A Look Into LockBit – PART 1

Out of frustration

Many of the incident response cases we handle are linked to ransomware, with LockBit being a recurring group we encounter. Even if, technically, they are not the most advanced, as they generally rely on well-known tools and don’t have access to 0-days, they are undeniably successful criminal enterprises. As defenders, it’s often disheartening to witness the aftermath, with organizations locked out and data exfiltrated. It’s particularly distressing when we’re unable to decrypt the data and prevent the threat actors from leaking it.

The aim of this article is to explain how we were able to block the exfiltration during the initial attempts, how we collaborated with law enforcement on the Cronos operation, and finally to help organizations prevent ransomware attacks by proposing an approach to identify and thwart attacks before it is too late. Ransomware attacks can be prevented. This assertion is grounded on factual evidence derived from our extensive client base, and we remain hopeful that this trend will persist indefinitely.

As part of our expanding CTI initiatives, we were determined to proactively identify targets outside of our client’s monitoring range before it became too late for them. Going the extra mile, we delved deeper and looked for errors made by LockBit affiliates. Fortunately, our efforts paid off, yielding valuable findings. These discoveries were promptly shared with law enforcement agencies as part of our collaborative efforts toward LockBit takedown initiatives.

Please note that there are numerous affiliates associated with LockBit, and the information provided may not apply to all of them. All affiliates operate on their own and in an independent way. We see it as a guerrilla-like structure which contributes to the difficulty in making a lasting impact on these groups with takedowns. If the LockBit encryptor and data exfiltration methods cease to be effective, the affiliates may simply transition to another ransomware-as-a-service and persist in their operations.

To put it differently, defenders cannot completely eradicate a threat actor; instead, we can only diminish the profitability of the cybercriminal industry by increasing their expenses or covertly causing their operations to fail. Regardless of takedown efforts, these actors will persist in their extortion activities, dedicating 9 hours a day to targeting businesses. They learn every time they are attacked and adapt after a takedown. So as not to help the criminals, some technical details have been omitted, but feel free to reach out to us if you need additional information for the purpose of building solid defenses.

Finding summary

We’ve amassed a considerable amount of data. This presented, and is still presenting, a challenge for analysis. Our objective is to provide high-level actionable recommendations derived from the internal operations of these cybercriminal groups.

Some fun facts about the threat actors: their servers are badly monitored for intrusion; however, they have a good policy of random, unique passwords for each server. They fall behind with technology like passwordless authentication. They did a good job of enabling automated antivirus updates; however, their patching process seems to be failing. At least, we were not able to find any documents discussing this topic. Were they a firm based in EMEA or the US, they would be highly susceptible to cyberattacks.

Regarding skills, our findings indicate an abundance of pentesting 101 guides, suggesting that the majority of operators of this affiliate lack advanced cyber offensive knowledge and instead adhere to basic playbooks.


Figure 1 – Translation of one of their manuals

In the next chapter, we provide recommendations that can be taken from the defender’s perspective. If you are a Kudelski Security client and would like to have a direct interaction to discuss certain points, feel free to reach out to your contact point; our detection team can provide insight into the actions taken to secure your organization.

Most of the recommendations derived from the findings still fall into the category of cyber security hygiene, but we think this is still interesting and valuable intelligence for defenders and could lead to some prioritization of projects.

Targets selection

How

Unsurprisingly, they use internet scan search engines like Shodan, Censys, and Zoomeye. They search for appliances or software with known vulnerabilities and then perform mass exploitation on those. Interestingly, they perform those searches per region. The US seems to be a target of choice for them. We found files with Cisco, Fortinet, and other network devices. They then use publicly available exploits. Brute force and password leaks are also still a thing.

What can be done

  • Reduce your digital footprint exposure: Utilize internet scanners to identify potential vulnerabilities within the devices and software you have deployed. Numerous software options offer features to conceal or alter banners, which can significantly reduce the risk of being targeted by mass exploitation campaigns. Default banners often divulge excessive information. For example, Apache httpd typically discloses its version, operating system, enabled modules, and more by default, which is often unnecessary and only helps malicious actors. This measure won’t protect you against exploitation but might be enough to avoid having your host listed by a scanner when a threat actor looks to mass exploit a specific software version.
  • Account validation & brute force: Additionally, we uncovered tools and scripts employed by threat actors to validate stolen credentials or sessions, as well as tools for executing brute force attacks. Consider implementing geo-blocking measures; not all management interfaces or assets necessarily need to be accessible from every corner of the globe. When it comes to preventing brute force attacks, ensure the implementation of robust authentication mechanisms. After examining the threat actor logs of the initial compromise, it became apparent that weak passwords remained a prevalent vulnerability. Operation logs frequently revealed instances where weak passwords were a contributing factor. While it may seem like common sense, numerous organizations still make this mistake. Additionally, local accounts, such as those on firewalls or VPNs, were often overlooked. An intriguing observation was the frequent use of the password “Numlock!123” when threat actors were creating accounts. As a proactive measure, consider blacklisting this password and triggering alerts for any attempted account creation using it.
  • Scanner exclusion: You have the option to block scanner IP ranges. While Shodan and Censys provide such information publicly, platforms like Zoomeye and lesser-known ones may offer limited or no data in this regard. However, certain firewall appliances do provide scanner detection and blocking capabilities, which we strongly advocate for. Increasing the difficulty of scanning your infrastructure can significantly slow down attack execution. We suggest investigating the rules or settings related to this feature on your firewall device. Exercise caution when implementing lockout rules and blocking based on UDP traffic, as these measures can be susceptible to spoofing. This won’t protect you, but it will make your infrastructure discovery harder.
  • Critical assets close monitoring: VPN devices should not expose their administrator interface to the internet. Also, they typically establish minimal outbound connections for updates, and depending on the setup, they should not initiate VPN sessions with local accounts. Unexpected reboots should be flagged as suspicious activity. Setting up alerts for deviations from expected behaviors is crucial, as they may signal attempted or successful exploitation. Threat detection often involves identifying anomalies unique to each organization’s setup. While this process is time-consuming and may require fine-tuning, it should be applied to high-value targets. Deploying a dummy VPN service solely for monitoring user account attempts and traffic can also be valuable, as these devices can serve as early warning systems for compromised credentials or scanner detections, enabling organizations to detect attacks at an early stage. Fake VPN setups can even provide access to a fake environment to gather additional intelligence on attackers’ next steps. From the Blue Team perspective, prematurely blocking an attack without allowing the threat actor to fully reveal their intentions and techniques is regrettable. However, such measures should be implemented in non-production, tightly controlled environments. From the data analyzed, when initial access came through the exposed infrastructure, the VPN was the entry point. This is expected, but it stresses the fact that organizations should acknowledge that if they have a VPN, it will be a target for exploitation and for valid-account usage. Therefore, special interest should be put into detecting, at various levels, what deviates from the baseline of the organization. Baselines can be built on:
    • Local account usage
    • Resource/protocol accessed by the VPN client (AD, RDP, SSH)
    • Outgoing connection from the VPN appliance
    • Client VPN country
    • HR account connecting with a Linux machine … named kali.

… be creative in finding things that you don’t expect in your environment. Detecting threats is not only about finding malware; it is about flagging things that you don’t expect in your context. “Normal” means something totally different for every organization, and this should be turned to your advantage.

Malware will be discussed later, but most techniques used by the threat actors rely on legitimate credentials and legitimate commercial tools.

  • Instant Patching: Ensure that you are subscribed to the advisories of every product or appliance exposed on your perimeter. You must have an instant patching policy for critical vulnerabilities, reducing delays in applying patches unless the operational impact has a higher cost than a security breach, bearing in mind that a security breach will likely cause an operational impact at some stage.
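As an added example (not code from the original post or from Kudelski Security), the baseline-deviation checks listed above, plus the account-creation password alert, written as a small detector over constructed VPN appliance log lines. The key=value log format, the field names, the allowed-country list and the expected update destination are assumptions standing in for an organization’s own baseline.

```python
import re

# Constructed sample events in an assumed key=value format (not a real vendor's).
SAMPLE_LOGS = """\
event=vpn_login user=alice@corp.example src_country=CH client_host=ALICE-LAPTOP auth=ldap
event=vpn_login user=admin src_country=US client_host=WIN10-PC auth=local
event=vpn_login user=bob@corp.example src_country=RU client_host=bob-thinkpad auth=ldap
event=vpn_login user=hr.jane@corp.example src_country=CH client_host=kali auth=ldap
event=outbound dst=203.0.113.7 dst_port=443
event=outbound dst=198.51.100.9 dst_port=8443
"""

# Assumed per-organization baseline; every value here is a placeholder.
ALLOWED_COUNTRIES = {"CH", "DE", "FR"}
EXPECTED_OUTBOUND = {("203.0.113.7", 443)}       # e.g. the vendor update server
DENYLISTED_PASSWORDS = {"Numlock!123"}           # password quoted in the post
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(KV.findall(line))

def check_event(ev):
    """Return (rule, detail) findings for one parsed event against the baseline."""
    findings = []
    if ev.get("event") == "vpn_login":
        if ev.get("auth") == "local":            # local accounts should not open VPN sessions
            findings.append(("local_account_vpn_login", ev["user"]))
        if ev.get("src_country") not in ALLOWED_COUNTRIES:
            findings.append(("unexpected_client_country", ev["src_country"]))
        if "kali" in ev.get("client_host", "").lower():
            findings.append(("unexpected_client_hostname", ev["client_host"]))
    elif ev.get("event") == "outbound":          # appliance itself reaching out
        dst = (ev.get("dst"), int(ev.get("dst_port", 0)))
        if dst not in EXPECTED_OUTBOUND:
            findings.append(("unexpected_outbound_from_appliance", f"{dst[0]}:{dst[1]}"))
    return findings

def scan(text):
    """Run check_event over every line; returns a flat list of findings."""
    return [f for line in text.splitlines() for f in check_event(parse(line))]

def account_creation_allowed(password):
    """Provisioning-time hook: refuse (and alert on) the denylisted password."""
    return password not in DENYLISTED_PASSWORDS

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOGS):
        print(f"ALERT {rule}: {detail}")
```

Only the first sample line matches the baseline; the others each raise one or more alerts, and the provisioning hook rejects the quoted password.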

Now what?

Cybercriminals must navigate an entire operation without raising suspicion to evade detection by defenders. Our analysis reveals that criminals consistently document the security products used by their targets and the methods to neutralize some of them. Those experienced in Red Team exercises can attest that gaining access may be straightforward, but executing actions covertly presents a far greater challenge. Successfully conducting a full operation without being detected, in an unfamiliar IT environment equipped with effective detection mechanisms, can be very challenging.

Given that defenders cannot achieve a perfect zero-compromise, breach must be assumed, but they can thwart cybercriminal operations at some point. As defenders, we are the architects of the battlefield, strategically positioning our tools and traps. When executed effectively, this places threat actors at a strong disadvantage.

In this part 1, we’ve explored strategies primarily for reducing the likelihood of becoming a target for criminals, along with ideas for gathering early indicators of the attack stages.

In the subsequent sections, we will deep dive into the later stages of attacks and examine what defenders can do. Stay tuned for more insights.
