The Analyst Prompt #40 Ransomware; TA505; Iranian Nation State

Threat Actor Update: TA505 Shifts Towards Exploitation of Publicly Exposed Applications for Initial Access

The cybercriminal group known as TA505 exploits publicly available SolarWinds Serv-U servers vulnerable to CVE-2021-35211 (1) for initial access (2). Exploitation executes Base64 encoded PowerShell deploying Cobalt Strike Beacon. TA505 occasionally hijacks theRegIdleBackup scheduled task and abuses the COM handler to gain persistence and to execute the FlawedGrace remote access trojan. The intrusions are likely preparation for the deployment of ransomware (3).

TA505’s exploitation of CVE-2021-35211 represents a shift in initial access techniques. Historically, TA505 relied on socially engineered phishing campaigns with a malicious attachment or link (4). This technique requires users to manually click on the attached file or link for execution, whereas exploitation of public facing vulnerable servers requires no user execution for initial access. EclecticIQ recommended SolarWinds Serv-U users visit the official SolarWinds security advisory for affected products and patches (1).

Threat Actor Update: Iranian Nation State Groups use of Ransomware Highlights Continued Dominance of Ransomware Threat

Six Iranian threat groups are deploying ransomware with the goal to disrupt or collect funds from their targets (5). PHOSPHORUS gained initial access by exploiting vulnerabilities affecting Fortinet FortiOS SSL VPN (CVE-2018-13379) and - in the latter half of 2021 - by targeting unpatched on-premises Exchange Servers vulnerable to ProxyShell (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). After compromise the actor moved laterally deploying Bitlocker to encrypt and ransom the victim. Multiple Iranian groups are also moving away from unsolicited phishing emails towards targeted social engineering for user execution and credential theft.

Ransomware is and will remain the most significant cyber threat for public and private organizations. Iranian based threat groups use of ransomware represents a growing emphasis by threat groups (6) on ransomware, for both financial and non-financial motivations. This shift will continue due to the effectiveness of encrypting an organization’s or individual’s data for monetary or disruptive reasons.

New & Noteworthy: U.S. Justice Department Charges Ukrainian and Russian Nationals in Continued Escalation Against Ransomware Threat

The U.S. Justice Department charged one Ukrainian and one Russian national for their involvement in deploying Sodinokibi/REVil ransomware against U.S. businesses and government entities (7). Yaroslav Vasinskyi, a Ukrainian national and Yevgeniy Polyanin, a Russian national have been charged with conducting ransomware attacks, including the Kaseya attack in July 2021 (8). The Department also seized $6.1 million USD, traceable to ransom payments obtained by Yevgeniy Polyanin. Vasinskyi was taken into custody in Poland awaiting extradition by request from the U.S. Polyanin remains at large.

The charges against Vasinskyi and Polyanin represent a continued escalation by the U.S. government in response to the ransomware threat. The charges are part of a larger effort by the U.S. government and the newly setup Ransomware Task Force to directly disrupt and counter ransomware groups using four lines of effort (9). The U.S. Department of the Treasury sanctioned the cryptocurrency exchange SUEX in September for its role in facilitating financial transactions related to ransomware (10), showing the willingness of the U.S. to disrupt financial infrastructure used by ransomware groups. International partnerships are also key, with the arrest of Vasinskyi involving multiple international partners including Poland (7).

Appendix

1. https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
2. https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/
3. https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/
4. https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
5. https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
6. https://www.theguardian.com/uk-news/2021/oct/25/ransomware-attacks-in-uk-have-doubled-in-a-year-says-gchq-boss
7. https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya
8. https://us-cert.cisa.gov/kaseya-ransomware-attack
9. https://www.whitehouse.gov/briefing-room/statements-releases/2021/10/13/fact-sheet-ongoing-public-u-s-efforts-to-counter-ransomware/
10. https://home.treasury.gov/news/press-releases/jy0364