Courageous action by defenders can prevent maximum damage from attackers.
Incident response firm Sygnia was contacted by a company to investigate suspect activity on its network. Sygnia rapidly concluded the company was experiencing a ransomware attack and was in imminent danger of having its entire environment encrypted. It recommended immediate and bold action — disconnect from the internet.
The company (which we’ll now call the victim) complied. The attack was blocked, and the attacker could neither continue to the encryption phase nor delete its trail. The attacker was BlackCat, and Sygnia now had access to the detailed history and progress of the attack – and has reported on its analysis.
It was a supply chain attack. The supplier (which we’ll now call the vendor) provided technical assistance to the victim — and the entry route for BlackCat. For reasons of customer confidentiality, Sygnia’s CEO Ram Elboim declined to give SecurityWeek the name of either the victim or the vendor. It has, however, now published a detailed analysis of the progress and outcome of the BlackCat attack.
The attack started with attempts to access the victim from the previously compromised vendor. On day one, the attackers attempted RDP and SMB logon to two of the victim’s servers. Three successful logons were achieved on one of the servers. On day two, the attacker attempted brute force authentication attacks. On day three, it successfully connected over RDP with a victim server that became the ‘pivot’ server for reconnaissance and lateral movement.
The basic history of the attack is not unfamiliar. The victim’s security controls rapidly provided alerts to anomalous activity, but the victim did not immediately recognize the alerts as serious — it’s the standard problem of alert fatigue and possible false positives.
Still on day three of the attack, the attacker rapidly consolidated its position. A cat-and-mouse game between live attackers and automated security controls began. “The ‘C:\Intel\exp.exe’ file was created on the pivot-server during the RDP session, and its execution was detected and blocked by MDE,” reports Sygnia. “An analysis of ‘exp.exe’ indicated that it is a privilege escalation tool based on the exploitation of CVE-2022-24521 – a vulnerability in the Windows Common Log File System (CLFS) driver, known to be used by several ransomware groups.”
The attacker created a new file and executed it using PowerShell. This injected malicious code into the ‘drfgui.exe’ process, which contacted a Cobalt Strike C2 server on a domain that resolved to a Cloudflare CDN. It then created a malicious file named ‘C:\Intel\svchost.exe’ on the pivot server, trying to mask the malware as benign activity.
Reconnaissance continued with the attacker using a version of the SoftPerfect Network Scanner, searching for passwords, accessing remote folders via Windows Explorer, and ping testing network connections.
On day five, Cobalt Strike Beacon was downloaded and injected into ‘drfgui.exe’. On the same day, the attacker executed ‘BG00Q.exe’, a renamed version of AccountRestore, that performs dictionary attacks to extract passwords; and executed a Kerberoasting attack to retrieve password hashes from Active Directory.
On day six, the lateral movement second phase of the attack began. This lasted another two weeks. Numerous tools were used, including Netscan and Stowaway — an open source tool used for the creation of a chained proxy service between a series of hosts.
The bottom line, however, is that by the time the victim called on Sygnia for help, it had become a noisy battlefield. The victim knew it was under attack, and the attacker knew its presence was probably known, or at least suspected. This alone adds urgency to both sides – an urgency that Sygnia immediately recognized.
“When responding to an incident, one of the areas that should be looked at is ‘What will the attacker understand and how will they react?’ – this is one of the areas that makes IR work for professionals,” Elboim explained. “On one hand, response activities should do the maximum to contain and remediate, but on the other, they should be done carefully so that the attacker will not know that activity is taking place – or at least not fully understand the type and scope of activities that are being done.”
It was too late in this instance. “Cutting the Internet connection is a severe action that was unavoidable in this specific case, but there are many cases where we have taken a more careful approach and planned our activities so that the attacker isn’t informed of our activities, until we and the company we assist, are fully ready,” he added.
The important point here, however, is that the victim’s senior management was brave enough to take that severe action. By now, the attackers had succeeded in exfiltrating data, but had not yet commenced encryption. That encryption was blocked. It did not prevent BlackCat from attempting to extort the victim over the stolen data, and for the next three weeks the attacker attempted to do so. Details of this process are unknown, or at least undisclosed, but some inference may be deduced by the subsequent disclosure of victim data on BlackCat’s leak site.
“Attackers always exaggerate the importance of the data they steal,” Elboim said. “In this case it was not as important as they thought. If they could have continued, they would have exfiltrated more data.”
There are numerous takeaways from this case. Early and expert incident response is always advisable – but in the end, decisiveness and the courage to take drastic steps can save the day, even very late in the day. It is questionable whether the victim would have succumbed to the double extortion of system encryption and more expansive data theft, but if an attack that cannot be prevented can at least be limited to a questionable single extortion attack, survival is more likely.
Related: Change Healthcare Confirms BlackCat Ransomware Attack
Related: US Offers $10M for Info on BlackCat Ransomware Leaders
Related: BlackCat Ransomware Gang “Unseizes” Website, Vows No Limits on Targets
Related: US Gov Disrupts BlackCat Ransomware Operation, Releases Decryption Tool
