HG Threat Summary

Herjavec Group’s Threat Management Team uses this Threat Summary to provide an overview of the most common threats and vulnerabilities we have seen in recent months. This summary includes further information on supply chain compromises, malware, vulnerabilities and targeted phishing attacks. Please see below for a review of emerging threats, including their potential impact and mitigation strategies.

Supply Chain Compromise

One of the most circulated attacks over the last 12 months involved SolarWinds. An actor tracked by FireEye as UNC2452[1] was able to compromise a SolarWinds Orion software update package. The actors were able to create a trojan by inserting malicious code into one of the digitally signed DLL components. This code installed a backdoor during the update process, affecting every organization that updated to one of the compromised versions. After the victim network is compromised, the actors use the remote access to move laterally within the network and steal organizational data.

Affected Versions[2]:

- Orion Platform 2019.4 HF5, version 2019.4.5200.9083
- Orion Platform 2020.2 RC1, version 2020.2.100.12219
- Orion Platform 2020.2 RC2, version 2020.2.5200.12394
- Orion Platform 2020.2, version 2020.2.5300.12432
- Orion Platform 2020.2 HF1, version 2020.2.5300.12432

Ensure that your organization does not fall victim in the same way. Here are our recommendations to mitigate supply chain attacks:

- Keep a detailed software and hardware inventory list that can be referenced against vendor security releases.
- Use verification of distributed binaries through hash checking or other integrity checking mechanisms.
- Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity.
- Enable Multi Factor Authentication (MFA) on account credentials and shared secrets when possible.
- Ensure service accounts have only the minimum level of privilege required for the role they perform.
- Monitor for and alert on account changes for increased levels of privilege.
- For high privilege accounts, service accounts, and shared secret accounts where MFA is not possible, require the use of randomly generated long and complex passwords with a 90-day rotation policy.
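As an added illustration of the hash-checking recommendation above (example code written for this summary, not Herjavec Group's or SolarWinds' tooling), the following verifies downloaded update files against a vendor-published SHA-256 manifest; the file names, contents and manifest in `demo()` are constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large installers are never read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_against_manifest(manifest: dict, directory: Path) -> dict:
    """Compare each file named in a vendor manifest {filename: sha256 hex} with its on-disk hash.

    Returns {filename: "ok" | "mismatch" | "missing"}. A "mismatch" means the file on disk is
    not the one the vendor published and must not be deployed until the difference is explained.
    """
    results = {}
    for name, expected in manifest.items():
        target = directory / name
        if not target.is_file():
            results[name] = "missing"
            continue
        # compare_digest gives a timing-safe comparison of the two hex strings
        matches = hmac.compare_digest(sha256_of(target), expected.lower())
        results[name] = "ok" if matches else "mismatch"
    return results


def demo() -> dict:
    """Constructed scenario: one intact file, one altered file, one file listed but absent."""
    good = b"MZ intact installer payload (constructed)"
    altered = b"MZ installer payload with an injected change (constructed)"
    with tempfile.TemporaryDirectory() as tmp:
        directory = Path(tmp)
        (directory / "Good.dll").write_bytes(good)
        (directory / "Tampered.dll").write_bytes(altered)
        manifest = {
            "Good.dll": hashlib.sha256(good).hexdigest(),
            # the vendor published the hash of the original, not of the altered file
            "Tampered.dll": hashlib.sha256(b"MZ original installer payload (constructed)").hexdigest(),
            "Absent.dll": "0" * 64,
        }
        return verify_against_manifest(manifest, directory)
```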

Malware

As we closed out 2020, we saw several variants coming into play. Here are some of the top variants noted and being tracked by our HG Threat team:

BazarLoader

A new loader and backdoor were observed in 2020 as part of attacks by the TrickBot group against high-value targets and were used in attacks against the healthcare sector[3]. BazarLoader employs a stealthy approach by having the malware signed with certificates and only loading a minimal initial footprint. Like a growing number of malware families, the operators deploy legitimate penetration testing tools such as Cobalt Strike to gain access to additional resources within the network[4]. Signing the malware with certificates is used as a method of evading some anti-virus products. The actors used legitimate corporations’ information while registering the certificates with trusted certificate authorities to avoid suspicion. The infection chain begins with a sophisticated phishing campaign, in which they use both legitimate organizations as unknowing accomplices and legitimate email marketing platforms to send the phishing emails to their targets. The emails contain a phishing link that takes the target to a decoy page that attempts to trick the user into downloading malware under the guise of the file preview being unavailable.

Ryuk Ransomware

Ryuk is a popular payload delivered by several trojans, such as TrickBot, to obtain financial gain from cyber-attacks[5]. Attacks that lead to ransomware deployment often use native operating system tools alongside off-the-shelf commercial products. These tools are used to limit suspicious activity and potential detection by security systems, while allowing the attackers to maneuver throughout the network and achieve persistence on compromised systems. PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP) were primarily used to move laterally within the network. Ryuk is configured to disable known antivirus processes, backups, databases, and document editing software by killing the processes and services using taskkill and net stop commands to prevent them from obstructing execution.
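The process- and service-killing behaviour described above is a good detection opportunity. The following is an added example (not from the original summary or any vendor product) that scans constructed process-creation events for bursts of taskkill / net stop commands aimed at antivirus, backup, database or document-editing software on one host; the product name fragments and thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Name fragments for the categories the text says Ryuk targets (antivirus, backup,
# database, document editing). Illustrative list, not exhaustive.
TARGET_HINTS = ("sophos", "mcafee", "symantec", "defender", "backup", "veeam", "vss",
                "sql", "oracle", "winword", "excel", "outlook")

# Match "taskkill ... /IM <image>" and "net stop <service>" regardless of case and flag order.
TASKKILL = re.compile(r"\btaskkill\b.*?/im\s+\"?([^\s\"]+)", re.IGNORECASE)
NET_STOP = re.compile(r"\bnet1?\s+stop\s+\"?([^\"/]+?)\"?(?:\s+/y)?\s*$", re.IGNORECASE)


def classify(command_line: str):
    """Return (tool, target) when a command kills a process or stops a service, else None."""
    for tool, pattern in (("taskkill", TASKKILL), ("net stop", NET_STOP)):
        match = pattern.search(command_line)
        if match:
            return tool, match.group(1).strip()
    return None


def find_kill_bursts(events, window_minutes=5, threshold=3):
    """Flag hosts with >= threshold kill/stop commands against protected software inside
    window_minutes. events: iterable of (host, ISO-8601 timestamp, command line)."""
    per_host = defaultdict(list)
    for host, ts, cmd in events:
        hit = classify(cmd)
        if hit and any(h in hit[1].lower() for h in TARGET_HINTS):
            per_host[host].append((datetime.fromisoformat(ts), hit))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i in range(len(hits)):
            j = i  # extend the window forward from hit i
            while j < len(hits) and hits[j][0] - hits[i][0] <= timedelta(minutes=window_minutes):
                j += 1
            if j - i >= threshold:
                alerts[host] = [target for _, target in hits[i:j]]
                break
    return alerts


# Constructed process-creation events (host, timestamp, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", "2020-12-14T03:12:01", "taskkill /F /IM sqlservr.exe"),
    ("WS01", "2020-12-14T03:12:02", 'net stop "Veeam Backup Service" /y'),
    ("WS01", "2020-12-14T03:12:04", "taskkill /IM winword.exe /F"),
    ("WS01", "2020-12-14T03:12:05", "net stop SophosHealth"),
    ("WS03", "2020-12-14T10:00:00", 'net stop "Veeam Backup Service"'),
]
```

A single stopped backup service (WS03) stays below the threshold; the rapid sequence on WS01 is what the rule is meant to surface.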

Vulnerabilities

Windows “Bad Neighbor” Vulnerability (CVE-2020-16898)

Microsoft released details on a vulnerability affecting the Windows IPv6 stack that allows an attacker to send malicious packets that could execute code on a target system. Released proof-of-concepts that cause a blue screen of death indicate the potential for attackers to exploit the vulnerability. Windows 10 version 1709 and newer, along with Windows Server 2019 version 1903 and newer, are affected by this vulnerability[6].

Potential exploit packets can be detected within incoming IPv6 traffic as packets with an ICMPv6 Type field of 134 (Router Advertisement) and an ICMPv6 Option field of 25 (Recursive DNS Server, RDNSS). Malicious packets have been observed with an RDNSS option length value that is even.
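The detection criteria above, turned into a small parser as an added example (not code from the original summary, Microsoft or McAfee): it walks the options of a Router Advertisement by their Type/Length fields and reports an RDNSS option whose length is even, as well as options that are structurally malformed. The sample messages are constructed in memory only, to exercise the parser.

```python
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_HEADER_LEN = 16   # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans
OPTION_MTU = 5
OPTION_RDNSS = 25    # Recursive DNS Server option; length is in units of 8 octets


def inspect_icmpv6(payload: bytes) -> list:
    """Return findings for one ICMPv6 message (IPv6 header already stripped).

    Only Router Advertisements are inspected. A well-formed RDNSS option holds a
    2-byte reserved field, a 4-byte lifetime and N 16-byte addresses, so its length
    is always odd (1 + 2N); an even length is the malformed shape the text describes.
    """
    findings = []
    if len(payload) < RA_HEADER_LEN or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return findings
    offset = RA_HEADER_LEN
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            findings.append(("malformed", f"option type {opt_type} with zero length at offset {offset}"))
            break
        opt_bytes = opt_len * 8
        if offset + opt_bytes > len(payload):
            findings.append(("malformed", f"option type {opt_type} overruns the message"))
            break
        if opt_type == OPTION_RDNSS and opt_len % 2 == 0:
            findings.append(("suspicious", f"RDNSS option with even length {opt_len} at offset {offset}"))
        offset += opt_bytes
    return findings


def build_ra(*options: bytes) -> bytes:
    """Constructed RA header (checksum left zero; only the fields above are inspected)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return header + b"".join(options)


# Constructed samples: one RA with an MTU option and a valid one-address RDNSS option (length 3),
# and one whose RDNSS option carries the even length the text flags.
BENIGN_RA = build_ra(
    bytes([OPTION_MTU, 1, 0, 0]) + struct.pack("!I", 1500),
    bytes([OPTION_RDNSS, 3, 0, 0]) + struct.pack("!I", 3600) + b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x01",
)
SUSPICIOUS_RA = build_ra(bytes([OPTION_RDNSS, 4, 0, 0]) + struct.pack("!I", 3600) + b"\x00" * 24)
```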

Microsoft recommends that vulnerable systems are patched with the appropriate security update. If ICMPv6 RDNSS is not used within an environment, it can be disabled via a PowerShell command provided by Microsoft[7].

Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)

CVE-2020-1472 is a privilege elevation vulnerability that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol[8]. To exploit the vulnerability, the attacker connects to a domain controller using the Netlogon Remote Protocol (MS-NRPC); successful exploitation could allow the attacker to run a crafted application on a network device with administrator privileges. Microsoft addressed this vulnerability with an initial patch in its August 2020 update release, which allowed the enforcement of secure usage and enabled event logging. A second phase of the update will be released in Q1 2021 to enforce secure Netlogon channel usage on all Domain Controllers[9]. The update modifies how Netlogon handles the usage of Netlogon secure channels to address the vulnerability.

Unpatched software is a vulnerable target for attackers, providing a way for adversaries to gain access across the entire compromised network. Herjavec Group recommends the following measures:

- Organizations must strive to perform regular software updates to mitigate exploitation risk.
- Consistent vulnerability scanning should be leveraged to find and remediate potentially exploitable software vulnerabilities.
- Security system rules should be used to block unexpected traffic from reaching internal resources.
- Monitor vendor security advisories and apply patches in a reasonable timeframe, applying temporary mitigations as required.

Threat Groups

Healthcare Sector Attacks

A substantial number of ransomware attacks were executed against the healthcare sector in Q4 2020. Attackers used malware loaders such as TrickBot and BazarLoader to deliver the ransomware. The loaders were sent to victims via malicious attachments or links in an email. Once executed, the loaders initiate the infection by downloading and installing a payload from a command-and-control server onto the victim’s machine. Additional malware was downloaded to the compromised hosts to allow the attackers to propagate within the network and steal data, along with causing network and service disruption with the execution of Ryuk ransomware[10].

These types of attacks are expected to continue. You have to protect your weakest link – your people – through a combination of security awareness training and security controls.

Herjavec Group’s recommended mitigations against ongoing malware and ransomware delivered via phishing techniques include:

- Operate a user security awareness and training program.
- Regularly back up data, air gap, and password protect backup copies offline.
- Use multi-factor authentication wherever possible.
- Scan for and disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for suspicious activity.
- Conduct audits of user accounts with administrative privileges and configure access controls with least privilege in mind.
- Patch operating systems, software, and firmware within a reasonable timeframe of the manufacturer’s release.

Resources

[1] Highly Evasive Attacker Leverages SolarWinds Supply Chain, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, visited January 11, 2021
[2] Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, https://us-cert.cisa.gov/ncas/alerts/aa20-352a, visited January 12, 2021
[3] Ransomware Activity Targeting the Healthcare and Public Health Sector, https://us-cert.cisa.gov/ncas/alerts/aa20-302a, visited January 2021
[4] “Front Door” into BazarBackdoor: Stealthy Cybercrime Weapon, https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon, visited January 12, 2021
[5] Ransomware Activity Targeting the Healthcare and Public Health Sector, https://us-cert.cisa.gov/ncas/alerts/aa20-302a, visited January 8, 2021
[6] CVE-2020-16898: “Bad Neighbor”, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor, visited January 7, 2021
[7] Windows TCP/IP Remote Code Execution Vulnerability CVE-2020-16898, https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16898, visited January 7, 2021
[8] Netlogon Elevation of Privilege Vulnerability, https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472, visited January 8, 2021
[9] How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472, https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc, visited January 8, 2021
[10] Ransomware Activity Targeting the Healthcare and Public Health Sector, https://us-cert.cisa.gov/ncas/alerts/aa20-302a, visited January 8, 2021

Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management, and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom, Canada and India. For more information, visit HerjavecGroup.com or contact us at [email protected].