{"id":25062,"date":"2024-08-13T03:21:24","date_gmt":"2024-08-13T11:21:24","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/08\/13\/news-18792\/"},"modified":"2024-08-13T03:21:24","modified_gmt":"2024-08-13T11:21:24","slug":"news-18792","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/08\/13\/news-18792\/","title":{"rendered":"Don’t get Mad, get wise"},"content":{"rendered":"

Credit to Author: Angela Gunn| Date: Tue, 13 Aug 2024 09:59:22 +0000<\/strong><\/p>\n

\n

The Sophos X-Ops Incident Response team has been examining the tactics of a ransomware group called Mad Liberator.\u00a0 This is a fairly new threat actor, first emerging in mid-July 2024. In this article, we\u2019ll look at certain techniques the group is using, involving the popular remote-access application Anydesk. We\u2019ll document the interesting social-engineering tactics the group has used and provide guidance both as to how to minimize your risk of becoming a victim and, for investigators, to how to see potential activity by this group.<\/p>\n

Before we start, we should note that Anydesk is legitimate software that the attackers are abusing in this situation. The attackers misuse that application in the manner we\u2019ll show below, but presumably any remote access program would suit their purposes. Also, we\u2019ll note up front that SophosLabs has a detection in place, Troj\/FakeUpd-K, for the binary described.<\/p>\n

What is Mad Liberator?<\/strong><\/p>\n

The activity that Sophos X-Ops has observed so far indicates that Mad Liberator focuses on data exfiltration; in our own experience, we have not yet seen any incidents of data encryption traceable to Mad Liberator. That said, information on watchguard.com<\/a> does suggest that the group uses encryption occasionally, and also undertakes double extortion (stealing data, then encrypting the victim\u2019s systems and threatening to release the stolen data if the victim doesn\u2019t pay to decrypt).<\/p>\n

Typical of threat actors who perform data exfiltration, Mad Liberator operates a leak site on which it publishes victim details, in an effort to put additional pressure on victims to pay. The site claims that the files can be downloaded \u201cfor free.\u201d<\/p>\n

\"A<\/a><\/p>\n

Figure 1: Mad Liberator\u2019s disclosure site<\/em><\/p>\n

Interestingly, Mad Liberator uses social engineering techniques to obtain environment access, targeting victims who use remote access tools installed on endpoints and servers. Anydesk, for instance, is popularly used by IT teams to manage their environments, particularly when working with remote users or devices.<\/p>\n

How the attack works<\/strong><\/p>\n

Anydesk works by allocating a unique ID, in this a case a ten-digit address, to each device it is installed on.\u00a0 Once the application is installed on a device, a user can either request to access a remote device to take control by entering the ID, or a user can invite another user to take control of their device via a remote session.<\/p>\n

\"A<\/a><\/p>\n

Figure 2: An Anydesk session with the ten-digit address prominently displayed<\/em><\/p>\n

We don\u2019t know at this point how, or if, the attacker targets a particular Anydesk ID. In theory it is possible to just cycle through potential addresses until someone accepts a connection request; however, with potentially 10 billion 10-digit numbers, this seems somewhat inefficient. In an instance that the Incident Response team investigated, we found no indications of any contact between the Mad Liberator attacker and the victim prior to the victim receiving an unsolicited Anydesk connection request. The user was not a prominent or publicly visible member of staff and there was no identifiable reason for them to be specifically targeted.<\/p>\n

When an Anydesk connection request is received, the user sees the pop-up shown in Figure 3. The user must authorize the connection before it can be fully established.<\/p>\n

\"A<\/a><\/p>\n

Figure 3: A request from \u201cUser\u201d to connect via Anydesk; as Anydesk admins know but end users may not, anyone can choose any username when setting up Anydesk, so an attacker could even call itself \u201cTech Support\u201d or something similar <\/em><\/p>\n

In the case our IR team handled, the victim was aware that Anydesk was used by their company\u2019s IT department. They therefore assumed that the incoming connection request was just a usual instance of the IT department performing maintenance, and so clicked Accept.<\/p>\n

Once the connection was established, the attacker transferred a binary to the victim\u2019s device and executed it.\u00a0 In our investigations this file has been titled \u201cMicrosoft Windows Update,\u201d with the SHA256 hash:<\/p>\n

f4b9207ab2ea98774819892f11b412cb63f4e7fb4008ca9f9a59abc2440056fe<\/p>\n

This binary was a very simple program that displayed a splash screen mimicking a Windows Update screen. The screen was animated, making it appear that the system was updating, as shown in Figure 4.<\/p>\n

\"A<\/a><\/p>\n

Figure 4: An all-too-unremarkable Windows Update screen\u2026 or is it?<\/em><\/p>\n

This program did not perform any other activity, which made it unlikely to be immediately detected as malicious by most antimalware packages. (Sophos has developed a detection [Troj\/FakeUpd-K] for this particular binary and will continue to monitor developments on this.)<\/p>\n

At this point, to protect the ruse from being discovered and stopped, the attacker took an extra step. Since this simple program could have been exited should the user happen to press the \u201cEsc\u201d key, the attacker utilized a feature within Anydesk to disable input from the user\u2019s keyboard and mouse.<\/p>\n

Since the victim was no longer able to use their keyboard, and since the above screen appeared to be something unremarkable to any Windows user, they were unaware of the activity that the attacker was performing in the background \u2013 and could not have stopped it easily even if they were suspicious.<\/p>\n

The attacker proceeded to access the victim\u2019s OneDrive account, which was linked to the device, as well as files that were stored on a central server and accessible via a mapped network share.\u00a0 Using the Anydesk FileTransfer facility, the attacker stole and exfiltrated these company files.\u00a0 The attacker then used Advanced IP Scanner to determine if there were other devices of interest that could be exploited within the same subnet. (They did not, in the end, laterally move to any other devices.)<\/p>\n

Once the stolen files were under its control, the attacker then ran another program that created numerous ransom notes. Interestingly, these ransom notes were generated in multiple locations on a shared network location which was mapped to the device, rather than on the victim\u2019s device itself.\u00a0 These ransom notes announced that data had been stolen and provided details as to how the victim should pay the ransom to prevent disclosure of those stolen files. (Tactics such as these will be all too familiar to readers of our investigation of pressure tactics currently in use<\/a> by ransomware gangs.)<\/p>\n

\"A<\/a>Figure 5: The ransom note received by the victim; note the threats of reputational and regulatory damage, and note also that no ransom amount is cited<\/em><\/p>\n

The fake Windows Update screen shielded the attacker\u2019s actions from being seen on the victim\u2019s screen. The attack lasted almost four hours, at the conclusion of which the attacker terminated the fake update screen and ended the Anydesk session, giving control of the device back to the victim. We did note that the binary was manually triggered by the attacker; with no scheduled task or automation in place to execute it again once the threat actor was gone, the file simply remained on the affected system.<\/p>\n

Lessons and mitigations<\/strong><\/p>\n

This was a straightforward attack that relied on the victim believing that the Anydesk request was part of day-to-day activity. As far as our investigators could determine, the attack did not involve any additional social engineering efforts by the attacker — no email contact, no phishing attempts, and so forth. As such it highlights the importance of ongoing, up-to-date staff training, and it indicates that organizations should set and make known a clear policy regarding how IT departments will contact and arrange remote sessions.<\/p>\n

Beyond user education, we highly recommend that administrators implement the Anydesk Access Control Lists to only allow connections from specific devices in order to greatly minimize the risk of this type of attack, AnyDesk provide some very valuable guidance and how to do this as well as additional security measures in the following link:<\/p>\n