While significant progress is being made by global organizations in relation to threat detection and response, adversaries continue to surface, innovate, and adapt to target environments with diverse cyberattacks including new extortion and ransomware tactics, techniques, and procedures (TTPs). The data comes from Mandiant’s M-Trends 2022 report based on investigations of targeted attack activity conducted between October 1, 2020 and December 31, 2021. Among its various findings are insights into prevalent attack vectors, most targeted industries, and an increase in espionage activity linked to China.
Daily Archives: April 19, 2022
Absolute Software launches ransomware response offering to accelerate endpoint recovery
Endpoint and secure access solutions vendor Absolute Software has released a new offering to enable customers to prepare and accelerate their endpoint recovery in the face of ransomware attacks. The firm said Absolute Ransomware Response features several capabilities and benefits that will help organizations assess their ransomware preparedness and cyber resilience across endpoints. The launch comes as new research from cybersecurity leader Mandiant cites an increasing evolution in ransomware tactics, techniques, and procedures (TTPs).
Spyware was used against Catalan targets and UK prime minister and Foreign Office
Researchers at The Citizen Lab at the University of Toronto revealed two significant findings that further highlight the widespread use of Israeli mercenary spyware apps. First, the group released fresh rounds of forensic results that uncovered Catalans’ phones targeted in Spain. Secondly, they discovered that spyware infiltrated the Prime Minister and Foreign and Commonwealth offices in the UK.
These revelations also appeared in conjunction with a lengthy investigation by journalist Ronan Farrow appearing in the New Yorker. Farrow’s research offers new details into the rise of the spyware industry, the troubles facing the spyware purveyors, the efforts by tech companies to circumscribe the highly sophisticated malware, and the Biden administration’s planned actions regarding this trend.
Stories from the SOC – Lateral movement using default accounts
Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.
Executive summary
The Windows ‘Administrator’ account is a highly privileged account that is created during a Windows installation by default. If this account is not properly secured, attackers may leverage it to conduct privilege escalation and lateral movement. When this account is used for administrative purposes, it can be difficult to distinguish between legitimate and malicious activity. Security best practice is to create and implement user accounts with limited privileges and disable the default ‘Administrator’ account on all machines.
The Managed Threat Detection and Response (MTDR) analyst team received 82 alarms involving the default ‘Administrator’ account successfully logging into multiple assets in the customer environment. The source asset attempting these logons was internal, successfully logging into multiple other internal assets within a short timeframe. Further investigation revealed the use of PowerShell scripts used for network share enumeration, account enumeration, and asset discovery.
Investigation
Initial alarm review
Indicators of Compromise (IOC)
An initial alarm was triggered by a built-in USM Anywhere rule named “Successful Logon to Default Account.” This rule was developed by the Alien Labs team to trigger based on successful login attempts to default Windows accounts, captured by Windows Event Log. This alarm was the first indicator of compromise in this environment which prompted this investigation.
Expanded investigation
Events search
The customer confirmed in prior investigations that the default Administrator account is widely used for legitimate administrative purposes in this environment. How does one distinguish between administrative activity and malicious activity? Additional event searching must be conducted to provide more context into this login and the actions surrounding it. To do this, filters were utilized in USM Anywhere to query for events associated with the Administrator account on the affected asset.
Event deep dive
First, the account Security Identifier (SID) was used to confirm which account was being used for this login. The SID Is a Globally Unique Identifier (GUID) that is unique to each account on a Windows System. The default Administrator Security Identifier (SID) typically ends with the Relative Identifier (RID) of 500 on Windows Systems.
A review of the event attached to this alarm confirms that the default Administrator account was used to sign in, with a SID ending with the RID of 500.
To provide more context, events originating from the source asset were queried within the last 24 hours. 40 successful logins using the Administrator account were seen from this source to other internal assets in less than 10 minutes.
These events were captured by the AlienVault Agent, which was installed directly on the source asset to forward events to USM Anywhere.
Reviewing for additional indicators
Further review into the activity originating from the source asset reveals the use of an encoded and compressed PowerShell script. Encoding and compression effectively allow the attacker to obfuscate scripts being executed, evading detection.
Using open-source tools, we were able to decode and decompress the underlying PowerShell script:
The decoded ‘Invoke-ShareFinder’ script seen above is a function used to query for exposed network shares in a Windows domain. This tool can also be used to determine which users have access to each network share. Exposed and insecure network shares could allow an attacker to obtain sensitive information or conduct lateral movement.
An additional event was found for the PowerShell script “Discovery.psm1” being executed on this asset. This script is used for internal network discovery using various scanning techniques.
Response
Building the investigation
With all events gathered and analysis completed, an investigation was created and submitted to the customer for review. Due to the severity of this incident and for situational awareness, a call was made to the customer to inform them of this activity.
Customer interaction
The customer took quick action to isolate the source asset, preventing further lateral movement attempts. Additionally, all affected assets were scanned using SentinelOne to ensure they were not infected with malware. Lastly, the default ‘Administrator’ account was disabled on all assets in this environment, effectively preventing future abuse of this account.
Limitations and opportunities
Limitations
The MTDR team lacked visibility into the customer’s SentinelOne EDR environment, which would have allowed for additional context and quicker response action.
Opportunities
AT&T offers Managed Endpoint Security (MES), a tool that provides comprehensive endpoint protection against malware, ransomware, and fileless attacks. MES utilizes behavioral analysis, which would have alerted analysts of malicious activity and prevented the “Discovery” and “Invoke-ShareFinder” scripts from executing on the asset. MES can also be used to conduct response actions such as isolating and scanning affected assets.
Stories from the SOC – Lateral movement using default accounts
Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.
Executive summary
The Windows ‘Administrator’ account is a highly privileged account that is created during a Windows installation by default. If this account is not properly secured, attackers may leverage it to conduct privilege escalation and lateral movement. When this account is used for administrative purposes, it can be difficult to distinguish between legitimate and malicious activity. Security best practice is to create and implement user accounts with limited privileges and disable the default ‘Administrator’ account on all machines.
The Managed Threat Detection and Response (MTDR) analyst team received 82 alarms involving the default ‘Administrator’ account successfully logging into multiple assets in the customer environment. The source asset attempting these logons was internal, successfully logging into multiple other internal assets within a short timeframe. Further investigation revealed the use of PowerShell scripts used for network share enumeration, account enumeration, and asset discovery.
Investigation
Initial alarm review
Indicators of Compromise (IOC)
An initial alarm was triggered by a built-in USM Anywhere rule named “Successful Logon to Default Account.” This rule was developed by the Alien Labs team to trigger based on successful login attempts to default Windows accounts, captured by Windows Event Log. This alarm was the first indicator of compromise in this environment which prompted this investigation.
Expanded investigation
Events search
The customer confirmed in prior investigations that the default Administrator account is widely used for legitimate administrative purposes in this environment. How does one distinguish between administrative activity and malicious activity? Additional event searching must be conducted to provide more context into this login and the actions surrounding it. To do this, filters were utilized in USM Anywhere to query for events associated with the Administrator account on the affected asset.
Event deep dive
First, the account Security Identifier (SID) was used to confirm which account was being used for this login. The SID Is a Globally Unique Identifier (GUID) that is unique to each account on a Windows System. The default Administrator Security Identifier (SID) typically ends with the Relative Identifier (RID) of 500 on Windows Systems.
A review of the event attached to this alarm confirms that the default Administrator account was used to sign in, with a SID ending with the RID of 500.
To provide more context, events originating from the source asset were queried within the last 24 hours. 40 successful logins using the Administrator account were seen from this source to other internal assets in less than 10 minutes.
These events were captured by the AlienVault Agent, which was installed directly on the source asset to forward events to USM Anywhere.
Reviewing for additional indicators
Further review into the activity originating from the source asset reveals the use of an encoded and compressed PowerShell script. Encoding and compression effectively allow the attacker to obfuscate scripts being executed, evading detection.
Using open-source tools, we were able to decode and decompress the underlying PowerShell script:
The decoded ‘Invoke-ShareFinder’ script seen above is a function used to query for exposed network shares in a Windows domain. This tool can also be used to determine which users have access to each network share. Exposed and insecure network shares could allow an attacker to obtain sensitive information or conduct lateral movement.
An additional event was found for the PowerShell script “Discovery.psm1” being executed on this asset. This script is used for internal network discovery using various scanning techniques.
Response
Building the investigation
With all events gathered and analysis completed, an investigation was created and submitted to the customer for review. Due to the severity of this incident and for situational awareness, a call was made to the customer to inform them of this activity.
Customer interaction
The customer took quick action to isolate the source asset, preventing further lateral movement attempts. Additionally, all affected assets were scanned using SentinelOne to ensure they were not infected with malware. Lastly, the default ‘Administrator’ account was disabled on all assets in this environment, effectively preventing future abuse of this account.
Limitations and opportunities
Limitations
The MTDR team lacked visibility into the customer’s SentinelOne EDR environment, which would have allowed for additional context and quicker response action.
Opportunities
AT&T offers Managed Endpoint Security (MES), a tool that provides comprehensive endpoint protection against malware, ransomware, and fileless attacks. MES utilizes behavioral analysis, which would have alerted analysts of malicious activity and prevented the “Discovery” and “Invoke-ShareFinder” scripts from executing on the asset. MES can also be used to conduct response actions such as isolating and scanning affected assets.
Cybersecurity litigation risks: 4 top concerns for CISOs
The threat of litigation is enough to keep any business leader up at night, and the increasing prevalence of data protection, privacy, and cybersecurity legislation and regulation is piling on the pressure for CISOs.
According to Norton Rose Fulbright’s latest Annual Litigation Trends Survey of more than 250 general counsel and in-house litigation practitioners, cybersecurity and data protection will be among the top drivers of new legal disputes for the next several years. Two-thirds of survey respondents said they felt more exposed to these types of disputes in 2021, up from less than half in 2020, while more sophisticated attacks, less oversight of employees/contractors in remote environments, and concerns about the amount of client data were all cited as mitigating factors.
Cybersecurity litigation risks: 4 top concerns for CISOs
The threat of litigation is enough to keep any business leader up at night, and the increasing prevalence of data protection, privacy, and cybersecurity legislation and regulation is piling on the pressure for CISOs.
According to Norton Rose Fulbright’s latest Annual Litigation Trends Survey of more than 250 general counsel and in-house litigation practitioners, cybersecurity and data protection will be among the top drivers of new legal disputes for the next several years. Two-thirds of survey respondents said they felt more exposed to these types of disputes in 2021, up from less than half in 2020, while more sophisticated attacks, less oversight of employees/contractors in remote environments, and concerns about the amount of client data were all cited as mitigating factors.
Managing container vulnerability risks: Tools and best practices
Containers are quickly becoming the de facto form of compute and workload deployments in the cloud-native ecosystem. The latest Cloud Native Computing Foundation (CNCF) Cloud Native Survey shows that 96% of organizations are either actively using containers and Kubernetes or are evaluating them. Containers have well-known benefits such as portability, consistency and efficiency, but they aren’t without security concerns.
Container security is a complex activity that, much like broader cybersecurity, requires a combination of people, processes and technology, with the first being the most critical. Organizations looking to shift to widespread container use should be upskilling existing staff as well as bringing in others with the necessary skill sets to ensure a secure cloud-native operating model, of which containers are a key component.
Managing container vulnerability risks: Tools and best practices
Containers are quickly becoming the de facto form of compute and workload deployments in the cloud-native ecosystem. The latest Cloud Native Computing Foundation (CNCF) Cloud Native Survey shows that 96% of organizations are either actively using containers and Kubernetes or are evaluating them. Containers have well-known benefits such as portability, consistency and efficiency, but they aren’t without security concerns.
Container security is a complex activity that, much like broader cybersecurity, requires a combination of people, processes and technology, with the first being the most critical. Organizations looking to shift to widespread container use should be upskilling existing staff as well as bringing in others with the necessary skill sets to ensure a secure cloud-native operating model, of which containers are a key component.