Skip to main content

This is a Zscaler Guest Post

The recent Kaseya ransomware incident combined the worst possibilities the infosec community has had to contend with in recent months:

  1. A supply-chain attack
  2. Ransomware
  3. An unpatched application vulnerability (zero day)

This is by no means an isolated incident. All vulnerabilities reported on widely used software products, especially those that do not require authentication to exploit, will likely become a target to spread ransomware.

Attacking the supply chain is simply a cost-effective way to scale ransomware operations.

In this blog post, we’ll use the Kaseya incident as a blueprint to recommend a short playbook for what you can do while you await a patch for any software vulnerability you know nothing about.


View our recent webinar for more information on the best defenses against Kaseya supply-chain and similar attacks.


Zero days and active defense

Zero days are a tough nut to crack. The average organization uses hundreds of different types of software and tools. It’s almost impossible to have an accurate software inventory, let alone account for issues like supply-chain attacks and zero days.

While the research community plugs away trying to proactively find and hunt bugs to remediate costly zero days in widely used software before adversaries do, Active Defense allows security teams to take a step back and evaluate the problem of zero days as a whole.

Active Defense shifts the focus of security teams away from individual software and esoteric, difficult-to-parse exploitation techniques to proactive defensive strategies while they wait for a patch to be installed.

By hypothesizing the objectives that adversaries achieve when exploiting Zero Days, we can plan our Active Defenses in a manner that can:

  1. Reduce the impact of exploitation
  2. Give an early warning of malicious activity
  3. Gather intelligence on the adversary

Zero days through the kill-chain

The following table demonstrates where zero days are likely to be used in the kill-chain:

 

Kill-Chain Phase Possible Zero-Day Targets Possible Motivation
Initial Infection and foothold Internet-facing software applications and services Obtain access to a high-value environment
Privilege escalation Operating system components and locally installed software Obtain a higher level of privilege to aid the rest of the kill-chain
Lateral movement Distribution software and internally exposed services Expand attack footprint in locked-down environments
Action on objectives Zero days against specialized software Exploit weaknesses to steal data

 

Zero days are a means to the end goal. Whether in the initial stages of the operation or the critical last step.

From a defensive perspective, this gives us a valuable advantage: If we cannot stop the zero day itself, we have opportunities to trap the adversary either before or after they use it. And you can do just that with Active Defense.

Actively defending against Kaseya-style incidents

The scenario here is that you know about a zero-day target that does not yet have a patch. Let us also assume that the zero day is being used for initial infection and foothold to distribute ransomware within the environment.

The following table shows strategies for actively defending against techniques observed in the Kaseya REvil Ransomware incident.

 

Phase Technique Active Defense Tactic Hints, Tips, Tricks
Initial infection Exploit an internet-facing application Create public-facing decoys to capture intelligence Use the application vulnerable to the zero day as a template for the decoy
Execution Use of PowerShell Monitor for commands and scripts that involve stopping or disabling services N/A
Defense evasion Kill processes and services Deploy decoy processes and services commonly killed by ransomware The most commonly attacked processes are those that lock files that are a target for encryption; therefore, “outlook.exe”, MS Office processes, and database processes are usually targeted
Pre-encryption checks Delete volume shadow copies Monitor for the deletion of volume shadow Typically, volume shadow copies are deleted using vssadmin.exe or WMI
Encryption Encrypt files Deploy decoy files on endpoints to monitor for file modification events Placing files in common encryption start locations (such as C:\ or %appdata% or Document folders) is a smart way to minimize the impact of encryption

 

In the case of Kaseya, specifically, there was no worm-like behavior observed as the encryptor was pushed to machines via an update.

Beware of distribution points

One of the classic strategies these days, as seen in the Kaseya incident, is to compromise software and update distribution points to deploy ransomware at scale.

It is not a stretch to say that any software that installs updatable services on endpoints can be a target of similar attacks and the table in the previous section is the best form of defense for that.

We wish to draw attention to two pervasively present distribution points for ransomware in most organizations:

  1. Active Directory
  2. SCCM

With recent disclosures around serious vulnerabilities—the Print Nightmare Vulnerability, for example—organizations are at risk of both Active Directory and SCCM as targets for any ransomware that leverages such a vulnerability to spread.

Here are four suggestions to actively defend against techniques in such a scenario.

 

Phase Technique Active Defense Tactic
Internal recon (Active Directory) Query Active Directory for privileged users with rights to create a group policy Plant decoy users in privileged groups and OUs
Internal recon

(Active Directory)

Query Active Directory for SCCM servers Plant decoy systems with attributes consistent with SCCM servers
Lateral movement via zero days like Print Nightmare Use the Print Nightmare vulnerability to obtain RCE on Active Directory and SCCM
  1. Disable the print spooler service on AD and SCCM
  2. Plant a decoy system on the network with hostname and DNS indicating it is an SCCM server
Lateral movement Creation of new group policy or SCCM policy to distribute encryptor Monitor and log the creation of new policies

 

Closing Notes

Organizations should expect that any major vulnerability disclosed is likely to become a target for spreading ransomware.

Due to the unpredictability of TTPs that may be used in individual incidents, we advise organizations to adopt a wider array of Active Defense techniques to build resilience against a variety of ransomware operator strategies.

We also encourage organizations to adopt Active Defense and deception strategies in the following parts of their IT environment:

  1. DMZ (both external and internal segments)
  2. Data center segments hosting business-critical applications for east-west lateral movement
  3. Active Directory
  4. Privileged endpoints
  5. Endpoints of personnel interacting with sensitive applications

Learn more about Kaseya Supply-Chain ransomware attack by viewing our webinar hosted by ThreatlabZ.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.