One of the major trends featured in the recent CrowdStrike® Services Cyber Intrusion Casebook notes attackers’ increased use of remote access tools that deliver real-time monitoring capabilities, an innovative tactic that provides criminals with more power and insight into the systems of their victims.
The eCrime ecosystem is also evolving, according to the report. eCrime actors and tools that used to operate independently now show evidence of working in coordination. For example, the CrowdStrike Services team observed instances where Dridex, the malware usually associated with the adversary group tracked by CrowdStrike Falcon® Intelligence™ as INDRIK SPIDER, was used in conjunction with the FakeUpdates campaign or with FrameworkPOS as a delivery vehicle. Previously, FakeUpdates malware had been associated primarily with other criminal groups.
Monetize or Die: The Adversary that Returned and Swapped Tactics
The report documents an investigation in which an insurance company was hit by ransomware and, when it refused to pay, the attacker switched to cryptomining. Though the company had good backups, the unpaid ransom didn’t keep the attacker from finding another way to leverage their access to the company’s environment.
Once engaged by the victim, the CrowdStrike Services team quickly discovered the ransomware used in the attack and was able to neutralize it and restore the company’s systems to normal — then they discovered something else was going on.
At the initial stages of any investigation, the CrowdStrike Services team deploys the Falcon platform to monitor the client’s systems for unauthorized activity. In this case, the Falcon OverWatch™ threat hunting team observed new hands-on-keyboard activity showing that the adversary was deploying cryptomining software called XMRig. As described in an earlier blog, bad actors use tools such as WannaMine to hijack an organization’s systems and computing power in their pursuit of bitcoins. This illegal activity is called “cryptojacking.” This second-wave attack would have continued to cripple the organization’s business operations if it had been allowed to proceed unimpeded.
Falcon was able to proactively block the cryptomining activity before damage was done. By providing expertise to the customer’s security team, CrowdStrike was instrumental in eradicating the adversary from the environment completely in just under six hours.
CrowdStrike’s Investigation and Analysis
In the course of this investigation, the Services team was able to quickly identify the initial infection vector and determine which servers were involved. The adversary had attempted to use an EternalBlue (MS17-010) scanner to search for unpatched systems and, when this was blocked by the company’s security tools, the adversary used Mimikatz to harvest credentials and PsExec to move laterally. This is how they deployed ransomware to the targeted systems. When the company refused to pay the ransom and recovered using its backups, the adversary switched to their predominant access-persistence mechanism, which resides within the Windows Management Instrumentation (WMI) repository via permanent event subscriptions. The Services team found this persistence mechanism particularly interesting because, as recently as two years ago, it was used exclusively by nation-state actors. This event was evidence that sophisticated tactics, techniques and procedures (TTPs) are trickling down to these less sophisticated eCrime actors.
To achieve their objectives, this adversary used the following techniques:
- The persistence mechanism downloaded code on a scheduled basis, enabling the adversary to pass commands to the targeted system through PowerShell Reflective Injection.
- They harvested credentials via injection into the LSASS (Local Security Authority Subsystem Service) process, using the completely in-memory version of Mimikatz.
- They used the stolen credentials to pivot to systems of interest and establish a secondary access method by instantiating an SSH tunnel with the Plink tool.
- This secondary access was used to deploy a batch script to interfere with antivirus software.
- They then downloaded XMRig and created a service with the Non-Sucking Service Manager (NSSM), so that XMRig would continue to execute after a reboot.
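The WMI permanent event subscription persistence described above leaves three objects in the root\subscription namespace: an __EventFilter (the trigger), an __EventConsumer (the payload) and a __FilterToConsumerBinding that ties them together. The following audit script is an added example written for this post, not code from CrowdStrike or from the casebook; it enumerates all three classes on the local host and flags consumers whose payload contains the kinds of strings a download-and-execute stager would use (the indicator list is a constructed starting point, not an official signature).

```powershell
# Added example (not from the CrowdStrike post): enumerate permanent WMI event
# subscriptions in root\subscription and flag consumer payloads that look like
# a download-and-execute stager. Run from an elevated PowerShell 5.x session.

$ns = 'root\subscription'

# Constructed heuristic list of substrings seen in stager command lines; tune locally.
$suspect = @('powershell', '-enc', '-nop', 'downloadstring', 'iex', 'frombase64string', 'wscript', 'mshta')

function Test-SuspiciousPayload {
    param([string]$Text)
    if (-not $Text) { return $false }
    foreach ($s in $suspect) {
        if ($Text -match [regex]::Escape($s)) { return $true }
    }
    return $false
}

Write-Host "== Event filters (WQL triggers, e.g. a timer or a process-start event) =="
Get-WmiObject -Namespace $ns -Class __EventFilter |
    Select-Object Name, Query |
    Format-Table -AutoSize -Wrap | Out-Host

Write-Host "== Event consumers (what runs when a bound filter fires) =="
Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object {
    # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer
    # carries ScriptText. Whichever property is absent resolves to $null and is ignored.
    $payload = [string]$_.CommandLineTemplate + [string]$_.ScriptText
    [pscustomobject]@{
        Name       = $_.Name
        Type       = $_.__CLASS
        Suspicious = Test-SuspiciousPayload $payload
        Payload    = $payload
    }
} | Format-Table -AutoSize -Wrap | Out-Host

Write-Host "== Filter-to-consumer bindings (a consumer only runs if bound) =="
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer |
    Format-Table -AutoSize -Wrap | Out-Host
```

On a clean Windows host the consumer list is normally empty apart from the built-in SCM and BVTConsumer entries, so any CommandLineEventConsumer or ActiveScriptEventConsumer deserves a look. For continuous detection rather than a point-in-time audit, the same registrations are logged as Event ID 5861 in Microsoft-Windows-WMI-Activity/Operational and as Sysmon Event IDs 19, 20 and 21.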
The Services team worked with the company to enable Falcon platform preventions and deployed network and hash blocks to prevent further adversary activity and eliminate them from the environment. At that point, there was nothing the adversary could do.
This case illustrates the trend of sophisticated tools of nation-state adversaries being used by eCrime actors to gain access to networks and establish persistence for monetary gain. Even more troubling, when their initial objectives are thwarted — in this case, a ransomware attack — they are able to quickly change tactics and ensure their illegal objectives are met via other means. eCrime adversaries continue these attacks because they are experiencing success, not only through innovating, but also by relying on organizations’ overburdened security teams to make a mistake or let down their guard. That’s why, in addition to deploying the best next-gen security technology, organizations need to adhere to the following best practices:
- Develop a post-recovery strategy: Recovery is not the last step in remediating a ransomware attack — as this event clearly illustrates. Organizations need to know how the adversary got in before they can be sure they were successfully ejected.
- Upgrade operating systems: CrowdStrike constantly sees organizations compromised because they haven’t upgraded to supported operating systems. The savings gained by stretching the life of an outdated system are not worth the risks.
- Upgrade to PowerShell V5 and remove previous versions: Logging in this version of PowerShell is so robust that security teams can see commands being executed in real time. If companies update to V5 across the enterprise, their own security teams can see what is happening and respond right away. Also, removing previous versions of PowerShell in the enterprise will aid in preventing downgrade attacks.
- Leverage multifactor authentication (MFA) for all users and privileged access management tools: Make it as difficult as possible for adversaries to get access to and leverage both user and admin credentials from outside your network. Once they have those, they can do whatever they want in the environment. In addition to MFA, a more robust privileged access management process will limit the damage adversaries can do if they get in.
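The PowerShell V5 recommendation above depends on two things actually being configured: the V5 logging features being switched on, and the legacy 2.0 engine being gone so that a "-Version 2" downgrade cannot sidestep them. The script below is an added example written for this post, not CrowdStrike's own tooling; it sets the same registry values the "Windows PowerShell" Group Policy templates set (assumed here to be applied locally, since a domain GPO will override them), removes the 2.0 engine with the DISM cmdlets, and then verifies each setting and pulls the latest script block events.

```powershell
# Added example (not from the CrowdStrike post): enable PowerShell 5 script block and
# module logging, remove the PowerShell 2.0 engine, and verify. Run elevated.
# Assumes a standalone or locally managed host; domain Group Policy takes precedence.

$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script block logging: the de-obfuscated text of every script block that runs is
#    written as Event ID 4104 to Microsoft-Windows-PowerShell/Operational.
New-Item -Path "$pol\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$pol\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1

# 2. Module logging for every module ("*"): pipeline execution details as Event ID 4103.
New-Item -Path "$pol\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$pol\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
Set-ItemProperty -Path "$pol\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# 3. Remove the 2.0 engine, which has none of this logging and is the downgrade target.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

# 4. Verify the engine version, both policy values and the 2.0 feature state.
[pscustomobject]@{
    PSVersion          = $PSVersionTable.PSVersion.ToString()
    ScriptBlockLogging = (Get-ItemProperty "$pol\ScriptBlockLogging").EnableScriptBlockLogging
    ModuleLogging      = (Get-ItemProperty "$pol\ModuleLogging").EnableModuleLogging
    V2EngineState      = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State
} | Format-List

# 5. Show the five newest script blocks that were logged; Properties[2] is ScriptBlockText.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } } |
    Format-Table -Wrap
```

Once 4104 events are flowing, forward that log to the SIEM; the in-memory Mimikatz and reflective injection activity described in this case runs through exactly the script blocks this setting records.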
The CrowdStrike Services Cyber Intrusion Casebook 2018 includes more detailed coverage of this case — including the tools and tactics used — as well as other key trends and cases, with recommendations that can inform your cybersecurity strategy in 2019 and beyond.
- Download the 2018 CrowdStrike Services Cyber Intrusion Casebook.
- Watch an on-demand webcast on the Cyber Intrusion Casebook: Stories from the Front Lines of Cybersecurity in 2018 and Insights that Matter for 2019.
- Learn more about CrowdStrike’s next-gen endpoint protection by visiting the Falcon platform product page.
- Test CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent™ today.