CTI Roundup: New CISA tool detects hacking activity in Microsoft cloud services
A joint advisory on LockBit 3.0 ransomware, CISA’s latest tool which detects hacking activity in Microsoft cloud services, and ScarCruft’s evolving arsenal
Up first in this week’s roundup, CTI explores a new advisory about the highly successful LockBit 3.0 ransomware variant. Next, CTI dives into the latest of CISA’s recent string of commendable initiatives — a new open-source incident response tool that helps detect signs of malicious activity in Microsoft cloud environments. Also included is a look at new activity attributed to APT37 (ScarCruft), a suspected North Korean cyber espionage group.
1. New joint advisory issued for LockBit 3.0 ransomware
A March 16 joint cybersecurity advisory authored by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) was released to disseminate the latest IOCs and TTPs associated with the notorious – and increasingly successful – LockBit 3.0 ransomware.
The technical information contained within the advisory was identified during the course of FBI investigations which took place as recently as March 2023.
First things first: What is LockBit 3.0?
LockBit 3.0 functions in accordance with the ransomware-as-a-service (RaaS) model. Operations represent a continuation of the activity observed in association with prior versions of the ransomware including LockBit 2.0 and LockBit.
As CISA describes:
Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.
What to know about LockBit 3.0
- LockBit 3.0 is the most modular variant of the ransomware to date. Also known as LockBit Black, the latest iteration is more evasive than its forebears, sharing similarities with other top-tier ransomware families such as Blackmatter and Blackcat.
- Highly adaptable and customizable depending upon the victim environment in which it finds itself, LockBit 3.0 is configured upon compilation with a wide range of options that influence the behavior of the malware.
- LockBit 3.0 contains a built-in mechanism designed to protect its code and deter malware detection and analysis.
- Threat actors are able to gain initial access to victim networks through remote desktop protocol (RDP) exploitation. Other tactics include abusing valid accounts, exploiting public-facing applications, drive-by compromise, and phishing campaigns.
- LockBit 3.0 checks its current privilege level. If that level is insufficient, it attempts to escalate to the privileges it needs.
- LockBit 3.0 has repeatedly been observed leveraging a wide variety of open-source tools during intrusions. These tools are designed to aid in a range of activities, including network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration.
In addition, LockBit 3.0 has proven adept at utilizing PowerShell and Batch scripts in most observed intrusions. These utilities serve to aid in system discovery, reconnaissance, password/credential hunting, and privilege escalation.
CISA also highlights LockBit 3.0’s encryption capabilities:
LockBit 3.0 attempts to encrypt [T1486] data saved to any local or remote device, but skips files associated with core system functions… After files are encrypted, LockBit 3.0 drops a ransom note with the new filename .README.txt and changes the host’s wallpaper and icons to LockBit 3.0 branding [T1491.001]. If needed, LockBit 3.0 will send encrypted host and bot information to a command and control (C2) server [T1027].
In addition, CISA points to LockBit 3.0’s exfiltration feature:
LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0 [TA0010]; rclone, an open-source command line cloud storage manager [T1567.002]; and publicly available file sharing services, such as MEGA [T1567.002], to exfiltrate sensitive company data files prior to encryption. While rclone and many publicly available file-sharing services are primarily used for legitimate purposes, they can also be used by threat actors to aid in system compromise, network exploration, or data exfiltration. LockBit 3.0 affiliates often use other publicly available file-sharing services to exfiltrate data as well [T1567].
Outlook and guidance from CTI
CTI has previously identified LockBit ransomware as a top-tier, financially motivated cyber threat. This latest multi-agency cybersecurity advisory confirms this assessment.
LockBit has proven itself capable of bouncing back from a major disruption at the hands of a disgruntled developer (who released the builder code for LockBit 3.0), and in a big way. The ransomware operation’s victimology counts several high-profile private businesses – along with critical infrastructure entities – among its ranks.
According to TheHackerNews, “Industrial cybersecurity firm Dragos, earlier this year, revealed that LockBit 3.0 was responsible for 21% of 189 ransomware attacks detected against critical infrastructure in Q4 2022, accounting for 40 incidents. A majority of those attacks impacted food and beverage and manufacturing sectors.”
In November, the U.S. Department of Justice reported that the LockBit ransomware strain has been used against at least 1,000 victims worldwide, netting the operation over $100 million in illicit profits.
From CISA:
The FBI, CISA, and the MS-ISAC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of LockBit 3.0’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Additional practical mitigations can be viewed in the original advisory.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“This advisory comes at an interesting time for ransomware and the larger cyber threat landscape, as more and more ransomware operations are shying away from extortion via encryption in favor of straight-up extortion via data theft. For example, the BianLian ransomware group has shifted its focus from encrypting its victims’ files to pure data theft extortion attacks. This is a trend CTI expects to continue well into 2023 and beyond.”
2. New CISA tool detects hacking activity in Microsoft cloud services
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has released a new open-source incident response tool that helps detect signs of malicious activity in Microsoft cloud environments.
In the InfoSec community’s long-standing tradition of assigning goofy names to serious things, the Untitled Goose Tool is a Python-based utility developed jointly with Sandia Laboratories and capable of dumping telemetry information from Azure Active Directory, Microsoft Azure, and Microsoft 365 environments.
From CISA:
Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
The above-mentioned telemetry is augmented by additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).
What the Goose can do
According to BleepingComputer, with the help of CISA’s cross-platform Microsoft cloud interrogation and analysis tool, security experts and network admins can:
- Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (Internet of Things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
- Query, export, and investigate AAD, M365, and Azure configurations.
- Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics.
- Perform time bounding of the UAL.
- Extract data within those time bounds.
- Collect and review data using similar time-bounding capabilities for MDE data.
CISA’s on a roll
CISA’s latest attempt at aiding defenders follows a string of proactive, transparent, and collaborative efforts to increase its participation in protecting enterprises belonging to government, private, and critical infrastructure organizations.
For example, CISA recently released an open-source tool called Decider to help defenders generate MITRE ATT&CK mapping reports. Just before releasing Decider, CISA released a best practices guide about MITRE ATT&CK mapping in January, highlighting the importance of using the standard.
What’s more, CISA is now warning critical infrastructure entities of Internet-exposed systems that are vulnerable to ransomware attacks.
The latter initiative has apparently already yielded results.
From CISA:
Using this proactive cyber defense capability, CISA has notified more than 60 entities of early-stage ransomware intrusions since January 2023, including critical infrastructure organizations in the Energy, Healthcare and Public Health, Water and Wastewater Systems sectors, as well as the education community.
According to BleepingComputer:
This followed the launch of a new partnership in August 2021 to protect U.S. critical infrastructure from ransomware and other cyber threats, known as the Joint Cyber Defense Collaborative (JCDC).
The cybersecurity agency previously released in June 2021 a new module for its Cyber Security Evaluation Tool (CSET) known as Ransomware Readiness Assessment (RRA) to help organizations assess their readiness to prevent and recover from ransomware attacks.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“CISA and its leadership are displaying a serious commitment to improving the cybersecurity of enterprises belonging to government, private, and critical infrastructure organizations, and this is to be commended. Many of us have waited a long time for the nation to adopt a comprehensive cybersecurity policy/infrastructure, and these latest initiatives represent a positive step in that direction. Well done, CISA.”
3. ScarCruft’s evolving arsenal
Zscaler has been monitoring the TTPs of APT37, also known as ScarCruft, which has been very active in February and March 2023.
APT37 is a North Korean state-sponsored cyberespionage group. The group has historically targeted victims in South Korea, Japan, Vietnam, Russia, etc. APT37 has previously leveraged infection vectors including watering holes, exploitation of vulnerabilities, and phishing emails containing malicious attachments. APT37 is commonly observed distributing the Chinotto PowerShell backdoor.
Researchers recently discovered a GitHub repository owned by a member of APT37. Due to what is believed to be an operational security failure of the threat actor, Zscaler was able to gain access to information regarding the malicious files leveraged by the group. This repository was used to stage many different malicious payloads leveraged by the threat actor.
The information retrieved from the GitHub repository also gave researchers insight into the types of themes APT37 uses in its social engineering lures. Some of these themes include geopolitical-related lures, academic institutes, and South Korean companies.
Recent TTPs
- CHM: APT37 regularly uses a Chinotto PowerShell backdoor, which it deploys on the endpoint via a malicious Windows help file or CHM file. The CHM files are distributed within archive files, most of which contain two components: the malicious CHM file and the decoy file that is displayed to the victim. The observed decoy files are often password-protected, with the password contained within the CHM file.
- MS Excel add-in: In a campaign observed on March 15, APT37 uploaded a malicious Excel add-in to the GitHub repository. This was the first time the group was seen leveraging XLL files. The XLL file extracts an XLS file and drops it in the following path: C:\programdata\20230315_SejeongSupport[.]xls. It then displays the dropped XLS file, which is a decoy used strictly as a social engineering lure, and launches MSHTA to download an HTA file from a yangak[.]com URL. The downloaded HTA file contains the PowerShell backdoor, Chinotto.
- LNK: Some LNK files were recovered from the GitHub repository that had been uploaded in August 2022 and were seen in the wild in attacks around the same time. The LNK files were present inside RAR archives. An HTML file was also present masquerading as a sign-in page of the South Korean company LG. The LNK files were used to execute MSHTA and download the malicious HTA files from the attacker-controlled server. The attack chain results in the same PowerShell backdoor, Chinotto.
The metadata of the LNK files revealed they were generated on a virtual machine running VMware, with the MAC address 00:0c:29:41:1b:1c. The threat actor used the same virtual machine to generate multiple payloads, making it useful for threat hunting and future attribution.
- Macro-based MS Office file: APT37 was also observed uploading a macro-based MS Office Word file to the GitHub repository. The macro launches MSHTA to download Chinotto.
- HWP file with embedded OLE object: APT37 also deployed Chinotto on the endpoint using HWP files with embedded OLE objects. The OLE objects are in the form of a clickable element that the victim must click for the malicious PE payloads to execute.
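The XLL, LNK and macro chains above all end with MSHTA fetching a remote HTA file, so one hunt over process-creation telemetry covers all three. The following is an added example, not code from Zscaler or Tanium; the field names follow Sysmon Event ID 1, and the parent-process lists, severity labels and sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"excel.exe", "winword.exe"}  # XLL add-in and Word macro chains
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}  # assumed LNK launch paths
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def exe_name(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def score_event(event):
    """Return a finding dict for mshta.exe fetching a remote URL, else None."""
    if exe_name(event["Image"]) != "mshta.exe":
        return None
    match = REMOTE_URL.search(event["CommandLine"])
    if match is None:
        return None  # local .hta usage is out of scope for this hunt
    parent = exe_name(event["ParentImage"])
    if parent in OFFICE_PARENTS:
        severity = "high"
    elif parent in SHELL_PARENTS:
        severity = "medium"
    else:
        severity = "low"
    return {"host": event["Computer"], "parent": parent,
            "url": match.group(0), "severity": severity}


def hunt(events):
    """Score every event and keep only the findings."""
    return [f for f in map(score_event, events) if f is not None]


# Constructed events; example.invalid is a placeholder, not an indicator.
SAMPLE_EVENTS = [
    {"Computer": "ws-01", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/a.hta",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"Computer": "ws-02", "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": '"mshta.exe" "https://example.invalid/b.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "ws-03", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Tools\inventory.hta",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Computer": "ws-04", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe http://example.invalid/readme",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
```

Running hunt(SAMPLE_EVENTS) flags ws-01 and ws-02 and ignores the local HTA and the non-MSHTA process.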
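To hunt on the LNK metadata described above, a shortcut's TrackerDataBlock can be read directly: per Microsoft's MS-SHLLINK layout it holds a machine name and object GUIDs, and when the file GUID is a version 1 UUID its node field is the MAC address of the generating host. This is an added example, not Zscaler's tooling; the function names, triage labels and sample bytes are constructed for illustration.

```python
import struct
import uuid

# TrackerDataBlock header: BlockSize, BlockSignature, Length, Version
TRACKER_HEADER = struct.pack("<IIII", 0x60, 0xA0000003, 0x58, 0)
KNOWN_MAC = "00:0c:29:41:1b:1c"  # MAC this page reports for the payload-building VM
VMWARE_OUI = "00:0c:29"          # OUI prefix of that address


def tracker_macs(lnk_bytes):
    """Return [(machine_id, mac)] for each TrackerDataBlock in raw LNK bytes."""
    hits = []
    pos = lnk_bytes.find(TRACKER_HEADER)
    while pos != -1:
        block = lnk_bytes[pos:pos + 0x60]
        if len(block) == 0x60:
            machine = block[16:32].split(b"\x00", 1)[0].decode("ascii", "replace")
            file_droid = uuid.UUID(bytes_le=block[48:64])  # second GUID of Droid
            if file_droid.version == 1:  # only time-based UUIDs carry a MAC
                node = file_droid.node.to_bytes(6, "big")
                hits.append((machine, ":".join(f"{b:02x}" for b in node)))
        pos = lnk_bytes.find(TRACKER_HEADER, pos + 1)
    return hits


def classify(mac):
    """Label a recovered MAC for triage (labels are hypothetical)."""
    if mac == KNOWN_MAC:
        return "matches-reported-vm"
    if mac.startswith(VMWARE_OUI):
        return "same-oui-other-host"
    return "unrelated"


def build_sample(node):
    """Constructed input: filler plus one tracker block, not a real shortcut."""
    volume = uuid.UUID(int=0x1234).bytes_le
    droid = uuid.UUID(fields=(0x5F3C1A20, 0x1E2D, 0x11ED, 0x9A, 0x4B, node)).bytes_le
    machine = b"desktop-test".ljust(16, b"\x00")
    block = TRACKER_HEADER + machine + volume + droid + volume + droid
    return b"L\x00\x00\x00" + bytes(72) + block + bytes(4)


if __name__ == "__main__":
    for machine, mac in tracker_macs(build_sample(0x000C29411B1C)):
        print(machine, mac, classify(mac))
```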
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“APT37 is yet another APT that is incredibly sophisticated and constantly evolving its TTPs. Its ability to maintain a GitHub repository of malicious payloads for over 2 years without being detected or taken down further highlights the operation’s sophistication.”
“The use of CHM files to deliver malware was recently observed being leveraged by another North Korea-affiliated group, Kimsuky. Kimsuky used CHM files to distribute a backdoor responsible for gathering clipboard data and keystroke data.”
“Are CHM files the next big thing for North-Korean APTs? Only time will tell.”