{"id":23282,"date":"2023-10-31T13:21:03","date_gmt":"2023-10-31T21:21:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/10\/31\/news-17012\/"},"modified":"2023-10-31T13:21:03","modified_gmt":"2023-10-31T21:21:03","slug":"news-17012","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/10\/31\/news-17012\/","title":{"rendered":"Step-by-step through the Money Message ransomware"},"content":{"rendered":"

Credit to Author: Angela Gunn| Date: Tue, 31 Oct 2023 19:56:34 +0000<\/strong><\/p>\n

\n

In August 2023, the Sophos X-Ops Incident Response team was engaged to support an organization in Australia infected with Money Message ransomware.\u00a0 This attack vector, known for its stealth, does not append any file extensions to the encrypted data, making it harder for victims to identify the encrypted files simply by spotting such extensions.\u00a0<\/span>\u00a0<\/span><\/p>\n

In this post, we will look at the incident attack flow, illustrating how threat actors are deploying the Money Message ransomware and what measures can combat attacker efforts at various points along the MITRE ATT&CK chain.<\/span>\u00a0<\/span><\/p>\n

Make a note of it<\/span><\/b>\u00a0<\/span><\/p>\n

As part of its routine, the ransomware drops a ransom note named “money_message.log” directly into the root directory of the C: drive.\u00a0<\/span>\u00a0<\/span><\/p>\n

The ransom note on the target\u2019s system read as follows:<\/span>\u00a0<\/span><\/p>\n

Your files was encrypted by “Money message” profitable organization and can’t be accessed anymore.<\/span><\/i>\u00a0<\/span><\/p>\n

If you pay ransom, you will get a decryptor to decrypt them. Don’t try to decrypt files yourself – in that case they will be damaged and unrecoverable.<\/span><\/i>\u00a0<\/span><\/p>\n

For further negotiations open this <redacted>.onion\/<redacted><\/span><\/i>\u00a0<\/span><\/p>\n

using tor browser https:\/\/www.torproject.org\/download\/<\/span><\/i>\u00a0<\/span><\/p>\n

In case you refuse to pay, we will post the files we stole from your internal network, in our blog:<\/span><\/i>\u00a0<\/span><\/p>\n

<redacted>.onion<\/span><\/i>\u00a0<\/span><\/p>\n

Encrypted files can’t be decrypted without our decryption software.<\/span><\/i>\u00a0<\/span><\/p>\n

<redacted>.onion\/<redacted><\/span><\/i>\u00a0<\/span><\/p>\n

Attack Flow Details<\/span><\/b>\u00a0<\/span><\/p>\n

Initial Access<\/span><\/b>\u00a0<\/span><\/p>\n

Our investigation indicates that the attacker gained initial access via the target\u2019s VPN, which was\u00a0 using single-factor authentication. This is an example of MITRE\u2019s <\/span>T1078 \u2013 Valid Accounts<\/span><\/a> technique.<\/span>\u00a0<\/span><\/p>\n

Guidance<\/span><\/b>\u00a0<\/span><\/p>\n

Implementing multifactor authentication (MFA) for VPN connections is paramount to enhance security and thwart potential unauthorized access. Additionally, continuous monitoring of VPN logs and user activity should be in place to promptly detect any suspicious login attempts or anomalies. Upgrading to a more robust and layered authentication approach, such as MFA, is essential to bolster the first line of defense against potential threat actors seeking to exploit single-factor vulnerabilities and gain unauthorized VPN access.<\/span>\u00a0<\/span><\/p>\n

Defense Evasion<\/span><\/b>\u00a0<\/span><\/p>\n

The threat actor deployed GPO Policy to disable Windows Defender real-time protection. This is an example of MITRE\u2019s <\/span>T1562.001: Impair Defenses: Disable or Modify Tools<\/span><\/a> sub-technique.<\/span>\u00a0<\/span><\/p>\n

[HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindows Defender] DisableAntiSpyware: [REG_DWORD_LE] 1<\/span>\u00a0  [HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindows DefenderReal-time Protection] DisableRealtimeMonitoring: [REG_DWORD_LE] 1<\/span>\u00a0<\/span><\/pre>\n
Guidance<\/span><\/b>\u00a0<\/span><\/p>\n
The first line of defense available to organizations is to use a security agent that has robust tamper protection. In terms of monitoring for this activity, these are detection-ready event sources. While it\u2019s possible a system administrator would disable these protections (at least temporarily) during troubleshooting, given the risk of this activity, it\u2019s something that should be investigated promptly if a corresponding support ticket isn\u2019t found.<\/span>\u00a0<\/span><\/p>\n
Lateral Movement<\/span><\/b>\u00a0<\/span><\/p>\n
The threat actor leveraged psexec to run a batch script with the intention of enabling the RDP port, subsequently using Remote Desktop Protocol (RDP) to traverse the network. This is an example of MITRE\u2019s <\/span>T1021.001: Remote Services: Remote Desktop Protocol<\/span><\/a> sub-technique. RDP is a common finding in cases handled by Incident Response, as shown by our findings from IR cases handled during the first half of 2023.<\/span>\u00a0<\/span><\/p>\n
\"A<\/a><\/p>\n
Figure 1: RDP abuse detections in IR cases for the first half of 2023<\/span><\/i>\u00a0<\/span><\/p>\n
The batch script contents are as follows:<\/span><\/p>\n
reg add \"HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server\" \/v fDenyTSConnections \/t REG_DWORD \/d 0 \/f<\/span>\u00a0  Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'<\/span>\u00a0  netsh advfirewall firewall add rule name=\"Open Remote Desktop\" protocol=TCP dir=in localport=3389 action=allow<\/span>\u00a0<\/span><\/pre>\n
Guidance<\/span><\/b>\u00a0<\/span><\/p>\n
Securing RDP access can be difficult for many companies, but it is a project worthy of investment. The first item to check off the box is to restrict, by role, which accounts can access other systems using RDP. The overwhelming majority of users do not need this access. Secondly, adopting a centralized jump server, which only admins can access with MFA and blocking at the network level other system-to-system RDP is a strong preventative control. Lastly, a detection should be in place to promptly review anomalous RDP connections to deconflict them with approved system administration activity.<\/span>\u00a0<\/span><\/p>\n
Credential Access<\/span><\/b>\u00a0<\/span><\/p>\n
C:WINDOWSsystem32svchost.exe -k localService -p -s RemoteRegistry<\/span>\u00a0<\/span><\/pre>\n
Guidance<\/span><\/b>\u00a0<\/span><\/p>\n
It is crucial for organizations to prioritize the safeguarding of sensitive credentials. Implementing strong access controls, employing robust endpoint detection and response solutions, and monitoring for any suspicious activity related to SAM hive access are essential steps. Any unauthorized attempts to access or manipulate this critical system component should be promptly investigated, as they may indicate a breach or malicious activity that could compromise the security of sensitive credentials.<\/span>\u00a0<\/span><\/p>\n
\u00a0<\/span>Collection<\/span><\/b>\u00a0<\/span><\/p>\n
A confirmed compromised account was used to access sensitive folders like Finance, Payroll, SalesReport and HR in FileServer. MITRE lists 37 sub- and sub-sub-techniques under <\/span>TA0009: Collection<\/span><\/a>.<\/span>\u00a0<\/span><\/p>\n
Guidance<\/span><\/b>\u00a0<\/span><\/p>\n
Often by the time a threat actor is staging data, it\u2019s too late to have a good security outcome. A good approach to prevent theft of data is to adopt least-privilege access, which means ensuring only the required people have access, followed by granular controls on exporting, sharing, or moving the files. DLP solutions, while having a history of being difficult to implement and maintain, are worth evaluating for high-risk data.<\/span>\u00a0<\/span><\/p>\n
\u00a0<\/span>Exfiltration<\/span><\/b>\u00a0<\/span><\/p>\n
The threat actor leveraged MEGAsync to exfiltrate the data. This is an <\/span>example of MITRE\u2019s <\/span> T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage<\/span><\/a>.<\/span>\u00a0<\/span><\/p>\n
UserAssist entry: 87 Value name: C:Users<redacted>AppDataLocalTemp6MEGAsyncSetup32.exe\u00a0<\/span>\u00a0<\/span>    Count: 1\u00a0<\/span>\u00a0<\/span>    User \u201d<redacted> registered Task Scheduler task \u201cMEGAMEGAsync Update Task S-1-5-21-<redacted>\"<\/span>\u00a0<\/span><\/pre>\n
Guidance<\/span><\/b>\u00a0<\/span><\/p>\n
Organizations should focus on enhancing data loss prevention measures and network monitoring. Implementing robust outbound traffic analysis and content inspection can help identify and block suspicious data transfers. Furthermore, closely monitoring MEGAsync activities and detecting any unusual or unauthorized data transfers can be vital in mitigating data breaches. Rapidly investigate and respond to any signs of unauthorized exfiltration to prevent potential data compromise and minimize the impact on data confidentiality.<\/span>\u00a0<\/span><\/p>\n
Impact<\/span><\/b>\u00a0<\/span><\/p>\n
The threat actor leveraged two ransomware binaries, one for the Windows environment and one for the Linux environment. The Windows version is named windows.exe, and is detected as Troj\/Ransom-GWD by Sophos. This is an example of MITRE\u2019s <\/span>T1486: Data Encrypted for Impact<\/span><\/a>.<\/span>\u00a0<\/span><\/p>\n
The threat actor, using Secretsdump.py (part of the Impacket toolkit), retrieved the SAM registry hive. This is an example of one way of executing MITRE\u2019s <\/span>T1003.002: OS Credential Dumping: Security Account Manager<\/span><\/a> subtechnique.<\/span>\u00a0<\/span><\/p>\n