Warns Cyberattack May Knock HR Software Offline for Weeks. Kronos hasn't said whether the attack is related to the Log4Shell vulnerability discovered this past weekend. For more details, please refer to the link.

Ring 3 evasion techniques continue to improve, and since this is the entry point, Layer 7 deep packet inspection is the basis of the defensive technique. (6th Dec 2021)

Preface: In fact, despite the Excel icon, an XLL file is a dynamic-link library, a binary executable file.

Background: The number of data breaches as of September 30, 2021 had already exceeded the total number of incidents in 2020 by 17% (1,291 breaches in 2021 versus 1,108 breaches in 2020).

The fundamental objective of MS Office products is to increase office automation efficiency. Before MS products were born, typewriters, carbon copies and copy machines were fully utilized. Viruses appeared in the early 90s, and cyber attacks evolved from disruption to suspending office operations. Fundamentally, the role of automation software is operations. Perhaps nothing in our world is perfect. From a certain viewpoint, cyber criminals exploiting a product design weakness is misuse; on the other hand, design weaknesses can be grouped together with misconfiguration. When cyber criminals abuse either of these two, the software becomes a weapon. I have heard some domain experts separate I.T. and O.T., but MS Office has also become one of the operational components in their backend operations. What if MS Office suddenly became a cyber attack tool? What could it do?

If the difference between I.T. and O.T. is safety and a longer product life cycle: apart from safety, software product life cycles are shorter compared with ten years ago, but under industrial automation the hardware is driven by software drivers. So it is clear that the O.T. product life cycle is longer than that of traditional I.T., and therefore product end of life and end of support require focus in this area. Otherwise, when a similar incident occurs, the benefit goes to the cyber attacker.

Security Focus: Mshta.exe is a signed Microsoft application that runs Microsoft HTML Application (HTA) files. These are HTML files that execute JavaScript or VBScript outside of the browser, with the full permissions of the executing user.

Furthermore, HTA files run automatically if a user double-clicks on them. Because of this, HTA files are well suited to phishing, malvertising or watering-hole attacks, where the user clicks on the file and infects themselves. As a matter of fact, lack of security awareness is the potential weakness. If you are interested in the HTA attack scenario, please refer to the attached diagram.

But who wants to know a simple way to set up compensating controls in your office or industrial area?
If the system infrastructure is integrated with the internet, a clean DNS service, SIEM and defence including managed security services and local defence (antivirus) will be the defence baseline.
Be my guest; see whether you have time to think this topic over.

BlackMatter Ransomware – Stay Alert (18th Oct, 2021)

Preface: A common malicious action deployed by ransomware is automatic propagation. Their targets include the default ADMIN$, C$, SYSVOL and NETLOGON shares.

Common infection technique: Believe it or not, quite a lot of ransomware developers use a simple technique.
Deploy encryptors across the environment using Windows batch files (mount C$ shares, copy the encryptor, and execute it with the PsExec tool).
Please refer to the official website for details –

Strengthen your preventive, detective and corrective controls: If PsExec is utilized in an environment, disabling the admin (ADMIN$) share can restrict the capability of this tool to remotely interface with endpoints. In addition, you should perform system hardening, for example by modifying the registry value that disables administrative sharing on workstations and servers.

Perhaps BlackMatter ransomware does not use this technique, but this is a baseline protection. According to the suggestion by US-CERT, defining new rules in your IDS is an effective way to mitigate the risk. Please refer to the attached diagram for details.

Design limitations are hard to avoid. For example: disabling PowerShell Remoting does not prevent local users from creating PowerShell sessions on the local computer or sessions destined for remote computers. As a result, it leaves a way open for attackers.

A long time ago, a SIEM vendor (Splunk) recommended using Sysmon to detect ransomware attacks. I agree that this is an effective solution. The concept is shown below:

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
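As an added example (not Splunk's, Microsoft's or the original post's code) that serves both the HTA section above and this Sysmon section, the Python below runs two simple detection rules over Sysmon Event ID 1 (process creation) records: mshta.exe starting an HTA, and the PSEXESVC service that PsExec installs on the target host. The event records, host names and user names are constructed; the dict keys follow Sysmon's EventData field names.

```python
"""Added example (not from Splunk, Microsoft or the original post): detection
logic over Sysmon Event ID 1 (process creation) records for two behaviours
discussed above: HTA execution through mshta.exe and remote execution through
PsExec.  Assumes events were collected (WEC or SIEM agent) and flattened to
dicts keyed by Sysmon EventData field names; the records are constructed."""

# Constructed Sysmon Event ID 1 records (subset of fields).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-0412", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\Downloads\invoice.hta"'},
    {"EventID": 1, "Computer": "WS-0412", "User": "CORP\\alice",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"WINWORD.EXE" /n report.docx'},
    {"EventID": 1, "Computer": "SRV-FILE01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\PSEXESVC.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 1, "Computer": "SRV-FILE01", "User": "CORP\\svc-deploy",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"cmd.exe /c \\SRV-FILE01\C$\tmp\run.bat"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_mshta(ev: dict):
    """Any mshta.exe start deserves a look; a .hta file or a URL on the
    command line is the double-click / phishing case described above."""
    if ev.get("EventID") != 1 or basename(ev["Image"]) != "mshta.exe":
        return None
    cl = ev.get("CommandLine", "").lower()
    return ("HTA execution via mshta.exe", "high" if (".hta" in cl or "http" in cl) else "medium")


def rule_psexec(ev: dict):
    """PsExec installs a temporary PSEXESVC service on the target; the service
    starting under services.exe, and anything it spawns, indicate remote use."""
    if ev.get("EventID") != 1:
        return None
    if basename(ev["Image"]) == "psexesvc.exe":
        return ("PsExec service started on host", "high")
    if basename(ev.get("ParentImage", "")) == "psexesvc.exe":
        return ("Process spawned by PsExec service", "high")
    return None


def evaluate(events, rules=(rule_mshta, rule_psexec)):
    """Return (Computer, User, rule_title, severity, CommandLine) per match."""
    alerts = []
    for ev in events:
        for rule in rules:
            hit = rule(ev)
            if hit:
                alerts.append((ev["Computer"], ev["User"], hit[0], hit[1], ev["CommandLine"]))
    return alerts


if __name__ == "__main__":
    for host, user, title, sev, cl in evaluate(SAMPLE_EVENTS):
        print(f"[{sev}] {host} {user}: {title} -> {cl}")
```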

DarkSide ransomware ready to move. Operational Technology (OT) should stay alert (7-7-2021)

Preface: An IDC report predicted that by 2024, 60% of industrial organizations will integrate data from edge OT systems with cloud-based reporting and analytics, moving from single-asset views to sitewide operational awareness.

Background: PowerShell provides an adversary with a convenient interface for enumerating and manipulating a host system after the adversary has gained initial code execution.

Security Focus: According to the security company's observations, PowerShell can be used to execute various Base64-encoded commands, and the trend is for operational technology to be programmed and developed on PowerShell.
Cybercriminals responsible for ransomware activities often try to delete shadow copies so that their victims cannot restore file access from them. One method is to use Invoke-ReflectivePEInjection to inject a DLL directly into PowerShell.
Meanwhile, this requires system administrator privileges, so they rely on zero-days and unpatched victim workstations for privilege escalation.

Remark: What's more telling is the inclusion of function names that correspond with a PowerShell payload called "Invoke-ReflectivePEInjection", which lets an attacker inject a dynamic-link library (DLL) directly into PowerShell.
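As an added example (not CISA's or the original post's code), the Python below decodes the Base64 payload of a PowerShell -EncodedCommand launch, as it would appear in a process-creation log, and flags the indicators discussed above: shadow copy deletion and the Invoke-ReflectivePEInjection function name. The sample command line is constructed at runtime for illustration.

```python
"""Added example (not from CISA or the original post): decode the Base64
payload of a PowerShell -EncodedCommand launch and flag indicators of shadow
copy deletion or reflective DLL injection, as described above.

Assumes a process-creation log (Sysmon / 4688) supplies the command line;
-EncodedCommand payloads are UTF-16LE text encoded as Base64.  The sample
command line is constructed here, not taken from a real incident."""
import base64
import re

# Strings a defender would expect in shadow-copy tampering or the
# Invoke-ReflectivePEInjection payload mentioned in the post.
INDICATORS = (
    "vssadmin delete shadows",
    "win32_shadowcopy",
    "wmic shadowcopy delete",
    "invoke-reflectivepeinjection",
)

ENC_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line: str):
    """Return the decoded script text, or None if no -EncodedCommand present.
    Malformed Base64 or non-UTF-16 data also yields None rather than an error."""
    m = ENC_FLAG_RE.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_indicators(script: str):
    """Case-insensitive match of INDICATORS in a decoded script; whitespace is
    collapsed so 'vssadmin  delete   shadows' still matches."""
    normalised = re.sub(r"\s+", " ", script.lower())
    return [i for i in INDICATORS if i in normalised]


def analyse(command_line: str):
    """Return (decoded_script_or_None, list_of_indicators_hit)."""
    script = decode_encoded_command(command_line)
    return script, (find_indicators(script) if script else [])


# Constructed sample: the script is encoded at runtime so the example stays
# readable; it references only the two techniques named in the post.
SAMPLE_SCRIPT = "Invoke-ReflectivePEInjection -PEBytes $bytes; vssadmin delete shadows /all /quiet"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -EncodedCommand " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

if __name__ == "__main__":
    script, hits = analyse(SAMPLE_CMDLINE)
    print("decoded:", script)
    print("indicators:", hits)
```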

Should you be interested in the above details: CISA Publishes Malware Analysis Report and Updates Alert on DarkSide Ransomware. For more details, please refer to the link –

Are there other ways to avoid ransomware infection? (6th Jul, 2021)

Preface: A ransomware attack paralyzed the networks of at least 200 U.S. companies, said the headline news. President Biden announced an investigation into the international ransomware attack on 3rd Jul, 2021.

Background analysis: Cyber criminals are turning to fileless attacks to bypass firewalls. These attacks embed malicious code in scripts or load it into memory without writing to disk.

  • Malware tricks you into installing software, allowing scammers to access your files and track your actions.
  • Ransomware is a form of malware whose goal is to lock users out of their files or their device.

However, whether it is malware or ransomware, they all rely on working with C&C servers. Cybercriminals use C&C servers to host ransomware. If the computer cannot access the infected server and/or malicious website, ransomware infections will be reduced.

How does DNS sinkholing reduce the infection hit rate? In fact, the firewall cannot see the originator of the DNS query. When the client tries to connect to a malicious domain, the existing solution is likely to wait for the download and let the anti-virus and malware protection mechanisms isolate the malicious file.

Sinkholing can be done at different levels. Both ISPs and Domain Registrars are known to use sinkholes to help protect their clients by diverting requests to malicious or unwanted domain names onto controlled IP addresses.
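As an added example (not part of the original post) serving both the sinkhole monitoring point in the "Cyber Defence from narrow to broad" post above and this section, the Python below correlates resolver query logs with a sinkhole domain list, so the originating clients, which the perimeter firewall cannot see, are listed for investigation. The log lines, client addresses and sinkholed domains are constructed, and the log format is a simplified BIND-style query log.

```python
"""Added example (not from the original post): correlate resolver query logs
with a sinkhole list so the originating clients can be investigated, which
the perimeter firewall cannot do because it only sees the resolver's address.

Assumptions: the resolver writes simplified BIND-style query log lines; the
sinkhole list is whatever your RPZ / protective-DNS feed contains.  Both
inputs below are constructed sample data."""
import re
from collections import defaultdict

# Constructed sinkhole list (domains the resolver answers with the sinkhole IP).
SINKHOLED = {"bad-update.example", "c2-drop.example"}

# Constructed query-log lines: date time client IP#port (name): query: name ...
SAMPLE_LOG = """\
05-Jul-2021 09:12:01.311 client 10.1.4.22#51234 (update.example.com): query: update.example.com IN A + (10.1.1.53)
05-Jul-2021 09:12:05.004 client 10.1.4.22#51240 (bad-update.example): query: bad-update.example IN A + (10.1.1.53)
05-Jul-2021 09:12:05.120 client 10.1.4.22#51241 (cdn.bad-update.example): query: cdn.bad-update.example IN A + (10.1.1.53)
05-Jul-2021 09:13:40.877 client 10.1.7.9#49811 (c2-drop.example): query: c2-drop.example IN TXT + (10.1.1.53)
05-Jul-2021 09:14:02.002 client 10.1.9.30#50002 (intranet.local): query: intranet.local IN A + (10.1.1.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def sinkhole_match(qname: str, sinkholed=SINKHOLED):
    """Return the sinkholed zone that covers qname (exact or parent), else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in sinkholed:
            return candidate
    return None


def clients_that_tripped_sinkhole(log_text: str, sinkholed=SINKHOLED):
    """Map client IP -> list of (timestamp, qname, matched_zone) for every query
    that would have received a sinkhole answer.  Clients that only resolved
    benign names are absent from the result."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line; skip rather than fail
        zone = sinkhole_match(m["qname"], sinkholed)
        if zone:
            hits[m["client"]].append((m["ts"], m["qname"], zone))
    return dict(hits)


if __name__ == "__main__":
    for client, events in clients_that_tripped_sinkhole(SAMPLE_LOG).items():
        print(f"{client}: {len(events)} sinkholed queries, first at {events[0][0]}")
        for ts, qname, zone in events:
            print(f"    {ts}  {qname}  (zone {zone})")
```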

Question: If the solution is mature and well-defined, why does the service provider not implement it? Is it a cost factor?

The Thirty-six Stratagems – Know yourself and the ransomware, and never be lost in cyber war. 30-06-2021

Preface: The Thirty-six Stratagems is a Chinese essay used to illustrate a series of stratagems used in war. It also applies to cyber warfare.

Background: Kernel-based Virtual Machine (KVM) is an open source virtualization technology built into Linux®. Specifically, KVM lets you turn Linux into a hypervisor that allows a host machine to run multiple, isolated virtual environments called guests or virtual machines (VMs).
KVM is part of Linux. VMware relied on Linux during its early history. The early version of its hypervisor, called ESX, included a Linux kernel (the central part of an OS that manages the computer hardware). When VMware released ESXi, it replaced the Linux kernel with its own.

Security Focus: Security researcher MalwareHunterTeam found a Linux version of the REvil ransomware (aka Sodinokibi) that also appears to target ESXi servers.

Ransomware, menacing! Experts observe that ransomware is not limited to attacks on the Windows operating system; the evidence proves that they can run on Linux. Other ransomware operations, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide and HelloKitty, have also created Linux encryptors to target ESXi virtual machines.


  • HelloKitty targeted a UK Healthcare organisation
  • DarkSide targets multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data and threats to make it publicly available if the ransom demand is not paid.
  • GoGoogle is a malicious program designed to encrypt data and demand ransom payments for decryption. During the encryption process, all affected files are renamed according to this pattern: original filename, unique ID, cyber criminals' email address and the ".google" extension.
  • Mespinoza: The Mespinoza ransomware was first used in October 2018 at least. The first versions produced encrypted files carrying the «.locked» extension, common to many ransomwares. Since December 2019, a new version of Mespinoza has been documented in open sources. This version is often called Pysa because it produces encrypted files with the «.pysa» extension.

Staying alert!

Closer to reality: one of the ways of ransomware infection (15th June, 2021)

Preface: Ransomware infection does not merely boot from vulnerabilities in the Windows OS and/or product components; web site programming technique is the accomplice. Perhaps we can say that how successful ransomware attacks are will depend on the total number of compromised web servers, what I call the trigger point.

Background: Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Ransomware is a type of malware attack. The encryption process performs a key exchange with the Command and Control server, using the encryption key to scramble all files discovered during the Execution step. It also locks access to the data. From the cyber criminals' viewpoint, it is not possible to rent a web hosting service, therefore the possible way is to find an online web portal that contains a vulnerability. If they can compromise the online web site, they can set up the phishing attack and evade traditional domain blacklist filters, so they can do their job silently.

Traditional corrective control does not address the problem effectively: A corrective control is an aftermath of detective and preventive controls; you can only restore from a backup after an incident. According to the history of attacks, ransomware exploits operating system and/or component vulnerabilities to conduct the infection, so a traditional full backup may not be usable here, because the victim will be concerned about the exact time they received the attack. As a matter of fact, the correct way to proceed with the restore procedure is to wait for the digital forensic investigation result. To this day such attacks still bother the whole world.

Maybe when something happens, the term phishing will be on your side. See if you can learn more from the attached diagram.

Rising ransomware threat to Operational Technology assets: US CISA urges critical facilities to tighten their cyber security incident management and protection. 10-6-2021

Preface: The TCP/IP network protocol has replaced the classic MODBUS protocol on a large scale, and at the same time there is a large demand for deploying Windows operating system servers and workstations. From the perspective of cyber security, information technology and operational technology are the same.

Synopsis: In May 2017 (9th May 2021), the WannaCry ransomware attack showed the world its power; it easily halted the entire NHS medical service in England. Recently, a ransomware attack shut down the biggest U.S. gasoline pipeline.

Contingency plan focus: In fact, according to official recommendations, payment of the ransom is not recommended, because even if you pay, there is no guarantee that your system and data will be 100% restored. Therefore, an effective backup solution combined with business contingency plans is the correct way to solve this problem. However, the service interruption caused by ransomware is different from the traditional disaster recovery concept: traditional DR assumes hardware or software failure, and operation can resume through hot standby or cold standby facilities.

A gap was found here: In fact, the contingency plan for ransomware attacks is slightly different from the traditional disaster recovery plan, because traditional DR replicates two functionally equivalent sites. However, if the DR site contains design weaknesses similar to the production site, the risk level of your DR environment may increase, because it is a ransomware attack.

CISA's recommendations on this matter:

Ransomware is hard to hunt because they are waging guerrilla warfare! 31st May, 2021

Preface: A Russian-speaking outfit called DarkSide offered would-be computer crooks not just the tools, but also customer support, New York Times said.

My observation: Perhaps cyber criminals learn from practice. They know the system infrastructure weaknesses of industry, especially oil and power supply facilities, and even the logistics industry.

Since Java has large capabilities, test developers sometimes use JavaScript to test their remote applications, for instance jj[.]js (a JavaScript testing framework). Java provides a number of method calls to check and change the permissions of a file, so a read-only file can be changed to have write permission. If ransomware criminals have luck, they can rely on this to implant a foothold and see whether they can exploit a vulnerability on the victim workstation. As mentioned above, jj.js can sometimes evade the defence mechanism if there is no application defence function in place. Furthermore, ransomware criminals can re-engineer the file.

Remark: Ransomware criminals will select dynamic cloud computing as a base. If the victim's web server is using an IaaS service, it is most likely their target.

NYTimes headline –