TAU Threat Advisory: Imminent Ransomware threat to U.S. Healthcare and Public Health Sector

ID CARBONBLACK:A526657711947788A54505B0330C16A0
Type carbonblack
Reporter Gordon Jones
Modified 2020-10-30T20:13:43


The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert this week (Alert AA20-302A) regarding an imminent cybercrime threat to U.S. hospitals and healthcare providers. The alert, coauthored by CISA, the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS), describes the use of Trickbot and Ryuk malware to conduct ransomware attacks at scale. It was later updated to include Conti ransomware and the BazarLoader malware.

The group behind this activity is a financially motivated adversary, tracked as UNC1878 by FireEye Mandiant, that uses Ryuk ransomware to encrypt target environments and extort the victims. The group primarily uses KEGTAP (BazarLoader) for initial access, followed by deployment of Cobalt Strike Beacon payloads and, finally, Ryuk encryption. The most significant feature of the group’s operations is the speed of the transition from initial access to ransomware deployment: in some environments the full attack lifecycle completed in just over two days.


Threat Overview


Trickbot was first observed in the wild in 2016. Although it started as a banking trojan, it has since evolved into a modular, multi-purpose downloader used to drop additional malware that steals sensitive information such as credentials and email, and to stage ransomware such as Ryuk.


BazarLoader/BazarBackdoor (also tracked as KEGTAP) is thought to be a derivative of Trickbot. Like Trickbot, BazarLoader is typically distributed via phishing campaigns whose malicious links or attachments deliver the malware.


The Ryuk family of malware has been tracked for several years as ransomware targeted at organizations rather than individuals. Ryuk has gone through periods of inactivity during which its operators are suspected to perform reconnaissance on potential victims and improve their tooling.


Conti ransomware, discovered by the VMware Carbon Black Threat Analysis Unit (TAU) in June 2020, is thought to be related to Ryuk because of similarities in the code. Conti introduced much faster encryption by using up to 32 threads, a novel ability to encrypt only the SMB network shares of operator-supplied IP addresses, and a new technique that uses the Windows Restart Manager to shut down processes holding files open so that those files can be encrypted as well.

ZeroLogon Vulnerability

CVE-2020-1472, otherwise known as Zerologon, is a critical vulnerability in the Netlogon Remote Protocol of Microsoft Windows domain controllers. The Department of Homeland Security (DHS) recently issued an emergency directive (Emergency Directive 20-04) because of the criticality of this vulnerability. Although Microsoft released a patch on August 11, 2020, Ryuk threat actors have reportedly exploited unpatched domain controllers to escalate privileges by resetting the domain controller’s machine account password, which gives them domain administrator-level access without any credentials.
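As an added example (not part of the original advisory or of Carbon Black’s tooling), the following Python detection logic flags the event-log indicators a defender would look for after this activity: a Security event 4742 ("A computer account was changed") in which ANONYMOUS LOGON resets a machine-account password, which is the footprint a Zerologon password reset leaves on the domain controller, and the Netlogon System events Microsoft added with the August 2020 patch that report vulnerable secure-channel connections. It assumes the events have already been parsed from EVTX/XML into dicts whose keys follow the Windows event XML field names (SubjectUserName, TargetUserName, PasswordLastSet); the ClientAccount key for the Netlogon events and the event IDs 5827-5831 are assumptions to verify against your own logs. The sample events are constructed for the example.

```python
"""Zerologon (CVE-2020-1472) exploitation indicators in Windows event records.

Added example for this advisory; it is not VMware Carbon Black code.  The
sample events below are constructed for illustration, not captured from a
real incident.
"""

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Assumed event IDs and field names (from Microsoft's published schema; verify
# against your own domain controller logs before deploying):
#   Security 4742      "A computer account was changed".  A Zerologon password
#                      reset goes over an unauthenticated Netlogon channel, so
#                      the Subject is ANONYMOUS LOGON and PasswordLastSet changes.
#   System   5827/5828 Netlogon DENIED a vulnerable secure channel connection
#                      (machine / trust account): enforcement is working.
#   System   5829      Netlogon ALLOWED a vulnerable connection (pre-enforcement).
#   System   5830/5831 Allowed because a group policy exception permits it.
VULN_DENIED = {5827, 5828}
VULN_ALLOWED = {5829, 5830, 5831}


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical", "high" or "info"
    event_id: int
    host: str       # domain controller that logged the event
    account: str    # machine account involved
    reason: str


def classify_event(event: Dict[str, object], dc_accounts: Set[str]) -> Optional[Finding]:
    """Classify one parsed event; return None when it is not a Zerologon indicator."""
    eid = int(event["EventID"])
    host = str(event["Computer"])

    if eid == 4742:
        subject = str(event.get("SubjectUserName", ""))
        target = str(event.get("TargetUserName", ""))
        # In 4742, PasswordLastSet is "-" when the password was not part of the change.
        pw_changed = event.get("PasswordLastSet", "-") != "-"
        # Legitimate rotation is done by the computer itself or by an admin,
        # never by an anonymous caller.
        if pw_changed and target.endswith("$") and subject.upper() == "ANONYMOUS LOGON":
            sev = "critical" if target.upper() in dc_accounts else "high"
            return Finding(sev, eid, host, target,
                           "machine account password reset by ANONYMOUS LOGON")
        return None

    client = str(event.get("ClientAccount", "?"))  # assumed parsed field name
    if eid in VULN_ALLOWED:
        return Finding("high", eid, host, client,
                       "vulnerable Netlogon secure channel connection allowed")
    if eid in VULN_DENIED:
        return Finding("info", eid, host, client,
                       "vulnerable Netlogon secure channel connection denied")
    return None


def scan(events: Iterable[Dict[str, object]], dc_accounts: Iterable[str]) -> List[Finding]:
    """Run classify_event over a stream of parsed events, worst findings first."""
    dcs = {a.upper() for a in dc_accounts}
    rank = {"critical": 0, "high": 1, "info": 2}
    found = [f for f in (classify_event(e, dcs) for e in events) if f is not None]
    return sorted(found, key=lambda f: rank[f.severity])


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Normal 30-day rotation: the workstation changes its own machine password.
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "WS042$",
     "TargetUserName": "WS042$", "PasswordLastSet": "10/29/2020 08:15:02"},
    # Zerologon signature: anonymous caller resets the DC's own machine account.
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "10/29/2020 09:41:17"},
    # Same primitive against a member server: still bad, one severity lower.
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "FILESRV01$", "PasswordLastSet": "10/29/2020 09:42:03"},
    # 4742 without a password change (description edited by an admin): benign.
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "admin",
     "TargetUserName": "WS042$", "PasswordLastSet": "-"},
    {"EventID": 5829, "Computer": "DC01.corp.example", "ClientAccount": "FILESRV01$"},
    {"EventID": 5827, "Computer": "DC02.corp.example", "ClientAccount": "LEGACY07$"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"[{f.severity:8}] {f.event_id} on {f.host}: {f.account}: {f.reason}")
```

Two operational caveats: event 4742 is only written when the "Audit Computer Account Management" subcategory is enabled on the domain controllers, so confirm that before relying on this logic; and a critical finding means the DC’s Active Directory password no longer matches the password stored locally, so the account must be reset as part of recovery rather than simply re-joined.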


Ransomware is often only the final stage of the attack kill chain. Sophisticated intrusions are multi-stage: a phishing email delivers the initial payload, a backdoor or loader such as Trickbot or BazarLoader; post-exploitation frameworks such as Cobalt Strike, Metasploit or PowerShell Empire are then used to maintain access, move laterally and harvest credentials; and finally ransomware such as Ryuk or Conti is distributed across the network for maximum impact.

Following the CISA alert, several U.S. hospitals were targeted with ransomware attacks this week. We have advised VMware Carbon Black customers to ensure that the ransomware prevention controls available in VMware Carbon Black Enterprise Standard are enabled.

For a detailed breakdown of the MITRE ATT&CK technique IDs (TIDs), see the table below. To learn more about the VMware Carbon Black TAU, visit: Threat Analysis Unit.


The table below lists the behavioral MITRE ATT&CK TIDs observed for Trickbot, Ryuk and Conti.

TID | Tactic | Description
T1087.001 | Discovery | Account Discovery: Local Account
T1087.003 | Discovery | Account Discovery: Email Account
T1071.001 | Command and Control | Application Layer Protocols: Web Protocols
T1059.003 | Execution | Command and Scripting Interpreter: Windows Command Shell
T1543.003 | Persistence, Privilege Escalation | Create or Modify System Process: Windows Service
T1555.003 | Credential Access | Credentials from Password Stores: Credentials from Web Browsers
T1132.001 | Command and Control | Data Encoding: Standard Encoding
T1005 | Collection | Data from Local System
T1140 | Defense Evasion | Deobfuscate/Decode Files or Information
T1482 | Discovery | Domain Trust Discovery
T1573.001 | Command and Control | Encrypted Channel: Symmetric Cryptography
T1041 | Exfiltration | Exfiltration Over C2 Channel
T1008 | Command and Control | Fallback Channels
T1083 | Discovery | File and Directory Discovery
T1562.001 | Defense Evasion | Impair Defenses: Disable or Modify Tools
T1105 | Command and Control | Ingress Tool Transfer
T1056.004 | Collection, Credential Access | Input Capture: Credential API Hooking
T1185 | Collection | Man in the Browser
T1036 | Defense Evasion | Masquerading
T1112 | Defense Evasion | Modify Registry
T1106 | Execution | Native API
T1571 | Command and Control | Non-Standard Port
T1027.002 | Defense Evasion | Obfuscated Files or Information: Software Packing
T1069 | Discovery | Permission Groups Discovery
T1566.001 | Initial Access | Phishing: Spearphishing Attachment
T1566.002 | Initial Access | Phishing: Spearphishing Link
T1055.012 | Defense Evasion, Privilege Escalation | Process Injection: Process Hollowing
T1018 | Discovery | Remote System Discovery
T1053.005 | Execution, Persistence, Privilege Escalation | Scheduled Task/Job: Scheduled Task
T1553.002 | Defense Evasion | Subvert Trust Controls: Code Signing
T1082 | Discovery | System Information Discovery
T1016 | Discovery | System Network Configuration Discovery
T1033 | Discovery | System Owner/User Discovery
T1007 | Discovery | System Service Discovery
T1552.001 | Credential Access | Unsecured Credentials: Credentials in Files
T1552.002 | Credential Access | Unsecured Credentials: Credentials in Registry
T1204.002 | Execution | User Execution: Malicious File
T1036.005 | Defense Evasion | Masquerading: Match Legitimate Name or Location
T1055 | Defense Evasion, Privilege Escalation | Process Injection
T1057 | Discovery | Process Discovery
T1134 | Defense Evasion, Privilege Escalation | Access Token Manipulation
T1486 | Impact | Data Encrypted for Impact
T1489 | Impact | Service Stop
T1490 | Impact | Inhibit System Recovery
T1547.001 | Persistence, Privilege Escalation | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1564.003 | Defense Evasion | Hide Artifacts: Hidden Window
T1049 | Discovery | System Network Connections Discovery
