Archive for Sophos

Dwell times shrinking, threat actors moving faster & smarter: Sophos

Posted in Commentary with tags on August 25, 2023 by itnerd

According to a new (August 23, 2023) report by Sophos, “Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders”, the median dwell time of cyber-attacks fell by two days to eight days in the first half of 2023, requiring a faster response from security teams.

A frequent strategy used by ransomware gangs is to launch attacks outside of normal business hours when security staff are less available. Of the ransomware attacks analyzed, the final payload was launched outside of traditional working hours 81% of the time, while 43% of attacks were detected on either a Friday or Saturday.  

Researchers also observed that attackers are moving faster to reach Active Directory systems, averaging just 16 hours. Moreover, most AD servers are protected only by Microsoft Defender, which attackers have become skilled at disabling; that technique appeared in 43% of AD attacks, up from 36% the previous year. AD access enables privilege escalation and lateral movement.

Emily Phelps, Director, Cyware had this comment:   

“Cybercriminals don’t take time off – at least not at the same time. Adversaries are becoming more creative and collaborative, adapting to modern cybersecurity tactics. Overcoming people, data, and tech silos is critical to take defensive action faster. We need to automate and orchestrate threat intelligence into security operations so that the right people get the right information at the right time.”

David Ratner, CEO, HYAS follows with this:   

“With dwell time decreasing, the need for fast and efficient identification of anomalous activity has never been more important. Early identification can be the critical difference between proactive business resiliency and reactive financial and reputational damage. The visibility provided by Protective DNS solutions is recommended by CISA for a reason — they enable this early identification, and are increasingly more critical as criminals hone their playbooks and techniques.”

Finally David Mitchell, Chief Technical Officer, HYAS had this comment:    

“The escalation in timing for accessing Active Directory makes complete sense and is not surprising. Once they’ve gained access to all of the credentials, their ability to keep a foothold dramatically increases and makes ridding the attacker from the network much more difficult — especially without any internal interruptions.” 

This reinforces the need for rapid detection of, and response to, any threat, because the bad guys are more dangerous than ever, and moving faster than ever in order to pwn your organization.


Ransomware found impersonating Cybersecurity firm Sophos

Posted in Commentary with tags on July 20, 2023 by itnerd

Yesterday, MalwareHunterTeam discovered that cybersecurity vendor Sophos is being impersonated by a new RaaS dubbed SophosEncrypt, with the threat actors using the company name for their operation.

The ransomware was initially thought to be part of a Sophos red team exercise, but the Sophos X-Ops team tweeted this in response:

“We found this on VT earlier and have been investigating. Our preliminary findings show Sophos InterceptX protects against these ransomware samples,” tweeted Sophos.

Little is known about the RaaS operation and how it is being promoted, but a sample of the encryptor was found by MalwareHunterTeam, and researchers are still analyzing it to see if any weaknesses could allow the recovery of files for free.

Carol Volk, EVP, BullWall had this comment: 

“Threat actors continually obfuscate their attacks and will always be one step ahead of the good guys. All we can do is man the walls with the best defenses available, including containment measures for when the walls are breached, as they surely will be.”

This situation illustrates the lengths to which threat actors will go to launch attacks. Therefore we all have to be hyper-vigilant to ensure that these attacks don’t succeed.

Hackers Disable EDR Clients With A New Evasion Tool Dubbed AuKill

Posted in Commentary with tags on April 21, 2023 by itnerd

Researchers at Sophos report seeing attackers using an outdated version of a Windows Process Explorer driver (v16.32) to disable EDR processes before dropping their ransomware on the target system.

Dubbed AuKill, the attack uses Process Explorer’s ability to collect information on active processes to check whether the Windows Trusted Installer service is running. If it is not, it starts the service, duplicates the token of TrustedInstaller.exe with the DuplicateTokenW Windows API function, and passes that token to CreateProcessWithTokenW, elevating itself to SYSTEM when the process restarts.

To kill active defence products, AuKill starts multiple threads that search for the security products on its hard-coded list; when it finds one, it disables the corresponding service by calling ChangeServiceConfigW with SERVICE_DISABLED as dwStartType.
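A defender-side detection for the service-disabling step described above, added here as an example that is not from the Sophos report or the AuKill sample: it scans constructed Windows Service Control Manager records (Event ID 7040, which Windows logs whenever a service start type changes) for security services whose start type was set to disabled, and flags the burst that parallel disabling threads would produce. WinDefend and Sense are Microsoft Defender service names; ExampleEDRAgent and the log lines themselves are made up for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed Windows System-log records (Event ID 7040, written by the Service
# Control Manager when a service's start type changes), one per line as
# "<timestamp> <event id> <message>". Made up for this example; a real export
# may carry display names rather than short service names, so adjust accordingly.
SAMPLE_LOG = """\
2023-02-14T02:11:05Z 7040 The start type of the WinDefend service was changed from auto start to disabled.
2023-02-14T02:11:06Z 7040 The start type of the Sense service was changed from demand start to disabled.
2023-02-14T02:11:09Z 7040 The start type of the ExampleEDRAgent service was changed from auto start to disabled.
2023-02-14T09:30:00Z 7040 The start type of the Spooler service was changed from auto start to demand start.
2023-02-14T09:31:00Z 7036 The Spooler service entered the running state.
"""

# Services a defender never expects to be disabled. WinDefend and Sense are
# Microsoft Defender service names; ExampleEDRAgent is a placeholder for an EDR agent.
PROTECTED_SERVICES = {"WinDefend", "Sense", "ExampleEDRAgent"}

EVENT_7040 = re.compile(
    r"^(?P<ts>\S+) 7040 The start type of the (?P<svc>\S+) service was "
    r"changed from (?P<old>.+?) to (?P<new>.+?)\.$"
)

@dataclass(frozen=True)
class Alert:
    timestamp: datetime
    service: str
    old_start: str

def find_disabled_security_services(log_text: str) -> list[Alert]:
    """One Alert per protected service whose start type was set to disabled."""
    alerts = []
    for line in log_text.splitlines():
        m = EVENT_7040.match(line)
        if m and m["new"] == "disabled" and m["svc"] in PROTECTED_SERVICES:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            alerts.append(Alert(ts, m["svc"], m["old"]))
    return alerts

def is_mass_disable(alerts: list[Alert], window: timedelta = timedelta(minutes=1),
                    threshold: int = 2) -> bool:
    """True when at least `threshold` protected services are disabled within one
    `window`: the burst that parallel service-disabling threads leave behind."""
    times = sorted(a.timestamp for a in alerts)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))
```

A single 7040 event against one security service is worth an alert on its own; the burst check is there to raise severity when several go dark within seconds.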

“The tool was used during at least three ransomware incidents since the beginning of 2023 to sabotage the target’s protection and deploy the ransomware:  In January and February, attackers deployed Medusa Locker ransomware after using the tool; in February, an attacker used AuKill just prior to deploying Lockbit ransomware,” the report said.

Roy Akerman, Co-Founder & CEO, Rezonate had this to say:

   “An endpoint agent, which for the most part operates in the kernel space, is traditionally used for AV/NGAV solutions as well as that of more advanced EDR tools and is not tamper-proof. It is based in the root of a layered defense approach where additional controls must always be in place across the identity-network-endpoint triad.

   “This is a technique we’ve seen quite often coming from sophisticated nation state adversaries, that either leverage a technique such as the one mentioned of WPE Processor exploitation, a targeted zero-day exploit, or even a supply chain risk as we’ve seen with the likes of SolarWinds earlier this year. Despite continuous investment trying to strengthen agent tampering, we keep on seeing new exploits in the wild and there will continue to be with Windows OS as the main target.”

This is a very good reminder to keep your Windows systems fully patched. While that won’t stop every attack, it will stop a lot of them. And that’s not a bad thing.

State of Ransomware 2022 Report Released By Sophos

Posted in Commentary with tags on April 27, 2022 by itnerd

Sophos has released the State of Ransomware 2022 report, which surveyed 5600 mid-sized organizations across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East and Africa. The 2022 report shows that 66% of organizations were hit with a ransomware attack in 2021, a 37% increase from 2020. Additional key findings include:

  • The average ransom paid by organizations that had data encrypted increased nearly five-fold to $812,360.
  • 11% of organizations surveyed admitted paying ransoms of $1M or more in 2021, up 4% from 2020.
  • 46% of organizations which had data encrypted in a ransomware attack paid the extortion demand.
  • 26% of organizations that were able to restore encrypted data using backups still paid the ransom.

I think the part of this that bothers me is the fact that the ransom was paid, because if enough organizations had prevention methods in place, robust backup strategies, and took the stance that they don’t pay the ransom, nobody would bother with ransomware.

I have two comments on this. The first is from Saryu Nayyar, CEO and Founder of Gurucul:

“It’s clear that ransomware is an escalating threat that costs organizations worldwide dearly. It’s not just the cost of paying the ransom, which is a staggering $1M or more. It’s also the cost of business disruption or loss, and the time required to restore data and operations. Almost half of all organizations paid the extortion demands if their data was encrypted. The lesson is clear: you will end up paying for ransomware one way or the other. Either you’ll pay cyber criminals to get your data back, or you’ll pay for protection. It is infinitely better and less costly to implement security controls to detect and stop malware payloads, including ransomware. True machine learning powered behavior analytics is a proven cyber defense that will prevent ransomware from getting ahold of your data and your business. Exact revenge by strengthening your defenses.”

Chris Olson, CEO of The Media Trust adds to this:

“The frequency and cost of ransomware attacks have been rising steadily for years in a row, but 2020 saw an acceleration in this trend which has continued until now. Although concerning, it isn’t surprising – from the COVID pandemic to international conflict and the continued growth of darknet markets, multiple factors have exacerbated the incidence of malicious cyberactivity.”

“Above all, organizations have largely neglected digital surfaces like Web and mobile apps which are increasingly used by cyber actors to target their employees. At the Media Trust, we have observed an alarming rise in digital attacks based on polymorphic and obfuscated code, rapid URL shifting and other advanced techniques to deliver ransomware, phishing attacks, and more.”

Ransomware isn’t going away anytime soon. Thus organizations need to take action on multiple fronts to protect themselves. And if the worst happens, they should make the option of paying the ransom a non-starter. The sooner that happens, the better off we will all be.

Sophos Says That Threat Actors Were In Government Agency Computers Long Before They Launched Attacks

Posted in Commentary with tags on April 12, 2022 by itnerd

Security researchers at Sophos have found that threat actors spent more than five months on government agency computers, remotely googling for tools from the target’s machines. Behavioral log data from a regional US government agency suggests that two or more threat groups were active before a final group deployed Lockbit ransomware payloads earlier this year. That basically means they hung around inside the environment undetected before launching an attack.

Saryu Nayyar, CEO and Founder, Gurucul had this comment:

“One of the biggest enemies of any security operations teams is threat actor dwell time. On average this is over 250 days, which is the time between when a threat actor has bypassed your defenses and is roaming inside the castle walls off the radar and moving about freely, to when they are found and removed from the “grounds”. Threat actors use different tactics and techniques stretched out over weeks or months to hide their activity from traditional SIEM and XDR tools that are rooted in identifying patterns over short periods of time. Manually being able to piece together seemingly disparate indicators of compromise over weeks or months is virtually impossible for a security team and most current solutions struggle to provide the necessary. In addition, behavioral log data is only useful for post-breach once the damage is already done. Organizations must look to add more advanced tools that link disparate events over time using analytics and adaptive and trained machine learning models, not just simple correlation, or rule-based fixed machine learning. In addition, included threat content (sadly most companies charge for out-of-the-box automated threat detection), network traffic analysis to identify unauthorized external communications, and real-time user and entity behavior baselining and analytics can be used to reveal how anomalous behaviors are actual security threats associated with an attack campaign. This changes the game to enabling security teams to be proactive versus reactive.”

This underscores that organizations need to not only keep the bad guys out, but they also need to be able to detect the bad guys if they should get in. Because both are important to avoid your organization getting pwned by threat actors.

Sophos Claims Apple Has Abandoned Anyone Who Doesn’t Run Mavericks

Posted in Commentary with tags on January 10, 2014 by itnerd

If you’re a Mac user and you haven’t made the move to Mavericks, this may get your attention. According to Sophos, if you’re not running Mavericks, you might be less secure:

Without saying it in so many words, or any words for that matter, Apple appears to have stopped releasing security updates for OS X 10.6.8, 10.7.5 and 10.8.5.

That’s kind of alarming on the surface, as that puts you in the same camp as those who run Windows XP. In fact the article makes that comparison. But let’s dig into this:

  1. Sophos is using installations of its products to get its numbers on who runs what version of OS X. That likely isn’t the whole picture of what is out there. It also raises some interesting privacy concerns about what info Sophos is collecting from users of Sophos Anti Virus For Mac. But I’ll leave that for another day.
  2. When Mavericks was released, security updates for older versions of OS X were released on the same day. I know that because I updated my existing OS X install before installing Mavericks. Not only that, the Apple support page that is in the quote that I pasted above lists updates for software for OS X 10.7 and up as recently as 16 December, a Java update for versions 10.6 and up on 15 October, and the most recent security update, also for versions 10.6 and up, on 12 September.

Net result: I find the argument that Sophos is making to be flawed. Clearly Apple is still updating older versions of OS X. Keep in mind that Apple only issues security updates on an as-needed basis rather than on a “Patch Tuesday” like Microsoft does. Thus it can create the impression that Apple is behind when it comes to security when it actually isn’t. It is also clear that while Mavericks is free and you should upgrade if you can, you likely won’t be any less secure if you don’t.

File this one under FUD.