SecPro #48: Breaking the Web, Understanding Burp, and Decrypting SunCrypt
Another week, another Weekly Insider. In a month that has seen the revival of a long-thought-dead adversary, the SecPro team has been focusing on building guides that help you defend your systems (or attack them, depending on which team you are on). Not only will these walkthroughs help you understand your network better, they will also help you identify how ransomware such as SunCrypt might get inside your perimeter.
As chance would have it, our Top Ten breakdown of the most common MITRE ATT&CK techniques used by the adversary is also about ransomware: the somewhat brutish art of combining encryption types, and how to defend against it. For people who are not on the front line of fighting off ransomware, hopefully you'll click off this email with a better understanding of how the adversary attempts to gain access.
For people into web development or Burp Suite, Andy and Indrajeet have been focusing on how to flex your skills with some highly recommended tools. All of that is available in the Weekly Insider, along with an eBook giveaway, access to our exclusive Discord server, and all new features as we introduce them to the newsletter.
As always, thanks for reading our content and sticking with the SecPro team. Check out the survey below to claim your free eBook and tell us what you thought of the articles this week.
T1486 – Data Encrypted for Impact
By Austin Miller
Encrypting data to force an organization's hand has been part of the adversary's arsenal since the late 80s, but advanced techniques have now made ransomware one of the top concerns for CISOs and other security leaders. By combining otherwise legitimate and common encryption practices and algorithms, threat actors not only shut down business operations but also hold sensitive data such as PII and PHI hostage in order to extort the victim.
Although the adversary's tactics and techniques have changed since the first ever "ransomware" – the brainchild of the eccentric Dr. Popp, who would later avoid prosecution for his malware by wearing a cardboard box to protect himself from radiation – the most damaging ransomware families use similar techniques that consistently work against everyone from unsuspecting home users to government institutions.
How is data encryption used by the adversary?
WannaCry. Nefilim. CryptoLocker. RagnarLocker. It's not hard to build a rogues' gallery of ransomware that has caused havoc for security professionals, business leaders, hospital staff, and other would-be victims. But thanks to poor reporting in the mainstream media and the knowledge presupposed by some technical repositories, the question "how do ransomware gangs use encryption?" often goes unanswered.
In truth, they aren't doing anything special. They use symmetric encryption, asymmetric encryption, or a hybrid of the two to lock down their victims' systems. As noted in the Red Report, there are 37,987 existing samples of ransomware that largely use the same techniques, generally varying only in their choice of encryption method.
Symmetric encryption and ransomware
Desirable for its speed and simplicity, symmetric encryption was initially popular for encrypting files on a victim's machine. However, this technique has not worked on its own since the first "proto-ransomware" appeared in 1989. Dr. Popp's AIDS Trojan, which loaded software onto a machine and then encrypted files after the machine had been restarted 90 times, was quickly remedied by security researchers, allowing the victims to avoid the modest $189 unlocking fee.
Because the secret key used to decrypt the files is stored on the victim's machine, all it takes to fix the problem is an eagle-eyed security researcher who spots the key. From there, some reverse engineering is enough to build a tool that decrypts the files.
Although this method is unsuccessful on its own, symmetric algorithms such as AES, DES, 3DES, Salsa20, ChaCha20, and Blowfish are still used by the adversary to this day, because they are the only practical way to encrypt large volumes of data quickly.
Asymmetric encryption and ransomware
By introducing a key pair, a public key and a private key, the adversary using asymmetric encryption is in a stronger position once a machine is infected. Not only does the final piece of the puzzle, the private key, stay in the hands of the ransomware gang, but a different key pair can be generated for each victim. This means that painstakingly recovering a single private key only gets a security professional a little closer to unlocking one machine, rather than cracking the entire campaign.
But this method isn't watertight for the threat actor either. Asymmetric encryption is far slower than its symmetric counterpart (and an RSA operation can only process a message smaller than the key itself), meaning that IT teams with a finger on their network's pulse may intervene before the attack takes hold.
We see a lot of asymmetric encryption today, mainly RSA. But just like symmetric encryption, it is not generally used on its own.
Hybrid encryption is the chosen approach of the modern adversary: a symmetric algorithm does the bulk encryption of files quickly, and an asymmetric algorithm protects the symmetric key, so that each covers the weakness the other has on its own. Three particularly infamous ransomware families use the following algorithms:
| Ransomware | Symmetric encryption algorithm | Asymmetric encryption algorithm |
| --- | --- | --- |
| Nefilim | AES | RSA, 2048-bit |
| REvil | Salsa20 | RSA, 2048-bit |
| Conti | ChaCha20 | RSA, 4096-bit |
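To make the contrast between the symmetric-only design (key left on the victim machine, as in the AIDS Trojan section above) and the hybrid design in the table concrete, here is an added example written for this issue; it is not code from any ransomware family or from the Red Report. It models both schemes with AES-256-GCM for the bulk encryption and RSA-OAEP (2048-bit, SHA-256) for wrapping the per-file key. The `Artifact` type, the function names, and the sample document are all constructed for illustration; the point is what a researcher can recover from disk in each case, and what only the holder of the private key can do.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Artifact is one encrypted file as left on disk: Key is set only by the symmetric-only scheme, WrappedKey only by the hybrid one.
type Artifact struct {
	Nonce, Ciphertext, Key, WrappedKey []byte
}

func NewOperatorKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // never leaves the operator

// encryptBulk is the fast symmetric half shared by both schemes: fresh key, AES-256-GCM.
func encryptBulk(plaintext []byte) ([]byte, *Artifact, error) {
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // cannot fail: key length is fixed above
	gcm, _ := cipher.NewGCM(block)
	return key, &Artifact{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// decryptBulk reverses encryptBulk given the right key; GCM's tag also catches tampering.
func decryptBulk(key []byte, a *Artifact) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, a.Nonce, a.Ciphertext, nil)
}

// LockSymmetricOnly models the 1989-style design: the key ships with the file.
func LockSymmetricOnly(plaintext []byte) (*Artifact, error) {
	key, a, err := encryptBulk(plaintext)
	if err == nil {
		a.Key = key // left on the victim machine, next to the ciphertext
	}
	return a, err
}

// LockHybrid models the table above: a per-file AES key wrapped to the operator's RSA public key.
func LockHybrid(pub *rsa.PublicKey, plaintext []byte) (*Artifact, error) {
	key, a, err := encryptBulk(plaintext)
	if err != nil {
		return nil, err
	}
	a.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // wipe: the only copy of the key is now inside WrappedKey
		key[i] = 0
	}
	return a, nil
}

// RecoverFromDisk is the researcher's position: everything on the victim machine, no private key.
func RecoverFromDisk(a *Artifact) ([]byte, error) {
	if a.Key == nil {
		return nil, errors.New("no usable key on disk: only an RSA-wrapped copy is present")
	}
	return decryptBulk(a.Key, a)
}

// OperatorUnlock is what the ransom buys: the private key unwraps the per-file key.
func OperatorUnlock(priv *rsa.PrivateKey, a *Artifact) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, a.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return decryptBulk(key, a)
}

func main() {
	doc := []byte("Q3 patient roster (constructed sample data)")
	priv, _ := NewOperatorKey()
	sym, _ := LockSymmetricOnly(doc)
	hyb, _ := LockHybrid(&priv.PublicKey, doc)
	got, err := RecoverFromDisk(sym)
	fmt.Printf("symmetric-only, key on disk: %q (err=%v)\n", got, err)
	_, err = RecoverFromDisk(hyb)
	fmt.Printf("hybrid, no private key: err=%v\n", err)
	got, err = OperatorUnlock(priv, hyb)
	fmt.Printf("hybrid, operator's private key: %q (err=%v)\n", got, err)
}
```

Run it with `go run` and the symmetric-only artifact decrypts straight away, because the key is sitting beside the ciphertext; the hybrid artifact yields nothing until the operator's private key is applied, and a different private key fails at the OAEP step. That structure is why public decryptors for hybrid-scheme families tend to appear only after an operator's private keys are leaked, seized, or handed over, and it is also why a defender's leverage lies in stopping the sample before the bulk encryption runs rather than in breaking the cryptography afterwards.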
How does the adversary use cryptographic keys?
Although a growing number of encrypting malware samples target Linux or macOS, often written in languages such as Go, the vast majority of ransomware attacks take aim at Windows machines. Thanks to the suite of tools included with Windows, living off the land (LotL) techniques make it easy for ransomware gangs to import cryptographic keys and encrypt files.
For example, Nefilim uses the Microsoft Enhanced Cryptographic Provider to import its keys and then encrypt data. By leveraging the Windows APIs for symmetric and asymmetric algorithms, the adversary always has an easy way to cause havoc on a system without having to ship a cryptographic library of their own.
How do I defend my systems?
Standard defences against ransomware are always recommended for countering malicious encryption, but the MITRE ATT&CK framework offers two mitigations that will help your resistance against the adversary:
Zero-day heyday, the top vulnerabilities, and Log4Shell in retrospect
More 0-day attacks are being logged than ever
If you've been responsible for audits over the last year and a half, you may have noticed something that cybersecurity firms such as Mandiant and Google's Project Zero are now stating publicly: 0-day attacks are on the rise, up well over 100% between 2020 and 2021.
Mandiant observed 30 zero-day exploits in 2020, rising to 80 in 2021. Project Zero, on the other hand, tracked 25 in 2020 and 58 in 2021. What is driving this drastic increase? Has the adversary gotten that much better at finding novel weaknesses in software that they are now several steps ahead of security researchers?
The answer is, probably, no. Although the adversary is becoming more sophisticated and new threats seemingly emerge every day, security researcher Maddie Stone argues that the rise in observed 0-days is actually a good thing. Much like a disease that goes undiagnosed is still a problem for the patient, 0-days exploited in the wild in the past would simply have gone undetected. Now, more of them are being caught, disclosed, and patched rather than quietly exploited.
Although it would be too much to say that security researchers are now fully ahead of threat actors, or that 0-days are no longer entangled with government agencies, as in the Russia-Ukraine crisis or the EternalBlue leak, it does mean that we can expect to hear about more 0-days, and to patch them, before they become widespread problems.
The Mandiant report is not publicly available at this present time, but the Project Zero report can be accessed here.
The Top Vulnerabilities of 2021
In a joint cybersecurity advisory, the cybersecurity authorities of the US, Australia, Canada, New Zealand, and the UK have released the top 15 routinely exploited vulnerabilities of last year, along with methods for mitigating the issues and securing your systems.
Altogether, the most serious issues that cybersecurity professionals have been dealing with are:
- CVE-2021-44228, or Log4Shell
- CVE-2021-40539, an RCE in Zoho ManageEngine ADSelfService Plus
- CVE-2021-34523, or ProxyShell – elevation of privilege
- CVE-2021-34473, or ProxyShell – RCE
- CVE-2021-31207, or ProxyShell – security feature bypass
In retrospect, the number of issues carried over from previous years is somewhat startling to see first-hand, but unsurprising in the world we live in. For many organizations, it simply shows that cybersecurity is overlooked until it is too late, and that simply adhering to existing advice would be enough to stop the adversary in their tracks.
If anyone is surprised that Log4Shell is top, I assume you've been living in a cave for the past year. The fallout that followed that particular disclosure was truly spectacular, and I predict that exploitation of Log4Shell and its derivatives will be felt by disorganized or underfunded IT teams for years to come.
If you would like to see more of the vulnerabilities that the international coalition identified as routinely exploited over the course of 2021, check out the full CISA document here.
Catch up on all the news by clicking the link below!
This Week’s Weekly Insider Articles
Missing out on this week’s premium articles? Sign up for the 7-day free trial and find out what SecPro has to offer!
Secret Knowledge: Building Your Security Arsenal
Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.
Click-Jacking Vulnerability Scanners
- eras/ClickMuteJack: Eliminates input device noise from a jack stream by muting it, based on evdev event timing
- machine1337/clickjack: An efficient tool to find clickjacking vulnerabilities in the easiest way, with PoC
Log4j Vulnerability Scanners
- cisagov/log4j-scanner: log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities
- google/log4jscanner: A log4j vulnerability filesystem scanner and Go package for analyzing JAR files
- proferosec/log4jScanner: log4jScanner provides the ability to scan internal subnets for vulnerable log4j web services
Burp Suite Extensions
- sting8k/BurpSuite_403Bypasser: Burp Suite extension to bypass 403-restricted directories
- nccgroup/BurpSuiteHTTPSmuggler: A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques
- summitt/Burp-Non-HTTP-Extension: Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite.