Microsoft Incident Response recently conducted an investigation into a ransomware intrusion that showcased the rapid attack progression and major disruptions caused by threat actors in just five days. The incident highlights the increasing sophistication and frequency of ransomware attacks, emphasizing the need for organizations to be adequately prepared.
During the course of the five-day attack, the threat actor employed a wide range of tools and techniques to deploy BlackByte 2.0 ransomware. These tactics, techniques and procedures (TTPs) included taking advantage of unpatched Microsoft Exchange Servers that were accessible from the internet, deploying a web shell to enable remote access, and using tools already present on the system to gather information covertly.
In addition, the threat actor set up Cobalt Strike beacons for command and control purposes and combined process hollowing with vulnerable drivers to evade defensive mechanisms. To ensure long-term persistence, custom-developed backdoors were deployed, along with custom-developed tools to collect and exfiltrate data.
The attack chain began with the exploitation of ProxyShell vulnerabilities in unpatched Microsoft Exchange Servers. By exploiting these vulnerabilities, the threat actor gained administrative access to the compromised Exchange host, retrieved user LegacyDN and SID data, and built a valid authentication token to access the Exchange PowerShell backend. The threat actor then used the New-MailboxExportRequest cmdlet to create a web shell and mimic domain admin users.
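The web shell in this chain is written to disk by a legitimate Exchange cmdlet, so a defender's first check on an Exchange host is the mailbox export request history rather than the file system alone. The script below is an added example written for this article, not tooling from Microsoft's report. It assumes it runs in the Exchange Management Shell on the Exchange server (Get-ExchangeServer, Get-MailboxExportRequest and Get-MailboxExportRequestStatistics are Exchange cmdlets) and that the FilePath property of the request statistics is populated; the directory and extension patterns it flags are my own choices, not indicators from the report.

```powershell
# Added Exchange-side hunt for ProxyShell-style web shell drops; not from the
# original report. Assumes the Exchange Management Shell on an Exchange server.

# 1. Report the installed Exchange build so it can be compared with the vendor's
#    patched build for the ProxyShell fixes (no build number is assumed here).
Get-ExchangeServer | Select-Object Name, AdminDisplayVersion

# 2. Walk every mailbox export request, including completed ones. A legitimate
#    export writes a .pst to a file share; an export whose destination is a
#    web-served directory or a script extension is how the web shell is planted.
$webDirs    = '\\(inetpub|ClientAccess|FrontEnd|HttpProxy|wwwroot)\\'   # assumption: typical web roots
$scriptExts = '\.(aspx|ashx|asmx|asp|php)$'

$suspicious = foreach ($req in Get-MailboxExportRequest -ResultSize Unlimited) {
    $stats = Get-MailboxExportRequestStatistics -Identity $req.Identity
    $path  = [string]$stats.FilePath
    if ($path -match $webDirs -or $path -match $scriptExts) {
        [pscustomobject]@{
            Mailbox   = $req.Mailbox
            Status    = $req.Status
            FilePath  = $path
            Started   = $stats.StartTimestamp
            Completed = $stats.CompletionTimestamp
        }
    }
}

if ($suspicious) {
    Write-Warning "Mailbox export requests targeting web-served paths or script files:"
    $suspicious | Format-Table -AutoSize
} else {
    'No mailbox export requests with suspicious destinations found'
}
```

Run it on each Exchange server rather than once per organization, because the request history is per server and an attacker who cleans up with Remove-MailboxExportRequest leaves the file system, not the request list, as the remaining evidence; pair the check with a review of recently modified files under the web roots.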
To achieve persistence, the threat actor established registry run keys that executed payloads upon user login. Cobalt Strike was used for persistence, with the Microsoft Defender Antivirus flagging sys.exe as Trojan:Win64/CobaltStrike!MSR. AnyDesk, a legitimate remote access tool, was also utilized for persistence and lateral movement.
Further examination revealed that the threat actor used NetScan, a network discovery tool, for network enumeration. AnyDesk log files showed successful connections from IP addresses belonging to anonymizer services. Additionally, the threat actor disabled Microsoft Defender Antivirus in order to execute the file detected as Trojan:Win64/WinGoObfusc.LK!MT.
The BlackByte 2.0 ransomware demonstrated various capabilities, including antivirus bypass, process hollowing, modification/disabling of Windows Firewall, modification of volume shadow copies, modification of registry keys/values, and additional functionality.
To mitigate the risks associated with such attacks, Microsoft Incident Response offered several recommendations. These included prioritizing patching for internet-exposed devices, deploying Microsoft Defender for Endpoint for real-time visibility, enabling cloud-based protection and regular updates for antivirus solutions, activating tamper protection for Microsoft Defender Antivirus, blocking traffic from IPs listed in the indicators of compromise (IoC), blocking access from unauthorized public VPN services and TOR exit nodes, and limiting administrative privileges.
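Several of the behaviours and recommendations above can be checked on an endpoint in one pass: run-key persistence, Defender being disabled or untampered, Defender detections such as the Cobalt Strike flag, firewall profile changes, shadow copy removal, and remote-access tooling. The script below is an added triage example written for this article, not a script from Microsoft's report. It assumes an elevated PowerShell session on a Windows host running Microsoft Defender Antivirus; the path and extension patterns used to flag run-key entries, the seven-day lookback and the two-day signature age threshold are my own choices.

```powershell
# Added endpoint triage/hardening check for the behaviours described above;
# not from the original report. Run elevated on a Windows host with Defender.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry Run keys (machine and per-user) that launch a payload at logon.
#    Flag entries started from user-writable locations or as script files;
#    legitimate software normally starts from Program Files or Windows.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $cmd = [string]$p.Value
        if ($cmd -match '\\(Users|ProgramData|Temp|AppData)\\' -or
            $cmd -match '\.(ps1|vbs|js|bat|cmd)\b') {
            $findings.Add("Run key $key\$($p.Name) -> $cmd")
        }
    }
}

# 2. Defender state: the actor disabled Defender before running the obfuscated
#    payload, and tamper protection plus cloud protection are recommended above.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender Antivirus is disabled') }
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
if (-not $mp.IsTamperProtected)         { $findings.Add('Tamper protection is not enabled') }
if (((Get-Date) - $mp.AntivirusSignatureLastUpdated) -gt [TimeSpan]::FromDays(2)) {
    $findings.Add("Signatures last updated $($mp.AntivirusSignatureLastUpdated)")
}
if ((Get-MpPreference).MAPSReporting -eq 0) {   # 0 = cloud-delivered protection off
    $findings.Add('Cloud-delivered protection (MAPS) is off')
}

# 3. Defender operational log, last 7 days: malware detected / action taken
#    (1116/1117) and protection components being switched off (5001/5010/5012).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 5001, 5010, 5012
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $firstLine = ($e.Message -split "`n")[0]
    $findings.Add("Defender event $($e.Id) at $($e.TimeCreated): $firstLine")
}

# 4. Windows Firewall profiles: the ransomware modifies or disables the firewall.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if (-not $fwProfile.Enabled) {
        $findings.Add("Firewall profile '$($fwProfile.Name)' is disabled")
    }
}

# 5. Volume shadow copies: their absence on a host that normally has them is a
#    common precursor to encryption.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) { $findings.Add('No volume shadow copies present') }

# 6. Remote-access tooling abused for persistence and lateral movement.
$anydesk = Get-Process -Name AnyDesk -ErrorAction SilentlyContinue
if ($anydesk) { $findings.Add("AnyDesk is running (PID $($anydesk.Id -join ','))") }

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

The checks are deliberately read-only so the script can be run during an active investigation without altering evidence; the one thing it cannot see is a run key written under another user's hive, so on a shared host load each HKEY_USERS subtree as well before trusting a clean result for step 1.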
The rise of ransomware attacks continues to pose a significant threat to organizations worldwide. It is crucial for businesses to remain vigilant and implement robust cybersecurity measures to protect against these evolving threats. By following best practices and staying up-to-date with security patches and solutions, organizations can enhance their defense and mitigate the potential impact of ransomware attacks.
In conclusion, organizations must recognize the growing sophistication and frequency of ransomware attacks and take appropriate measures to protect their systems and data. Microsoft’s Incident Response investigation serves as a reminder of the importance of proactive cybersecurity measures and the need for continuous improvement and adaptation to stay one step ahead of threat actors.