Evidence of Lateral Movement
Within a few days of gaining access to the victim’s network, forensic examination revealed that the threat actor performed recon on the network and stole user credentials. Tetra’s investigation revealed that the attacker also modified a script via yet another tool: PowerSploit.
PowerSploit is an open-source, offensive security framework comprised of PowerShell modules and scripts designed to perform a wide range of penetration testing tasks (code execution, persistence, bypassing antivirus, recon, and exfiltration). The PowerSploit modules allow attackers several different capabilities, including maintaining access to a victim’s network, bypassing antivirus products, accessing passwords saved in memory, and executing code. In this case, PowerSploit was used to capture network traffic and steal credentials.
Other Threat Actor Tools
Additionally, Tetra identified evidence of resource exhaustion events for other hosts, meaning that the first compromised endpoint (the COVID19 research device) acted as a Machine in the Middle (MITM) to intercept traffic. The threat actor intercepted administrator credentials using this MITM technique and subsequently used those credentials to move laterally to other hosts within the victim’s network.
In the next phase of the attack, Tetra found that Cobalt Strike was used (and then later removed) for further access to the network. Cobalt Strike is an Offensive Security Tool used by both threat actors and legitimate penetration testers to access a network through “command-and-control” over encrypted ports. This tool grants access to these networks covertly, and threat actors also use these stealthy methods to exfiltrate data in a manner that victims may not detect. Tetra found similar evidence of Cobalt Strike execution on several additional hosts on the victim’s network.
The threat actor also used Remote Desktop Protocol (RDP) to move laterally to additional hosts on the victim network. RDP is not only used when logging into a network from a computer outside the local network, but also to access servers or workstations within a local one. Thus, “remote” does not always imply that the connection originated from an outside source. Tetra identified that lateral movement occurred using numerous RDP logins from several compromised machines on the victim’s network, all while using scraped credentials from various user accounts.
Finally, the threat actor began deploying WastedLocker ransomware to various hosts using RDP and PSExec. PSExec is a yet another legitimate system administration tool that can remotely access endpoints as a privileged user. Threat actors commonly use PSExec during their campaigns to move laterally and deploy software.
The WastedLocker ransomware executable name was personalized to reflect the victim’s name on most machines, complete with its intimidating namesake, “wasted.” However, as the malware ran, WastedLocker ransomware also created copies of itself using seemingly innocuous names like Trace.exe, Diag.exe, and Keyboard.exe. The ransomware established persistence to run after reboot and delete these executables after completion of the encryption process.
Post-Ransomware Deployment Actions
Tetra worked with the organization’s Managed Service Provider (MSP) to isolate infected hosts and also deployed SentinelOne, an endpoint monitoring solution to identify and respond to additional infections. This organization’s MSP continued to rebuild workstations and servers after the ransomware incident. This organization did not pay ransom for decryption of their data because Evil Corp/Dridex, an OFAC-sanctioned organization, is believed to manage the WastedLocker ransomware.
This case in particular relied upon user interaction to initiate the WastedLocker ransomware. The chain of events allowed access to the victim’s network by the threat actor and exploited internal weaknesses to move laterally.
User education might have been helpful in this case, but technical solutions can also be leveraged to prevent this type of attack. According to Drew Hjelm, Senior Director of Digital Forensics and Incident Response at Tetra Defense, “the SocGholish drive-by exploiter is a textbook example of why it’s critical to ensure that that workstations’ operating systems are up-to-date and default settings are configured securely.”
How to Prevent WastedLocker Ransomware
Some other ways to prevent this attack include:
- Blocking SMB traffic to workstations and servers, other than domain controllers and file shares. This can be done at the host-level using the Windows Firewall, using a network firewall, or both.
- Blocking servers from being able to communicate with the internet that don’t need that access.
- Limiting RDP access to hosts within your network except for trusted hosts.
While ransomware is a simple concept at its core, its methods and subsequent effects can be complex. The fight against this attack is never even — threat actors have proven to target opportunistically with a long list of exploits and mis-used tools. As new threats often come in the shape of trusted sources, whether they be news outlets or internet browsers, it is important to stay up to date with cybersecurity best practices.