
The comparison may give some indication of success rates experienced by actors linked to each operation. For Symantec to positively identify an attack as associated with a certain ransomware family, the attack has to advance to the stage where the attackers attempt to deploy a payload. This suggests that Noberus affiliates are more likely to advance their attacks at least to the payload deployment stage.
Vectors
The evidence from recent ransomware investigations suggests that exploitation of known vulnerabilities in public-facing applications is now the main initial access vector for ransomware attacks. Likely infection vectors in recent ransomware attacks include:
- CVE-2022-47966 ZOHO ManageEngine
- Microsoft Exchange Server vulnerabilities. The specific exploits used were not identified, but in a number of attacks the first evidence of malicious activity was found on Exchange Servers.
- Citrix Bleed (CVE-2023-4966) Citrix NetScaler ADC and NetScaler Gateway
- CVE-2023-20269 Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) VPN
Tooling
The number of tools deployed by ransomware actors continues to grow. In particular, there has been a marked increase in the number of dual-use tools (legitimate software installed by attackers for malicious purposes). Tools leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique, in which attackers load a legitimately signed but vulnerable kernel driver and abuse it to gain kernel-level access, are also currently popular among attackers, typically as a means of terminating security software. New tools recently seen in ransomware attacks include:
- HopToDesk: A publicly available remote desktop tool, which was used in attacks involving a variant of the leaked Conti ransomware. Remote desktop tools are frequently used by ransomware actors, with the most popular being Atera, AnyDesk, and Splashtop.
- TrueSightKiller: A publicly available tool that leverages the BYOVD technique to disable security software.
- GhostDriver: Another tool that leverages the BYOVD technique to disable antivirus (AV) tools.
- StealBit: A custom data exfiltration tool associated with the LockBit ransomware operation. StealBit appeared to have fallen out of favour among LockBit affiliates for some time. However, usage of the tool resumed in early 2024, when it was deployed in two separate LockBit attacks.
Techniques
Noteworthy techniques that have recently been used by ransomware actors include:
- Esentutl: Using esentutl.exe, the Windows command-line utility for Extensible Storage Engine (ESE) databases, to copy credential stores. Its file copy mode can read files that are locked by a running process, which makes it a long-known means of grabbing credential databases; in recent weeks attackers have been using it to copy browser credential databases.
- DPAPI: Using malicious tools to extract and decrypt sensitive user credentials protected with Microsoft's Data Protection API (DPAPI), which browsers and the Windows Credential Manager rely on to encrypt stored secrets.
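The two techniques above leave distinctive traces in process-creation telemetry. The following is an added example, not code from the original post or from Symantec, showing heuristic detection logic for both: esentutl.exe invoked in copy mode (/y, optionally with /vss to read from a shadow copy) against a credential store, and any command line that names DPAPI master-key or Credential Manager paths directly. It goes slightly beyond the browser case in the text by also matching other locked stores the same copy mode is used against (ntds.dit and registry hives). The event record layout, host names, user names and command lines are constructed for the illustration and are not real telemetry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """One flattened process-creation record (field names are an assumption)."""
    host: str
    user: str
    image: str     # full path of the executable that started
    cmdline: str   # full command line as logged


# Files attackers copy with esentutl /y because the owning process keeps them locked.
CREDENTIAL_STORES = (
    r"\\Login Data\b",             # Chromium-based browsers: saved passwords (SQLite)
    r"\\Web Data\b",               # Chromium-based browsers: autofill and payment data
    r"\\Cookies\b",                # browser session cookies
    r"\\ntds\.dit\b",              # Active Directory database
    r"\\(SAM|SECURITY|SYSTEM)\b",  # registry hives holding local secrets
)

# DPAPI material: per-user master keys and Credential Manager blobs. Legitimate
# software reaches these through the API, not by spelling the path on a command line.
DPAPI_PATHS = (
    r"\\Microsoft\\Protect\\S-1-5-21-",
    r"\\Microsoft\\Credentials\\",
)


def esentutl_copy_source(cmdline: str) -> Optional[str]:
    """Return the source path of an 'esentutl /y <source> ...' copy, or None."""
    m = re.search(r'(?<!\S)/y\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) or m.group(2)


def esentutl_copy_of_credential_store(ev: ProcessEvent) -> bool:
    """esentutl.exe in copy mode whose source is a known credential store."""
    if ev.image.lower().rsplit("\\", 1)[-1] != "esentutl.exe":
        return False
    source = esentutl_copy_source(ev.cmdline)
    if source is None:                      # /d, /p, /r etc. are normal admin use
        return False
    return any(re.search(p, source, re.I) for p in CREDENTIAL_STORES)


def dpapi_material_access(ev: ProcessEvent) -> bool:
    """Command line names DPAPI master-key or Credential Manager storage by path."""
    return any(re.search(p, ev.cmdline, re.I) for p in DPAPI_PATHS)


def triage(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, finding, detail) for every event matching either heuristic."""
    hits = []
    for ev in events:
        if esentutl_copy_of_credential_store(ev):
            hits.append((ev.host, "esentutl credential-store copy",
                         esentutl_copy_source(ev.cmdline) or ev.cmdline))
        elif dpapi_material_access(ev):
            hits.append((ev.host, "DPAPI material referenced", ev.cmdline))
    return hits


# Constructed sample events: two benign esentutl uses, two credential copies, one
# DPAPI master-key access by an unsigned binary in a user-writable path, one noise line.
SAMPLE_EVENTS = [
    ProcessEvent("EXCH01", r"CORP\exadmin", r"C:\Windows\System32\esentutl.exe",
                 r'esentutl.exe /d "C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB01\DB01.edb"'),
    ProcessEvent("WS042", r"CORP\jdoe", r"C:\Windows\System32\esentutl.exe",
                 r'esentutl.exe /y "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d C:\Users\Public\ld.db /vss'),
    ProcessEvent("DC01", r"CORP\jdoe", r"C:\Windows\System32\esentutl.exe",
                 r"esentutl.exe /y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit /d C:\Windows\Temp\ntds_copy.dit"),
    ProcessEvent("APP07", r"CORP\svc_backup", r"C:\Windows\System32\esentutl.exe",
                 r"esentutl.exe /y C:\ProgramData\App\store.edb /d D:\Backup\store.edb"),
    ProcessEvent("WS042", r"CORP\jdoe", r"C:\Users\Public\Music\svc.exe",
                 r"svc.exe C:\Users\jdoe\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111111111-2222222222-3333333333-1001"),
    ProcessEvent("WS042", r"CORP\jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -Command Get-Service"),
]


if __name__ == "__main__":
    for host, finding, detail in triage(SAMPLE_EVENTS):
        print(f"{host}: {finding}: {detail}")
```

The esentutl rule keys on the copy mode rather than on the binary alone, because Exchange and other ESE-backed products run esentutl for maintenance every day; the fourth sample event shows a /y copy of an ordinary database being left alone. The DPAPI rule is deliberately coarse: a path under Microsoft\Protect\S-1-5-21-... on a command line is rare enough in normal operation that it is worth an analyst's attention even without knowing the tool.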
Ongoing threat
Ransomware will continue to be a major threat for organizations in 2024 and beyond. Incentivised by large payouts, ransomware attackers have proven to be persistent and adaptive, capable of responding to disruption by reorganizing themselves and consistently developing new tactics.
Protection/Mitigation
For the latest protection updates, please visit the Symantec Protection Bulletin.
Indicators of Compromise
If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.
7ebe51d5a48cc3c01878e06c6db3f4f0189c4f9788bfe57b763b03f4ab910e26 – StealBit
ce26642327aa55c67a564f695ae3038d5afee9b8d14bb5146bf30dd0f1af24e5 – StealBit
c06e320ad2568e15baae155346c6fb92e18fc038e7465adfb5fc2a3f8af9caa5 – HopToDesk
8d5c521d7a52fd0b24d15c61c344a8f87b3b623a1ab3520ab55197b772377155 – TrueSightKiller
09f7622eb9ed3bbd375575c8a190ff152ef3572a717a20c1b2dd5556b8cc9eba – TrueSightKiller
005cfd8a4dd101c127bcb0f94f1fa143b24d91442ee9e1525b4c540c9fe88c63 – TrueSightKiller
4c1346eab3fb23ca0613d73bbd2dd87fedb6ca8b1ba7bf48d69a57868d05854d – TrueSightKiller
13d525588d2f6babe0b6de7d1456a6f3f39a0947128280a94b6f676dd5684201 – TrueSightKiller
6ec7a25adc9bf516e9150bebd773feafa64787769156ffbcb6eccabc579ee03a – GhostDriver
19707b18f750bae0214e2a6d36735b6723549899bf83751d3650b9ec8125b91f – DPAPI credential dumper
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-attacks-exploits