SamSam But Different: MITRE ATT&CK and the SamSam Group Indictment
February 26, 2019
In our latest research report, A Tale of Epic Extortions, the Digital Shadows Photon Research Team highlight how cybercriminals abuse our online exposure to perform extortion campaigns. One particular area of focus is technical vulnerabilities, with our SamSam group case study demonstrating how attackers can monetize weaknesses on public-facing applications and perform ransomware attacks that don’t rely on phishing or exploit kits.
SamSam Group Indictment
On November 28, 2018 the US Department of Justice (DoJ) unsealed an indictment against two Iranian nationals. Known collectively as the SamSam group, they deployed ransomware to extort hospitals, municipalities, and public institutions, causing over $30 million in losses. The attackers compromised a number of organizations in order to deploy ransomware across a significant portion of their target’s IT estate and thereby extort money from the victim organizations. These included:
- Multiple healthcare service providers
- City of Atlanta
- City of Newark
- Colorado Department of Transportation
- Hollywood medical center
- Kansas Heart Hospital
- Port of San Diego
- University of Calgary
Judging by the opportunistic style of the attacks, it seems these organizations were targeted because the attackers believed they could compromise their networks and successfully deploy ransomware, as opposed to targeting them specifically for the nature of their work. We used the MITRE ATT&CK framework to map the details of the indictment and reveal exactly how the group were able to carry out their attacks.
Stage #0: Reconnaissance
PRE-ATT&CK TTPs: Technical Information Gathering
- Acquire OSINT data sets and information
- Conduct active scanning
- Conduct passive scanning
- Determine domain and IP address space
- Enumerate externally facing software applications technologies, languages, and dependencies
- Map network topology
PRE-ATT&CK TTPs: Technical Weakness Identification
According to the indictment, the attackers “conduct[ed] reconnaissance and research to select and target potential victims”. While the indictment does not go into detail about exactly which reconnaissance tasks were performed, we can “reverse” the likely approaches from the follow-on actions. In Stage 1, we will see that the attackers exploited known, public vulnerabilities in Internet-facing software and abused valid credentials for remote access solutions such as Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC).
Based on these approaches for gaining initial access, it’s likely the attackers performed a combination of active and passive scanning to identify exploitable targets. The attackers may also have obtained breach data and brute-forced their way in or used stolen credentials to then gain initial access to the target environments.
Digital Shadows mitigation advice: Much of the information gathered by the attackers was publicly available. Carefully considering which services should be Internet-facing can help an organization reduce the risk of opportunistic exploitation. Any service directly reachable from the public Internet should be considered high-risk and should be inventoried and patched accordingly.
Stage #1: Initial Access
The attackers used two main methods for gaining initial access:
- Exploiting public-facing applications
- Abusing valid accounts for remote access systems
The exploitation of known, public vulnerabilities and poorly configured authentication systems shows how the risks of security debt (the accumulation of unpatched systems, exposed services, etc.) extend beyond the theoretical. The SamSam group’s attacks led to financial losses for organizations, and significant disruption that hindered the ability to conduct normal business.
1. ATT&CK TTP: Exploit Public-Facing Application
Unlike many APT-style attacks that have been documented, the SamSam group did not rely heavily on spearphishing for their initial access method. According to the indictment, the “Defendants used a variety of methods to gain access to Victim computer networks, including exploiting known security vulnerabilities in common server software”.
According to open source reporting, the SamSam group exploited vulnerabilities in JBoss, File Transfer Protocol (FTP) servers and potentially Server Message Block (SMB) servers. The attackers were relying on organizations not patching their software against known vulnerabilities with publicly available exploits, and were subsequently able to leverage that initial access to extort an organization.
2. ATT&CK TTP: Valid Accounts
The attackers were found to be abusing valid credentials for remote access solutions through the use of an RDP brute-forcing tool called “NLBrute”. This tool allows an attacker to use a wordlist (a collection of known or often-used usernames and passwords) and try these combinations against multiple target RDP servers in order to see which sets of credentials are valid.
Digital Shadows mitigation advice: An inventory of software and services connected to the publicly-facing Internet is an important first step to securing an organization’s network. This inventory can be used to prioritize patching. Any exploit in-the-wild for a software or service in the inventory should be patched as a priority due to the high level of risk it poses to an organization. Remote access solutions such as RDP should ideally be accessible only over a Virtual Private Network (VPN). In cases where this is not possible, access control lists can be used to restrict which IP ranges can connect to the service. At a bare minimum, lock-out policies should be configured to mitigate brute-force attacks.
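As a complement to lock-out policies, the following added example (not from the original report) flags the wordlist pattern described above in Windows Security logon events: many failed RDP logons (event 4625) from one source in a short window, and any success (4624) that follows. The event records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2019, 2, 1, 3, 0, 0)

def _ev(sec, event_id, ip, user, logon_type=10):
    """Build one simplified Security-log record (constructed test data)."""
    return {"time": T0 + timedelta(seconds=sec), "event_id": event_id,
            "ip": ip, "user": user, "logon_type": logon_type}

# Constructed sample: one source cycling through a wordlist and then
# succeeding, plus a legitimate user who mistypes a password twice.
SAMPLE_EVENTS = (
    [_ev(i * 5, 4625, "203.0.113.50", u) for i, u in enumerate(
        ["administrator", "admin", "backup", "scanner", "test", "backup"])]
    + [_ev(35, 4624, "203.0.113.50", "backup")]
    + [_ev(10, 4625, "198.51.100.7", "alice"),
       _ev(20, 4625, "198.51.100.7", "alice"),
       _ev(30, 4624, "198.51.100.7", "alice")]
)

def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: alert} for sources with >= threshold failed
    remote logons inside the sliding window."""
    recent = defaultdict(deque)   # ip -> (time, user) of recent failures
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        # 10 = RemoteInteractive (RDP); RDP with Network Level
        # Authentication is often recorded as 3 (Network).
        if ev["logon_type"] not in (3, 10):
            continue
        ip, q = ev["ip"], recent[ev["ip"]]
        while q and ev["time"] - q[0][0] > window:
            q.popleft()           # drop failures that fell out of the window
        if ev["event_id"] == 4625:
            q.append((ev["time"], ev["user"]))
            if len(q) >= threshold:
                a = alerts.setdefault(
                    ip, {"max_failures": 0, "users": set(), "success_after": None})
                a["max_failures"] = max(a["max_failures"], len(q))
                a["users"].update(u for _, u in q)
        elif ev["event_id"] == 4624 and ip in alerts and q:
            # A success right after a burst of failures: the account whose
            # credentials must be revoked first.
            alerts[ip]["success_after"] = ev["user"]
    return alerts

if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, alert)
```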
Stage #2: Execution
According to the indictment, “the SamSam group makes extensive use of “living off the land” tactics: the use of operating system features or legitimate network administration tools to compromise victims’ networks”. The main ways in which the attackers performed these actions were through the command line (in the case that Linux servers were compromised) or GUI (in the case that Windows servers were compromised). This “living off the land” style is very effective in keeping the hostile activity undetected as it is more challenging for network defenders to differentiate legitimate from malicious activity. The indictment details a “sysadmin trick of launching a file from the \\tsclient\ path over an RDP connection lets the attacker execute files from his own machine on the target system” as one way in which the attackers would drop their own tools onto a compromised system.
Digital Shadows mitigation advice: Logging command line activity can be a very useful way to either alert on or hunt for adversary behavior in an environment. Endpoint logs such as event tracing via Sysmon on Windows can also provide vital clues both during and after a compromise as to the extent of attacker activity.
ATT&CK TTP: Windows Management Instrumentation (WMI)
The attackers used WMI to execute additional tools such as Mimikatz. This is often done to evade detection. WMI is typically less well-monitored than other approaches such as PowerShell and is frequently the tool of choice for stealthy attackers.
Digital Shadows mitigation advice: Monitoring the execution of WMI, PowerShell and other systems administration tools provides crucial visibility into potential attacker activity. An example could be the execution of WMI commands by non-admin users who have never executed WMI before.
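The "never executed WMI before" check can be expressed as a first-seen comparison against a baseline. This added example (not from the original report) runs over process-creation records shaped like Sysmon Event ID 1 (Image, ParentImage, User, CommandLine); the accounts, the admin list and the sample records are constructed.

```python
import ntpath

WMI_IMAGES = {"wmic.exe"}
WMI_PARENTS = {"wmiprvse.exe"}      # parent of processes started through WMI
WMI_CMDLETS = ("get-wmiobject", "invoke-wmimethod",
               "get-ciminstance", "invoke-cimmethod")

def uses_wmi(ev):
    """True if a process-creation record shows WMI being used."""
    image = ntpath.basename(ev["Image"]).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    cmd = ev.get("CommandLine", "").lower()
    if image in WMI_IMAGES or parent in WMI_PARENTS:
        return True
    return (image in ("powershell.exe", "pwsh.exe")
            and any(c in cmd for c in WMI_CMDLETS))

def first_time_wmi_users(baseline, current, admins):
    """Alert once per non-admin user who uses WMI in `current` but
    never did in `baseline`."""
    admins = {a.lower() for a in admins}
    known = {ev["User"].lower() for ev in baseline if uses_wmi(ev)}
    alerts = []
    for ev in current:
        user = ev["User"].lower()
        if uses_wmi(ev) and user not in admins and user not in known:
            alerts.append((ev["User"], ev["CommandLine"]))
            known.add(user)
    return alerts

# Constructed sample records (hypothetical accounts and hosts).
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BASELINE = [
    {"User": r"CORP\svc_inventory", "Image": WMIC,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic product get name"},
]
CURRENT = [
    {"User": r"CORP\svc_inventory", "Image": WMIC,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic product get name"},
    {"User": r"CORP\adm_jane", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-WmiObject Win32_BIOS"},
    {"User": r"CORP\bob", "Image": WMIC,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption"},
    {"User": r"CORP\bob", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"User": r"CORP\carol", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    print(first_time_wmi_users(BASELINE, CURRENT, admins=[r"CORP\adm_jane"]))
```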
Stage #3: Persistence
ATT&CK TTP: External Remote Services
A very simple way for attackers to persist in an environment is for the valid credentials they are abusing to remain unchanged. This allows the attackers to have access to their target on-demand.
Digital Shadows mitigation advice: If there is a suspected compromised account, for example through the kind of anomalous activity identified in the previous section, it is important to revoke the credentials so that the attackers cannot trivially regain access to the target environment.
ATT&CK TTP: Path Interception
While not specifically detailed in the indictment, open source reporting indicates the attackers used the legitimate penetration testing tool “PowerSploit” to invoke Mimikatz in memory to dump credentials. Despite this, it is feasible that the attackers also used PowerSploit’s persistence mechanisms to maintain access to a target’s environment.
Digital Shadows mitigation advice: Eliminating unquoted service paths in an environment reduces the ability of attackers to take advantage of this misconfiguration. Logging command line activity is also recommended for tracking script execution in an environment.
Stage #4: Privilege Escalation
ATT&CK TTP: DLL Search Order Hijacking
Although not mentioned explicitly in the indictment, as detailed in the previous section the attackers were known to use the PowerSploit toolset which includes a set of PowerShell scripts called PowerUp – a general, all-purpose toolset for performing privilege escalation on Windows systems. One technique in particular used by PowerUp is Dynamic Link Library (DLL) search order hijacking. This is where PowerUp places a DLL in a directory path used by the Operating System (OS) that is hijackable by PowerUp. One example is where a DLL is loaded by the OS which does not exist on the file system. This results in an attacker-controlled DLL being executed by the OS with elevated privileges.
Digital Shadows mitigation advice: One effective mitigation against such public toolsets is to run them in a controlled way in your environment – for example, a test system or as part of a Purple Team engagement to see which techniques are effective. In general, ensure that there are no unquoted service paths in the default set of environment variables and all DLLs which are expected to be loaded do in fact exist on the file system. An excellent list of Windows privilege escalation techniques can be found here.
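The unquoted service path advice in this section and in the Path Interception section above can be turned into an audit. This added example (not from the original report) takes service ImagePath values, as exported from the registry, and reports each unquoted path containing spaces together with the intermediate locations Windows would try first, which are the directories whose write permissions need reviewing. The service names and paths are constructed.

```python
import re

# Constructed sample: service name -> ImagePath value.
SAMPLE_SERVICES = {
    "GoodQuoted": r'"C:\Program Files\Vendor\Agent\agent.exe" --service',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "Unquoted": r"C:\Program Files\Acme Tools\updater.exe /run",
    "EnvVar": r"%SystemRoot%\system32\spoolsv.exe",
    "Driver": r"\SystemRoot\System32\drivers\example.sys",
}

# Shortest prefix ending in ".exe" that is followed by whitespace or the end.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

def executable_part(image_path):
    """Executable path of an unquoted ImagePath; None if it is quoted
    or does not point at an .exe (for example a driver)."""
    path = image_path.strip()
    if path.startswith('"'):
        return None
    match = _EXE.match(path)
    return match.group(1) if match else None

def earlier_candidates(exe_path):
    """Paths Windows tries before the intended one when the command line
    is unquoted: it cuts at each space and appends .exe."""
    parts = exe_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def audit(services):
    """Return {service: [candidate paths]} for every unquoted path
    whose executable portion contains a space."""
    findings = {}
    for name, image_path in services.items():
        exe = executable_part(image_path)
        if exe and " " in exe:
            findings[name] = earlier_candidates(exe)
    return findings

if __name__ == "__main__":
    for service, candidates in audit(SAMPLE_SERVICES).items():
        print(service, "->", candidates)
```

The fix for each finding is to wrap the executable path in double quotes in the service configuration.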
Stage #5: Defense Evasion
ATT&CK TTP: Disabling Security Tools
In one case detailed in open source reporting, the attackers were attempting to use the well-known, public tool Mimikatz to dump credentials from memory. In this particular case, however, the Endpoint Protection Platform (EPP) caught the execution of Mimikatz and blocked it. In response, the attackers modified the Windows registry to disable the EPP product. The attackers then proceeded to use Mimikatz unimpeded.
Digital Shadows mitigation advice: This example of Defense Evasion is a perfect demonstration of how security controls provide not only prevention but detection opportunities. The disabling of an EPP product should be a red flag visible in the OS logs or in a SIEM (security information and event management) product. Any unauthorized or unplanned disabling of a security product should be a key indicator of malicious activity, especially when directly preceded by a successful block of malicious activity.
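The correlation described above, as an added example that is not part of the original report: a security-product disable event is raised as critical when the same host logged a block shortly before, and as high when it is unplanned but has no preceding block. The event schema (`kind`, `host`, `detail`), host names and change windows are hypothetical and would map onto whatever the EPP and SIEM actually emit.

```python
from datetime import datetime, timedelta

DAY = datetime(2019, 2, 1)

def _at(hour, minute):
    return DAY + timedelta(hours=hour, minutes=minute)

# Constructed sample events (hypothetical schema and hosts).
SAMPLE_EVENTS = [
    {"time": _at(2, 10), "host": "FS01", "kind": "epp_block",
     "detail": "credential dumping tool blocked"},
    {"time": _at(2, 14), "host": "FS01", "kind": "epp_disabled",
     "detail": "protection disabled via registry change"},
    {"time": _at(1, 0), "host": "FS02", "kind": "epp_block",
     "detail": "suspicious script blocked"},
    {"time": _at(3, 0), "host": "FS02", "kind": "epp_disabled",
     "detail": "service stopped"},
    {"time": _at(9, 0), "host": "WS07", "kind": "epp_disabled",
     "detail": "agent upgrade"},
]
# Approved change windows: (host, start, end).
PLANNED = [("WS07", _at(8, 30), _at(9, 30))]

def correlate(events, planned=(), lookback=timedelta(minutes=30)):
    """Return [(host, severity, preceding_block_detail)] for every
    unplanned disable event."""
    last_block = {}               # host -> most recent block event
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        host = ev["host"]
        if ev["kind"] == "epp_block":
            last_block[host] = ev
        elif ev["kind"] == "epp_disabled":
            if any(h == host and start <= ev["time"] <= end
                   for h, start, end in planned):
                continue          # covered by an approved change window
            block = last_block.get(host)
            if block and ev["time"] - block["time"] <= lookback:
                # Disabled right after a successful block: the pattern
                # described in the text.
                alerts.append((host, "critical", block["detail"]))
            else:
                alerts.append((host, "high", None))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, PLANNED):
        print(alert)
```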
Stage #6: Credential Access
ATT&CK TTP: Credential Dumping
In keeping with the general TTPs of the SamSam group of using public tooling for their attacks, the attackers made use of Mimikatz for credential dumping. The attackers used to download Mimikatz from the PowerSploit GitHub repository and execute Mimikatz in-memory. They also used to trigger this downloading and execution. This style of in-memory execution is used to evade many EPP products that exclusively monitor disk activity for malicious behavior. Mimikatz has a wide range of features for attacking Windows systems, but its most popular usage is to read plaintext credentials or hashes out of the various Windows authentication subsystems such as LSASS (Local Security Authority Subsystem Service). These credentials are then used by the attackers to move laterally to other systems in the target environment.
Digital Shadows mitigation advice: Mimikatz cannot be executed by regular users: it requires Administrator privileges in order to access the OS features it requires. Controlling access to Administrator privileges should be a top priority for organizations looking to mitigate credential dumping attacks. Many EDR systems have in-memory scanners that are capable of detecting in-memory Mimikatz execution. There is, however, a constant evolutionary arms race between offensive toolset developers and the defensive community, so these EDR systems cannot be exclusively relied upon to mitigate the threat posed by such tools. Robust logging and alerting can complement an EDR system by providing detailed information on OS activity that could indicate the usage of tools like Mimikatz in an environment, such as via wmiexec.
Stage #7: Discovery
ATT&CK TTP: Remote System Discovery
According to the indictment, “Once inside a Victim’s computer network, [the] Defendants used sophisticated hacking techniques and tools to conduct reconnaissance and expand their access to the Victim computer networks” and the “Defendants scanned a Victim’s computer network to identify computers to target for encryption”. The SamSam group used Hyena to scan for hosts inside of the target environment. Hyena integrates with Active Directory (AD) and allows an Administrator to query which machines, users, groups, etc. are present in an AD installation.
Figure 1: Digital Shadows demonstration of Hyena tool in use
The indictment goes on to state that “[e]arly in the conspiracy, this reconnaissance often lasted for weeks. Defendants sometimes deployed the SamSam Ransomware within hours of hacking into a Victim’s computer network”. This shows that as the attackers gained experience of compromising their targets, they moved more quickly to their objective and responders must be able to act quickly to prevent this kind of mass compromise.
Digital Shadows mitigation advice: Monitoring can be used to alert on internal port scans or bulk Lightweight Directory Access Protocol (LDAP) queries in an environment. It is also important to deconflict this alerting with generic Vulnerability Assessment (VA) scans that will look very similar to an intrusion detection system (IDS) or SIEM. Ensuring that the VA scans are appropriately whitelisted helps analysts to more quickly identify anomalous traffic patterns which could indicate malicious activity.
ATT&CK TTP: System Information Discovery
In addition to Hyena, the attackers used the SysInternals psinfo tool from Microsoft to profile a system that they had compromised. From the Microsoft SysInternals page, “PsInfo is a command-line tool that gathers key information about the local or remote Windows NT/2000 system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system, and if it’s a trial version, the expiration date”. This information is used by an attacker to understand if their attack tools will work on a machine that they have compromised. PsInfo uses the Windows registry and WMI to discover information about the machine where it is being run from.
Digital Shadows mitigation advice: Application whitelisting features such as Microsoft AppLocker can be used to detect (and potentially block) application executions in an environment. Attackers typically use Microsoft-signed utilities as part of a general “living off the land” approach to avoid detection. Living off the land generally means using (normally Microsoft) signed binaries that have unexpected features such as the ability to download and execute arbitrary code. A list of LOLBAS (Living Off the Land Binaries And Scripts) is maintained here. Tracing which LOLBAS are executing in an environment is a valuable first step to uncovering malicious activity.
Stage #8: Lateral Movement
ATT&CK TTP: Service Execution
The indictment states: “After conducting reconnaissance, [the] Defendants installed the SamSam Ransomware on as many computers within the Victim network as possible”. In order to achieve this goal, the attackers needed to remotely access one machine from another inside of a target environment. In order to do this, they made use of another signed binary from Microsoft, namely psexec. The attackers, however, did not use psexec just to remotely interact with another machine; they used psexec as part of their ransomware deployment approach. psexec’s remote execution capability allowed them to delete their tools after execution and also to trigger the execution of their ransomware package.
Digital Shadows mitigation advice: As we have mentioned in a previous blog post, John Lambert of Microsoft’s Threat Intelligence Center recommends defeating psexec remote attacks by changing the security descriptor of the Service Control Manager (SCM). Such changes require testing and possible adaptation to the local environment as they may interfere with existing administration techniques. In general, lateral movement should be restricted as much as possible via restricting workstation-to-workstation communication (via firewalling or even private VLANs) and principle of least privilege to ensure that only the necessary personnel have the administration privileges required for certain actions. Additional guidance for securing Active Directory against typical attacks can be found on the excellent adsecurity.org, in particular “The Most Common Active Directory Security Issues and What You Can Do to Fix Them”.
Stage #11: Command and Control
ATT&CK TTP: Remote Access Tools
The attackers appeared to maintain access to their environments and thereby remotely control their compromised hosts through standard remote access tools such as RDP and VNC. No dedicated Command and Control (C2) approaches, such as HTTPS or DNS tunneling, appear to have been used.
Digital Shadows mitigation advice: Remote Access logs should be regularly reviewed to ensure that no unauthorized access has taken place. Users logging in from completely unknown locations (which can take place if a user is on business travel or, occasionally, holiday) could be an indicator of suspicious activity.
The indictment states that: “The simultaneous, mass encryption of a Victim’s computers was intended to – and often did – cripple the regular business operations of the Victims. Without use of their data, most Victims were unable to function normally; many had to shut down or drastically curtail their operations. These devastating attacks often caused substantial losses to the Victims”.
The attackers were successful in extorting and disrupting their target’s networks. Additionally, the “coordinated encryption attack, which was disguised to appear like legitimate network activity, was usually launched outside regular business hours, when a Victim would find it more difficult to mitigate the attack”. This underlines that the attackers’ approach was to understand how their targets operated and then use this understanding to make their attacks more effective.
The SamSam group was a motivated threat actor that used a variety of open source tools to wreak havoc on their targets and caused significant disruption and distress in the process. Through careful analysis of their tradecraft we can extract the highest value and high impact mitigations that organizations can use to protect themselves. In addition, below we’ve provided a list of the freely available tools that organizations can use in Purple Team security assessments as part of an ongoing process to evaluate their own controls.
The SamSam group made use of the following tools:
- JexBoss (CVE-2010-0738 exploit)
- NLBrute2 (WARNING: hacker tool, download at your own risk!)
- Hyena (free 30 day trial)
SamSam’s ability to monetize technical vulnerabilities is just one of the methods extortionists use to take advantage of our online exposure. Check out Photon’s research A Tale of Epic Extortions to learn more, including how extortionists use compromised credentials and sensitive documents for their campaigns, and how extortion guides are lowering the barriers to entry for novice cybercriminals.