Observations
Over the past thirty days, the Ankura Cybersecurity team has worked with clients to solve cybersecurity challenges involving emerging ransomware tactics, aggressive business email compromises, on-premise exchange server exploitation, and sophisticated cyber espionage campaigns.
As we detail in the pages below, Ankura’s Cyber Threat Analysis and Pursuit Team (CTAPT) has detected an increasing number of ransomware/extortion groups leveraging new tactics. Additionally, cyber espionage groups continue to exploit both human and technical security risks to achieve their objectives.
Lastly, during this period Ankura’s Cyber Security team has been responding to multiple clients in the financial and legal verticals impacted by the recently exposed “Hafnium” Microsoft campaign. As a first responder, Ankura is in a unique position to capture and observe the exploits threat actors are using in near real time. Our collections and reporting cycle supplies front-line responders with curated and actionable Hafnium-related intelligence for use in ongoing and future investigative activities.
Microsoft Exchange Server Exploitation
In the opening days of March, CTAPT analysts have been actively tracking the numerous zero-day attacks against Microsoft Exchange servers. Microsoft initially attributed these attacks to a state-sponsored espionage group out of China called Hafnium[1], which primarily targets entities throughout the United States, Europe, and the Pacific Rim. Hafnium is an emerging state-sponsored threat group based out of China and has been known for exploiting vulnerabilities on internet-facing servers and network technologies. Previously, Hafnium has targeted a wide range of organizations including defense contractors, law firms, and universities throughout America.
Ankura Incident Responders were soon called upon to help clients assess their systems and, when warranted, pursue threat actors and contain risk. Ankura can confirm Hafnium actors have a straightforward process to exploit victims. First, they gain access to an Exchange server using a server-side request forgery (SSRF) vulnerability (CVE-2021-26855). Next, Hafnium deploys a web shell to remotely access the affected server(s). Finally, data can be exfiltrated from the compromised server(s) back to Hafnium infrastructure via remote access. Several vulnerabilities are leveraged in this attack, serving as a sort of ‘attack chain’ in the order listed below:
- CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. Hafnium utilizes leased virtual private servers within the United States and connects to TCP port 443 (HTTPS) on the targeted, vulnerable servers. This exploitation can be detected via the Exchange HttpProxy logs, specifically in the “%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy” directory[2].
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gives Hafnium the ability to bypass the needed authorization and run code as SYSTEM on the Exchange server[3]. This requires administrator permission or another vulnerability to exploit. This exploitation can be detected via the Windows Application event logs and specifically creates Application events with the following properties:
  - Source: MSExchange Unified Messaging
  - EntryType: Error
  - Event Message Contains: System.InvalidCastException
- CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium can authenticate with the Exchange server, then they can use this vulnerability to write a file to any path on the server[4]. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials. This exploitation can be detected via the Exchange log files, specifically located in “C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog”.
- CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium can authenticate with the Exchange server, then they can use this vulnerability to write a file to any path on the server[5]. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials. This exploitation can be detected via the Exchange log files, specifically located in “C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server”.
Indicators of compromise from this attack can also be found from web shells within Exchange servers. Below is a list of hashes that indicate ASP web shell presence:
These web shells can be in separate locations on the server. Commonly, Hafnium utilizes the paths below to download their web shells and execute them:
- %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
- C:\Exchange\FrontEnd\HttpProxy\owa\auth\
- C:\inetpub\wwwroot\aspnet_client\
- C:\inetpub\wwwroot\aspnet_client\system_web\
- \inetpub\wwwroot\aspnet_client\
- \\FrontEnd\HttpProxy\ecp\auth\
- \\FrontEnd\HttpProxy\owa\auth\
- \\FrontEnd\HttpProxy\owa\auth\Current\*any aspx file in this directory
Additionally, the following web shell names were attributed to this attack:
- aspnet_client.aspx
- aspnet_iisstart.aspx
- aspnet_www.aspx
- document.aspx
- errorEE.aspx
- errorEEE.aspx
- errorEW.aspx
- errorFF.aspx
- healthcheck.aspx
- help.aspx
- one.aspx
- shell.aspx
- web.aspx
- xx.aspx
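A triage sweep built from the directories, file names and CVE-2021-26857 event properties listed above, as an added example that is not part of the original report. The function and parameter names are this example's own, and only the fully qualified directories from the list are swept by default.

```powershell
# Added example (not from the original report). Run in an elevated Windows PowerShell
# session on the Exchange server. Paths, file names and event properties come from the
# lists above; function and parameter names are this example's own.

$ReportedNames = @(
    'aspnet_client.aspx', 'aspnet_iisstart.aspx', 'aspnet_www.aspx', 'document.aspx',
    'errorEE.aspx', 'errorEEE.aspx', 'errorEW.aspx', 'errorFF.aspx', 'healthcheck.aspx',
    'help.aspx', 'one.aspx', 'shell.aspx', 'web.aspx', 'xx.aspx'
)

# Only the fully qualified directories from the list; pass -Path to add others.
$ReportedPaths = @(
    "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    'C:\Exchange\FrontEnd\HttpProxy\owa\auth',
    'C:\inetpub\wwwroot\aspnet_client',
    'C:\inetpub\wwwroot\aspnet_client\system_web'
)

function Find-AspxCandidate {
    param(
        [string[]]$Path = $ReportedPaths,
        [string[]]$KnownHash = @()   # SHA-256 values supplied by the analyst
    )
    $existing = $Path | Where-Object { Test-Path -LiteralPath $_ }
    if (-not $existing) { return }
    # Every .aspx file is listed, because legitimate pages live in owa\auth as well;
    # NameMatch and HashMatch mark the ones that need attention first.
    Get-ChildItem -LiteralPath $existing -Filter *.aspx -File -Recurse -Force -ErrorAction SilentlyContinue |
        Sort-Object FullName -Unique |
        ForEach-Object {
            $sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            [pscustomobject]@{
                FullName     = $_.FullName
                NameMatch    = $ReportedNames -contains $_.Name   # case-insensitive
                HashMatch    = $KnownHash -contains $sha256       # case-insensitive
                Sha256       = $sha256
                CreatedUtc   = $_.CreationTimeUtc
                LastWriteUtc = $_.LastWriteTimeUtc
            }
        }
}

function Get-UmCastError {
    # Application-log events with the properties listed for CVE-2021-26857.
    Get-EventLog -LogName Application -Source 'MSExchange Unified Messaging' -EntryType Error -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*System.InvalidCastException*' } |
        Select-Object TimeGenerated, EventID, Message
}

Find-AspxCandidate | Sort-Object NameMatch, HashMatch -Descending | Format-Table -AutoSize
Get-UmCastError | Format-List
```

A file with neither flag set is not cleared by this sweep: compare its creation and write times against the rest of the directory before ruling it out.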
Microsoft Exchange servers can be found throughout many companies around the globe. Currently, more than sixty thousand (60,000) organizations have reported being compromised by this attack, varying from small businesses to major corporations[6]. However, many of these organizations are small/medium-sized businesses, since larger businesses have often led the way in adopting cloud-based email systems. Microsoft is notifying its clientele and has strongly recommended that those impacted update to the latest patch release. Furthermore, organizations should make sure external access over port 443 (HTTPS over TLS/SSL) is prohibited on their Exchange server(s). Additional indicators of compromise (IOCs) continue to be released as each day passes. Please see Appendix A for valuable Hafnium IP addresses and web shell scripts.
Recent Ransomware Activity
With the recent arrests of Egregor ransomware affiliates last month, Egregor operations are largely thought to have ceased. Ankura’s CTAPT has detected a response across other ransomware groups, as observable postings seem to convey an “on edge” theme, while other groups who are normally actively posting are now silent. Even so, CTAPT analysts assess that it will not be long before another group picks up where Egregor left off. We witnessed this when the Maze ransomware group first announced their retirement back on November 1, 2020. At the time, the recently emerging Egregor group appeared poised and ready to benefit from Maze’s retirement, as they quickly exploited multiple different victims throughout a variety of business sectors. In one month, Egregor’s dark web site jumped from only three pages of victims to twenty-three. Egregor also proved resilient, responding quickly to countermeasures:
Figure 1: Egregor Release Note after their return
With Maze still retired and Egregor experiencing challenges, it took no time at all for another group to step up. The Conti ransomware group wasted no time in surpassing its predecessors. Conti, which has now taken the title of most claimed victims, sits at 16.7% of all ransomware claimed victims, higher than the Maze group, which still holds 16.1% of all infections, and Egregor at 12.5%.
Figure 2: Ransomware Group Statistics[7]
Outside of the Conti ransomware surge, other groups’ infection rates have shown a decline. It is very likely that ransomware ecosystem developers have learned from the Egregor takedown and applied those lessons to new obfuscation and delivery techniques. One likely tactic evolution is that the Conti group has recently deployed new ransomware strains that spread laterally across the network using a worm-like function. Additionally, Conti is described as a “fileless” ransomware because it writes directly to volatile memory, never actually dropping detectable files to the system disk. Conti actors continue to post updates and news related to their progress:
Figure 3: Conti leak last posted on March 9, 2021.
CTAPT collection and analysis operations have detected that within the past week, a few other notable groups have surfaced and made their presence known in various venues. Of note are: CL0P, Darkside, REvil, Nefilim, and Pysa.
These and other indicators lead Ankura CTAPT analysts to assess with high confidence that these groups will evolve and significantly increase their activity these next few months, compared to last month. With a new void to fill, and money to be made, it is very likely those in the ransomware business still seek to rise to the “number one” spot.
Cl0p Operations
Since late December 2020, multiple threat actors have combined multiple zero-day vulnerabilities to create a new web shell to breach up to a hundred companies that use the twenty-year-old Accellion Legacy File Transfer Appliance (FTA) and steal sensitive files. While a fix for the vulnerabilities was released within 72 hours, the concerted cyberattack on the FTA systems continued into January 2021. Since then, Accellion has identified several additional exploits and has developed and released patches to close each vulnerability[8]. The affected FTA product is often used by government agencies, educational institutions, and other such organizations to share files externally from their organization while maintaining security. Through these vulnerabilities, up to a hundred (100) different organizations have been affected by the Cl0p Ransomware team and FIN11[9]. Of these hundred, fewer than twenty-five (25) appear to have been affected by significant data theft. Since the discovery of the theft, Accellion has patched the vulnerabilities and has added new monitoring and alerting capabilities to flag anomalies associated with the Cl0p and FIN11 attack vectors. Listed below are the four main exploitation vectors:
- CVE-2021-27101 – SQL injection via a crafted Host header
- CVE-2021-27102 – OS command execution via a local web service call
- CVE-2021-27103 – SSRF via a crafted POST request
- CVE-2021-27104 – OS command execution via a crafted POST request
Of the affected companies, two of the posted data sets on the Cl0p ransomware site are of particular interest: one containing sensitive emails and legal documents from a law firm that represents several powerful people, including former U.S. President Donald Trump, the other containing stolen documents from the defense division of the aerospace company Bombardier[10]. According to Cl0p postings online, the law firm breach was not a politically motivated attack; instead, they claimed financial gain as the motivation for the breach. Cl0p claims to have accessed and exfiltrated the data directly from the law firm’s systems, but the affected law firm claims that the breach came from the FTA vulnerability, which is why Cl0p did not encrypt their systems in addition to exfiltrating the data. It is possible that the ransomware group has found another vulnerability within the law firm’s system, and until results from the ongoing investigation by the firm are made public, the root cause of the exfiltration will remain unknown. From Bombardier, new reports suggest about one hundred thirty employees had their personal information stolen by the threat actors. In addition to the personal information, Cl0p also posted pictures of a CAD rendering of a Bombardier GlobalEye craft, a detailed 3D rendering of what looks to be a radar head schematic and its corresponding mount, an invoice charging Saab for the purchase and shipping of the Global 6000 and mount, an email from a professional aerospace engineer who had previously worked on military conversions of Global 6000 business jets, and several other images containing sensitive information.
Figure 1: Invoice order[11]
The CAD rendering shows the conversion of a Global 6000 business jet to carry a distinctive Saab Erieye, an Airborne Early Warning and Control System developed by Saab Electronic Defense Systems of Sweden; it is a plank-style radar that has been mounted on top of the jet’s fuselage. The Global 6000 airframe is also used by the British Royal Air Force as the base of the Sentinel airborne early-warning aircraft. Several anonymous experts have different theories as to what exactly is being shown in the exfiltrated data, such as that the schematics are for a passive array antenna with beam-forming waveguides or for a mechanically scanning radar head that would be mounted within the aircraft. In addition to the posted images, there are seven (7) different sections of files available for downloading, totaling eighty (80) files.
Figure 2: Ankura collections listing three sections of exfiltrated files available for download concerning the Global 6000
Normally, Cl0p ransomware targets high-profile companies with the goal of encrypting the company’s systems and files as an extortion method. The group posts to their onion site that they have breached a company and locked down its systems, then slowly releases the exfiltrated information and documents until payment is received from the affected company, after which they decrypt the files and systems and take down the public postings of the company’s data. However, while Cl0p is claiming responsibility for these data leaks, Cl0p did not actually breach the affected organizations; instead, the third-party application used for secure file transfers was breached, and the publicly posted data comes from that service, not the organizations’ systems. Thus, FIN11 is using the Cl0p ransomware site as a hosting site, with the goal of extorting the affected organizations into paying for their information to be taken down from the site. This breach should serve as a warning to organizations to start hardening the security of their software supply chains, as software supply chain attacks are on the rise since the SolarWinds attack. Software supply chain attacks occur when threat actors manipulate the code in third-party software components in order to compromise the ‘downstream’ applications or organizations that utilize the third-party software. Threat actors leverage the compromised software to exfiltrate data, corrupt targeted systems, or gain access to an organization’s internal network.
Active since 2017, FIN11 is a financial crime group that focuses its operations on ransomware and extortion. Also potentially linked to UNC902 and TEMP.Warlok, FIN11 is notable for the sheer amount of activity it generates and for having a subset of activity related to the later operations of TA505 (AKA: Graceful Spider and Gold Evergreen)[12]. While TA505 and FIN11 are not interchangeable, both groups’ tactics, techniques, and procedures (TTPs) are remarkably similar and often overlap, leading to speculation that FIN11 is a spinoff of TA505. Best known for the Dridex banking Trojan, TA505 is a Russian-speaking, financially motivated threat group that targets individuals at financial institutions in the U.S., United Arab Emirates, and Singapore and is behind some of the largest email phishing campaigns ever, conducted in order to distribute RATs and ransomware.
Figure 3: Cl0p’s listed services and boundaries, collected by Ankura directly from the Cl0p ransom site
Threat Actor of the Month
CTAPT analysts routinely monitor dozens of underground forums to identify threat actor activity, detect tactic shifts, and identify transaction activity involving sensitive data of interest. As a result, CTAPT enumerates and tracks the most active threat actors over a thirty (30) day period and leverages this data to develop indicators, warnings, and emerging risk. During these reviews CTAPT analysts often detect specific actors that are of interest for one reason or another. The following includes some highlights of one of those actors:
“OKO”, also known as “OKO_VZLOM”, a member of the low-tier forum WWH Club, is advertising commercial disinformation services. These types of services are growing rapidly among dark web forums and marketplaces. The threat actor claims to provide the following services:
- Positive and negative PR
- Physical surveillance
- Physical and psychological intimidation
The threat actor claims that through their “probiv” services, they can obtain PII data, background checks, and public/private records, all supposedly harvested using their contacts within the Russian Ministry of Interior and the Russian Federal Tax Service. Additionally, OKO stated they can get “probiv” from Russian cellular operators, such as MTS, Tele2, Megafon, and Beeline. “Probiv” is a commonly used Russian slang word that generally refers to information gathering on organizations and individuals using open and closed sources and databases. OKO has conducted multiple deals on the dark web forum known as “WWH-Club” through the escrow service and maintains a positive reputation among forum members. Based on the information collected thus far, CTAPT analysts assess with medium confidence the actor is credible. However, the monetization of “disinformation” services is of interest and a scheme that is not so farfetched. Ankura investigations have responded to several cases where cyber exploitation activity was followed with public disclosures intended to embarrass or counter a high value target.
Trending IOCs
[1] https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
[3] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
[4] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858
[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065
[6] https://www.shadowserver.org/news/shadowserver-special-reports-hafnium-exchange-victims/
[7] DarkTracer analysis visualization, contact www.darktracer.com for source
[8] https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf
[9] https://www.securityweek.com/fin11-spun-out-ta505-umbrella-distinct-attack-group
[10] https://www.recordedfuture.com/dewmode-accellion-supply-chain-impact/
[11] Cl0p onion site
[12] https://www.hhs.gov/sites/default/files/sdbbot-analyst-note.pdf
© Copyright 2021. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.