SecPro#37:LockBit 2.0: The Sequel No One Wanted, Managing Vulnerabilities During an Incident, and Dealing with Logging Failures
Here’s another edition of the SecPro and it’s got a bit of something for everyone. The FBI Flash LockBit 2.0 IOC documentation has dominated the SecPro office chat, but that doesn’t mean we’ve forgotten to find new and exciting tools to help with the day-to-day demands of cybersecurity! Even beginners will find a walkthrough on how to use threat modelling tools. There’s something for everyone in the SecPro community, no matter how long you have been battling with the adversary.
TL;DR
- No one wanted LockBit 2.0
- How to Manage Vulnerabilities During an Incident
- OWASP Top 10: A09:2021 – Security Logging and Monitoring Failures
- Beginner’s Corner: Using the Microsoft Threat Modeling Tool
- Secret Knowledge: IaC & Cloud Security
Exploit Detection & Analysis
LockBit 2.0: The Sequel No One Wanted
By Austin Miller
There is a long history of sequels being worse than the first installment. The Exorcist II. Tron: Legacy. And now cybersecurity professionals are getting another sequel that will be worse than the first version – LockBit 2.0. No one wanted LockBit 2.0!
Developed by the same ransomware gang behind LockBit, LockBit 2.0 is the new and improved version of the infamous 2019 ransomware. Known for being evasive, ever-changing, and self-spreading, this piece of malicious software has not only extorted businesses through ransom notes but also turned employees into inside attackers. As you can expect, no one in the cybersecurity world is particularly pleased to hear about its return.
Understanding Ransomware as a Service (RaaS)
Everything is available as a service these days, so it’s no surprise that threat actors found a way to cash in on malicious software. For would be cybercriminals that don’t have the technical know-how to build their own malware, RaaS products are an easy way to launch ransomware attacks and extort money.
Understanding the LockBit Ransomware Attack : No one wanted LockBit 2.0
The LockBit 2.0 ransomware is the hardened form of the original LockBit ransomware. Although the ransomware group behind the attacks remains anonymous, the remotely loaded LockBit ransom note (which appears as the wallpaper on all affected systems) clearly shows this is the same team.
In the wake of the FBI Flash document expanding on LockBit’s IOCs, here is a quick technical guide on how your organization can find evidence of the LockBit. As an inside attack is a possibility, automated response to these IOCs can stop the malware from gaining initial access, pulling down your security software, and removing all backups.
Language codes
In order to presumably not infect systems in the LockBit gang’s home country, the ransomware runs a check on installed language packs. These languages all come from Eastern Europe/Central Asia and include Russian, Belarussian, Tajik, Armenian, Azeri (Latin & Cyrillic), Georgian, Kazakh, Kygrz (Cyrillic only), Turkmen, Uzbek (Latin & Cyrillic), and Russian – Moldova.
In theory, installing at least one of these packages would offer protection.
Command Line Activity
Because the LockBit 2.0 attack runs through many stages, it will run a series of commands that can be clearly identified. Some of these will destroy valuable data like the security log (cmd.exe /c wevtutil cl security) or tell your systems to ignore boot failures (cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures).
Others, however, contain invalid syntax and error out. Although these commands aren’t directly damaging, they may serve as a last-minute warning before the ransomware runs wild on your network.
Files Created
Three different files are created after infection:
These files together give the user all the information they need to pay the ransom and communicate with the malware gang. Promising a decryption key, the now infamous wallpaper also offers would be cybercriminals a chance to become insider attackers and threatens permanent data loss if the victims don’t follow instructions.
And of course, the most notable aspect of LockBit is the file extension – .lockbit will be appended to all encrypted files. If you see that on your systems, get ready for the long journey to restoring backups. How do I defend my network against LockBit 2.0?
No one wanted LockBit 2.0, when your network is dealing with an infected machine, you may already be too far down the infection chain to stop the ransomware from spreading. However, healthy cybersecurity practices always help teams to survive network disabling attacks instead of becoming victims. To avoid weaponized encryption, here are some best practices that will help you mitigate the risk:
–Employ strategies that stop malicious emails from making their way into your organization, including effective staff training.
–Implement strong passwords that are regularly rotated.
–Use multi-factor authentication wherever possible to avoid privileged user accounts from becoming compromised.
–Run effective Group Policies that stop unwanted PowerShell commands, registry changes, system recovery disabling, system recovery file deletion, and Group Policy changes.
Tutorial: How to Manage Vulnerabilities during a Live Incident with OpenVas:
Vulnerability management is not a one-time task; it is an ongoing process to identify, classify, prioritize, remediate and mitigate the weak spots in software systems. Conflict is where opportunities are born, so responding to an incident is the best chance to understand the vulnerable points of our infrastructure.
The Significance of Live Vulnerability Management
Vulnerabilities are the key that leads to an incident or a cyber event. Understanding how these vulnerabilities have been exploited and leveraged to continue the attack will pay tenfold and give large amounts of data with IOCs.
Finding out where the vulnerabilities reside also provides a great inside look of the environment or the application along with the weaknesses that were exploited during the attack.
Technical Requirements for Conducting Live Vulnerability Management
Let’s take a closer look at the technical requirements for vulnerability management during the incident. In some cases, there will be tools that will help us identify and isolate some areas of compromise.
There are a lot of tools like Tenable Nessus, Engine Management and others. Let’s assume for this process that you are a boot-strapped organization that only has access to free or open-source tools. From this point of view, we were more likely to rely on an app called OpenVas.
Looking to read the complete tutorial? Click the button below to access the full tutorial on the SecPro website.
OWASP: OWASP Top Ten – A09: Security Logging and Monitoring Failures
By Austin Miller
Logging is fundamental to effective security practices, but sometimes it goes wrong. It’s not exactly a glamorous role – collecting event logs from various systems, analyzing the data, and then compressing and safely storing everything that has been collected – but failures in logging can be devastating!
For companies that are looking to roll back on their cybersecurity budget, expensive log management tools can be seen as an expendable luxury. But these tools aren’t quite so expendable when the adversary slips through the gaps unnoticed or a sophisticated ransomware gang destroys your event and security logs!
Where Do We See Security Logging and Monitoring Failures?
Getting a clear answer on how many cyberattacks come from security logging and monitoring failures is difficult for one key reason – no one wants to publicly say that they were hacked because they weren’t following basic protocol.
Logging and monitoring failure can also be inflicted on an organization through clever play from the adversary. In this week’s SecPro newsletter alone, we’ve covered one of the most notorious examples – the LockBit 2.0 ransomware, which deletes security and event logs before disabling any future logs from being created.
Want to read the entire report on the OWASP A09? Click the button below to access the full analysis on the SecPro website.
Beginner’s Corner: Using the Microsoft Threat Modeling Tool
We know how to approach threat modeling, so it’s time to look at a tool that we can use. For this example, I’m going to run through the free Microsoft Threat Modeling tool. By exploring the full capabilities of the free tool, you can build deeper threat models and understand how the adversary will approach any potential vulnerabilities in your software.
Getting Started
To get started on assessing the threats in your software, you only need a few basic things for this tutorial:
A machine running Windows. The free Microsoft Threat Modeling Tool which you can download here.
If you are running a test on an existing piece of software, a .tb7 file that contains a map of the application you want to review.
For the purposes of this tutorial, I am using Windows 10.
Using the Microsoft Threat Modeling Tool
This tool is designed to be easy to use but it still offers a wide range of customization options at the same time. Because of that, the simple user interface (UI) can be a little difficult to navigate on your first time. But don’t worry – that’s why we’ve made this guide.
For a fully illustrated guide on how to use a Threat Modelling Tool, check out the Sec Pro website below!
Secret Knowledge: Building Your Security Arsenal
Discover useful security resources, cheatsheets, hacks, and open-source CLI/web tools.
Infrastructure as Code
infracost/infracost: Cloud cost estimates for Terraform in pull requests Love your cloud bill!
accurics/terrascan: Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
outsideris/citizen: A Private Terraform Module and Terraform Provider registry.
bridgecrewio/kustomizegoat: Demonstrating secure and non-secure Kubernetes IaC manifests using Kustomize.io (kubectl -k) overlays.
pulumi/pulumi: Pulumi – Developer-First Infrastructure as Code. Your Cloud, Your Language, Your Way
Cloud Security
carlospolop/PurplePanda: Identify privilege escalation paths within and across different clouds
lyft/cartography: Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
grafeas/kritis: Deploy-time Policy Enforcer for Kubernetes applications
FourCoreLabs/firedrill: firedrill is a malware simulation harness for evaluating your security controls
projectcalico/calico: Calico is a widely adopted, battle-tested open source networking and network security solution for Kubernetes, virtual machines, and bare-metal workloads.
