The Good, the Bad and the Ugly in Cybersecurity – Week 51

The Good

This week, law enforcement in India arrested over 50 individuals in Delhi based on their ties to a global call-center scam operation.

It is alleged that the group scammed over 4,500 victims out of more than $14 million. The scammers would cold-call their victims and pressure them into handing over funds in the form of bitcoin (BTC) or gift cards. The pretext was that the victim's personal details had been found at a crime scene, or that their banking details were being used in some illegal activity; the only way to 'safeguard' their money, the callers claimed, was to transfer it to specific bitcoin addresses or to buy gift cards and hand over the codes.

Investigators from the Delhi Police Cyber-Crime Unit were able to trace the stolen funds from victims in the USA and other countries back to the group in India. The unit has also dismantled 25 other fraudulent call centers this year. Let's have a round of applause for these guys!

There's also some good news associated with the ongoing SolarWinds situation. FireEye, in cooperation with Microsoft and others, has implemented a "kill switch" that prevents ongoing operation of the SUNBURST malware. According to their public statement:

“Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.
“This killswitch will affect new and previous SUNBURST infections…However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor.”

We encourage all to keep up to date with the SentinelOne blog for ongoing details around SolarWinds.
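The kill switch described above works because the backdoor resolves avsvmcloud[.]com and gives up when the answer falls in particular address ranges. From a defender's side, the same resolver data is a hunting signal: any host that looked up that domain ran the backdoor, whether or not the answer later stopped it. The following script is an added illustration, not FireEye or SentinelOne code. It takes the C2 domain from the text; the set of "terminate" ranges (private, loopback, multicast and ULA space, which is what a sinkhole typically hands back) and the log format are assumptions made for the example, and the log lines are constructed, not real telemetry.

```python
"""Triage DNS resolver logs for SUNBURST beacon lookups and the kill-switch condition.

Added example (not FireEye's or SentinelOne's code). The beacon domain comes from
the quoted FireEye statement; the terminate ranges and the log format are assumed.
"""
import ipaddress
import re
from typing import Dict, List

C2_DOMAIN = "avsvmcloud.com"

# ASSUMPTION for this example: address ranges that make the beacon stop. Non-routable
# and reserved space stands in for whatever the real sample checked.
TERMINATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "224.0.0.0/3", "fc00::/7",
)]

# Constructed sample log, one query/answer pair per line (assumed format, not real data).
SAMPLE_LOG = """\
2020-12-14T09:12:01Z host=ws-041 query=k7e2q9.avsvmcloud.com type=A answer=198.51.100.23
2020-12-14T09:12:09Z host=ws-041 query=update.example.internal type=A answer=10.4.1.7
2020-12-17T11:40:22Z host=srv-orion-01 query=p0x1zz.avsvmcloud.com type=A answer=10.0.0.2
2020-12-17T11:41:03Z host=srv-orion-01 query=avsvmcloud.com.lookalike.test type=A answer=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<qname>\S+) "
    r"type=(?P<qtype>\S+) answer=(?P<answer>\S+)$"
)


def is_c2_domain(qname: str) -> bool:
    """Match the domain itself or any subdomain, case-insensitively, ignoring a trailing dot.

    A name that merely embeds the string (e.g. avsvmcloud.com.lookalike.test) is not a hit.
    """
    q = qname.lower().rstrip(".")
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


def killswitch_triggered(answer: str) -> bool:
    """Would a beacon that received this answer terminate, under the assumed ranges?"""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:  # NXDOMAIN, SERVFAIL or garbage in the answer field
        return False
    return any(ip in net for net in TERMINATE_RANGES)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one record per beacon lookup, with a verdict on what the answer implied."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_c2_domain(m["qname"]):
            continue
        if killswitch_triggered(m["answer"]):
            verdict = "beacon answered from kill-switch range: backdoor present, likely stopped"
        else:
            verdict = "beacon answered with routable address: live C2 resolution"
        hits.append({"ts": m["ts"], "host": m["host"],
                     "qname": m["qname"], "answer": m["answer"], "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["host"]:<14} {hit["qname"]:<28} {hit["answer"]:<16} {hit["verdict"]}')
```

Both verdicts mean the host ran a trojanized Orion build and needs investigation; the distinction only tells you whether the beacon may have kept going. As the quoted statement warns, a kill-switch hit does not clear a host, because the actor is known to have added other persistence beyond SUNBURST.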

The Bad

SystemBC, first documented in 2018, has become a prolific presence in the armoury of attackers across the spectrum of sophistication. Initially, the tool was used to mask command and control traffic by tunnelling it through SOCKS5 proxies. Early on, it was seen alongside many financially-focused campaigns involving banking trojans.

This week brought wider attention to SystemBC after it was found in use during ransomware attacks. According to recent reports, well-established groups (e.g., Egregor, Ryuk) are using SystemBC to deploy their payloads, complementing commodity malware such as Zloader, BazarLoader and Qbot.

These more recently discovered implementations expand the scope of the tool. Attackers can now leverage SystemBC as a persistent backdoor with near-RAT-like levels of functionality. More importantly, it gives the attackers a redundant persistence method. They will often run SystemBC alongside Cobalt Strike and similar frameworks, which opens up more options for post-exploitation activity and, again, strengthens persistence.

One of the main takeaways from this is the 'layered approach' that modern attackers are taking. Just as we encourage a layered, defense-in-depth approach to enterprise security, threat actors are pursuing multi-pronged strategies so that if one delivery method fails or one payload is detected, they have a different one they hope won't be.

Proper cyber hygiene, EDR and strong cloud workload protection are crucial, but as always, these incidents serve to remind us that these controls must also be properly maintained and properly configured.

The SentinelOne Singularity Platform is capable of autonomously detecting and preventing artifacts and behavior associated with SystemBC.

The Ugly

The most impactful story of the week goes to the SolarWinds compromise. In short, SolarWinds provides IT management software to a far-reaching set of global customers, covering management and monitoring of servers, endpoint systems, databases, help desk systems, and just about anything else you can imagine in that domain. Moreover, their client base is a 'who's who' of high-value targets. As a direct result of this breach, it has already been confirmed that the United States Treasury, the Department of Commerce, the Department of Homeland Security and FireEye were compromised.

A joint statement from the FBI, ODNI and CISA was issued on December 17 confirming the scope and apparent origin of the attacks. In addition, CISA released a highly-detailed alert (AA20-352A) on December 17th, which covers the more technical side of the attack including Indicators of Compromise (IoCs) and links to associated resources. The alert also documents the specific trojanized SolarWinds Orion versions observed in association with the attack:

Orion Platform 2019.4 HF5, version 2019.4.5200.9083
Orion Platform 2020.2 RC1, version 2020.2.100.12219
Orion Platform 2020.2 RC2, version 2020.2.5200.12394
Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

Note (from the alert): CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available.

SentinelOne has released new hunting packs for Deep Visibility, allowing for specialized queries against the IoCs associated with these events. We encourage all to keep up to date with the situation as it develops. Our team will continue to update the dedicated blog and resources as needed.