Ransomware operators relied heavily on a handful of commodity Trojans, open source reconnaissance tools, and legitimate Windows utilities to execute many of their attacks during the past quarter, according to data from incidents handled by the Cisco Talos Incident Response (CTIR) team.
The data, collected from customer locations between November 2020 and January 2021, showed attackers continuing to overwhelmingly use phishing emails with malicious documents to deliver Trojans for downloading ransomware on victim systems.
But unlike in the recent past where the Emotet and Trickbot malware families were the primary vehicles for distributing ransomware, many of the Trojans used for this purpose in the past quarter were commodity tools such as Zloader, BazarLoader, and IcedID. According to the CTIR team, nearly 70% of the ransomware attacks it responded to over the three-month period used these or similar Trojans to deliver ransomware.
"We saw a variety of commodity Trojans used this quarter, as opposed to previous quarters in which Trickbot and Emotet were dominant," says Brad Garnett, general manager of the Cisco Talos Incident Response team.
For enterprises, the trend could spell even more trouble on the ransomware front.
"Commodity Trojans are easy to obtain and possess numerous capabilities for lateral movement, command-and-control communications, etc., which can increase the efficacy of a ransomware attack," Garnett notes.
The CTIR team's data from incident response engagements showed ransomware dominated the threat landscape during the three-month period just like it has for the past the seven straight quarters. The most prolific ransomware families included Ryuk, Vatet, WastedLocker, and variants of Egregor.
As they have in the past, ransomware operators took advantage of several open source and legitimate admin tools and utilities to facilitate attacks, move laterally in compromised networks, hide malicious activity, and take other actions. Some 65% — or nearly two-thirds — of the ransomware incidents the Cisco Talos team responded to involved the use of PowerShell, and 30% of the incidents involved the use of PsExec. Other commonly used free and commercially available and dual-use tools included Cobalt Strike, CCleaner for deleting unwanted files, the open source TightVNC for enabling remote control of Windows and Linux PCs, and compression software such as WinRAR and 7-Zip.
Abusing Legit Tools and Utilities
The CTIR team also encountered several incidents where attackers used open source reconnaissance tools such as the Active Directory (AD) search utility ADFind, the AD information-gathering tool ADRecon, and the Bloodhound tool for visualizing AD environments and finding potential attack paths.
As one example of how ransomware operators are leveraging these tools, the CTIR team pointed to an incident where the attackers, after gaining an initial foothold on the victim network, took advantage of the Group Policy replication feature in Windows AD to install Ryuk ransomware. In that instance, the adversary leveraged PsExec to move laterally and execute remote commands. They eventually obtained domain administrator (DA) credentials and used it to encrypt some 1,000 endpoints and wipe backup indexes.
"Ransomware continues to pose the greatest threat to enterprises," Garnett says. "Phishing remains the most observed infection vector for these attacks, underscoring the importance of email security and phishing training."
In addition, enterprises must enable multifactor authentication where possible, disable legacy protocols, and limit use of powerful Windows tools in trusted accounts.
Ransomware was the predominant threat. But the CTIR team also responded to multiple incidents involving malware distributed via poisoned updates to SolarWinds' Orion network management technology. Some 18,000 organizations worldwide — including several Cisco Talos customers — were impacted in that breach. However, only one of the incidents that Cisco Talos investigated involved post-compromise activity. In that incident, the attackers had set up a PowerShell script that looked like it was designed to receive more code likely for executing malicious activity.
Looking at the current quarter, Garnett expects Cisco Talos will have to respond to more SolarWinds-related incidents because the full scope and impact of that incident is likely larger than what's known so far. He also expects the CTIR team will have to respond to more incidents involving the believed China-based Hafnium group and its recent attacks targeting four critical zero-day vulnerabilities in Microsoft Exchange Server.
"For Hafnium, we are actively supporting customers globally across different sectors and continue to see an uptick in IR services requests from customers [impacted by the attacks]," he says.