During a recent client engagement, the LIFARS DFIR team encountered the REvil/Sodinokibi ransomware group. The typical attack vectors chosen by this group are either exploitation of vulnerable network devices or brute-force attacks on Remote Desktop Protocol (RDP) servers. In this case study we present selected artifacts that provide important insight into the threat actors’ behavior.
The patient zero machine was a development server with a public IP address. In this article we focus on artifacts identified on this host, even though different artifacts, and the ransomware sample itself, were identified on other affected systems. Patient zero had ports 139 (NetBIOS) and 3389 (Remote Desktop Protocol) open, which was most probably the initial vector of compromise. As previously stated, the REvil/Sodinokibi threat actor looks to brute-force the RDP service. We found evidence consistent with this claim (a high volume of failed logon attempts), but other artifacts led the team to believe the attacker first used anonymous logons via NetBIOS to gain important account information, for example usernames. Having port 139 open within your Local Area Network (LAN) is necessary: it enables applications and network hosts to communicate with network hardware and transmit data across the network. In contrast, exposing this port on your Wide Area Network (WAN) or to the internet is an enormous security risk. The presented case is an excellent example of how attackers can leverage such a configuration. These two open ports, taken together, made the initial attack vector quite simple, even for script kiddies.
User Assist Artifacts
Execution of the following executables was attributed to the initially compromised user account:
- Kiwi Parser.exe
The UserAssist registry key allows examiners to see which programs a specific user recently executed via the GUI. For this part of the examination process we chose to use the tool Registry Explorer, which helped the team identify a trove of executables that were run by the threat actors. Although most of these files had been deleted, the entries still provided useful insight into some of the steps taken by the attacker. These executables were run by the user we initially suspected was the victim of the brute-force attack. We suspected this user because of the multiple failed logon attempts followed by a successful type 10 logon, which equates to a Remote Desktop connection.
For example, on the desktop of the initially exploited user we found CVE-2017-0213_x64.exe, named after a Windows COM privilege escalation vulnerability. If this file contained an exploit for that vulnerability, the attackers could have run it to elevate privileges within the network. We could not verify this hypothesis, as the file was no longer present on the system and could not be recovered from the disk. Nor did we find additional artifacts that would shed any light on what happened after this file was executed.
The UserAssist key also provided the team with evidence that SharpHound.exe was executed. SharpHound is the ingestor – the official data collector – for the popular penetration testing tool BloodHound. BloodHound is a powerful GUI application that maps an entire Active Directory environment, identifying attack paths and finding the shortest path to privileged accounts or domain controllers. Figure 1 shows BloodHound results from a simulated environment; Figure 2 shows another feature of the tool that provides information and references on abusing a certain permission…
Download “REvil Sodinokibi Ransomware Case Study” Technical Guide to learn more.