Rewterz Threat Alert – Ryuk Ransomware Gang Using Zerologon Bug for Swift Attack

Severity

High

Analysis Summary

The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial phish. They used tools such as Cobalt Strike, AdFind, WMI, and PowerShell to accomplish their objective. Ryuk has been one of the most proficient ransomware gangs in the past few years, having earned $61 million USD since February, 2020. In previous Ryuk case, the threat actors leveraged access to an environment via the Bazar Loader malware. From this loader we saw initial mapping of the domain, using built-in windows utilities such as Nltest. However, unlike the last case, the threat actors started at a lower privileged user and rather than proceeding slowly or cautiously, they exploited the recently disclosed Zerologon vulnerability (CVE-2020-1472) to reset the machine password of the primary domain controller. Lateral movement was initiated via SMB file transfers and WMI executions of Cobalt Strike Beacons. After moving laterally to the secondary domain controller, the threat actor started on more domain discovery via Net and the PowerShell Active Directory module. From there, the threat actors appeared to use the default named pipe privilege escalation module on the server. At this point, the threat actors used RDP to connect from the secondary domain controller, to the first domain controller, using the built in Administrator account. Once on the main domain controller, another Cobalt Strike beacon was dropped and executed. Then more domain reconnaissance was performed using AdFind. Once this completed, at the four hour mark, the threat actors were ready for their final objective. Four hours and 10 minutes in, the threat actors used the pivot from the primary domain controller to RDP into the Backup server. Backup servers were again targeted first for deployment of the ransomware executable, followed by servers and then workstations. The threat actors finished their objective by executing the ransomware on the primary domain controller, and at the 5 hour mark, the attack completed. For attacks like these, organizations need to be ready to act in less than an hour, to make sure they can effectively disrupt the threat actor.

Impact

• Privilege Escalation
• Information Theft
• Data Exfiltration
• Files Encryption
• Network Compromise

Indicators of Compromise

Domain Name

• cstr3[.]com
• quwasd[.]com
• havemosts[.]com

MD5

• 890206f0c506366d480e02fc9fed988a
• 85057b3f1210043ce7821e249ac96b29

SHA-256

• feb8c2bcb71da02dbbeecb999869e053cf96af8cce6f9705cadca4338133d3b5
• 23ac461f9b5128841cafabb4282432252ea7b57874595cf6fe8457fc1ac65007

SHA1

• ba1542d9b55fff21bda9495ed884404b0436cff2
• 72aa6fd75890d657d06ebbd4473f82b5b5c11272

Source IP

• 5[.]2[.]64[.]174
• 88[.]119[.]171[.]94

URL

• http[:]//5[.]2[.]64[.]174[:]443
• http[:]//88[.]119[.]171[.]94[:]443
• http[:]//3[.]137[.]182[.]114[:]443

Remediation

• Block the threat indicators at their respective controls.
• Immediately patch the ZeroLogon vulnerability if it hasn’t been patched already.
• Do not download files attached in untrusted emails.
• Maintain a strong password policy and implement multifactor authentication where possible.