
Give it a couple of minutes if we're early, then. Should I wait?
>> Everything is very wobbly around here. I'll give it one minute.
>> Yep.
>> Okay. Hello everyone. My name is Peter McKenzie and I want to talk about the lighter side. This is not a technical talk, or at least not for this audience. I'll start by saying, imagine, put yourself in the scene. There's a company, about a thousand devices. They got hit by ransomware. My team were brought in to help investigate and neutralize the threat. We're about five days into it and we'd identified initial access. We'd worked out some of the accounts that were being used. We'd worked out what had been stolen, and we were on a daily update call with the customer, about five of my team and, I don't know, ten of the customer. And it was perfect timing, because I said to them, "I believe we've removed the threat actor from your estate," and one of their admins responded with, "My mouse is moving." And that mouse went to the ransom note on his desktop, opened it up and just left it. So we didn't feel as confident anymore that we'd removed them.

What had happened was this customer wasn't necessarily the easiest one to work with, and they had refused to move to out-of-band communications. So they were still using the corporate email, which the attacker was monitoring. So they knew when our meeting was. And they'd refused to let us block ScreenConnect because the admins wanted to use it, even though we told them we thought the attacker was using it too. This gave us the proof. They had waited for our meeting, they'd connected via ScreenConnect and they'd gone and opened the ransom note live on screen. So the engagement lasted a little bit longer than we were expecting it to.

But anyway. Oh, I turned the clicker off. Sorry. Who am I? So I've been at Sophos for 14 years. I run a global team, about 60 people, a whole variety: it's IR, it's DFIR, it's tabletops, IR plans, a whole variety of people. I have no idea how many engagements I've been involved in now. Hundreds, hundreds, thousands probably. And yeah, I'm so sick of ransomware. I am absolutely sick of ransomware. Marketing teams have asked me what's next. It's just more of the same, I'm sorry to tell you. Someone asked me this yesterday: is it a nine-to-five job? No, it is not a nine-to-five job. It can be, but you work in a situation where you've got a hospital. You can't tell them, "Oh, just park the ambulances, turn off the ventilators, we'll come back at nine on Monday." It doesn't work like that.

Why am I here? First of all, that's not actually me. I put my profile picture into ChatGPT and said, "Put me in a t-shirt like that," and it did it. And that freaks me out a little bit, to be honest. But anyway, no, I just really enjoy digital forensics and incident response. One of the things that annoys me when I go to conferences is you see the red team village and you see the blue team village, and there's always a longer queue for the red team village, because that's the hackers. You look at those people and you think "sexy", don't you? But I prefer the blue team. You're a detective. You're using your brain. You're solving mysteries. You're helping people. You're helping, you know, ambulances get back to working, operating theatres reopening. I think it's very serious and entertaining work.

So I'm going to go through a few stories today. They're from the last few years. The dates aren't really important, but I'm sure you'll recognize some of the names. I've hidden most of the dates, to be honest.

Anyway, we'll start with multiple attackers, so involving three different ransomware groups. We think there was probably an initial access broker here, because we saw initial access happen April 2nd: exposed RDP, obviously, you know, Ransomware Deployment Protocol. We still see it as initial access so many times. That was April 2nd. A little bit of time goes on, April 1st, we then... I'm not showing the entire attack, just some key points here, but we see exfiltration of data up to Mega, the New Zealand cloud storage provider, commonly used. And then April 28th, we see Mimikatz again, getting some admins, domain admins, things like that. And then May 1st, a few more days later, LockBit gets deployed across the network with Microsoft PsExec. Very common tool used for that kind of thing. Four hours... oh sorry, and there's the ransom note for the LockBit attack. Four hours later, Hive ransomware. Literally four hours later, Hive ransomware deployed via GPO. Very devastating way of doing ransomware, in my opinion. And it was different accounts. We did track it back to the same initial access account, same admin account, but as far as we could tell, they were doing things on some different computers using different accounts, different tools. They went and got domain admin in their own way. And we're like, I don't think this is the same attack. We think this is two different attackers who just happen to be on the machine at the same time. So that's the Hive ransom note, and a couple of weeks are going past. The victim's still trying to recover. They haven't got back to normal. They haven't involved anyone. We're not involved at this point. And then event logs start getting cleared. Something else is going on. That's when BlackCat ransomware came in. They deployed their ransomware via PowerShell, another method. There's their ransom note. Now you've got three different attacks in two weeks. Absolutely devastating. The customer hasn't done anything, you know. Sorry, had to use that.

So that's when they called my team in and we started investigating. Interestingly, they didn't even know about the Hive ransomware attack. They knew they'd got hit by ransomware and then they got hit two weeks later. It was us that told them, "By the way, there's three here." They hadn't worked it out at all. But one of my team, I don't know, six hours into the investigation, he hurriedly comes to me going, "Look at this screenshot. Look at this screenshot." So this is from their file server. Ignore the files, it doesn't matter. If we just dig into this a little bit, there's an original file name, util.pack.pbl, right? That's just a normal file. It got encrypted. So LockBit encrypted it and they added their extension onto the end. But then Hive ran four hours later. They found a file. They don't care, they don't know it's encrypted. They encrypted it and they added their extension. But LockBit was still running on the server, so it then found the file again and encrypted it a second time. But Hive was still running on the server, so it then found it again. And then two weeks later, when they hadn't recovered, they still had the encrypted files lying around. That's when BlackCat came in and encrypted it for a fifth time. Quintuple. I had to Google that word, but yeah, quintuple. And if you look close, you can also see there's a BlackCat ransom note, and there's an encrypted LockBit ransom note. So if you were to try and pay, you would first have to pay BlackCat before you could even look at the ransom note for LockBit, and you'd have to pay that too. I mean, you're just not getting your files back. I don't think anyone's ever tested if you can actually get them back in that situation, but I wouldn't spend your money, to be honest. And yeah, we've seen double encryption before. I've seen an attack, I forget the group, but they exfiltrated data that had been encrypted from an attack a few weeks earlier. So they were exfiltrating encrypted data. Well, that's not really that useful. But anyway.

My next story. So, BlackCat turned blue hat. If you know the name BlackCat, they normally go by ALPHV. You see the "ALPHV". Can I just make sure everyone knows: it's not a V, it's an upside-down A. They think they're cool. Well, they thought they were. So it's Alpha. Alpha is actually the name, not ALV. Anyway, completely irrelevant to the story. The attack in this one isn't anything interesting: BlackCat ransomware, they got into a network. It was a large US school, thousands of students, and they launched their ransomware. $600,000 ransom demand. What is the funny part is what happened after that. So here's the ransom note. They're talking about uploading 500 GB of data. That roughly aligned with what we found as well, so they were probably telling the truth there. The victim negotiated and got the ransom down to $100,000. They paid it. Their backups were gone, their virtual hosts were gone, everything was gone. They were completely stuck. So they paid $100,000 to get the decryptor and a report. I know, don't bother trying to read that, I'm going to zoom in, but report.ext is what the attackers provided them along with the decryptor. And I'll show you some of the bits that stood out for me in this one.

"Those points should answer most questions. If you want to know anything else or have any problems with decryption, let us know." Aren't they nice and helpful? Isn't that nice? "We had an old critical Log4j vulnerability not fixed on Horizon. This is how we were able to get in." We confirmed that as well, so they weren't lying. This was genuinely how they got in. "Once inside your Horizon VM, we dumped credentials, got some domain admin, cracked the hash, and were able to move laterally. It's absolute madness to have 3,000 computers on the same domain. You should split all your machines into different domains," etc., etc. You get the idea. Now, I read that and I thought, well, yeah, that's obvious. This is good advice. I saw that and I said, "Tell me you've never had a real IT job without telling me you've never had a real IT job." But yeah. Also, "You should routinely review sensitive information like passports, bank accounts, and so on. Try searching on your file servers for passport, driving licence." Yeah. I always tell people this is a very simple command. Go to your CEO or whatever, go to your HR server and show him or her this command. Go to your C drive: dir /a /s *passport* (you need the asterisks; passport, password, pass, whatever) and it will just list everything it finds that has that file name or that word in the file. It's like a poor man's e-discovery right there. There are always people's passports, and they are always the executives', because their assistants have saved your passport somewhere so they can book your travel. We always find passports and they're so easy to find.

"Once the network was scanned, we went for the backup servers. You should have them on a different domain, under five different keys, 2FA." Quite extreme, but fair enough. "Don't use any massively used backup software. It's a gold mine for us. Can't go deeper on that. Just don't use any of the big names." So that's why I had my tinfoil hat prop. But what we assume they mean by that is the big names: they see them more often, they know how to use them, therefore it's easier for them. Simple as that. So I wouldn't say avoid the big names, but just understand that they probably know how to use them better than you do. "At this point, it should be clear that having your database of passwords for all services, servers, whatever, on the local network..." They had an Excel file with all their passwords in, called "password", obviously. Okay, fair enough, I did bold this line. "We have to say Sophos is a good AV. However, no one monitors the logs on your network, or at least doesn't on weekends." Okay, I did show this bit just because of the reference to us, but it is true. It doesn't matter what technology you've got. It doesn't matter if it's Sophos, CrowdStrike, whatever it is. If no one knows how to use it, if no one's monitoring it, it's just a matter of time before they eventually win.

General recommendations we're into now. "Install hard-to-override antivirus." They spelled... let me just correct that typo. Yeah, Sophos. "Obligatory 2FA function." Yeah, blah blah blah. I just wanted to make that joke. "I would say for an organization like yours, Sophos is good. No need to buy 3,000 licenses. Just install Sophos on your servers, which are domain controllers, file servers, backups, critical servers." Again, this comes back to the earlier point of, you know, it's madness to have everything on the same network. They're talking about only installing antivirus, whatever, on the things that would have slowed them down. No concept or awareness that actually this school has other threats to deal with, like the students generally, you know. So, yeah: "Wherever possible, 2FA must be enabled, at least for domain admins, at least for the most important services." Now read that again in a pleading voice. This is the attacker: wherever possible, 2FA must be enabled, at least your domain admins, at least... please do security better. "It's been an honor working with you." Very debatable. "We don't like to [ __ ] over schools or kids. This is just business and it's been a cheap lesson for you." Again, I think that's a matter of opinion. "You can't have thousands of PCs on the same domain," blah blah blah. "We are just money motivated. There are some people out there which could have deleted, encrypted and never replied." Yeah, aren't they nice? And then the absolute favorite part of this. Now, this is a US school. "Best wishes. Keep up the good maple syrup and trucker protest." So maple syrup can only be a reference to Canada. There were trucker protests going on in Canada at the time. This school didn't have the word Canada in the name. It was nowhere near Canada. We have no idea why they think they're Canadian. But anyway.
>> People show up in the US.
>> Well, maybe, maybe. But there was a trucker protest in Canada going on, so that was our assumption. But anyway, right, onto my last one. Imposter among us. So again, the actual attack isn't the fascinating part here. A threat actor got onto a network, about 50,000 employees, very large company, and once they gained access, they stole our Sophos installer file. This is not a product pitch, but if you have our cloud-managed console, you get our installer, you go put it on a machine, that machine installs our product and it registers with the console, right? They came in, they did some stuff, and the customer actually noticed and they managed to deal with it, but they had taken this install file. Now, we didn't know about any of this at the time, but the customer contacted us a couple of weeks later saying, "I'm getting these weird detections for this malware stuff, and it's on a machine called Sophos. I don't have a machine called Sophos. I certainly don't have a domain called RSA and a user called SH. What's going on here?" So they looked at the machine. This is the Sophos device, local IP 192.168.137.217, not a range they were using, and there's a whole bunch of different malware detections. And you can see, maybe not, but at the bottom you've got the messages of what you see when a new machine installs and registers: new computer, there's a name, there's the user, and it's starting to install itself. So the first user was a user called KK, but then it quickly gets the RSA domain and the SH user. And then malware starts getting picked up, very much looking like a test machine here.
Then the customer, after they spotted this, went and looked at that IP range and saw there's another machine on the network. This one's called MSE, Microsoft Endpoint, but it had Sophos installed on it, we think by mistake. And there's a whole load more malware being dumped, all very credential related, you know, Mimikatz, things like that, ProcDump. Same range. The first user on it was also the one called KK. So a definite link here. So what we knew about the attack at that moment was you've got a threat actor that's clearly stolen the Sophos installer and they're running it on some machines. Obviously the first question from the customer is, what risk is this for me? Very little. They have no access to the management console. They have no access to the network. At best, the threat actor's now got a free license. At worst, we're thinking, well, technically these machines get the customer's policies by default, so they could do a very specific test against that customer's policies, but we think they were probably just after a free license more than anything else.

But we didn't know a huge amount. The MSE machine was off by the time we got to it. The Sophos one was still online, but only for about an hour. So we did manage to capture some basic information: VMware machine, English language, Pacific time zone. We pulled the IPv6 and MAC. It was first ever set up on September 21st, 2021, when it was given its sort of random virtual machine name. It was then immediately renamed to something that clearly looks like a keyboard mash, and then it was named Sophos, and clearly being used as a Sophos test machine since then. It joined the, not really the RSA, but "RSA" domain, and we pulled its public IP address as well. But then it went offline. There was no EDR software on these machines, so we couldn't really get much information, especially with the time we had. Two weeks go past. We're like, that's it, oh well, that's a pity. But then the customer called us back very excitedly saying a server's come online. It's called AD, Windows 2022, same IP range, rsa.com. Pulled its public IP address and everything like that. What we think happened is the attacker installed our software on the domain controller for their test network, and the EDR software went onto it as well, and it was online. So this allowed us to start going, right, we can start pulling some information here. What else can we find?

So I started with, let's just look at the drives. Okay, it's got some, you know, C drives. It's got some shares. Okay, let's go look at some of the files on disk. Oh, yep, there's the KK user. Whole bunch of Mimikatz stuff. It's very much feeling like a test machine. I went and pulled the users. Look at those users down the bottom: Trend Micro, Symantec, ESET, Kaspersky, Sophos, McAfee. Very interesting. I thought I'd have a look at some network traffic. So this was just what processes were connecting out to what IP addresses. It looks like I've redacted it; that's just an indication of volume of traffic. By the time I finished, I realized that I was now the highest volume of traffic on that machine. But yeah, so I thought, right, okay. Oh, yeah, and it had been installed about a day before the customer realized. So we'd been capturing some of the commands the attacker had actually been running live on this machine. Again, it feels very much like a testing machine. User KK, password 1234. You'd think they'd know better, but no.

So we've got our AD server, we've got an MSE and a Sophos machine. We realized from the authentication logs that we can see the user MS was logging in from MSE, SH was logging in from SOPHOS, KAV was logging in from KASPERSKY, EST from ESET, TM from Trend Micro, SY from Symantec, and last and certainly least, we had MC from McAfee. So, yeah, the attacker was testing their attacks on all the main vendors out there. We always knew they did that kind of stuff, but it was just fascinating to see it play out in real time. And we pulled a few more details. We pulled the public IP address, the default gateway information. I'm not going to go too much into that, but we were able to get a few more bits of detail, identify the hosting provider, and then we remembered, wait a sec, we've got our EDR product on here. We've got remote shell. So we had a remote shell to this AD server, as SYSTEM. And I'm sure I don't need to tell you guys, but with a remote shell, you could obviously do a lot of interesting things now. Install things, take things. So, what did we do? We passed it over to the FBI. Yeah, so we thought, yeah, it's time to let someone else have a go. So we don't know what happened after that, but I'm sure someone had a bad day, or I hope someone had a bad day eventually. And that was it. I've got obviously many more stories. I don't know how I'm doing for time.
>> Got nine minutes.
>> I've got nine minutes. Okay, that was a lot slower.