Operations

6/20/2018
02:30 PM
Ajit Sancheti
Ajit Sancheti
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Inside a SamSam Ransomware Attack

Here's how hackers use network tools and stolen identities to turn a device-level compromise into an enterprise-level takedown.

Hospitals, municipal governments, and schools are bracing themselves, anxiously aware that they could be the next target of SamSam ransomware's ongoing campaign of destruction and extortion.

According to an updated warning issued by the US Department of Health and Human Services, a new variant of SamSam (also referred to as SamSa and Samas) has been deployed in more than eight unique cyberattacks in the United States so far in 2018. These include an industrial controls system (ICS), two hospitals, the City of Atlanta, and the Colorado Department of Transportation. Colorado DOT was attacked twice; it took six weeks, millions of dollars, and hundreds of cybersecurity specialists, including the FBI, to get the department (2,000 computers) back to 80% functionality. What would happen to organizations with fewer resources in the aftermath of a SamSam hit?

In the latest reported attack, an Indiana healthcare provider network discovered it had been compromised on May 17 and is now working with the FBI; it did not disclose whether it paid the ransom. Indeed, many public-sector victims decide it is better to concede to hacker demands immediately than to risk extended recovery time (not to mention complications). As dependency on real-time data and networked systems becomes the norm, recovery speed is critical. Ransomware exploits this vulnerability for straightforward financial gain.

SamSam and its variants, active since 2016, have evident commonalities; as more attacks are investigated, we have gained insight into their tactics. SamSam campaigns do not target the most lucrative enterprises. Instead, they extort organizations that have a near-zero tolerance for downtime: public-facing civil sector and healthcare organizations. The pressure is on when lives, physical health, critical infrastructure, and public safety are at risk. The longer it takes, the higher the stakes.

Assume Breach
While regular patching, security updates, and consistent monitoring can be effective defenses, let's assume the obvious: The perimeter will eventually be breached. SamSam attackers specialize in scanning for exploits and known vulnerabilities — public network protocols, in particular — when targeting a victim. An analysis of SamSam incidents suggests that the ransomware is "typically deployed after the threat actors have exploited known vulnerabilities on perimeter systems to gain access to a victim's network."

The hackers behind SamSam are sophisticated and appear to be learning more tricks as they go along. Their latest scheme is to spread thousands of copies of malware on a single network all at once and then demand "per computer" or "volume discount" ransom amounts to fix what they've broken.

Let's take a closer look at how ransomware attackers use network tools and stolen identities once they are inside the network to turn a device-level compromise into an enterprise-level takedown. According to the Verizon 2018 Data Breach Investigations Report, the use of stolen credentials is the No. 1 most common action attackers take during a successful breach. Privilege misuse is fourth on the list.

SamSam follows this playbook. It uses tools such as Mimikatz to steal valid user credentials and common IT management tools to move malware to new hosts. Attackers and their malware are increasingly reliant on Mimikatz and other common tools, such as PsExec — associated with everything from PoS malware to webshells — to spread through a network and do damage. Once hackers have compromised a set of privileged credentials, they use the stolen identity to access additional assets in the network. Next, attackers use legitimate administrator tools, such as PsExec or WMIexec, to remotely run code on additional machines.

Hacker Innovation
When it comes to stringing together vulnerabilities to avoid detection, prolong dwell time, and infect larger numbers of machines, hackers are innovative. For example, Remote Desktop Protocol (RDP), a standard Microsoft component, has been identified as a weak point that hackers seek because it provides an easy channel of attack. All they have to do is crack the password, and they are free to move laterally, execute malware, and encrypt data.

Likewise, hackers leverage vulnerabilities in Microsoft's credential protocol (CredSSP), along with RDP and distributed computing environment/remote procedure call (DCE/RPC) application services, in much the same way. RDP is so handy that hackers have created databases containing the location and attributes of systems running RDP and sell the records to other bad actors.

These tools are hard to blacklist, let alone control. For example, Mimikatz relies on Windows NT LAN Manager (NTLM) for techniques such as pass-the-hash. The challenge for IT teams is that, by design, virtually any Windows protocol can be downgraded to NTLM. Tools like PsExec use a remote procedure call (RPC), which is also historically difficult to control inside most enterprises.

The good news is that innovations now make it possible for organizations to directly analyze these protocols, see abnormalities, and challenge them in real time. For example, suspicious internal traffic could trigger a multifactor authentication challenge the user has to pass before access is granted. By controlling these protocols, admins can disable the skeleton key tools that attackers use to steal identity and spread to new machines. It may not be possible to prevent every infection, but it's always better to catch them early and box them in. There's no reason to make it easy for the bad guys to take down the entire organization.

SamSam relies on known vulnerabilities. To defend your organization, don't forget security basics. Make sure patching and configuration is up to date. Keep passwords strong and change them often. Limit privileged accounts and use vulnerable protocols only when necessary. Segment networks to contain damage and ease recovery.

Most importantly, focus on what's happening inside your network in real time. Monitor and control access to legitimate credentials and network tools by detecting anomalous patterns and challenging abnormal use. That will make SamSam and its variants ineffective or, at a minimum, keep them from spreading like slime mold through your network.

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Ajit Sancheti is CEO and co-founder of Preēmpt. He has over 20 years in IT security and executive leadership. Previously, he co-founded Mu Dynamics (acquired by Spirent Communications) and held various management roles. Before Mu Dynamics, Ajit was part of the corporate ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
6/23/2018 | 6:38:20 PM
Re: BACKUP, BACKUP, BACKUP
@REISEN: Indeed, you raise an important point. Sometimes, security fails, and attacks transcend into BC/DR issues. Whether natural disasters or manmade, these are things you have to plan and account for. Consequently, it's not just a security-team failure; it's an IT-administration failure.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
6/20/2018 | 3:58:51 PM
BACKUP, BACKUP, BACKUP
How many of us remember those three hallowed words from 25 years ago???   And yet nobody seems to do it right.  Atlanta lost ALL DASHCAM VIDEOS, ALL OF THEM.  So ANY failure would have killed the lot, not just a ransomware attack.  Server failure, hard drive failure???    DOES anybody have an updated, TESTED, restoration plan in place???  i think not.  IT departments hate to test these as it is hard work and tough on schedules.  BFD.  It has to be tested and for the simple reason that when it is NEEDED AT 2AM ..... well, the mind does not think straight at that hour, does it???    But still crashes don't happen, rigjht???    And ransomware won't get into OUR SYSTEM right????  
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
The Morris Worm Turns 30
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/9/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12174
PUBLISHED: 2018-11-14
Heap overflow in Intel Trace Analyzer 2018 in Intel Parallel Studio XE 2018 Update 3 may allow an authenticated user to potentially escalate privileges via local access.
CVE-2018-3621
PUBLISHED: 2018-11-14
Insufficient input validation in the Intel Driver & Support Assistant before 3.6.0.4 may allow an unauthenticated user to potentially enable information disclosure via adjacent access.
CVE-2018-3635
PUBLISHED: 2018-11-14
Insufficient input validation in installer in Intel Rapid Store Technology (RST) before version 16.7 may allow an unprivileged user to potentially elevate privileges or cause an installer denial of service via local access.
CVE-2018-3696
PUBLISHED: 2018-11-14
Authentication bypass in the Intel RAID Web Console 3 for Windows before 4.186 may allow an unprivileged user to potentially gain administrative privileges via local access.
CVE-2018-3697
PUBLISHED: 2018-11-14
Improper directory permissions in the installer for the Intel Media Server Studio may allow unprivileged users to potentially enable an escalation of privilege via local access.