US-CERT- AA22-249A: #StopRansomware: Vice Society

Started by Netwörkheäd, September 06, 2022, 08:52:38 PM

Previous topic - Next topic

Netwörkheäd

AA22-249A: #StopRansomware: Vice Society

[html]Original release date: September 6, 2022

Summary

Actions to take today to mitigate cyber threats from ransomware:



• Prioritize and remediate https://www.cisa.gov/known-exploited-vulnerabilities-catalog">known exploited vulnerabilities.

• Train users to recognize and report phishing attempts.

• Enable and enforce multifactor authentication.



Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing https://www.cisa.gov/stopransomware/stopransomware">#StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.



The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate IOCs and TTPs associated with Vice Society actors identified through FBI investigations as recently as September 2022. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.



Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, have been a frequent target of ransomware attacks. Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff. The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk. K-12 institutions may be seen as particularly lucrative targets due to the amount of https://www.ic3.gov/Media/News/2022/220526.pdf" style="color:#0563c1; text-decoration:underline">sensitive student data accessible through school systems or their managed service providers.



The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.



Download the PDF version of this report: https://us-cert.cisa.gov/sites/default/files/documents/aa22-249a-stopransomware-vice-society.pdf">pdf, 521 KB


Technical Details

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. See https://attack.mitre.org/versions/v11/matrices/enterprise/" style="color:#0563c1; text-decoration:underline">MITRE ATT&CK for Enterprise for all referenced tactics and techniques.



Vice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021. Vice Society actors do not use a ransomware variant of unique origin. Instead, the actors have deployed versions of https://www.cisa.gov/sites/default/files/publications/FLASH_CU_000154_MW_508c.pdf" style="color:#0563c1; text-decoration:underline">Hello Kitty/Five Hands and https://www.cisa.gov/uscert/ncas/alerts/aa22-223a" style="color:#0563c1; text-decoration:underline">Zeppelin ransomware, but may deploy other variants in the future.



Vice Society actors likely obtain initial network access through compromised credentials by exploiting internet-facing applications [https://attack.mitre.org/versions/v11/techniques/T1190/" style="color:#0563c1; text-decoration:underline">T1190]. Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrating data [https://attack.mitre.org/versions/v11/tactics/TA0010/" style="color:#0563c1; text-decoration:underline">TA0010] for double extortion--a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom. Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally. They have also used "living off the land" techniques targeting the legitimate Windows Management Instrumentation (WMI) service [https://attack.mitre.org/versions/v11/techniques/T1047/" style="color:#0563c1; text-decoration:underline">T1047] and tainting shared content [https://attack.mitre.org/versions/v11/techniques/T1080/" style="color:#0563c1; text-decoration:underline">T1080].



Vice Society actors have been observed exploiting the PrintNightmare vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-1675" style="color:#0563c1; text-decoration:underline">CVE-2021-1675 and https://nvd.nist.gov/vuln/detail/CVE-2021-34527" style="color:#0563c1; text-decoration:underline">CVE-2021-34527 ) to escalate privileges [https://attack.mitre.org/versions/v11/techniques/T1068/" style="color:#0563c1; text-decoration:underline">T1068]. To maintain persistence, the criminal actors have been observed leveraging scheduled tasks [https://attack.mitre.org/versions/v11/techniques/T1053/" style="color:#0563c1; text-decoration:underline">T1053], creating undocumented autostart Registry keys [https://attack.mitre.org/techniques/T1547/001/" style="color:#0563c1; text-decoration:underline">T1547.001], and pointing legitimate services to their custom malicious dynamic link libraries (DLLs) through a tactic known as DLL side-loading [https://attack.mitre.org/versions/v11/techniques/T1547/002/" style="color:#0563c1; text-decoration:underline">T1574.002]. Vice Society actors attempt to evade detection through masquerading their malware and tools as legitimate files [https://attack.mitre.org/versions/v11/techniques/T1036/" style="color:#0563c1; text-decoration:underline">T1036], using process injection [https://attack.mitre.org/versions/v11/techniques/T1055/" style="color:#0563c1; text-decoration:underline">T1055], and likely use evasion techniques to defeat automated dynamic analysis [https://attack.mitre.org/versions/v11/techniques/T1497/" style="color:#0563c1; text-decoration:underline">T1497]. Vice Society actors have been observed escalating privileges, then gaining access to domain administrator accounts, and running scripts to change the passwords of victims' network accounts to prevent the victim from remediating. 



Indicators of Compromise (IOCs)




   
      
         
      
      
         
      
      
         
      
      
         
      
   

         

Email Addresses


         

         

v-society.official@onionmail[.]org


         

         

ViceSociety@onionmail[.]org


         

         

OnionMail email accounts in the format of [First Name][Last Name]@onionmail[.]org


         


 




   
      
         
      
      
         
      
   

         

TOR Address


         

         

http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad[.]onion


         


 




   
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
   

         

IP Addresses for C2


         

         

Confidence Level


         

         

5.255.99[.]59


         

         

High Confidence


         

         

5.161.136[.]176


         

         

Medium Confidence


         

         

198.252.98[.]184


         

         

Medium Confidence


         

         

194.34.246[.]90


         

         

Low Confidence


         


See Table 1 for file hashes obtained from FBI incident response investigations in September 2022.



Table 1: File Hashes as of September 2022




   
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
   

         

MD5


         

         

SHA1


         

         

fb91e471cfa246beb9618e1689f1ae1d


         

         

a0ee0761602470e24bcea5f403e8d1e8bfa29832


         

         

 


         

         

3122ea585623531df2e860e7d0df0f25cce39b21


         

         

 


         

         

41dc0ba220f30c70aea019de214eccd650bc6f37


         

         

 


         

         

c9c2b6a5b930392b98f132f5395d54947391cb79


         


MITRE ATT&CK TECHNIQUES



Vice Society actors have used ATT&CK techniques, similar to Zeppelin techniques, listed in Table 2.



Table 2: Vice Society Actors ATT&CK Techniques for Enterprise




   
      
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
      
      
         
         
         
      
      
         
         
         
      
      
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
      
      
         
         
         
      
      
         
         
         
      
      
         
      
      
         
         
         
      
      
         
         
         
      
      
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
   

         

Initial Access


         

         

Technique Title


         

         

ID


         

         

Use


         

         

Exploit Public-Facing Application


         

         

https://attack.mitre.org/versions/v11/techniques/T1190/" style="color:#0563c1; text-decoration:underline">T1190


         

         

Vice Society actors exploit vulnerabilities in an internet-facing systems to gain access to victims' networks.


         

         

Valid Accounts


         

         

https://attack.mitre.org/versions/v11/techniques/T1078/" style="color:#0563c1; text-decoration:underline">T1078


         

         

Vice Society actors obtain initial network access through compromised valid accounts.


         

         

Execution


         

         

Technique Title


         

         

ID


         

         

Use


         

         

Windows Management Instrumentation (WMI)


         

         

https://attack.mitre.org/versions/v11/techniques/T1047/" style="color:#0563c1; text-decoration:underline">T1047


         

         

Vice Society actors leverage WMI as a means of "living off the land" to execute malicious commands. WMI is a native Windows administration feature.


         

         

Scheduled Task/Job


         

         

https://attack.mitre.org/versions/v11/techniques/T1053/" style="color:#0563c1; text-decoration:underline">T1053


         

         

Vice Society have used malicious files that create component task schedule objects, which are often mean to register a specific task to autostart on system boot. This facilitates recurring execution of their code.


         

         

Persistence


         

         

Technique Title


         

         

ID


         

         

Use


         

         

Modify System Process


         

         

https://attack.mitre.org/versions/v11/techniques/T1543/003/" style="color:#0563c1; text-decoration:underline">T1543.003


         

         

Vice Society actors encrypt Windows Operating functions to preserve compromised system functions.


         

         

Registry Run Keys/Startup Folder


         

         

https://attack.mitre.org/versions/v11/techniques/T1547/001/" style="color:#0563c1; text-decoration:underline">T1547.001


         

         

Vice Society actors have employed malicious files that create an undocumented autostart Registry key to maintain persistence after boot/reboot.


         

         

DLL Side-Loading


         

         

https://attack.mitre.org/versions/v11/techniques/T1547/002/" style="color:#0563c1; text-decoration:underline">T1574.002


         

         

Vice Society actors may directly side-load their payloads by planting their own DLL then invoking a legitimate application that executes the payload within that DLL. This serves as both a persistence mechanism and a means to masquerade actions under legitimate programs.


         

         

Privilege Escalation


         

         

Technique Title


         

         

ID


         

         

Use


         

         

Exploitation for Privilege Escalation


         

         

https://attack.mitre.org/versions/v11/techniques/T1068/" style="color:#0563c1; text-decoration:underline">T1068


         

         

Vice Society actors have been observed exploiting PrintNightmare vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-1675">CVE-2021-1675 and https://nvd.nist.gov/vuln/detail/CVE-2021-34527">CVE-2021-34527) to escalate privileges.


         

         

Defense Evasion


         

         

Technique Title


         

         

ID


         

         

Use


         

         

Masquerading


         

         

https://attack.mitre.org/versions/v11/techniques/T1036/" style="color:#0563c1; text-decoration:underline">T1036


         

         

Vice Society actors may attempt to manipulate features of the files they drop in a victim's environment to mask the files or make the files appear legitimate.


         

         

Process Injection


         

         

https://attack.mitre.org/versions/v11/techniques/T1055/" style="color:#0563c1; text-decoration:underline">T1055


         

         

Vice Society artifacts have been analyzed to reveal the ability to inject code into legitimate processes for evading process-based defenses. This tactic has other potential impacts, including the ability to escalate privileges or gain additional accesses.


         

         

Sandbox Evasion


         

         

https://attack.mitre.org/versions/v11/techniques/T1497/" style="color:#0563c1; text-decoration:underline">T1497


         

         

Vice Society actors may have included sleep techniques in their files to hinder common reverse engineering or dynamic analysis.


         

         

Lateral Movement


         

         

Technique Title


         

         

ID


         

         

Use


         

         

Taint Shared Content


         

         

https://attack.mitre.org/versions/v11/techniques/T1080/" style="color:#0563c1; text-decoration:underline">T1080


         

         

Vice Society actors may deliver payloads to remote systems by adding content to shared storage locations such as network drives.


         

         

Exfiltration


         

         

Technique Title


         

         

ID


         

         

Use


         

         

Exfiltration


         

         

https://attack.mitre.org/versions/v11/tactics/TA0010/" style="color:#0563c1; text-decoration:underline">TA0010


         

         

Vice Society actors are known for double extortion, which is a second attempt to force a victim to pay by threatening to expose sensitive information if the victim does not pay a ransom.


         

         

Impact


         

         

Technique Title


         

         

ID


         

         

Use


         

         

Data Encrypted for Impact


         

         

https://attack.mitre.org/versions/v11/techniques/T1486/" style="color:#0563c1; text-decoration:underline">T1486


         

         

Vice Society actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.


         

         

Account Access Removal


         

         

https://attack.mitre.org/versions/v11/techniques/T1531/" style="color:#0563c1; text-decoration:underline">T1531


         

         

Vice Society actors run a script to change passwords of victims' email accounts.


         


 



 


Mitigations

The FBI and CISA recommend organizations, particularly the education sector, establish and maintain strong liaison relationships with the FBI Field Office in their region and their regional CISA Cybersecurity Advisor. The location and contact information for FBI Field Offices and CISA Regional Offices can be located at http://www.fbi.gov/contact-us/field-offices" style="color:#0563c1; text-decoration:underline">www.fbi.gov/contact-us/field-offices and https://www.cisa.gov/cisa-regions" style="color:#0563c1; text-decoration:underline">www.cisa.gov/cisa-regions, respectively. Through these partnerships, the FBI and CISA can assist with identifying vulnerabilities to academia and mitigating potential threat activity. The FBI and CISA further recommend that academic entities review and, if needed, update incident response and communication plans that list actions an organization will take if impacted by a cyber incident.



The FBI, CISA, and the MS-ISAC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Vice Society actors:



Preparing for Cyber Incidents




       
  • Maintain offline backups of data, and regularly maintain backup and restoration.  By instituting this practice, the organization ensures they will not be
Let's not argue. Let's network!