How to improve cyber attack detection using social media

Community

There are thousands of incident responders worldwide, and of course, some of them like to share their findings from IR engagements. We already looked at some threat research reports, but it usually takes quite a lot of time to create one. Therefore, responders and researchers often use other media to share their findings in a short form. A very popular media platform for such sharing is Twitter.

If you are dealing with a human-operated ransomware attack and you already identified the strain, you may find quite a lot of information on the threat actors, including TTPs. Understanding the threat actor is critical. Usually, certain ransomware affiliates use specific tools and processes during certain stages of the attack life cycle.

Let's start with RagnarLocker ransomware and have a look at the following tweet from Peter Mackenzie, Director of Incident Response at Sophos (https://twitter.com/AltShiftPrtScn/status/1403707430765273095):

So, what can we learn from this tweet? First of all, we can see that RagnarLocker affiliates potentially use ProxyLogon (Common Vulnerabilities and Exposures (CVE) - 2021-26855) for obtaining initial access to their targets. ProxyLogon is a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the administrator.

To collect information about internal networks, RagnarLocker affiliates use Advanced IP Scanner, a free network scanner from Famatech Corp that is quite popular among various RaaS programs' affiliates.

Just as with many other threat actors, RagnarLocker affiliates use Cobalt Strike for various post-exploitation activities, including lateral movement (alongside RDP). To distribute beacons on remote hosts, the threat actors use PaExec, an open source alternative to PsExec from Sysinternals.

To have redundant access to a compromised network, RagnarLocker affiliates use ScreenConnect, legitimate remote-control software. Despite the fact it is legitimate, it can be leveraged by threat actors to obtain access to a compromised network.

Collected sensitive data is archived with help of WinRAR and exfiltrated with the help of Handy Backup, a commercial backup solution installed on the target hosts by threat actors. Zipping and password-protecting are common techniques used by threat actors during the exfiltration phase. Still, there are a lot of various forensic artifacts sources that can be used to detect it.

As you can see, we can collect a lot of valuable information from just a few tweets.

Let's move forward and look at another tweet by the same author, which you can see here:

Just as with RagnarLocker affiliates, DoppelPaymer affiliates actively use Cobalt Strike for post-exploitation.

Also, we can see that threat actors use Rubeus, a quite popular toolset for interacting with and abusing Kerberos.

Here's another example of a legitimate remote access tool used by threat actors for redundant access -- TightVNC.

Again, we can see that DoppelPaymer affiliates use RDP for lateral movement -- a very common technique used by threat actors both for initial access and accessing remote hosts in the target network.

Another interesting technique mentioned is creating a virtual machine (VM) to run the ransomware payload inside it. Originally, this technique was introduced by Maze and RagnarLocker affiliates, but it's currently used by other groups, including DoppelPaymer, as well.

Just as with many other threat actors, DoppelPaymer affiliates have a Dedicated Leak Site (DLS), so they exfiltrate data. From the source we are analyzing, we can see that they use the MediaFire service to store data.

One more time, we can see that we can collect a lot of valuable data on this or that threat actor involved in ransomware attacks, from just a single tweet.

Let's look at one more example, this time a tweet from Taha Karim, Director of Threat Intelligence at Confiant, which you can see here:

It's interesting that this tweet emerged long before any information on Clop affiliates' TTPs was published publicly.

As we can see from the tweet, Clop affiliates used phishing campaigns to infect their victims with FlawedAmmyy RAT. FlawedAmmyy is a common remote access trojan (RAT), usually attributed to TA505. The RAT is based on Ammyy Admin's leaked source code and enables threat actors to manipulate the compromised host in a hidden manner.

We have already learned that ransomware affiliates are in love with Cobalt Strike, and Clop ransomware affiliates are no exception. As you can see, it enables them to bypass User Account Control (UAC) and use common credential dumping tools such as Mimikatz. Despite the fact it's very noisy, we still see it leveraged by ransomware affiliates very often.

Finally, we can learn that Clop affiliates abuse Service Control Manager (SCM) to deploy ransomware enterprise-wide.

Of course, it's not always possible to collect a lot of information about the TTPs used by threat actors during the attack life cycle. At the same time, you may need to get some information about the ransomware itself. Here's a tweet by Andrew Zhdanov, who is actively tracking BlackMatter ransomware samples:

As you can see, there's not a lot of information on TTPs, but the tweet contains a link to the analyzed sample, as well as information on some of its functionality.

Twitter isn't the only media platform for such intelligence collection -- another good example is LinkedIn. Also, you can always ask your fellow incident responders and CTI analysts to share some data -- just don't be afraid of the global community.

Oleg Skulkin

About the author
Oleg Skulkin is the head of the digital forensics and incident response team at Group-IB. Skulkin has worked in the fields of digital forensics, incident response, and cyber threat intelligence and research for over a decade, fueling his passion for uncovering new techniques used by hidden adversaries. Skulkin has authored and co-authored multiple blog posts, papers and books on related topics and holds GCFA and GCTI certifications.