SecPro #33: Ransomware – Exploring MITRE ATT&CK’s Defense Evasion, Fixing Security Misconfigurations
As mentioned in the last issue, I plan to enhance your community experience and make our conversations real-time and more engaging. Use the button below to join the SecPro Discord community! Here’s what you’ll get access to:
- Exclusive, actionable content, learning resources, and tools
- Private community of security practitioners and tech professionals
- Exciting rewards and ambassador program
- Opportunity to discuss your learning and projects with like-minded professionals in the field of Threat Detection, Red/Blue teams, Pentesting, DevSecOps, and more
- Early access to SecPro events, expert fireside chats, and future announcements!
- MITRE ATT&CK’s Defense Evasion – Ransomware Investigated: How the Adversary Evades the Defences (MITRE ATT&CK)
- OWASP A05: Security Misconfiguration
- Log4j and Defender for Endpoint
- SecPro Bytes: Your Security Binocular
- Secret Knowledge: Building Your Security Arsenal
MITRE ATT&CK’s Defense Evasion – Ransomware Investigated: How the Adversary Evades Defenses
By Austin Miller
Ransomware attacks are a sophisticated bunch. Often exploiting cutting-edge attack vectors to launch a ransomware attack, understanding the most common TTPs of the adversary is key to defending your organization against these effective malware developers. Understanding how to avoid impaired defenses attacks would help in stopping a ransomware malware infection in its tracks. Exploring the MITRE ATT&CK framework’s Defense Evasion section is the best way to learn how ransomware attackers will launch targeted attacks against your systems, making it the best way to understand how to prevent ransomware too. So let’s quantify MITRE ATT&CK’s Defense Evasion!
Understanding the TTPs of Ransomware Attacks
Although ransomware gangs have a wide range of tactics, techniques, and procedures for accessing an organization, research from Recorded Future has shown that Defense Evasion is the most common tactic employed by threat actors.
Within the broad MITRE ATT&CK framework Defense Evasion tactic or MITRE ATT&CK’s Defense Evasion, there are two techniques in particular that ransomware gangs commonly employ: impair defenses and abusing the pre-OS boot process.
MITRE ATT&CK’s Defense Evasion – Impair Defenses: Disable or Modify Tools
T1562.001 is concerned with attackers disabling and/or modifying security tools. For example, Cobalt Strike uses the Smart Applet attacks to disable the Java SecurityManager sandbox and DarkComet uses built-in tools to disable Security Center tools such as anti-viruses and anti-malware software. Because a wide range of techniques is employed by the adversary to infect systems and demand ransom payments, detection can be difficult. But the following techniques are advised by the ATT&CK framework:
- DS0009 – Process Termination detection
- DS0013 – Sensor Health: Host Status detection
- DS0017 – Command Execution detection
- DS0019 – Service Metadata changes detection
- DS0024 – Windows Registry Key Deletion/Manipulation detection
MITRE ATT&CK’s Defense Evasion: Abusing the Pre-OS Boot
Although not in the T1562 series, understanding pre-OS boot attacks is important for identifying defense evasion from malware developers. All these attacks take aim at the target system before the OS boot kicks in, allowing for the adversary to launch attacks through tools such as LoJax, the Hacking Team UEFI Rootkit, and Trojan.Membroni. There are five sub-techniques that you need to understand:
- T1542.001 – System Firmware
- T1542.002 – Component Firmware
- T1542.003 – Bootkit
- T1542.004 – ROMMONkit
- T1542.005 – TFTP Boot
Diagnosing Impair Attacks Against your Organization
Depending on the weaknesses present within your systems, the MITRE ATT&CK framework proposes a number of different mitigation techniques for the adversary’s defense evasion tactics. We discuss the impairing defense mitigation technique here:
Impair Defenses Mitigation
In order to stop the adversary from undermining your defensive tooling, there are three mitigations included in the MITRE ATT&CK framework:
- M1022: Restrict File and Directory Permissions – proper permissions must be set for all files and directories to stop the adversary from disabling or interfering with security software.
- M1024: Restrict Registry Permissions – security tooling must be protected at the Registry level via permissions that are proper.
- M1018: User Account Management – every user account must have the proper permissions assigned to it to stop the adversary from gaining access and launching a downgrade attack.
Stopping Common Attack Vectors for Ransomware
Ransomware is a common worry for all security professionals. By using the MITRE ATT&CK Framework and the D3FEND Matrix, we can build effective defensive postures based on an understanding of the tactics and techniques the adversary uses. Take a look at these articles on the newest forms of ransomware that the best security researchers are discovering in 2022:
- TellYouThePass Ransomware Analysis Reveals a Modern Reinterpretation Using Golang by CrowdStrike
- Night Sky is the latest ransomware targeting corporate networks by BleepingComputer
OWASP: A05 – Security Misconfiguration
By Austin Miller
The weakest part of any security system is the human interacting with it. Although some InfoSec professionals like to think that they are above that adage, human-caused weaknesses are still common enough that OWASP has boosted Security Misconfigurations from A06:2017 to A05:2021. As software becomes more configurable, misconfigurations were bound to occur. That’s why understanding your organization’s security needs, and the way to configure the software is key to secure operations.
Improving Web Application Security
Although individual applications will have specific needs, broad application security practices help organizations get on the right track. By implementing the following, you can prevent security misconfiguration and stop adversaries who aim to gain unauthorized access to your systems.
Changing Default Passwords
Default accounts/passwords shouldn’t be a vulnerability, especially if you are following the ICS-CERT best practices – the default username/password combination should be changed as soon as possible. Accessing secure user accounts might be near impossible, but credentials to an admin account posted online will lead to sensitive data exposure in no time!
Leaving unnecessary ports open is an easy way for the adversary to gain access to your systems. Closing the attack surface as much as possible is key to not giving the adversary the keys to the castle.
Missing Security Hardening
Human error occurs, but systematic and containerized approaches to hardening your systems are the best way to cut down on the chaotic human factor as much as possible. Automated checking for divergent installations is the best way to stop common attacks such as downgrade attacks and malware where the adversary installs unwanted files on your system.
When software is no longer needed, it should be uninstalled from all systems to ensure your organization’s secure configurations. Removing default programs may also be necessary for workstations that have no use for bloatware. Unnecessary software is closely linked to outdated or vulnerable components and software, a separate entry in the OWASP Top 10.
Cutting Out Misconfigurations
The road to overcoming security misconfigurations is difficult without a plan. But securing a web server or application becomes easier when you enforce the following rules and implement proper security controls:
- Hardening your systems (including everything from operating systems to cloud services) should be systematic – implementing new, secure versions of necessary software should be configured.
- Get rid of unused features and software as well as shadow IT installations to secure the entirety of the network – if something isn’t used, it becomes an unnecessary attack vector that possibly isn’t closely monitored by the security team.
- Having a specialized team or workflow for updating the system allows smooth transitions from insecurity to security.
- Security settings should allow for segmented architectures that separate components and allow for better security testing in safe, containerized/segmented sections.
- Any changes from the default configurations in a system should be handled through automation – de-escalation attacks or insider threat actors set off alerts, stopping malicious misconfiguration before it becomes a problem.
Log4j and Defender for Endpoint
By Joe Anich
It is no surprise to anyone that the Log4j is still very much top of mind for security teams, and likely will be for some time as this type of vulnerability is almost a commodity. The image we are all used to seeing, quickly turned into a cringe image in all our minds.
The moral of the story is to identify anything you have in your environments that are internet-facing and ensure its use of the Log4j logging framework. Other systems to identify if you have them are systems running VMware Horizon, there is a ransomware campaign called Night Sky being deployed right now. Ransomware notes for this campaign have been as high as $800,000! For patching information on VMware Horizon systems, please see this link.
SecPro Bytes: Your Security Binocular
WordPress Vulns Run Rampant
In the last year, the number of known WordPress vulnerabilities has doubled and as many as 77% of them are still exploitable. Thanks to research from Risk Based Security, we now know that 10,359 individual vulnerabilities were reported at the end of 2021. 2,240 of those vulns are new, a 142% increase on the reports from 2020.
Attackers are now focusing on exploitable vulns instead of critical ones – like the high-profile Log4Shell crisis, which is quickly tackled by the community at large. For WordPress hackers, finding a weak plug-in would let the adversary in.
The Elephant Beetle in the Room
The threat team wreaking havoc in Latin America has been named Elephant Beetle that used over 80 tools and scripts to infect an organization’s financial operations also inject fraudulent transactions. Elephant Beetle’s tools change, but the approach stays pretty much the same:
- Infect a system and build operational capabilities while laying low.
- Slowly build an understanding of the victim’s network and start to mimic legitimate transactions.
- Inject fraudulent transactions that appear to be legitimate.
- If discovered, return to laying low and start operations again when the coast is clear.
96 New Security Updates for Microsoft
Another series of critical and 0-day vulnerabilities from the Microsoft security team. In fact, there are 9 critical patches and 6 0-days which hopefully have been successfully installed on your systems by now. Here are the top picks from the batch:
- CVE-2022-21907 – a CVSS 9.8 vulnerability that allows remote code execution through the HTTP protocol. Discovered by Mikhail Medvedev.
- CVE-2022-21849 – a CVSS 8.5 vulnerability that allows remote code execution through the IKE extension.
A full list of the patches and the relevant security issues addressed through them can be found on the official Microsoft January 2022 Security Updates page.
Secret Knowledge: Building Your Security Arsenal
Discover useful security resources, cheatsheets, hacks, and open-source CLI/web tools.
New & Trending
- j3ssie/osmedeus – Build your own reconnaissance system with Osmedeus, a workflow engine for offensive security.
- Shogan/kube-chaos – A chaos engineering style game where you seek out and destroy Kubernetes pods, twin-stick shoot-em-up style. Powered by the Unity engine.
The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes.