Yesterday, December 3, The United States Department of Homeland Security (DHS), National Cybersecurity and Communications Integration Center (NCCIC), and the Federal Bureau of Investigation (FBI) issued an activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. This blog shares summary of the above analysis including vulnerabilities that bad-actors are using to deploy the SamSam ransomware. In addition, I have adapted this report as well as recommendations for prevention and mitigation, in support of our clients.
- Bad-actors are targeting multiple industries, including some within critical infrastructure. Victims have been located predominately in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.
- The bad-actors are exploiting vulnerable Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. According to reporting from victims in early 2016, bad-actors have used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims’ machines has indicated that bad-actors generally use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks. Typically, bad-actors will either use brute force attacks, stolen login credentials, or previously stolen credentials from the dark-net market. Detecting RDP intrusions can be challenging because the malware enters through an approved access point and often goes undetected.
- After gaining access to a particular network, the bad-actors escalate privilege for administrator rights, drop malware onto the server(s), and install and run executable(s) (e.g., advanced hacking toolkits), all without victims’ awareness, action, or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email, clicking on an attachment, or visiting a compromised website, RDP allows bad-actors to infect victims with minimal detection.
- Analysis of tools found on victims’ networks indicated that successful bad-actors had purchased stolen RDP credentials from known dark-net marketplaces. FBI analysis of victims’ access logs revealed that bad-actors can infect a network within hours of purchasing such credentials. While remediating infected systems, several victims found suspicious activity on their networks unrelated to SamSam ransomware. This activity is a possible indicator that the victims’ credentials were stolen, sold on the dark-net, and used for other illegal activity.
- The bad-actors then leave ransom notes on compromised and encrypted computers. These instructions direct victims to establish contact through a Tor (anonymous) hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network. Note – since bad-actors are bad, they may very likely not give you the ability to recover but rather they will demand more ransom.
Illustration of common attack leveraged by SamSam ransomware actors to gain control and lateral movement. Notice the Microsoft countermeasures that can greatly reduce the threat.
SamSam Ransomware Technical Details
NCCIC recommends organizations review the following SamSam Malware Analysis Reports. The reports represent four SamSam ransomware variants. This is not an exhaustive list.
- MAR-10219351.r1.v2 – SamSam1
- MAR-10166283.r1.v1 – SamSam2
- MAR-10158513.r1.v1 – SamSam3
- MAR-10164494.r1.v1 – SamSam4
For general information on ransomware, see the NCCIC Security Publication at https://www.us-cert.gov/security-publications/Ransomware.
Mitigation and Preventative Measures
DHS, FBI, and certainly Catapult recommends that you apply the following best-practices and insights to strengthen the security posture for your organization.
- Review any system (network) configuration changes before implementation, and investigate all unapproved changes, to detect and potentially avoid unwanted impacts caused by lapses in system and network configurations.
- Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology venders to confirm that patches will not affect system processes.
- Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
- Enable strong passwords and account lockout policies to defend against brute force attacks. Consider a mandatory password reset (across the board), especially if you have been previously compromised or suspect you have been.
- Deploy multi-factor authentication (e.g., MFA, 2-step authentication, two-factor authentication, biometrics) across your user community. MFA can eradicate nearly 85% of identity-related attacks. Catapult regularly held clients deploy MFA and conditional MFA. Conditional MFA is where only those accesses posting the greater risks (e.g., behaviorally unique, improbably/impossible travel, etc.) require the multi-factor verification. This approach helps to greatly reduce user-frustration associated with MFA.
- Regularly apply system and software updates. Patch your systems quickly and consistently, especially security patches.
- Maintain a good back-up strategy. Consider separating authentication between both environments, production and back up environment, respectively.
- Enable logging and ensure that logging mechanisms capture RDP logins, suspicious behaviors, etc. Review the logs regularly to detect intrusion attempts and don’t underestimate low-level alerts. Advanced Persistent Threats (SamSam and others) operate within the noise of your normal regular traffic, hence that low-level alert you ignore could be a bad-actor doing reconnaissance inside your network. Unfortunately, we see these issues a lot during new client assessments and on-boarding into Spyglass (our managed security service).
- When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
- Ensure that 3rd parties who require RDP access follow internal policies on remote access and are subject to additional security controls such as device compliance inspection and MFA (as examples).
- Minimize network exposure for all control system devices. Where possible, disable RDP on your mission critical devices.
- Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Best-practice is to eliminate local administrator on desktop and laptop computers. This is more easily said than done, but given that it’s the “user” that most often clicks the email attachment (or opens the malicious email), the continuation of “local-admin-for-everyone” should be a sunset approach.
- Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication to regulate access to these devices. Partially-intelligent systems, such as those within many printers, network-attached storage devices, as well as many IoT (internet of things) “gadgets” are among the types of targets where a bad-actor will seek to establish a foothold and remain dormant as they explore and exploit your critical systems – so don’t think that these devices are uninteresting targets: they are very interesting to bad-actors.
Applying the above steps and best-practices will indeed help to improve your security posture, and will reduce the threat of APT and ransomware attacks such as SamSam, but there is no guaranteed silver bullet. If you need help with assessing or modernizing your security program, please contact us: Catapult’s Spyglass Security Service – we can help you.
Till next time,