The recent Kaseya ransomware incident combined the worst possibilities the infosec community has had to contend with in recent months:
- A supply-chain attack
- Ransomware
- An unpatched application vulnerability (zero day)
This is by no means an isolated incident. All vulnerabilities reported on widely used software products, especially those that do not require authentication to exploit, will likely become a target to spread ransomware.
Attacking the supply chain is simply a cost-effective way to scale ransomware operations.
In this blog post, we’ll use the Kaseya incident as a blueprint to recommend a short playbook for what you can do while you await a patch for any software vulnerability you know nothing about.
View our recent webinar for more information on the best defenses against Kaseya supply-chain and similar attacks.
Zero days and active defense
Zero days are a tough nut to crack. The average organization uses hundreds of different types of software and tools. It’s almost impossible to have an accurate software inventory, let alone account for issues like supply-chain attacks and zero days.
While the research community plugs away trying to proactively find and hunt bugs to remediate costly zero days in widely used software before adversaries do, Active Defense allows security teams to take a step back and evaluate the problem of zero days as a whole.
Active Defense shifts the focus of security teams away from individual software and esoteric, difficult-to-parse exploitation techniques to proactive defensive strategies while they wait for a patch to be installed.
By hypothesizing the objectives that adversaries achieve when exploiting Zero Days, we can plan our Active Defenses in a manner that can:
- Reduce the impact of exploitation
- Give an early warning of malicious activity
- Gather intelligence on the adversary
Zero days through the kill-chain
The following table demonstrates where zero days are likely to be used in the kill-chain:
|
Kill-Chain Phase |
Possible Zero-Day Targets |
Possible Motivation |
|
Initial Infection and foothold |
Internet-facing software applications and services |
Obtain access to a high-value environment |
|
Privilege escalation |
Operating system components and locally installed software |
Obtain a higher level of privilege to aid the rest of the kill-chain |
|
Lateral movement |
Distribution software and internally exposed services |
Expand attack footprint in locked-down environments |
|
Action on objectives |
Zero days against specialized software |
Exploit weaknesses to steal data |
Zero days are a means to the end goal. Whether in the initial stages of the operation or the critical last step.
From a defensive perspective, this gives us a valuable advantage: If we cannot stop the zero day itself, we have opportunities to trap the adversary either before or after they use it. And you can do just that with Active Defense.
Actively defending against Kaseya-style incidents
The scenario here is that you know about a zero-day target that does not yet have a patch. Let us also assume that the zero day is being used for initial infection and foothold to distribute ransomware within the environment.
The following table shows strategies for actively defending against techniques observed in the Kaseya REvil Ransomware incident.
|
Phase |
Technique |
Active Defense Tactic |
Hints, Tips, Tricks |
|
Initial infection |
Exploit an internet-facing application |
Create public-facing decoys to capture intelligence |
Use the application vulnerable to the zero day as a template for the decoy |
|
Execution |
Use of PowerShell |
Monitor for commands and scripts that involve stopping or disabling services |
N/A |
|
Defense evasion |
Kill processes and services |
Deploy decoy processes and services commonly killed by ransomware |
The most commonly attacked processes are those that lock files that are a target for encryption; therefore, “outlook.exe”, MS Office processes, and database processes are usually targeted |
|
Pre-encryption checks |
Delete volume shadow copies |
Monitor for the deletion of volume shadow |
Typically, volume shadow copies are deleted using vssadmin.exe or WMI |
|
Encryption |
Encrypt files |
Deploy decoy files on endpoints to monitor for file modification events |
Placing files in common encryption start locations (such as C:\ or %appdata% or Document folders) is a smart way to minimize the impact of encryption |
In the case of Kaseya, specifically, there was no worm-like behavior observed as the encryptor was pushed to machines via an update.
Beware of distribution points
One of the classic strategies these days, as seen in the Kaseya incident, is to compromise software and update distribution points to deploy ransomware at scale.
It is not a stretch to say that any software that installs updatable services on endpoints can be a target of similar attacks and the table in the previous section is the best form of defense for that.
We wish to draw attention to two pervasively present distribution points for ransomware in most organizations:
- Active Directory
- SCCM
With recent disclosures around serious vulnerabilities—the Print Nightmare Vulnerability, for example—organizations are at risk of both Active Directory and SCCM as targets for any ransomware that leverages such a vulnerability to spread.
Here are four suggestions to actively defend against techniques in such a scenario.
|
Phase |
Technique |
Active Defense Tactic |
|
Internal recon (Active Directory) |
Query Active Directory for privileged users with rights to create a group policy |
Plant decoy users in privileged groups and OUs |
|
Internal recon (Active Directory) |
Query Active Directory for SCCM servers |
Plant decoy systems with attributes consistent with SCCM servers |
|
Lateral movement via zero days like Print Nightmare |
Use the Print Nightmare vulnerability to obtain RCE on Active Directory and SCCM |
|
|
Lateral movement |
Creation of new group policy or SCCM policy to distribute encryptor |
Monitor and log the creation of new policies |
Closing Notes
Organizations should expect that any major vulnerability disclosed is likely to become a target for spreading ransomware.
Due to the unpredictability of TTPs that may be used in individual incidents, we advise organizations to adopt a wider array of Active Defense techniques to build resilience against a variety of ransomware operator strategies.
We also encourage organizations to adopt Active Defense and deception strategies in the following parts of their IT environment:
- DMZ (both external and internal segments)
- Data center segments hosting business-critical applications for east-west lateral movement
- Active Directory
- Privileged endpoints
- Endpoints of personnel interacting with sensitive applications
Learn more about Kaseya Supply-Chain ransomware attack by viewing our webinar hosted by ThreatlabZ.
