Living Off the Land (LOTL): A Case Study

Blog | Threat Intelligence Brief

OVERVIEW

During a recent incident involving LockBit ransomware, we discovered a persistent credential harvester hidden as a scheduled task/process. We did a significant amount of investigation before unraveling what was creating alerts and attempting to beacon out to certain IP addresses in Latvia.

During this investigation, we uncovered a heavy reliance on functions built into Windows, which were abused to masquerade as other processes, steal passwords, and exfiltrate them from the organization.

This behavior is often referred to as “Living Off the Land.” In other words, no malware was used, just clever use of what is already available within the operating system.

KEY FINDINGS

Latvian Connection

The use of a Latvian VPN provider was a central part of the attacker’s infrastructure. The address was referred to throughout the scripts in decimal (integer) format: the value in question, 1484238829, translates to 88[.]119[.]175[.]237 when converted.
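The conversion described above, as an added example that is not PacketWatch's own tooling: it decodes integer-encoded IPv4 addresses, carries the reverse conversion for building IOC searches, and scans script text for integer literals that may be hidden addresses. The script fragment, the noise threshold and the byte-order caveat are the example's own assumptions.

```python
import re
import struct
from typing import Iterator, Tuple

def decimal_to_dotted(value: int, little_endian: bool = False) -> str:
    """Render a 32-bit integer as a dotted-quad IPv4 address.

    The usual reading is big-endian (first octet in the high byte), which is
    how 1484238829 becomes 88.119.175.237. Some Windows/.NET calls take the
    same integer in the opposite byte order, so when a script's conversion
    path is unclear, try both and match against observed network traffic.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} does not fit in 32 bits")
    octets = struct.pack("<I" if little_endian else ">I", value)
    return ".".join(str(b) for b in octets)

def dotted_to_decimal(addr: str) -> int:
    """Inverse conversion, useful when searching scripts for a known IOC."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return struct.unpack(">I", bytes(octets))[0]

def defang(addr: str) -> str:
    """Defang for reports so the address is not clickable by accident."""
    return addr.replace(".", "[.]")

# Standalone integer literals of 8-10 digits; values below 16777216 would
# decode with a leading 0 octet and are mostly noise, so they are dropped.
_INT_LITERAL = re.compile(r"(?<![\w.])(\d{8,10})(?![\w.])")

def find_decimal_ips(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (integer, defanged dotted form) for each candidate in text."""
    for match in _INT_LITERAL.finditer(text):
        value = int(match.group(1))
        if 0x01000000 <= value <= 0xFFFFFFFF:
            yield value, defang(decimal_to_dotted(value))

# Constructed script fragment for demonstration; not the attacker's script.
SAMPLE_SCRIPT = """
$dest = 1484238829        # destination stored as an integer
$retries = 300
$taskName = 'update-check-4127'
"""

if __name__ == "__main__":
    for value, addr in find_decimal_ips(SAMPLE_SCRIPT):
        print(f"{value} -> {addr}")
```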

Renaming PowerShell

In all cases where PowerShell was used, it had been renamed to “modpro.exe.”
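One way to catch a renamed PowerShell binary, as an added example (not PacketWatch's detection content): recent Sysmon versions record the executable's OriginalFileName in Event ID 1, and a rename on disk does not change that value, so a mismatch between the image name and the original name is the signal. The JSON event shape and the sample events are constructed for the example.

```python
import json
from pathlib import PureWindowsPath
from typing import Dict, List

# OriginalFileName comes from the binary's version resource, which renaming
# the file on disk does not change. Recent Sysmon versions include it in
# Event ID 1 (process creation). Map: lowercase OriginalFileName -> names the
# binary legitimately runs under. Extend as needed for other LOLBins.
EXPECTED_NAMES = {
    "powershell.exe": {"powershell.exe"},
}

def is_renamed(event: Dict) -> bool:
    """True when the on-disk name differs from the PE's original name."""
    original = event.get("OriginalFileName", "").lower()
    expected = EXPECTED_NAMES.get(original)
    if expected is None:
        return False
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    return image_name not in expected

def find_renamed_processes(json_lines: str) -> List[Dict]:
    """Scan newline-delimited JSON events and return the suspicious ones."""
    hits = []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") == 1 and is_renamed(event):
            hits.append(event)
    return hits

# Constructed sample events (not from the incident) in the shape a typical
# Sysmon-to-SIEM forwarder emits. JSON escapes the Windows backslashes.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","OriginalFileName":"PowerShell.EXE","CommandLine":"powershell.exe -File C:\\scripts\\backup.ps1"}
{"EventID":1,"Image":"C:\\ProgramData\\modpro.exe","OriginalFileName":"PowerShell.EXE","CommandLine":"modpro.exe -File C:\\ProgramData\\t.ps1"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","OriginalFileName":"NOTEPAD.EXE","CommandLine":"notepad.exe"}
"""

if __name__ == "__main__":
    for hit in find_renamed_processes(SAMPLE_EVENTS):
        print(f"renamed {hit['OriginalFileName']}: {hit['Image']}")
```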

Picking a Name

The scripts would also create a scheduled task and name it from one of 9 templates.

Choosing a Birthdate

The newly created tasks would also have their modified dates changed to 485 days in the past. This process is known as “time stomping,” and it frustrates any attempt to look for newly created scheduled tasks by file date.
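A hunting heuristic for this, as an added example (not PacketWatch's own method): task definitions are XML files under C:\Windows\System32\Tasks, and while the attacker can rewrite a file's modified time, the Security log's Event ID 4698 still records when the task was actually registered. Comparing the two exposes the 485-day gap. The record layout and sample tasks are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# A task file whose modified time is older than its own creation time, or much
# older than the 4698 event that registered it, has most likely been stomped.
STOMP_THRESHOLD = timedelta(days=1)

def stomp_offset(task: Dict, registered_at: datetime) -> int:
    """Days between the real registration time and the claimed modified time."""
    return (registered_at - task["modified"]).days

def looks_time_stomped(task: Dict, registered_at: datetime) -> bool:
    return (task["modified"] < task["created"]
            or registered_at - task["modified"] > STOMP_THRESHOLD)

def find_stomped_tasks(tasks: List[Dict], events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (task name, days stomped) for every suspicious task."""
    registered = {e["task"]: e["time"] for e in events if e["id"] == 4698}
    hits = []
    for task in tasks:
        # Fall back to the file's creation time when no 4698 event exists.
        anchor = registered.get(task["name"], task["created"])
        if looks_time_stomped(task, anchor):
            hits.append((task["name"], stomp_offset(task, anchor)))
    return hits

# Constructed sample data (not from the incident): "created"/"modified" are
# the task file's timestamps, events are Security log 4698 entries.
NOW = datetime(2021, 6, 1, 10, 0)
SAMPLE_TASKS = [
    {"name": r"\Backup\Nightly", "created": NOW - timedelta(days=30),
     "modified": NOW - timedelta(days=30)},
    {"name": r"\Updates\CheckX", "created": NOW,
     "modified": NOW - timedelta(days=485)},
    {"name": r"\Inventory\Scan", "created": NOW - timedelta(days=2),
     "modified": NOW - timedelta(days=2, hours=-1)},
]
SAMPLE_EVENTS = [
    {"id": 4698, "task": r"\Backup\Nightly", "time": NOW - timedelta(days=30)},
    {"id": 4698, "task": r"\Updates\CheckX", "time": NOW},
]

if __name__ == "__main__":
    for name, days in find_stomped_tasks(SAMPLE_TASKS, SAMPLE_EVENTS):
        print(f"{name}: modified time is {days} days before registration")
```

Event 4698 is only written when auditing of Other Object Access Events is enabled, so the fallback to file creation time matters on hosts without that policy.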

Conclusion

This malware-less attack was quite sophisticated and complex to unravel. The multiple layers and numerous steps involved are all described in our full report, which also references the different techniques employed and maps them to the ATT&CK framework.

IOCs

88.119.175[.]237

88.119.175[.]81

More Information

Please see the full report for in-depth details.

About PacketWatch

We are threat hunters, investigators, intelligence analysts, and cybersecurity experts with experience in federal law enforcement, national security, and enterprise IT. Leveraging our expertise and our innovative use of technology, we help our clients find security risks that others may miss.

Please visit us at https://packetwatch.com/

THIS MEMORIAL DAY WEEKEND: RANSOMWARE

Blog | Threat Intelligence Brief

Extensive Remote Workforce and Upcoming American Holiday Likely to Attract Significant Increase in Ransomware Attacks

Since May 4th, we have seen an eye-catching increase in cyber incidents, email compromise, and ransomware attacks.

As we approach the US Holiday, Memorial Day, we expect this increase to continue. To help improve your awareness, we offer the following trends and fairly consistent indicators pointing back to Eastern European and Russian criminal actors.

Trends

Here are some of the prevalent trends that we have seen recently:

  • Attackers are using compromised admin credentials. The credentials appear to be coming from successful phishing attacks, or brute forcing/guessing. In at least one case we worked, a laptop appeared to be infected with password-harvesting malware—when an administrator remotely logged in, the attackers were able to collect the admin credentials.
  • Organizations with open ports on 3389 and 21 seem to be especially susceptible to attack.
  • Domain controllers are being encrypted, making deployment of recovery tools difficult. We strongly recommend having good backups of domain controllers.

Recommendations

We are sharing the following recommendations, in order of importance, based on recent research and incidents we’ve worked throughout May:

  • Mandate multifactor authentication (MFA) wherever possible. Even if an attacker obtains login credentials (user name and password), MFA is very effective at deterring full compromise.
  • Implement advanced endpoint protection, such as CrowdStrike. Traditional antivirus is becoming increasingly less effective (as evidenced by the AV server itself getting encrypted in a cited case).
  • Use complex passwords for admin accounts, especially those shared with outside vendors.

Network Monitoring

The knowledge we gain through our Incident Response Practice often gets “re-invested” into PacketWatch as alerts and queries watching for anomalous trends and threats.

Following is a PacketWatch graph showing activity for the past week from Russian IP addresses. This activity is collected via an externally-facing PacketWatch node not filtered by a firewall, affording us tremendous visibility into the holistic nature of internet traffic.

As you’ll notice in the following graph, Russian activity last week noticeably spiked starting around 00:30 on Friday, May 15, and subsided the following Tuesday morning.

When we break this traffic out by Autonomous System Number (ASN), two ASNs appear to be primarily responsible for the increase in traffic. Please see the following graph.

We traditionally see a surge in cyber attacks on or around major American holidays, since attackers are keen to exploit victims they suspect may be less vigilant due to vacations, remote work, or the typical excitement and distractions that accompany holiday activities.

Lately, the surge in attack traffic appears to be focused on ports 445, 23, and 3389 (SMB, Telnet, and RDP, respectively). These ports are typical threat vectors for wormable exploits and ransomware deployment. Based on the timing in this swell of activity as well as the targeted ports, we assess with moderate to high confidence that organizations with services open and responding on these ports may face significant targeting over the coming Memorial Day weekend.

Russian Activity Over the Past Seven Days

Looking at Russian activity over the past week, we also see a fair amount of other traffic looking for interesting services such as Secure Shell (port 22, SSH) and port 5900. Port 5900 is associated with Apple’s remote network computing. Database administrators will be interested to see that 1433 (SQL) makes an appearance here as well.
