Cyber Intel Brief: May 23 – 29, 2024

By Eric Ford, Sr. Threat Intelligence Analyst

Estimated Reading Time: 16 minutes

BitLocker Hijacked by VBS Script, Rust-Based Embargo Ransomware Surges, CISA Alerts on New Vulnerabilities, and Tips to Defend Virtual Environments

In our latest Cyber Intelligence Brief, Deepwatch ATI looks at new threats and techniques to deliver actionable intelligence for SecOps organizations. 

Each week we look at in-house and industry threat intelligence and provide ATI analysis and perspective to shine a light on a spectrum of cyber threats.

Attackers Use VBS Script to Hijack BitLocker, Encrypting Entire Volumes

Data Encryption – VBS Script – PowerShell – BitLocker Abuse – All Industries

Insights & Determinations

  • Sophisticated Threat: The VBS script represents a refined and targeted threat with significant risks to data confidentiality, system integrity, and operational continuity.
  • Advanced Capabilities: The script manipulates disk partitions, disables system protections, and uses legitimate tools like BitLocker for malicious purposes.
  • Global Reach: Instances of the script have been detected in Mexico, Indonesia, and Jordan, indicating a wide geographic spread.
  • System Evasion: The script includes multiple functions tailored for different Windows versions, ensuring broad compatibility and evasion of defenses.

Threat Analysis

Note: The following is based on Kaspersky’s analysis of a VBS script, Drive.vbs, with the hash 842f7b1c425c5cf41aed9df63888e768. The script and modified versions have been spotted in Mexico, Indonesia, and Jordan.

While it’s unclear how the script was delivered, it was discovered in the C:\ProgramData\Microsoft\Windows\Templates\ directory. Some evidence suggests the delivery of this script occurs later in the attack chain, potentially in the middle to final stages of the attack. 

The script’s first lines contain a function that converts a string to its binary representation. It is later used to encode data in an HTTP POST request.

The first step of the main function is to query information about the operating system using Windows Management Instrumentation (WMI). For each object in the results, the script checks whether the current domain differs from the target; it then checks whether the operating system name contains “xp,” “2000,” “2003,” or “Vista.” If any of these checks is true, the script terminates.

Next, the script continues using WMI, querying information about the OS. It then performs disk resizing operations on fixed drives (DriveType = 3), which may vary depending on the OS version.

The script identifies the primary boot partition and saves that information, along with the index of each partition, so it can resize the local drives on Windows Server 2008 or 2012. It then performs the following actions:

  1. Shrinks each non-boot partition by 100 MB, leaving 100 MB of unallocated space on each.
  2. Splits the unallocated space into new 100 MB primary partitions.
  3. Formats the partitions with the override option, forcing a dismount first if necessary, and assigns a file system and a drive letter to each.
  4. Activates the partitions.
  5. If the shrink procedure succeeded, stores “ok” in a variable so the script can continue.

The script also changes the label of the new boot partitions to the attacker’s email address (TEL onboardingbinder@proton[.]me).

If the operation is successful, the script uses the bcdboot utility and the previously saved drive letter as a boot volume to reinstall the boot files on the new primary partitions. The partition shrink operations for other OS versions are similar.

The script then adds several registry entries to disable RDP connections, enforce smart card authentication, and require the use of a BitLocker PIN, among other things.

The script includes multiple functions, each intended for a different version of Windows, to carry out these operations. In certain conditions, it verifies if the BitLocker Drive Encryption Tools are active using the ID 266 of Remote Server Administration Tools. Then, the script checks if the BitLocker Drive Encryption Service (BDESVC) is running and starts the service if it is not.

The script then disables and deletes the protectors used to secure BitLocker’s encryption key. The deletion method varies depending on the OS version. In Windows Server 2008 or Windows 7, the script uses VBS features and then PowerShell to force the deletion of the protectors. After completing the deletion, it enables a numerical password and encryption feature as a protector.

Next, the script generates a 64-character encryption key using a random multiplication and replacement of the following elements:

  • A variable with the numbers 0–9;
  • The pangram, “The quick brown fox jumps over the lazy dog,” in lowercase and uppercase.
  • Special characters.

The randomness of this encryption key is accomplished by a seed made of various elements of the affected system, such as used memory and network statistics. Later, this information is sent to the attacker. 

The script then uses PowerShell to convert the previously generated encryption key to a secure string—a PowerShell option that prevents creating a string object in memory—effectively enabling BitLocker on the drives.

The script then creates an HTTP POST request that:

  • Uses WinHTTP version 5.1.
  • Accepts the French language.
  • Ignores SSL errors.
  • Disables redirects.
  • Carries the victim’s IP address, computer name, Windows version, affected drives, and the password string.

The POST requests are sent to the legitimate domain trycloudflare.com, which is used to mask the actual address (scottish-agreement-laundry-further). If an error occurs, the script retries the request up to five times.

After removing the BitLocker protectors and configuring drive encryption, the script validates if the computer name matches a hardcoded value, and if it does, deletes the following files:

  • \Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml
  • \scripts\Login.vbs
  • \scripts\Disk.vbs
  • C:\ProgramData\Microsoft\Windows\Templates\Disk.vbs

Then, the script:

  • Clears the Windows PowerShell and PowerShell Operational logs with wevtutil. 
  • Turns on the system firewall and deletes all of its rules. 
  • Deletes the tasks VolumeInit and VolumeCheck. 
  • Performs a forced shutdown.

After the shutdown, the victim will see the BitLocker screen. If users try to use the recovery options, they will only see the message, “There are no more BitLocker recovery options on your PC.”
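For detection engineering, the following is an added example written for this brief; it is not code from Kaspersky’s analysis or from the script itself. It scans process-creation records (Windows Security 4688 or Sysmon Event ID 1 style, reduced to host, parent, image and command line) for the behaviours described above and scores each host by how many distinct behaviours it shows. The event records are constructed, and the command-line patterns are assumptions about how those actions would surface if carried out with the standard tools (manage-bde, Enable-BitLocker, bcdboot, wevtutil, netsh, schtasks, shutdown); the write-up describes the actions but not the exact invocations, so the patterns should be tuned against real telemetry.

```python
"""Scores hosts for the ShrinkLocker-style BitLocker abuse chain described above.

Added example (not Kaspersky's or Deepwatch's code). Input records are
process-creation events reduced to host, parent image, image and command line;
the SAMPLE_EVENTS below are constructed, not real telemetry.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# (rule name, pattern over the command line). The patterns are assumptions about
# how each action in the write-up would look if done with the standard tools.
RULES = [
    ("vbs_from_templates_dir",
     re.compile(r"ProgramData\\Microsoft\\Windows\\Templates\\\S+\.vbs", re.I)),
    ("bitlocker_protectors_deleted",
     re.compile(r"manage-bde.*-protectors.*-delete", re.I)),
    ("bitlocker_enabled",
     re.compile(r"Enable-BitLocker|manage-bde\s+-on\b", re.I)),
    ("bcdboot_boot_files_rewritten", re.compile(r"\bbcdboot\b", re.I)),
    ("powershell_logs_cleared",
     re.compile(r"wevtutil\s+(cl|clear-log)\s+.*PowerShell", re.I)),
    ("firewall_rules_deleted",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+delete\s+rule\s+name=all", re.I)),
    ("volume_tasks_deleted",
     re.compile(r"schtasks.*/delete.*Volume(Init|Check)", re.I)),
    ("forced_shutdown", re.compile(r"\bshutdown(\.exe)?\b.*\s/f\b", re.I)),
]


def match_rules(event):
    """Return the rule names an event trips. Any of these tools launched by a
    script host is tagged separately: an interactive admin rarely runs them
    from wscript/cscript."""
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    parent = event.get("parent", "").lower()
    if parent in SCRIPT_HOSTS and event["image"].lower() not in SCRIPT_HOSTS:
        hits.append("launched_by_script_host")
    return hits


def score_hosts(events):
    """Map host -> sorted list of distinct behaviours observed on it."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev))
    return {host: sorted(rules) for host, rules in per_host.items()}


def alerts(events, threshold=3):
    """Hosts showing at least `threshold` distinct behaviours: one of them
    (e.g. a log clear) is noise on its own, several together are the chain."""
    return {h: r for h, r in score_hosts(events).items() if len(r) >= threshold}


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"host": "FIN-WS01", "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\ProgramData\Microsoft\Windows\Templates\Drive.vbs"},
    {"host": "FIN-WS01", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "manage-bde -protectors -delete C:"'},
    {"host": "FIN-WS01", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -Command "Enable-BitLocker -MountPoint C: -PasswordProtector"'},
    {"host": "FIN-WS01", "parent": "wscript.exe", "image": "bcdboot.exe",
     "cmdline": r"bcdboot C:\Windows /s E:"},
    {"host": "FIN-WS01", "parent": "wscript.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil cl Microsoft-Windows-PowerShell/Operational"},
    {"host": "FIN-WS01", "parent": "wscript.exe", "image": "netsh.exe",
     "cmdline": "netsh advfirewall firewall delete rule name=all"},
    {"host": "FIN-WS01", "parent": "wscript.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /delete /tn VolumeInit /f"},
    {"host": "FIN-WS01", "parent": "wscript.exe", "image": "shutdown.exe",
     "cmdline": "shutdown /s /f /t 0"},
    # benign admin activity on another host: should not alert
    {"host": "HR-WS02", "parent": "cmd.exe", "image": "manage-bde.exe",
     "cmdline": "manage-bde -status C:"},
    {"host": "HR-WS02", "parent": "explorer.exe", "image": "shutdown.exe",
     "cmdline": "shutdown /r /t 0"},
]

if __name__ == "__main__":
    for host, rules in alerts(SAMPLE_EVENTS).items():
        print(host, rules)
```

The threshold matters more than any single rule: a cleared PowerShell log or a bcdboot run is ordinary on its own, but a host that shows a protector deletion, a boot-file rewrite and a log clear within the same session matches the chain the analysis describes. Pair the detection with a preventive check that every BitLocker volume has a recovery password protector escrowed (in Active Directory or Entra ID) before an attacker can remove it.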

Risk & Impact Assessment

This script represents a sophisticated and targeted threat with significant risks to data confidentiality, system integrity, and operational continuity. The script’s advanced capabilities and evasion techniques make it a persistent and dangerous threat, necessitating robust defensive measures to mitigate its impacts. Organizations must be prepared to address such an attack’s immediate and long-term consequences, including potential legal, regulatory, and reputational damage.

The primary risks associated with this script lie in its ability to manipulate disk partitions, disable system protections, and encrypt systems using BitLocker, posing a significant threat to organizational operations, systems, and data. The direct impacts of these risks include:

  • Encrypting entire volumes with BitLocker and stealing the encryption key leads to loss of access to critical data, resulting in operational downtime and potential revenue loss.
  • The forced shutdown and reconfiguration of system partitions disrupt business operations, causing significant delays and productivity loss.
  • The potential exfiltration of data compromises sensitive information, leading to breaches of confidentiality.

Beyond these risks and impacts, organizations suffering from such an infection could face other risks and impacts, such as: 

  • Reputation Damage: Loss of trust among customers, partners, and stakeholders could severely damage an organization’s reputation and lead to a business decline and difficulty acquiring new customers.
  • Legal and Regulatory Risks: Legal risks associated with data breaches, including litigation from affected parties and penalties from regulatory bodies for failing to comply with data protection laws.
  • Long-term Strategic Changes: Beyond immediate consequences, there can be long-term strategic impacts, such as the need to overhaul cybersecurity practices, implement new security technologies, and possibly retrain staff, all of which require significant investment.

Source Material: Kaspersky (Securelist), ShrinkLocker: Turning BitLocker into ransomware


Defending Against Virtual Environment Ransomware Attacks

Ransomware – Virtual Environments – Mitigation Strategies – All Industries – VMware ESXi

Insights & Determinations

  • Increasing Threat: According to Sygnia, ransomware attacks targeting virtual environments, particularly affecting VMware ESXi infrastructures, are on the rise.
  • Common Attack Pattern: Most attacks follow a common pattern, from initial access to lateral movement, access validation, ransomware delivery, and backup compromise.
  • Operational Impact: Virtual machines are critical for business operations, and attacks on these systems can lead to substantial data loss, operational disruptions, and significant financial impacts.
  • Security Measures Needed: Effective defense strategies include robust monitoring, secure backups, strong authentication and authorization, system hardening, and strict network restrictions.
  • Sygnia’s Observations: Sygnia’s Incident Response team has identified these patterns and provided detailed strategies to mitigate the risks associated with these attacks.

Overview

In recent years, Sygnia’s Incident Response team has observed increased ransomware attacks targeting virtualized environments, especially VMware ESXi infrastructure. These critical IT infrastructure platforms often have misconfigurations and vulnerabilities, making them prime targets for ransomware groups like LockBit and BlackMatter.

Common Virtual Environment Ransomware Attack Chain

Sygnia discovered that ransomware attacks on virtualization environments follow a common attack chain:

  1. Initial access:
    • Phishing attacks.
    • Downloading malicious files.
    • Exploiting known vulnerabilities in internet-facing assets.
  2. Lateral movement and privilege escalation:
    • Escalate privileges to obtain credentials for ESXi hosts or vCenter by:
      • Altering domain group memberships for domain-connected VMware.
      • Employing brute-force attacks.
      • Executing RDP hijacking attempts that target IT personnel.
      • Utilizing exploits such as ESXiArgs.
  3. Access validation: After securing initial access to the virtualization infrastructure, attackers validate their ability to interface with it.
    • If denied, attackers use vCenter to enable SSH on all ESXi servers. They might also reset server passwords or execute commands remotely using custom-made vSphere Installation Bundles (VIBs).
  4. Ransomware delivery on ESXi hosts.
  5. Compromise of backups: Attackers may then try to seize control of backup systems by:
    • Encrypting or deleting backup storage and, in some instances, changing the passwords for the backup system.
  6. Exfiltration of data to external locations.
  7. Ransomware execution: Shut down all virtual machines and encrypt the ESXi filesystem’s ‘/vmfs/volumes’ folder.
  8. Additional ransomware deployment: Attackers with access to deployment mechanisms, such as SCCM or Active Directory, may spread additional ransomware to non-virtualized servers and workstations.
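The chain above maps directly onto a staged detection. The script below is an added example, not Sygnia’s code: it parses a constructed ESXi/vCenter-style log (timestamp, host, source, message), tags each line with the attack-chain stage it corresponds to, reports per-host stage progression, and raises a fleet-level indicator when SSH is enabled on several hosts within a short window, which is the pattern the write-up attributes to attackers regaining access through vCenter. The log format, host names and message fragments are assumptions chosen for the example, not strings taken from Sygnia’s report; map the patterns to your own hostd, vobd and backup-platform audit events.

```python
"""Stage-progression detector for the ESXi ransomware attack chain above.

Added example, not Sygnia's code. Log lines follow a constructed format
'<ISO time> <host> <source>: <message>'; the message fragments matched below
are assumptions standing in for real hostd/vobd/backup-platform audit events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Attack-chain stages (subset of the list above) and the message each maps to.
STAGES = [
    ("ssh_enabled", re.compile(r"SSH access has been enabled", re.I)),
    ("custom_vib_install", re.compile(r"esxcli software vib install", re.I)),
    ("root_password_reset", re.compile(r"password changed for user root", re.I)),
    ("backup_tampering",
     re.compile(r"backup (job|repository) deleted|backup .*password changed", re.I)),
    ("mass_vm_poweroff",
     re.compile(r"vim-cmd vmsvc/power\.off|esxcli vm process kill", re.I)),
]


def parse(line):
    """Split one constructed log line into its fields."""
    ts, host, rest = line.split(" ", 2)
    source, msg = rest.split(": ", 1)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "source": source, "msg": msg}


def classify(event):
    """Name of the first stage whose pattern matches the message, else None."""
    for name, rx in STAGES:
        if rx.search(event["msg"]):
            return name
    return None


def host_progression(lines):
    """Per host: the distinct stages seen, ordered by first occurrence."""
    first_seen = defaultdict(dict)
    for ev in map(parse, lines):
        stage = classify(ev)
        if stage is None:
            continue
        times = first_seen[ev["host"]]
        if stage not in times or ev["time"] < times[stage]:
            times[stage] = ev["time"]
    return {h: sorted(t, key=t.get) for h, t in first_seen.items()}


def chain_alerts(lines, min_stages=2):
    """Hosts on which several chain stages have already occurred."""
    return {h: s for h, s in host_progression(lines).items() if len(s) >= min_stages}


def ssh_enablement_burst(lines, window=timedelta(minutes=10), min_hosts=2):
    """Fleet-level indicator: SSH enabled on several hosts inside one window,
    as when attackers use vCenter to get a shell on every ESXi server.
    Returns the hosts of the first such burst, or [] if none."""
    events = sorted((ev["time"], ev["host"]) for ev in map(parse, lines)
                    if classify(ev) == "ssh_enabled")
    for i, (t0, _) in enumerate(events):
        hosts = {h for t, h in events[i:] if t - t0 <= window}
        if len(hosts) >= min_hosts:
            return sorted(hosts)
    return []


SAMPLE_LOG = [  # constructed; esx04 is an isolated maintenance-window event
    "2024-05-23T09:00:00Z esx04.corp.local hostd: SSH access has been enabled",
    "2024-05-24T02:10:05Z esx01.corp.local hostd: SSH access has been enabled",
    "2024-05-24T02:10:07Z esx02.corp.local hostd: SSH access has been enabled",
    "2024-05-24T02:10:09Z esx03.corp.local hostd: SSH access has been enabled",
    "2024-05-24T02:14:30Z esx01.corp.local shell: esxcli software vib install -v /tmp/custom.vib",
    "2024-05-24T02:20:11Z esx01.corp.local hostd: password changed for user root",
    "2024-05-24T02:41:00Z backup01.corp.local backup-audit: backup repository deleted by user svc_backup",
    "2024-05-24T02:55:42Z esx01.corp.local shell: vim-cmd vmsvc/power.off 12",
    "2024-05-24T02:55:44Z esx01.corp.local shell: vim-cmd vmsvc/power.off 13",
    "2024-05-24T03:00:00Z esx02.corp.local hostd: Task: Reconfigure virtual machine",
]

if __name__ == "__main__":
    print("SSH burst:", ssh_enablement_burst(SAMPLE_LOG))
    for host, stages in chain_alerts(SAMPLE_LOG).items():
        print(host, "->", stages)
```

The burst check is the earliest signal in the chain: a single SSH enablement is routine maintenance, but three hosts enabled within seconds of each other points to a scripted vCenter action. The per-host progression then tells responders how far the chain has advanced, which decides whether the priority is isolating the host or protecting the backup platform.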

Risk & Impact Assessment

Attackers targeting virtual machines (VMs) with ransomware can cause substantial data loss, operational disruption, and financial strain for organizations.

VMs are critical for many business operations. Attacks on these systems compromise data, disrupt services, and impact financial stability.

Risks & Impacts:

  • Data Loss:
    • Encrypted VM data becomes inaccessible.
    • Compromised backups prevent recovery.
  • Operational Disruption:
    • VM shutdowns lead to significant downtime.
    • Interruptions in services relying on VMs, such as databases and applications.
  • Financial Impact:
    • Costs due to downtime and lost productivity.
    • Expenses for incident response and potential ransom payments.
    • Long-term financial impact from reputational damage.
  • Security and Compliance Risks:
    • Exposure of sensitive data through exfiltration.
    • Non-compliance with data protection regulations can lead to legal penalties.
  • Increased Vulnerability:
    • Attacks on VMs may expose other network areas.
    • Attackers may gain footholds for additional attacks.
  • Resource Allocation:
    • Significant resources may need to be diverted to incident response.
    • Increases the need for investment in security infrastructure and training.

Source Material: Sygnia, ESXi Ransomware Attacks: Evolution, Impact, and Defense Strategy


The Rise of Rust-Based Embargo Ransomware

Embargo Ransomware – Rust – Double Extortion – ALPHV (Blackcat) – All Industries

Insights & Determinations

  • Rise of Rust: A new variant of Embargo ransomware has been developed using the Rust programming language. Rust has become a popular choice among developers due to its safety, performance, and productivity features. The trend of malware being written in Rust will likely continue.
  • Double Extortion Tactics: The threat actors behind the ransomware used this strategy of encrypting the data and then threatening to publish it. This increases the pressure on victims to comply with ransom demands. 
  • 4 Victims and Counting: It has been disclosed that four victims from the United States, Germany, and Australia have been impacted by Embargo. This number is highly likely to rise.
  • That looks familiar: There are many similarities between Embargo ransomware and ALPHV (Blackcat) ransomware, including the structure of their leak sites. 

Threat Analysis

This Rust-based version of Embargo ransomware accepts arguments via the command line, which gives the threat actors greater flexibility. On execution it calls GetCommandLineW() to check for arguments; the available options include self-deletion, resource usage (thread count), logging, running multiple instances on the same system, a list of systems to target, specific file paths, and disabling the search for network resources to encrypt.

The inclusion of hardcoded commands for operating this ransomware binary offers insights into the threat actors’ strategies and tactics. These examples indicate the specific types of folders and directories typically targeted during their attacks. The directories identified by the threat actors include:

  • R:\backups\
  • \\files01\finance
  • \\10.0.3.2\D$\Accounting

After retrieving the command-line arguments, the ransomware binary creates a mutex named “LoadUpOnGunsBringYourFriends” using the CreateMutexW() function. Unlike other ransomware variants, this one employs a hardcoded mutex name rather than generating it dynamically at runtime.

Next, the ransomware clears the recycle bin by invoking the SHEmptyRecycleBinW() function. This action is typically intended to prevent the victim from recovering deleted files after encryption.

The ransomware then disables Windows recovery by executing the following command:

“C:\\Windows\\System32\\cmd.exe /q /c bcdedit /set {default} recoveryenabled no”

The ransomware then captures a snapshot of active running processes using CreateToolhelp32Snapshot() and iterates through them with Process32First() and Process32Next(). It checks if any of the specified processes are running and terminates them if a match is found.

The ransomware proceeds to fetch the active services operational on the victim’s system. Initially, it invokes the OpenSCManagerW() function to acquire a handle to the service control manager database. It then utilizes EnumServicesStatusExW() to list the services within the service control manager database, thereby obtaining details such as their names and current states. Upon completion, the ransomware verifies if any of the running services correspond to specific targets.

Upon finding a match, it terminates the service by employing the CloseServiceHandle() function.

The ransomware initiates an exploration of device volumes utilizing the FindFirstVolumeW() and FindNextVolumeW() functions. Following this, it utilizes the GetVolumePathNamesForVolumeNameW() function to retrieve a compilation of drive letters and mounted folder paths for each designated volume.

Following this, it employs the WNetEnumResourceW() function to list the network resources. It begins the process of listing files on the drives for encryption by utilizing the GetDriveTypeW() function alongside FindFirstFileW() and FindNextFileW() functions.

The ransomware refrains from encrypting files located in specific directories on an infected system. The ransomware executable incorporates regular expressions for these directory names.

This ransomware also excludes files with certain extensions from encryption. Notably, the list includes the “.564ba1” extension, which is appended to files post-encryption, ensuring avoidance of duplicate encryption.

This ransomware utilizes ChaCha20 and Curve25519 for file encryption, commonly paired to provide secure key exchange and encryption. Curve25519 establishes a shared secret key, which is then utilized by ChaCha20 for encryption and decryption of file contents.

Following encryption, the ransomware deposits a ransom note titled “HOW_TO_RECOVER_FILES.txt” in each directory it passes through. Notably, this note seems tailored to each victim, as it contains hardcoded date and time values rather than dynamically loading the current date and time.

All encrypted files end up having the “.564ba1” file extension.
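For incident response scoping, the following added example (not Cyble’s code) walks a file share and uses only the two artifacts named above, the .564ba1 extension on encrypted files and the HOW_TO_RECOVER_FILES.txt note dropped in each traversed directory, to measure the blast radius: encrypted files per directory, directories the binary passed through without encrypting anything (a note but no renamed files), directories with encrypted files but no note, and the earliest note timestamp as an approximate start of encryption. The sample share it builds in a temporary directory is constructed for the example.

```python
"""Blast-radius triage for an Embargo infection using the artifacts above.

Added example, not Cyble's code. It walks a share and relies on the two
indicators from the analysis: the .564ba1 extension appended to encrypted
files and the HOW_TO_RECOVER_FILES.txt note dropped in every traversed
directory. The tree built by build_sample_tree() is constructed for the example.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".564ba1"
RANSOM_NOTE = "HOW_TO_RECOVER_FILES.txt"


def triage(root):
    """Summarise encryption impact under `root` from the two artifacts only."""
    root = Path(root)
    encrypted_per_dir = Counter()
    note_dirs = {}  # relative dir -> note mtime (epoch seconds)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel_dir = path.parent.relative_to(root).as_posix()
        if path.name == RANSOM_NOTE:
            note_dirs[rel_dir] = int(path.stat().st_mtime)
        elif path.suffix == ENCRYPTED_EXT:
            encrypted_per_dir[rel_dir] += 1
    return {
        "encrypted_total": sum(encrypted_per_dir.values()),
        "encrypted_per_dir": dict(encrypted_per_dir),
        "note_count": len(note_dirs),
        # Note dropped but nothing renamed: the binary passed through and
        # skipped the directory (its exclusion lists, or nothing to encrypt).
        "traversed_not_encrypted": sorted(set(note_dirs) - set(encrypted_per_dir)),
        # Encrypted files but no note: worth a closer look, since a note is
        # expected in every directory the binary touched.
        "encrypted_without_note": sorted(set(encrypted_per_dir) - set(note_dirs)),
        # Earliest note mtime approximates when encryption started.
        "first_note_epoch": min(note_dirs.values(), default=None),
    }


def build_sample_tree(root):
    """Constructed sample share; every file is a one-byte placeholder."""
    root = Path(root)
    layout = {
        "finance": ["q1.xlsx" + ENCRYPTED_EXT, "q2.xlsx" + ENCRYPTED_EXT, RANSOM_NOTE],
        "finance/archive": ["old.zip" + ENCRYPTED_EXT, RANSOM_NOTE],
        "tools": [RANSOM_NOTE, "setup.exe"],      # traversed, nothing encrypted
        "hr": ["payroll.csv" + ENCRYPTED_EXT],    # encrypted, no note
    }
    note_times = {"finance": 1716600000, "finance/archive": 1716600060, "tools": 1716600120}
    for rel_dir, names in layout.items():
        (root / rel_dir).mkdir(parents=True, exist_ok=True)
        for name in names:
            p = root / rel_dir / name
            p.write_bytes(b"x")
            if name == RANSOM_NOTE:
                os.utime(p, (note_times[rel_dir], note_times[rel_dir]))
    return root


def demo():
    """Build the sample share in a temp dir and return the triage summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a mounted copy of an affected share rather than the live system; the per-directory counts show which data sets need restoring from backup, and the note timestamps, read alongside file-server audit logs, narrow down which account the binary ran as.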

Risk & Impact Assessment

The discovery of Embargo ransomware represents a sophisticated threat with significant risks and impacts. As in this case, the adoption of Rust for malware development poses a significant risk as it offers enhanced memory safety features, making it challenging for traditional security tools to detect and mitigate such threats. 

The ransomware employs evasion techniques to bypass detection by security solutions, increasing the difficulty of identifying and neutralizing the malware before it causes damage. This ransomware utilizes strong encryption algorithms, potentially rendering the victim’s files inaccessible without the decryption key. This poses a severe risk to organizations, particularly if critical data is encrypted, leading to operational disruptions and financial losses.

In the event of a successful attack, organizations may suffer data loss and operational disruptions due to encrypted files. This can impact business continuity, leading to productivity losses and financial repercussions. A ransomware attack can tarnish an organization’s reputation, eroding customer trust and confidence. 

Public disclosure of a security breach may lead to negative publicity, damaging the organization’s brand image and long-term viability. Organizations may face legal and regulatory consequences following a ransomware attack, especially if sensitive data is compromised. Compliance violations, lawsuits, and regulatory penalties can further exacerbate the impact of the incident.

Source Material: Cyble, The Rust Revolution: New Embargo Ransomware Steps In


CISA Warns of Vulnerabilities in Apache Flink, Google Chromium, and Justice AV Solutions Viewer Installer

Apache Flink CVE-2020-17519 – Google Chromium V8 CVE-2024-5274 – Justice AV Solutions (JAVS) Viewer Installer CVE-2024-4978

The Cybersecurity and Infrastructure Security Agency (CISA) has flagged three vulnerabilities in Apache Flink, Google, and Justice AV Solutions (JAVS) Viewer Installer products as actively exploited, escalating concerns over future cyber-attacks.

Analysis

CVE-2020-17519 – Apache Flink Improper Access Control Vulnerability

  • What it allows: Read access to files
  • Risk: This vulnerability allows an attacker to read any file on the local filesystem of the JobManager through its REST interface.
  • Due Date: 2024-06-13

CVE-2024-5274 – Google Chromium V8 Type Confusion Vulnerability

  • What it allows: Remote code execution
  • Risk: Attackers can exploit this flaw to execute malicious code via a crafted HTML page, affecting various web browsers. Users should prioritize updates to mitigate this risk.
  • Due Date: 2024-06-18

CVE-2024-4978 – Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability

  • What it allows: Backdoor and C2 connection
  • Risk: The installer for the Justice AV Solutions (JAVS) Viewer contains a malicious version of ffmpeg.exe, named fffmpeg.exe (SHA256: 421a4ad2615941b177b6ec4ab5e239c14e62af2ab07c6df1741e2a62223223c4). Upon execution, it creates a backdoor connection to a malicious command-and-control (C2) server.
  • Due Date: 2024-06-19

These vulnerabilities highlight the critical need for timely updates and proactive security measures. Organizations must quickly mitigate these risks and safeguard their systems against potential exploits.

Source Material: CISA


Let’s Secure Your Organization’s Future Together

At Deepwatch, we are committed to helping organizations like yours navigate the intricate world of cyber threats. Our cybersecurity solutions are designed to stay ahead of the curve, providing you with the proactive defenses needed to protect your organization from these threats.

Our team of cybersecurity professionals is ready to evaluate your systems, provide actionable insights, and implement robust security measures tailored to your needs.

Don’t wait for a cyber threat to disrupt your operations. Contact us today and take the first step towards a more secure future for your organization. Together, we can outsmart the threats and secure your networks.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.

Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.

Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.

Eric Ford, Sr. Threat Intelligence Analyst

Eric is an accomplished intelligence professional with 10+ years of experience in the intelligence field supporting the Department of Defense and commercial organizations. He is responsible for collecting open-source information and analyzing it to turn it into actionable intelligence.
