SecPro#40: Examining BlackByte’s TTPs and IOC Threat Hunting During a War
The threat landscape hasn’t cooled down much over the last week and increased tension in the global cyberspace means many of our readers are on red alert. In our most recent Community Wisdom research, one reader even described these tensions as “the first cyberwar”. For the security researcher like myself, this means that threat landscape is changing every minute and it’s almost impossible to keep up with new developments. In order to bring the most useful content possible to you, our readers, we have put together a larger than usual News Bytes section this week and finished off our coverage of Examining BlackByte’s TTPs, as well as exploring how threat hunting for IOCs right now can improve your security posture. For everyone who is going to ask me about WisperGate, just keep an eye on your inbox next week to find out exactly how the notorious malware functions.
TL;DR
- Examining BlackByte’s TTPs
- How to Conduct IOC Threat Hunting during a War
- News Bytes: Anonymous, BGP review, and Conti Leaks
- Secret Knowledge: Red Team & Data Security Tools
Malware Analysis
BlackByte – Examining the Malware’s TTPs
By Austin Miller
Last week, we looked at the BlackByte IOCs (which you can catch up on here, if you missed out). But understanding how BlackByte will use when your systems have been compromised is one thing – learning how the adversary will try to infiltrate your security is the best way to find weaknesses in your security posture.
Due to the complex nature of examining BlackByte’s TTPs, it is a difficult piece of ransomware to handle. Through 22 different tactics, techniques, and procedures (TTPs), the cybercriminals have really put their work into making sure that total infection and destruction is practically guaranteed when the ransomware makes its way onto a network.
Examining BlackByte’s TTPs: The Tactics, Techniques, and Procedures
Understanding the TTPs used by the BlackByte ransomware gang is key to hardening your own perimeter. Although there are at least 22 identifiable TTPs used in typical BlackByte breach, I have focused on eleven that are easily addressed within an organizational cybersecurity setting.
Initial Access
T1190 – Exploit Public Facing Application
BlackByte – in both its original form and the “new and improved” version – targets known weaknesses in the Microsoft Exchange Server. In particular, the ransomware exploits the ProxyShell vulnerability by dropping a webshell – malware that creates a backdoor, allowing for remote code execution. The malware could easily go unnoticed as the .aspx extension is common on servers that run the Windows ASP.NET framework.
To protect yourself, make sure that your systems are patched for the following CVEs:
A 9.8 critical vulnerability which allows remote code execution due to a vulnerability in the Microsoft Exchange Server.
A 9.8 critical vulnerability that allows elevation of privileges due to a vulnerability in the Microsoft Exchange Server.
A 7.2 vulnerability that allows defensive evasion due to a vulnerability in the Microsoft Exchange Server.
Depending on the version of the Microsoft Exchange Server that you use, you will need to update your systems to at least the following updates:
Execution
T1053.005 – Scheduled Task/Job: Scheduled Task
Predictably, scheduled tasks are used to launch the ransomware executable and print ransom notes through any printers attached to the infected network. You can identify them as such:
- complex.exe -single <SHA256_hash>
This is the BlackByte executable. The hash may be a form of identifier for the victim.
- cmd.exe /c for /l %x in (1,1,75) do start wordpad.exe /p C:\Users\tree.dll
Launching the command prompt, the trees.dll file – the ransom note – is printed 75 times.
BlackByte also uses PowerShell (T1059.001) and the Windows Command Shell (T1059.003) to launch additional malicious commands on an infected system.
Privilege Escalation
T 1112 – Modify Registry
In an effort to escalate local privileges, share network connections, and ensure full encryption, BlackByte launches a tripartite registry modification.
- reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
- reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
- reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LongPaths Enabled /t REG_DWORD /d 1 /f
Defense Evasion
BlackByte uses multiple evasive measures to work around known defenses to ransomware and the outdated 2019 version.
There is evidence that BlackByte uses Intial Access Brokers (IABs) – cybercriminals who specialize in finding ways where malware can be injected – meaning that their attention is focused on utilizing and improving how they encrypt sensitive data and disrupt businesses.
T1027.002 – Obfuscated Files of Information: Software Packing
T1055 – Process Injection
T1070.004 – Indicator Removal on Host: File Deletion
T1562.001 – Impair Defenses or Modify Tools
T1562.004 – Impair Defenses: Disable or Modify System Firewall
Because of the wide range of TTPs and access to IABs, the only way to protect yourself against BlackByte is through:
- Testing to find the weak spots in your systems with mock ransomware.
- Implementing healthy cybersecurity practices in your organization.
Lateral Movement
T1021.002 – Remote Services: SMB/Windows Admin Shares
Using Cobalt Strike, BlackByte creates SMB shares which spread the ransomware throughout the network. AnyDesk is the program that is distributed via SMB.
Air-gapping critical backups is the best way to stop the ransomware from grinding your business operations to a halt.
Want to read the rest? Click the button below to find the full article.
Threat Hunting
How to Conduct IOC (Indicators of Compromise) Threat Hunting during a War
IOC Threat Hunting is about hunting down cyber-threats in the wild. This means that IOC threat hunters are on the lookout for suspicious activity in live data feeds. While performing IOC Threat Hunting, cyber threat hunters go through many servers, IP addresses and URLs to try and uncover threats. When analyzing IOC Threat Hunting results from a particular dataset, or set of data feeds, it will be very important to note the context of each IOC Hunt result.
These days, threat hunting has become so complex that it needs to be a collaborative effort between attack-minded security analysts, SIEM, and other security technologies. However, this doesn’t mean that IOCs are any less important. Indicators of compromise (IOCs) or indicators of presence (IOPs) are artifacts, activities, behaviors, or design elements present on a system that could be attributed to an adversary. There are various indicators which can help an analyst move from detection of malware infection to analysis of the malware.
In a War, Understanding How to Hunt an IOC is Crucial
While there is a crisis in the world, war going on, and battles being conducted on the streets of other countries, there would always be cyber threat actor groups continuing their efforts to cause damage. It is critically important to keep an eye on the ball and not get detoured or distracted from a foreign Country conflict. This is an excellent opportunity for many threat actors to deploy their tactics and techniques to either steal information, cause damage, or even some cases, cause loss of life. Our responsibility is to ensure our companies, our people, and our businesses can combat these. The question is what we do for and where do we start.
Technical Requirements for Conducting IOCs Threat Hunting on a Warfront
For the best interest of this article, let’s assume that you have some SEIM or an ability to search items of enjoyable in your environment. This can be a tool such as Splunk, Q radar, or even as essential as velociraptor. As we see foreign connections from our Network calling out to areas of interest such as Russia, Ukraine, Belarus, and Chechnya or other known three racking states, here are some IOCs to take into consideration.
| User | Connecting IP | Date (GTM+3) |
| root | 89.163.249.244 | Wed Nov 10 14:11 – gone no logout |
| root | 107.189.31.241 | Wed Nov 10 09:09 – 09:10 (00:01) |
| root | 185.220.103.5 | Mon Oct 25 15:08 – 15:50 (00:42) |
As we peel back the onion on this, we will see that there are also other TCP connections to Conti servers:
Detected TCP Connections on Conti Server
- 1.177.172.158
- 104.244.76.44
- 122.51.149.86
When choosing between tools and manual processes, there can be good reasons to do so
There is no wrong or right answer when it comes to threat hunting either done manually or from an Automator perspective. It all comes down to time, money, labor, and resources. Some organizations have more money than others and some organizations have more labor resources than others. Again, there’s no wrong answer as long as we arrive at a similar result.
Want to read the rest? Click the button below to find the full article.
Cybersecurity News
News Bytes
As the world stood still while tensions rise in Eastern Europe, the cybersecurity world has been kicked into overdrive. Not only do we have evidence of nation state attacks against Belarus, Russia, and Ukraine, hacktivists – hackers breaking into systems “for the right reasons” – have gained an uneasy approval from nations all around the world. Virtual war is raging on and cybersecurity professionals need to be on red alert to protect the systems they are responsible for.
Anonymous, anonymous everywhere
Famed for their decentralized model and Guy Fawkes masks, Anonymous has come back from relative obscurity to make itself a name on everyone’s lips as the cyber warfare rages. The technical skill of Anonymous’s hackers has been called into doubt – with numerous Reddit users referring to them as skiddies with LOIC – but the world infamous group seems have been causing real trouble for Russian websites, banks, and government offices.
Among Anonymous’s claims include:
- Shutting down the Russian Space Agency satellites
- Hacking into the computer on Russian President Putin’s yacht and renaming it
- Leaking Kremlin internal documents
- DDoS-ing Russian news sites and running anti-Putin messages and Ukrainian songs in place of planned programming
Although we can doubt the extent that Anonymous as a group have actually achieved these goals, they have certainly been keeping themselves busy since 24th February.
Ukrainian websites facing ten times the number of cyberattacks
In what some people are referring to as the first real cyberwar, a massive wave of attacks was always on the cards. No one has felt the pinch quite as much as the Ukrainians – a tenfold increase in the number of attempted cyberattacks has left many websites based in Ukraine with interrupted service.
Source: Wordfence
Wordfence, a cybersecurity firm with 8,320 WordPress websites under its protection, recorded 144,000 attacks against Ukrainian domains in a single. And these aren’t en masse DDoS attacks – these are “sophisticated exploit attempts”, according to Bleeping Computer.
Identified as the malware gang “theMxonday”, the adversary has launched a series of hard-to-handle attacks on Ukrainian assets. In response, Wordfence ran a live security feed for .ua websites and prevented attacks against more than 8,000 of them.
Internet Routing Security is undergoing a review by the FCC
Network administrators and cybersecurity professionals may have a part to play in an upcoming decision by the US government – is the Border Gateway Protocol (BGP) secure enough to deal with the modern cyberthreats that people all around the globe face every day?
NIST, the IETF, the Internet Society, and the CSRIC are all backing improvements in global policy in terms of the use of BGP. Establishing secure usage is the central tenet as well as exploring security vulnerabilities in BGP and the possibility of implementing BGPsec on a wider scale.
If you have any views on the topic and wish to make a comment before the review, you can submit a comment here: Russia’s Cyber Tactics Are Prompting the FCC to Address Internet Routing Security – Nextgov
The Conti gang have been compromised
When a ransomware gang gets what’s coming to them, everyone in the cybersecurity world is a bit relieved. When the gang is one as large and notorious as Conti, you know something big has happened. Due to the Conti team’s pro-Russian stance, a Ukrainian security researcher leaked their chat logs to the world.
Although the vast majority of the leak is uninteresting to the average person, we can glean a great deal of information about Conti’s TTPs and general business practices from the logs. Contileaks, a Twitter account dedicated to releasing the details of the leak, seems legitimate due to gaps in activity that match with NSA takedowns of the Trickbot botnet and Emotet malware.
For more commentary on the Conti leaks, check out Brian Krebs’s coverage of the leak here:
- Conti Ransomware Group Diaries, Part I: Evasion – Krebs on Security
- Conti Ransomware Group Diaries, Part II: The Office – Krebs on Security
Secret Knowledge: Building Your Security Arsenal
Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.
Red Team
RustScan/RustScan: The Modern Port Scanner. Find ports quickly (3 seconds at its fastest). Run scripts through our scripting engine (Python, Lua, Shell supported).
OWASP/Amass: The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open-source information gathering and active reconnaissance techniques.
zricethezav/gitleaks: Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
sa7mon/S3Scanner: Scan for open S3 buckets and dump the contents
initstring/cloud_enum: Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.
Data & Info Security
OTRF/Security-Datasets: The Security Datasets project is an open-source initiatve that contributes malicious and benign datasets, from different platforms, to the infosec community to expedite data analysis and threat research.
opensearch-project/security: Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
bezkoder/spring-boot-spring-security-jwt-authentication: Spring Boot + Security: Token Based Authentication example with JWT, Authorization, Spring Data & MySQL
github/advisory-database: Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open-source software.
FusionAuth/security-scripts: Scripts built from the FusionAuth Guide to User Data Security.
