Cybercriminals are increasingly exploiting the Cobalt Strike testing toolkit to carry out ransomware campaigns, says Cisco Talos Incident Response.
Ransomware attacks often rely on trojans to infect computers and steal information. Such commodity trojans as Emotet and Trickbot are two of the top players in the game as cybercriminals try to exfiltrate sensitive data that can be held hostage. But as ransomware continues to dominate as a cyberthreat, criminals are increasingly carrying out attacks using Cobalt Strike, an otherwise ethical testing framework. A new report from threat intelligence group Cisco Talos Incident Response (CTIR) describes this trend.
In a blog post published Tuesday discussing the report, CTIR said that it observed ransomware dominating the threat landscape last quarter for the fifth quarter in a row. Ransomware infections tapped into an array of malware families, including Ryuk, Maze, LockBit, and Netwalker. However, another tactic has continued to appear.
Ransomware attacks are now relying less on commodity trojans such as Emotet and Trickbot and more on Cobalt Strike, a powerful toolkit designed for threat emulation and penetration testing.
Instead of using the tool for the ethical purposes for which it was created, cybercriminals are using it to infect and compromise systems from which they can then steal and control data. Last quarter, 66% of all ransomware attacks involved Cobalt Strike, the report said.
In one example cited by CTIR, an engineering company was infected with LockBit ransomware. The attackers used Cobalt Strike for their command and control (C2) purposes as CTIR discovered traffic to a Cobalt Strike C2 system every six minutes. Using an open-source post-compromise tool called “CrackMapExecWin,” the attackers were able to explore large Active Directory networks and force all the systems on the network to perform a Group Policy update.
The Group Policy update then set up a service to execute the ransomware from a single compromised server. User accounts were created on the compromised machines, which the attackers used to launch remote desktop connections. The attackers also used the TeamViewer remote control application to steal information and cleared event logs to erase traces of their actions.
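The six-minute C2 check-in that CTIR observed is the kind of machine-regular timing a defender can hunt for in proxy or flow logs. The following is an added example (not Cisco Talos code); the log format and sample lines are constructed assumptions.

```python
"""Flag (source, destination) pairs whose connections recur at a near-constant interval,
as with a beacon checking in every six minutes. Constructed example; the
"<timestamp> <src_ip> <dst_host>" log format is an assumption."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample proxy log: one host beacons every ~6 minutes, another browses normally.
SAMPLE_LOG = """\
2020-09-01T10:00:02 10.0.0.5 cdn-update.example.net
2020-09-01T10:06:01 10.0.0.5 cdn-update.example.net
2020-09-01T10:12:03 10.0.0.5 cdn-update.example.net
2020-09-01T10:18:02 10.0.0.5 cdn-update.example.net
2020-09-01T10:24:00 10.0.0.5 cdn-update.example.net
2020-09-01T10:01:10 10.0.0.7 www.example.com
2020-09-01T10:02:45 10.0.0.7 www.example.com
2020-09-01T10:09:30 10.0.0.7 www.example.com
2020-09-01T10:30:12 10.0.0.7 www.example.com
2020-09-01T10:31:00 10.0.0.7 www.example.com
"""


def parse_log(text):
    """Group connection timestamps by (source, destination)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    return seen


def find_beacons(text, min_hits=4, max_jitter_ratio=0.05):
    """Return (src, dst, median_gap_seconds) for pairs whose inter-connection gaps
    are nearly constant. Jitter is the population std-dev of the gaps divided by
    their median; a small ratio means scheduled timing rather than human activity."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med > 0 and pstdev(gaps) / med <= max_jitter_ratio:
            hits.append((src, dst, med))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{gap / 60:.1f} min")
```

Real beacons often add random sleep jitter, so tune `max_jitter_ratio` against your own baseline rather than treating the 5% threshold as fixed.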
The data exfiltrated from this attack was posted on a website used by Maze to publish stolen information. This action suggests that the LockBit group and other ransomware gangs have teamed up to share compromised data and resources.
“Part of the reason we’re seeing so much Cobalt Strike activity right now is that it’s basically pre-fab construction for malware,” Amy Henderson, from CTIR’s Strategy and Operations for Threat Intelligence and Interdiction, told TechRepublic. “Adversaries use it to plug in any gaps they might have, or for quick and efficient building, so they can focus on the more profitable and complex parts of their attack.”
The trend toward using Cobalt Strike is surfacing not just in ransomware but in other types of cyberattacks. The use of Cobalt Strike beacons, which can emulate legitimate traffic, may be one reason the toolkit is attractive to cybercriminals, according to Henderson.
“We have most commonly seen Cobalt Strike beacons utilized for command and control purposes, meaning most threat actors have already compromised a victim from a different attack vector before utilizing this tool,” Henderson said.
Cobalt Strike also comes with an array of features and capabilities that attackers can exploit.
“As a common red-teaming tool, Cobalt Strike offers everything from reconnaissance to post-exploitation tools,” Henderson said. “It gives threat actors all of the Lincoln logs to build their cabin, including the telephone poles to dial out.”
Another ethical toolkit being exploited for unethical purposes is the Telerik UI framework, according to CTIR. Normally used for software development, the Telerik framework was recently found to have a vulnerability (CVE-2019-18935) that could allow for the execution of remote code. Such a vulnerability can be particularly hazardous as many ASP.NET applications may be running older versions of Telerik UI that can leave users exposed.
In one example, an attacker hit a tech company’s server running Telerik UI. The cybercriminal was able to open a command prompt to run malicious commands that resulted in a ransomware attack. In another example, the Telerik server of a manufacturing firm was exploited, allowing the attacker to deploy ASP.NET web shells to perform malicious tasks on the web server.
To help protect your organization from ransomware attacks, Henderson offers the following advice.
- Use a strong email solution. Email remains the top initial attack vector we have observed, so organizations should have a strong email security solution. This not only includes product-based security but also the training of employees to spot and report advanced phishing attacks.
- Establish the right policies. Establish policies that limit underprivileged users from having access to PowerShell or CMD applications and other powerful applications. Such policies should prevent attackers from escalating privileges as a way of establishing persistence and moving laterally across the network.
- Improve endpoint detection. Improve endpoint detection and monitor deployed network detection solutions that can alert you to methods an adversary can use for lateral movement through remote access tools and the Remote Desktop Protocol (RDP). Also, enforce multi-factor authentication for all remote access and for administrator user account access.
- Remove Domain Users from Admin Group. Remove the Domain Users from the local administrators group and use the Local Administrator Password Solution (LAPS) to randomize local administrator account passwords. Adversaries will use the local administrator account to pivot around a network until they find a host where they can steal a domain administrator account.
- Back up critical data. Make sure you have backups of critical data that cannot be modified using domain credentials. This could mean offline backups or other methods to secure the backups. Online backups are nearly always targeted by an adversary prior to executing ransomware. Having secure backups is key to being able to restore data without needing to pay the criminal.