Carlos Cabral and Henrique Pina

TL;DR

  • Double extortion incidents happen through the combination of two extortion-related behaviors: one that threatens victims of having their data leaked and the other that makes data access unavailable by using a ransomware.
  • It’s a misconception that double extortion attacks are a traditional malware attack. In fact, it’s a more damaging attack where the operators act as pentesters, looking for a variety of flaws and adapting their techniques according to the target. Therefore, there is no “silver bullet” for the problem. Even though most of the tactics and resources in use are well documented.
  • In this report we cover the activity of the operators of the eight most prolific threats at the moment: Maze, Snake, RagnarLocker, Clop, REvil (Sodinokibi), Netwalker (Mailto), DoppelPaymer and Nefilim.
  • According to studies published so far, the operators of these threats fall into eleven distinct groups.
  • The groups use a variety of techniques, some of which require in-depth knowledge.
  • Sixteen vulnerabilities in different technologies are exploited during the attack process. The oldest was released in 2015 and the newest on June 10.
  • Several security management vulnerabilities are also exploited by the groups
  • There are indications that part of these operators are forming a cartel, in which they share resources and share the profits according to each one’s specialties.

About the attack

Double extortion incidents happen through the combination of two extortion-related behaviors: threatening victims with data leaks and making data unavailable by encrypting it using a ransomware. If the victim doesn’t come to an agreement with the threat operators, they leak their sensitive data.

The criminals behave like a pentester but with malicious intent, using a variety of techniques selected according to the characteristics of each target to break into the companies’ environment, move around the network in search of systems with critical information, steal gigabytes of data, and activate the ransomware.

The victim usually learns about the attack when their environment comes to a halt due to data encryption by the ransomware in the final phase of the campaign. However, the attackers may have spent days collecting data from the company.

There are reports where the victim’s network had been compromised in previous attacks and their access was sold to ransomware operators to conduct double extortion attacks.

Threats Analyzed

Este documento contempla informações de diversas fontes de inteligência a respeito das oito principais ameaças usadas nessa modalidade de crime.

This document includes information from various intelligence sources regarding the top eight threats used in this form of crime.

Maze – The most widely used threat and the one with the most analysis material. It accounts for the largest number of victims, 110 organizations attacked by the time this report was closed. Among the victims, there are Brazilian companies.

There are three groups using this threat. One of them is FIN6, which has a long history of operating in bank fraud. Each group uses different techniques in different phases of the attack and all three groups exploit at least eight vulnerabilities to take control of the targets.

Snake – Threat used in the recent incident against a major vehicle manufacturer and has a history of attacks against industrial environments. It can exploit at least three vulnerabilities in its attacks.

RagnarLocker – Was used in early April against a Portuguese energy company whose ransom was set at approximately US$10 million.

Clop – Operated by the same group behind the Dridex banking trojan, Locky ransomware and the Necrus botnet.

REvil (Sodinokibi) – Very active threat that encrypts all eligible files on mapped network drives if running with system level privileges.

Netwalker (Mailto) – first documented in May last year, this threat has been frequently used in attacks against healthcare institutions.

DoppelPaymer – recently involved in an attack against a company providing services to NASA.

Nefilim – Threat with a history of attacks against some targets, especially in Brazil.

Product vulnerabilities

Below are vulnerabilities in technology products that are exploited by the operators of each threat.

CVE-2018-4878 – A user-after-free vulnerability in Adobe Flash Player versions prior to 28.0.0.161, allows arbitrary code execution. Fixed in February 2018 and predominantly exploited by Maze operators.

CVE-2018-8174 – Remote code execution vulnerability in the way the VBScript engine handles objects in memory. Affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. Patched in August 2018 and predominantly exploited by Maze operators.

CVE-2019-19781 – An issue found in ADC (Citrix Application Delivery Controller) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal attacks. Fixed in December 2019 and exploited by Maze, Nefilim, Snake, and DoppelPaymer operators.

CVE-2020-0796 – Remote code execution vulnerability in how the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, also known as CoronaBlue and SMBGhost. Fixed in March 2020 and exploited by Maze, RagnarLocker and Netwalker (Mailto) operators.

CVE-2020-12695 – Vulnerability in the Universal Plug and Play (UPnP) protocol called CallStranger. It may allow denial of service attacks and data extraction by bypassing security products. The flaw can affect devices from up to 190 manufacturers. Exploited by Maze and RagnarLocker operators.

CVE-2018-1150 – NUUO NVRMini2 with versions lower than 3.8.0 contains a backdoor that allows access to an unauthenticated remote attacker. Fixed in September 2018 and predominantly exploited by Maze operators.

CVE-2018-15982 – User-after-free vulnerability in Flash Player versions 31.0.0.153 and earlier and 31.0.0.108 and earlier. Successful exploitation could lead to arbitrary code execution. Fixed in December 2018 and predominantly exploited by Maze operators and predominantly exploited by Maze operators.

CVE-2019-11510 – Vulnerability in Pulse Secure Pulse Connect Secure (PCS) 8.2 in versions prior to 8.2R12.1; 8.3 in versions prior to 8.3R7.1, and 9.0 in versions prior to 9.0R3.4. Allows an unauthenticated remote attacker to send a specially crafted URI to execute an arbitrary file read. Fixed in April 2019 and exploited by Maze, Snake and REvil (Sodinokibi) operators.

CVE-2017-0213 – Privilege escalation vulnerability that occurs when the attacker runs a specially crafted application. Affects several versions of Windows. Fixed in November 2017 and predominantly exploited by Nephilim operators.

CVE-2020-0549 – Cleanup errors in the cache behavior of some Intel(R) processors. May allow an authenticated user to obtain information via local access. Released in January 2020, but depends on application from operating system manufacturers. Exploited by Snake and RagnarLocker operators.

CVE-2019-0708 – Known as Bluekeep, this is a Remote Desktop Services remote code execution vulnerability. It affects several versions of Windows. Fixed in May 2019 and predominantly exploited by Nephilim operators.

CVE-2019-1978 – A vulnerability in the reassembly component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA and Cisco Firepower Management Center Software. It allows an unauthenticated remote attacker to bypass filtering protections. Fixed in August 2019 and predominantly exploited by DoppelPaymer operators.

CVE-2019-2725 – Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware. Easily exploitable, the flaw allows unauthenticated attackers with network access via HTTP to take control of Oracle WebLogic Server. Fixed in April 2019 and predominantly exploited by REvil (Sodinokibi) operators.

CVE-2018-8453 – Windows privilege escalation vulnerability. Occurs when the Win32k component does not properly handle objects in memory. Affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Server. Fixed in September 2018 and predominantly exploited by REvil (Sodinokibi) operators.

CVE-2015-1701 – Win32k.sys in kernel mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to escalate privileges. Fixed in May 2015 and predominantly exploited by Netwalker (Mailto) operators.

CVE-2019-1458 – Windows privilege escalation vulnerability when the Win32k component does not properly handle objects in memory. Affects multiple versions of the operating system. Fixed in October 2019 and predominantly exploited by Netwalker (Mailto) operators.

Vulnerabilities in Technology Management

The vulnerabilities in the different technologies exposed in the section above aren’t the only means used by criminals to gain control of environments. In fact, even more important are the flaws in the security management of the technology. The main ones are described below:

Remote Desktop exposed to the Internet – There is a preference for the use of RDP (Microsoft Remote Desktop) exposed to the Internet. Many of them, with flawed security.

Configuration Flaws – Servers with default configurations, usually insecure, exposed to the Internet.

Phishing – Lack of training and awareness that helps people identify such attacks.

Outdated or unsupported systems – No process for patching and updating software versions.

Poor user management – Poor or lack of strict control over access credentials across all technologies.

Absence of password policies – Inefficiency in forcing the adoption of strong passwords and periodic changes.

No MFA – Lack of adoption of multi-factor authentication.

Lack of access control – Environments where ordinary users have very high access privileges to technology.

Shadow IT – Ability for people to install technology without approval from the areas responsible for assessing its risks.

User Creation – Lack of controls preventing an unauthorized person from creating users with administrator privileges on the computer or domain.

Task Scheduling – Absence of controls preventing an unauthorized person from scheduling tasks on the computer.

Registry changes – Lack of controls preventing an unauthorized person from changing the Windows registry.

Failure to monitor – Failure to monitor and generate alerts that identify suspicious activity such as:

  • User creation
  • Changes in user accesses
  • Changes in GPOs
  • Changes in operating system folders
  • Changes in the Windows registry
  • Creating and running tasks
  • Installing software
  • Activities at non-standard times
  • Network anomalies

Lack of control of the supply chain – Failure to control the data that is exchanged with suppliers and the accesses that these companies have in the environment.

Lack of periodic review of exposed technologies – Failure to control which assets are exposed, keeping on the Internet only what is necessary.

Techniques in use

There is no standard in the techniques used by each threat operator, because they adapt to the conditions of each target. However, through recently published analysis by FireEye and CarbonBlack on Maze and Snake activity it’s possible to map this behavior using the MITRE ATT&CK® classification of tactics and techniques catalogued.

Maze Group 1

Initial Access — T1133: External Remote Services e T1078: Valid Accounts.

Execution — T1059: Command-Line Interface, 1086: PowerShell, T1064: Scripting e T1035: Service Execution.

Persistence — T1078: Valid Accounts e T1050: New Service.

Privilege Escalation — T1078: Valid Accounts.

Defense Evasion — T1078: Valid Accounts, T1036: Masquerading, T1027: Obfuscated Files or Information e T1064: Scripting.

Credential Access — T1110: Brute Force e T1003: Credential Dumping.

Discovery — T1087: Account Discovery, T1482: Domain Trust Discovery, T1083: File and Directory Discovery, T1135: Network Share Discovery, T1069: Permission Groups Discovery, T1018: Remote System Discovery
e T1016: System Network Configuration Discovery.

Lateral Movement — T1076: Remote Desktop Protocol e
T1105: Remote File Copy.

Collection — T1005: Data from Local System.

Command and Control — T1043: Commonly Used Port, T1105: Remote File Copy e T1071: Standard Application Layer Protocol.

Exfiltration — T1002: Data Compressed e T1048: Exfiltration Over Alternative Protocol.

Impact — T1486: Data Encrypted for Impact e T1489: Service Stop.

Maze Group 2

Initial Access — T1193: Spearphishing Attachment.

Execution — T1059: Command-Line Interface, T1086: PowerShell, T1085: Rundll32, T1064: Scripting, T1204: User Execution e T1028: Windows Remote Management.

Persistence — T1078: Valid Accounts, T1050: New Service e T1136: Create Account.

Privilege Escalation — T1078: Valid Accounts e T1050: New Service.

Defense Evasion — T1078: Valid Accounts, T1140: Deobfuscate/Decode Files or Information, T1107: File Deletion e T1036: Masquerading.

Credential Access — T1003: Credential Dumping, T1081: Credentials in Files e T1171: LLMNR/NBT-NS Poisoning.

Discovery — T1087: Account Discovery, T1482: Domain Trust Discovery, T1083: File and Directory Discovery, T1135: Network Share Discovery, T1069: Permission Groups Discovery, T1018: Remote System Discovery
e T1033: System Owner/User Discovery.

Lateral Movement — T1076: Remote Desktop Protocol e
T1028: Windows Remote Management.

Collection — T1074: Data Staged, T1005: Data from Local System e
T1039: Data from Network Shared Drive.

Command and Control — T1043: Commonly Used Port, T1219: Remote Access Tools, T1105: Remote File Copy, T1071: Standard Application Layer Protocol e T1032: Standard Cryptographic Protocol.

Exfiltration — T1020: Automated Exfiltration, T1002: Data Compressed e
T1048: Exfiltration Over Alternative Protocol.

Impact — T1486: Data Encrypted for Impact.

Maze Group 3 (FIN6)

Initial Access — T1133: External Remote Services e T1078: Valid Accounts.

Execution — T1059: Command-Line Interface, T1086: PowerShell, T1064: Scripting e T1035: Service Execution

Persistence — T1078: Valid Accounts e T1031: Modify Existing Service.

Privilege Escalation — T1055: Process Injection e T1078: Valid Accounts

Defense Evasion — T1055: Process Injection, T1078: Valid Accounts, T1116: Code Signing, T1089: Disabling Security Tools, T1202: Indirect Command Execution, T1112: Modify Registry, T1027: Obfuscated Files or Information, T1108: Redundant Access e T1064: Scripting.

Credential Access — T1003: Credential Dumping.

Discovery — T1087: Account Discovery, T1482: Domain Trust Discovery, T1083: File and Directory Discovery, T1069: Permission Groups Discovery e
T1018: Remote System Discovery.

Lateral Movement — T1097: Pass the Ticket, T1076: Remote Desktop Protocol, T1105: Remote File Copy e T1077: Windows Admin Shares

Collection — T1074: Data Staged e T1039: Data from Network Shared Drive.

Command and Control — T1043: Commonly Used Port, T1219: Remote Access Tools, T1105: Remote File Copy, T1071: Standard Application Layer Protocol e T1032: Standard Cryptographic Protocol.

Exfiltration — T1002: Data Compressed.

Impact — T1486: Data Encrypted for Impact, T1490: Inhibit System Recovery e T1489: Service Stop.

Snake

Persistence — T1060:Registry Run Keys / Startup Folder e T1067:Bootkit.

Defense Evasion — T1089: Disabling Security Tools, T1045:Software Packing, T1497:Virtualization/Sandbox Evasion e T1089: Disabling Security Tools

Credential Access — T1081: Credentials in Files

Discovery — T1083: File and Directory Discovery, T1057:Process Discovery e T1497:Virtualization/Sandbox Evasion

Collection —T1119:Automated Collection e T1005:Data from Local System

Impact — T1486: Data Encrypted for Impact e T1489: Service Stop.

1. Business in transformation

Security experts and the trade press have documented some changes in the management of resources used in these attacks. This is because the facility to find companies whose environment has vulnerabilities such as those documented above has become evident to many cybercriminals.

In one hand, this condition has caused new entrants to emerge; groups have formed from recruiting people with the necessary skills to conduct these attacks.

On the other hand, the more experienced groups have sought to optimize the attack process and extract as much money as possible from the data. The Netwalker (Mailto) controllers, for example, have started recruiting individuals in a model similar to that dubbed as “uberization”. That is, after the criminals took control of the technology, they would install the ransomware. Netwalker (Mailto) would in turn take control of negotiating the ransom and distributing the payments or leaking the information.

The REvil operators have created an auction page so that data hoarders can bid for victims’ information, and there are also records of criminals trying to create platforms that automate much of the process of managing the ransomware and payments to affiliates.

In other words, this is a criminal market whose operations are still getting accommodated, and the latest news in this regard was that some of these groups are organizing themselves into a cartel, through which they would share efforts and tools to massify attacks.

Analyst Comment and Recommendations

Considering the modus operandi of the criminals described in this paper and the vulnerabilities they exploit, whether in the products that companies use or their problems in managing cybersecurity, it’s clear that there is no “silver bullet” or single action to be taken that will prevent the problem. Essentially, what needs to be done is to apply best practices in information security, some of which have been discussed for a long time.

However, we present below a number of practical, but not exhaustive, steps that can help prevent environments from attacks like these:

Disable Built-in Administrator account – Associate processes and systems to accounts with specific privileges and disable default accounts. This measure raises the level of credential management and prevents several attacks.

Implement a policy of monitoring and automatic account blocking – This is essential to avoid brute force attacks.

Perform a scan of the services exposed to the Internet and make sure that there are no unnecessary or unprotected services.

Make sure that systems such as antivirus, endpoint protection, and similar are active and up-to-date in every environment. Both on workstations and on servers.

Implement a strong password policy – a measure that prevents users from creating weak passwords and forces people to change their passwords from time to time.

Implement multiple authentication factors – this is an indispensable feature to prevent attacks as it requires another authentication factor (biometrics, token, application, etc.) to grant users access to the environment.

Restrict the allowed logon types – Important limitation that specifies which user types and conditions can access RDP servers. Implement using the parameters below.

  • GPO Setting: Computer Configuration\Policies\Windows Settings\Local Policies\User Rights Assignment
  • Policy: Deny log on through Remote Desktop Services
  • Add the group: Local account and member of Administrators group (SID — S-1–5–114)

With this setting, all local accounts and accounts assigned to the Administrators group will be prevented from logging on through RDP. The accounts will remain active and have full administrative rights and can access the system from the network or perform administrative accesses. However, logon to the system via RDP will be denied. The value shown is only an example and administrators in each environment will need to analyze and identify the appropriate values for their respective scenarios.

Specify access times: Determine which users can access the servers and at what times.

Keep all systems up to date.

Train your employees to identify phishing attacks.

Disable the WPAD protocol: Web Proxy Auto-Discovery is a feature used for the automatic discovery and configuration of proxy addresses in the environment. Adversaries abuse this protocol to gain access to user credentials. In some cases it’s possible to obtain credentials with privileged access.

 

  • GPO configuration: User Configuration / Preferences / Windows Settings
  • Right-click on Registry and select New – Registry item
  • Select hive: HKEY_CURRENT_USER
  • Navigate to the path: SOFTWARE/Microsoft\Windows\CurrentVersion\Internet Settings
  • In the Value name field, configure with the name: WpadOverride
  • In the Value type field, select the DWORD option
  • Set the decimal value to 1
  • Click Ok.

Disabling the service: You can configure a GPO on the organizational unit of domain member workstations and servers with the following directives:

  • GPO Configuration: Computer Configuration\Policies\Windows Settings\Security Settings\System Services;
  • Configure Service: WinHTTP Web Proxy Auto-Discovery Service
  • Status: Disabled
  • Click OK.

Disable Link-Local Multicast Name Resolution (LLMNR) protocol: Adversaries might forge an authoritative source for name resolution in the environment, responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, poisoning the service for victims to communicate with the adversary-controlled system. If the requested host belongs to a resource that requires authentication, the username and NTLMv2 hash will be sent to the adversary-controlled system.

You can configure a GPO on the organizational unit of the domain member workstations and servers with the following directives:

  • GPO configuration: Computer Configuration\Administrative Templates\Network\DNS Client;
  • Configure the parameter: Turn Off Multicast Name Resolution
  • Select the Enabled option
  • Click OK.

Disable Wdigest: After a user logs on to the system, a variety of credentials are generated and stored in the LSASS (Local Security Authority Subsystem Service) process in memory. These credentials can be collected by an administrative or SYSTEM user. WDigest is one of the protocols that keeps the credential information stored in plain text in the operating system’s memory. You can configure a GPO in the organizational unit of the domain member workstations and servers with the following directives:

  • GPO Configuration: Computer Configuration\Preferences\Windows Settings
  • Right-click on Registry and select the option New -> Registry Item
  • Select the Hive: HKEY_LOCAL_MACHINE
  • Set the path: SystemCurrentControlSetSetControlSecurityProviders
  • Set the Value Name: UseLogonCredential
  • Set the Value Type to: REG_DWORD
  • Set the Value Date: 0
  • Click Ok.

Eliminate the use of default passwords for the local Administrator account with the same password across multiple assets – It’s common to find in organizations the Built-in Administrator user accounts enabled and configured with the same password for all systems. This scenario is a facilitator for adversaries, and once they have administrative access on an asset, they are able to move laterally through multiple assets in the environment in search of other domain-level administrative credentials. To make these steps more difficult, it’s important to ensure that the passwords for this privileged accounts are random and unique for each asset. Microsoft provides the LAPS tool for free, which performs internal system administrator account password randomization and stores the password information in an attribute of the computer account object within Active Directory.

Prevent authentication of local accounts by remote systems: Local credentials with the same password are heavily used by adversaries when making lateral moves across the network in search of domain credentials. You can configure a GPO on the organizational unit of domain member workstations and servers with the following guidelines:

  • Configure GPO: Computer Configuration\Policies\Windows Settings\Local Policies\User Rights Assignment;
  • Configure the user right: Deny access to this computer from the network;
  • Add the group: Local account and member of Administrators group (SID – S-1-5-114);
  • Click OK.

Starting from this configuration, even if an adversary gains access to a workstation or server member of the environment with the local administrator credential, he will not be able to move laterally to the other computers in the environment, even if they have the same user account and password set.

Restrict the types of logon that are allowed: An important step in trying to make it harder for adversaries to move laterally is to implement restrictions on privileged credentials from accessing all assets in the environment. Domain administrative credentials, in theory, should only access the domain’s management systems, while for managing workstations and member servers administrative credentials should be created specifically on these types of systems. Thus, when gaining access to a workstation or member server, adversaries are less likely to find domain-level administrative credentials on these assets. Once you have properly segmented and assigned privileges for specific accounts, you can configure a GPO on the organizational unit of domain member workstations and servers with the following guidelines:

  • GPO Configuration: Computer Configuration\Policies\Windows Settings\Local Policies\User Rights Assignment;
  • Configure the user right: Deny log on locally;
  • Add the group: Domain Admins, Enterprise Admins, Administrators (domain groups);
  • Click OK;
  • Set the user right: Deny log on as a batch job;
  • Add the group: Domain Admins, Enterprise Admins, Administrators (domain groups);
  • Click OK;
  • Configure the user right: Deny log on as a service;
  • Add the group: Domain Admins, Enterprise Admins, Administrators (domain groups);
  • Click OK.

This way, domain administrative credentials will not be exposed on domain member workstations and servers, making it difficult for adversaries to find a valuable credential.

Enable the option “Account is sensitive and cannot be delegated” in the properties of users that belong to the groups ‘Domain Admins’, ‘Enterprise Admins’ and ‘Administrators’: Delegated authentication occurs when a network service accepts a request from a user and assumes the identity of that user to initiate a new connection to a second network service. Allowing super-privileged credentials to be impersonated increases the chances of adversaries being able to elevate their privileges. You can check the Active Directory Users and Computers (DSA.MSC) console for the properties of user accounts belonging to the groups: Domain Admins, Enterprise Admins, and Administrators;

  • For each user account, enable the check box: Account is sensitive and cannot be delegated
  • Click Ok.