The much-anticipated CrowdStrike® Cyber Intrusion Services Casebook for 2017 offers detailed accounts of some of the cases the CrowdStrike Services incident response (IR) team has investigated over the past year.
One key trend the CrowdStrike team observed is that the lines between nation-state sponsored attack groups and eCrime threat actors continue to blur. As part of this trend, the increase in criminal hackers using fileless attacks and “living off the land” techniques has been especially pronounced. This uptick in fileless attacks is also documented and independently verified in a recent report from Ponemon Research. Fileless attacks include abusing processes native to the Windows operating system, such as PowerShell and Windows Management Instrumentation (WMI). “Living off the land” describes how adversaries move within the victim’s environment once they gain access, often employing anti-forensics tools to erase signs of their presence and increase dwell time. Evidence of this trend is also reflected in the prevalence of brute-force attacks on Remote Desktop Protocol (RDP) servers, which the CrowdStrike Services team observed during its 2017 client engagements.
A commercial services organization contacted CrowdStrike Services after being hit by the SamSam ransomware variant, which is commonly associated with xDedic, a Russian-operated darknet forum. The eCrime operators of xDedic have been implicated in a number of nation-state attacks against public sector organizations, as explained in a previous blog.
xDedic operates a market for the selling and buying of crimeware and compromised credentials used for accessing RDP servers. After xDedic sells access to these compromised RDP servers, they are then used in attacks against government agencies and other commercial targets.
Although the organization had already paid the ransom when they contacted CrowdStrike, they sought help to prevent the ransomware from spreading to other systems and to determine the original point of entry by the attackers.
The CrowdStrike Services team first verified the exact ransomware variant used in the attack. Notably, this variant automatically encrypts files on the victim’s network — a common ransomware tactic — but it does not give the attacker the ability to access, acquire or exfiltrate data from the network.
The team observed that the adversary used Sticky Keys to launch brute-force attacks and gain RDP login credentials so they could move about the victim’s environment freely. Sticky Keys is a Windows Ease of Access feature that enables keyboard shortcuts. Once compromised, it can give an adversary system-level access without authenticating, and in this case it provided the attackers with an effective persistence mechanism.
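The post does not describe how the Sticky Keys binary was compromised, only that it yielded unauthenticated system-level access. The audit script below is an added example, not CrowdStrike's code or anything from the casebook; it assumes the two widely documented ways the Windows accessibility binaries are hijacked (an Image File Execution Options "Debugger" value redirecting the binary, or the binary on disk replaced with a file that is not validly Microsoft-signed) and reports, without changing anything, which of the accessibility executables on a host show either sign. The binary list and the `Test-AccessibilityHijack` function name are the example's own choices.

```powershell
# Added example (not CrowdStrike's code): audit the Windows accessibility binaries
# an adversary can hijack for unauthenticated SYSTEM access at the logon screen.
# Assumes the two documented hijack variants, which the post itself does not detail:
#   1. an Image File Execution Options (IFEO) "Debugger" value that points the
#      accessibility binary at another program, and
#   2. the on-disk binary replaced with a file that is not validly Microsoft-signed.
# Read-only; run in an elevated session so the IFEO keys and System32 are readable.

$accessibilityBinaries = @(
    'sethc.exe',          # Sticky Keys (the feature abused in this case)
    'utilman.exe',        # Ease of Access menu
    'osk.exe',            # On-screen keyboard
    'narrator.exe',
    'magnify.exe',
    'displayswitch.exe',
    'atbroker.exe'
)

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$system32 = Join-Path $env:SystemRoot 'System32'

function Test-AccessibilityHijack {
    param([string[]]$Binaries)

    foreach ($name in $Binaries) {
        $findings = @()

        # Variant 1: an IFEO Debugger value registered for the accessibility binary.
        $ifeoKey = Join-Path $ifeoRoot $name
        if (Test-Path $ifeoKey) {
            $debugger = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).Debugger
            if ($debugger) {
                $findings += "IFEO Debugger set to '$debugger'"
            }
        }

        # Variant 2: the file in System32 is not a validly signed Microsoft binary.
        $path = Join-Path $system32 $name
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $findings += "signature status '$($sig.Status)' (signer: $($sig.SignerCertificate.Subject))"
            }
        }

        [pscustomobject]@{
            Binary   = $name
            Path     = $path
            Hijacked = ($findings.Count -gt 0)
            Details  = ($findings -join '; ')
        }
    }
}

# Report only the binaries that show a hijack indicator.
Test-AccessibilityHijack -Binaries $accessibilityBinaries |
    Where-Object { $_.Hijacked } |
    Format-Table -AutoSize
```

Windows system files are catalog-signed, and on older releases `Get-AuthenticodeSignature` can report such a file as NotSigned even when it is genuine, so treat a signature finding as a lead to confirm against a known-good hash from an unaffected host rather than as proof on its own. An IFEO Debugger value on any of these binaries has no legitimate reason to exist on a production server and should be investigated directly.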
Other fileless or “living off the land” TTPs tied to xDedic that the investigators found included compromised privileged accounts and network login brute-force attacks, both of which reflect the varied toolsets a sophisticated threat actor leverages in order to penetrate a target environment.
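The brute-force activity the investigators describe leaves a characteristic trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, cycling through account names. The detection below is an added example, not code from CrowdStrike or the casebook; it assumes the standard 4625 event fields `IpAddress`, `TargetUserName` and `LogonType`, uses an illustrative threshold and window that are not values from the post, and ships with a constructed sample so it runs without access to a real log.

```powershell
# Added example (not CrowdStrike's code): flag RDP brute-force activity from
# Windows Security log failed-logon events (Event ID 4625). Assumes the standard
# event fields TargetUserName, LogonType and IpAddress; LogonType 10 is
# RemoteInteractive (RDP). Threshold and window are illustrative choices.

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]]$Events,  # TimeCreated, IpAddress, TargetUserName, LogonType
        [int]$Threshold     = 20,                  # failures from one source within the window
        [int]$WindowMinutes = 10
    )

    $rdpFailures = $Events | Where-Object { [int]$_.LogonType -eq 10 }

    foreach ($group in ($rdpFailures | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        # Sliding window: from each failure, count the failures in the next $WindowMinutes.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $windowEnd = $sorted[$i].TimeCreated.AddMinutes($WindowMinutes)
            $inWindow  = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.TimeCreated -le $windowEnd })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    SourceIp     = $group.Name
                    Failures     = $inWindow.Count
                    FirstFailure = $inWindow[0].TimeCreated
                    LastFailure  = $inWindow[-1].TimeCreated
                    UsersTried   = ($inWindow.TargetUserName | Sort-Object -Unique) -join ', '
                }
                break   # one finding per source is enough for triage
            }
        }
    }
}

# Pull real 4625 events from the Security log (elevated session required) and
# flatten the EventData fields the detection needs.
function Get-FailedLogons {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                IpAddress      = $data['IpAddress']
                TargetUserName = $data['TargetUserName']
                LogonType      = $data['LogonType']
            }
        }
}

# Constructed sample data (not from the case): 25 RDP failures from one source
# cycling through common account names in about two minutes, plus one unrelated
# failure from a second source. Addresses are from the TEST-NET documentation ranges.
$start  = Get-Date '2017-06-01 02:00:00'
$sample = 1..25 | ForEach-Object {
    [pscustomobject]@{
        TimeCreated    = $start.AddSeconds($_ * 5)
        IpAddress      = '203.0.113.45'
        TargetUserName = @('administrator', 'admin', 'backup', 'scan')[$_ % 4]
        LogonType      = 10
    }
}
$sample += [pscustomobject]@{ TimeCreated = $start.AddMinutes(3); IpAddress = '198.51.100.7'; TargetUserName = 'jsmith'; LogonType = 10 }

Find-RdpBruteForce -Events $sample | Format-Table -AutoSize
# Against the live log instead: Find-RdpBruteForce -Events (Get-FailedLogons -Hours 24)
```

On the sample, only 203.0.113.45 is reported, with four distinct account names; the single failure from 198.51.100.7 never reaches the threshold. Note that a successful logon following such a burst (Event ID 4624 with logon type 10 from the same source) is the higher-priority signal, since it marks the point where brute forcing turned into the kind of access the investigators found being resold.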
Incident Investigation and Analysis
After conducting forensic analysis and deploying CrowdStrike Falcon® endpoint monitoring, the team was able to identify the root cause of the intrusion that led to the deployment of the SamSam ransomware within the victim’s network. Because they were able to identify the persistence mechanism used by the ransomware, the team could immediately stop its propagation and prevent it from encrypting any additional files. During this process, the team provided comprehensive analysis of a number of areas, including:
- Forensic artifacts commonly seen in IR investigations
- Known malicious indicators in each image collected, including file names and MD5 hashes of malicious software
- System registry hives
- Artifacts indicating process execution of malicious and benign software
The analysts also manually reviewed the forensic data for other indicators not covered by the areas above. CrowdStrike determined that an attacker accessed systems within the client environment to create user accounts and to deploy and execute ransomware and batch scripts. Investigators also determined that the attacker’s goal was to secure more RDP server logins to sell to other cybercriminal threat actors.
Results and Key Recommendations
CrowdStrike Services was able to rid the client’s environment of the damaging SamSam ransomware completely and help the organization close the security gaps that had allowed the attack to occur. The team concluded their investigation by providing the client with tailored recommendations to help them strengthen their defenses against future attacks. These recommendations included the following:
- Enforce Network Level Authentication (NLA) for RDP sessions:
Any server that is public-facing on the internet and accessible via RDP should be configured to require NLA for RDP sessions. This forces a user to successfully authenticate prior to receiving the Windows logon screen.
- Implement two-factor authentication (2FA) to prevent unauthorized access:
2FA requires users to provide a one-time generated token on a separate device after entering login credentials.
- Consider CrowdStrike Falcon endpoint protection:
The CrowdStrike Services team begins every investigation by deploying the CrowdStrike Falcon platform to provide endpoint visibility and real-time Indicators of Attack (IOA). You can test drive Falcon or try a no-obligation trial and see first-hand what your current security may be missing.
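The NLA recommendation above can be verified and applied per host. The script below is an added example, not CrowdStrike's code or part of the casebook; it uses the documented `Win32_TSGeneralSetting` WMI class (its `UserAuthenticationRequired` property and `SetUserAuthenticationRequired` method) together with the `UserAuthentication` and `SecurityLayer` registry values under the RDP-Tcp WinStation key, and additionally requires TLS on the listener, which goes a step beyond the post's recommendation. The function names are the example's own.

```powershell
# Added example (not CrowdStrike's code): audit and enforce Network Level
# Authentication (NLA) on the RDP-Tcp listener so a client must authenticate
# before it ever receives the Windows logon screen. Uses the documented
# Win32_TSGeneralSetting WMI class (UserAuthenticationRequired, 1 = NLA required)
# and the matching registry values under the RDP-Tcp WinStation key.
# Run in an elevated session.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpListener {
    Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
}

function Get-RdpNlaState {
    $wmi = Get-RdpListener
    $reg = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpEnabled    = ((Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0)
        NlaRequired   = ($wmi.UserAuthenticationRequired -eq 1)
        RegistryValue = $reg.UserAuthentication     # mirrors the WMI setting
        SecurityLayer = $reg.SecurityLayer          # 2 = TLS required for the listener
    }
}

function Set-RdpNlaRequired {
    # SetUserAuthenticationRequired(1) is the supported way to enable NLA; it
    # updates the UserAuthentication registry value for us.
    Invoke-CimMethod -InputObject (Get-RdpListener) -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    # Require TLS for the listener as well, so credentials are never offered to
    # an unauthenticated endpoint over the legacy RDP security layer.
    Set-ItemProperty -Path $rdpKey -Name SecurityLayer -Value 2 -Type DWord
}

$before = Get-RdpNlaState
if ($before.RdpEnabled -and -not $before.NlaRequired) {
    Set-RdpNlaRequired
}
Get-RdpNlaState | Format-List
```

NLA only moves authentication ahead of the logon screen; it does not stop password guessing against accounts whose names an attacker can guess, which is why the recommendation pairs it with two-factor authentication. Hosts that are not members of a domain, or clients that do not support CredSSP, will no longer be able to connect once NLA is required, so check the affected clients before enforcing it fleet-wide.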
To learn more details about this case and others investigated by the CrowdStrike Services team, download the CrowdStrike Services Cyber Intrusion Casebook 2017.