NetWitness Threat Content and Integrations Report
October 2021
Threat Intelligence Update
BlackMatter
First detected by Recorded Future in July 2021, this ransomware-as-a-service (RaaS) cybergang has been responsible for several high-profile targeted attacks. Of likely Eastern European origin, BlackMatter first gained notoriety for a ransomware campaign targeting medical technology company Olympus in early September. Since then, BlackMatter's suspected victims include a US based real estate brokerage, a French liquor distributor, and an Austrian juicing equipment vendor among others . However, the ransomware group is most widely known for their involvement with the NEW Cooperative attack.
Although originally claiming to spare "Critical infrastructure facilities", BlackMatter struck Iowa agriculture collective NEW Cooperative over the weekend of September 17th, 2021. A ransom demand of $5.9 million USD was requested by the malicious group. BlackMatter also threatened to leak sensitive documents if the ransom was not paid by September 25, a common technique seen amongst RaaS organizations known as "double extortion". As a result of the ransomware, NEW Cooperative had to temporarily take all their IT services offline. At this point NEW Cooperative have said they are working with law enforcement agencies and cybersecurity companies to get back to fully operational, but there has been no publicly disclosed information on whether they have paid any part of the demanded ransom.
Much like it supposed successor Darkside, BlackMatter leverages an affiliate model, recruiting "initial access brokers" to gain access to lucrative ($100M or more in revenue) victim networks. Publicly available code analysis reveals that once inside, BlackMatter operates in several ways similarly to Darkside (responsible for JBS attack), REvil/Sodinokibi (Colonial Pipeline attack), and Lockbit (Accenture attack) ransomwares. Additionally, BlackMatter comes with both Windows and Linux variants. Researchers have seen this ransomware be just as effective proliferating corporate domains as targeting crucial Linux infrastructure such as VMware ESXi hosts.
With a growing list of victims across multiple industries, BlackMatter looks to be a sophisticated and well-funded group that will continue to operate for a good amount of time. Netwitness will continue to monitor for any new developments and adjust our detection capability accordingly.
Blog Posts
PetitPotam NTLM relay attack (RSA Link)
Lionel Gilles, a French-based Offensive Computer Security researcher at Sogeti, an IT services company based in Paris, France recently published a PoC tool called PetitPotam, which exploits the MS-EFSRPC (Encrypting File Services Remote Protocol). This affects organizations that utilize Microsoft Active Directory Certificate Services, (AD CS) a public key infrastructure (PKI) server. PetitPotam is considered a NTLM (NT LAN Manager) relay attack, a form of manipulator-in-the-middle attack.
The following app rules help detect PetitPotam activity in the environment
- Anonymous NTLM logon detected
- Possible PetitPotam authentication attempt
Behavioral Indicators Helpful to Detect Ransomware Activity (RSA Link)
Ransomware operations have increased significantly over the past few years. As we have seen with recently publicized large-scale attacks, ransomware groups are adding a great deal of sophistication to their tactics. These incidents can severely impact business processes and leave organizations without the data they need to operate and deliver their mission-critical services. There is no indication of bad actors stopping anytime soon and new variants of the malware are created and deployed almost every day.
Now is the time for targeted threat detection against ransomware activity. Resources mentioned in this blog post will be helpful to effectively monitor, detect & further respond using the NetWitness Platform.
AWS CloudTrail - Anomalous Activity Detection Threat Content (RSA Link)
CloudTrail is an AWS service that helps in governance, compliance, and operational risk auditing of an AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. One can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help analyze and respond to activity in an AWS account.
As the adoption of AWS increases, the workload that is being dealt by AWS services globally, has grown exponentially and so has the variety of attacks that Threat Actors execute. To effectively identify unexpected, malicious, and anomalous access behavior, and maintaining security monitoring within an account, we have used CloudTrail Events to create Log based Application Rules and Event Stream Analytics (ESA) Rules.
Universal Plugins for AWS (RSA Link)
For customers that run their infrastructure on AWS cloud and would like to ingest logs from various services into NetWitness for security and compliance, we have developed Amazon CloudWatch Plugin and S3 Universal Connector. For customers on NetWitness platform 11.5 or later these universal plugins alleviate the problem of managing multiple connectors, one for each service, faced by our customers.
Application rules
New Application rules used for detecting registry changes
The windows endpoint agent has been updated to report new registry events that are targeted to detect persistence tactics when the malware uses registry API to modify\create registry keys.
The following application rules detect these malware persistence techniques as behavior of compromise.
Modifies Startup Folder Location
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.
|
Tactic |
|
|
Technique |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
|
Severity |
High |
Modifies Winlogon Registry Settings
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.
|
Tactic |
|
|
Technique |
|
|
Severity |
High |
Registers Time Provider Dll
Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains and adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.
|
Tactic |
|
|
Technique |
|
|
Severity |
High |
Registers Port Monitor Dll
Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
|
Tactic |
|
|
Technique |
|
|
Severity |
High |
Registers Netsh helper Dll
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner.
|
Tactic |
|
|
Technique |
|
|
Severity |
High |
Registers AppInit Dll
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs value in the registry keys are loaded into processes. Like process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity.
|
Tactic |
|
|
Technique |
|
|
Severity |
High |
Registers AppCert Dll
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs that are specified in the AppCertDLLs Registry key are loaded into every process that calls the ubiquitously used application programming interface (API) functions. Like process injection, this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.
|
Tactic |
|
|
Technique |
|
|
Severity |
High |
Registers LSA Authentication package
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start and they provide support for multiple logon processes and multiple security protocols to the operating system. Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location
|
Tactic |
|
|
Technique |
|
|
Severity |
High |
Registers LSA Security package
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
|
Tactic |
|
|
Technique |
Boot or Logon Autostart Execution: Security Support Provider |
|
Severity |
High |
Registers Boot Execute
Adversaries can add programs or processes to the registry value which will automatically launch at boot and can use this configuration location to execute malware, such as remote access tools, to maintain persistence through system reboots.
|
Tactic |
|
|
Technique |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
|
Severity |
High |
Modifies file associations
Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and adversaries can modify these values to continually execute arbitrary commands.
|
Tactic |
Persistence/Privilege Escalation |
|
Technique |
|
|
Severity |
Medium |
Endpoint Rules
Ransomware Behavioral Detections - Threat Content
Per our research, we identified that impairing defenses to achieve evasion, tampering with system recovery mechanisms, disabling security tooling are couple of common techniques that are employed by threat actors during the various stages of typical ransomware operations.
Understanding the importance of detecting these exploitation methods used by threat actors, we have come up with endpoint-based application rules that aid in identifying not just malicious ransomware activity, but other adversaries as well that might employ similar techniques.
- deletes shadow volume copies (*Existing Rule Updated)
- deletes backup catalog (*Existing Rule Updated)
- disables windows defender using powershell (*Existing Rule Updated)
- deletes shadow volume copies using powershell
- tampers with windows defender registry
- removes windows defender definitions
- evades scanning within windows defender
- disables windows audit policy
- clears application event log
- clears setup event log
- clears event logs using powershell
- disables event logging service
- enables safe mode
- disables safe mode
Protocol Parsers
DCERPC
- Added extraction of action meta from EFSRPC.
DynDNS
- Added more dynamic DNS providers.
HTTP_lua
- Made performance improvements
TLS_lua
- Improved detection of TLS 1.3
Log Parsers - updated
Microsoft Azure
- Added additional mappings in azure parser for Microsoft Defender ATP alerts received via MSGraph Universal Plugin.
Proofpoint Email Security
- Additional meta mapping
Kaspersky Anti-Virus
- Added additional parser rules to support new fields for customer logs.
Snort/Sourcefire
- Added support for additional FirePower Threat Defense Events and provided fine-parsing for few other events.
Cisco Wireless Lan Controller
- Updated the ciscowlc parser to provide support for Cisco 9800 series with firmware version 17.03.03
Trend Micro IMSS
- Additional meta mapping
Common Event Format
- Added support for 2 new Event sources CEF parsers. Checkpoint Identity Awareness and Trend Micro Email Inspector
Fortinet Fortigate
- Added support for more log formats
Cyberoam UTM
- Additional meta mapping
VMware Workspace One
- Correct mapping for OS meta as it was causing issue in investigation page
Linux
- Additional meta mapping
Log Collections - updated
Salesforce Log Collection
- Fixed bug where the option to disable SSL certificate validation was not working.
Thank you to @DarrenMccutchen , @jeethmathai , @Sarthak , @AhteshamPatel , @ManishJain4 , @RajasSave , @WilliamMotley1 for their help with compiling this report
