Maze Ransomware Analysis and Protection
Last month, an IT services giant acknowledged that it was the victim of a Maze ransomware attack. Maze ransomware is malware targeting organizations worldwide across many industries. It is believed that Maze operates through an affiliate network in which the Maze developers share their proceeds with the various groups that deploy Maze inside organizational networks. More concerning than the intrusion itself, Maze operators have a reputation for taking advantage of assets in one network to move laterally into other networks. Since the affected company is an IT services provider, it is extremely likely that this breach could be leveraged to attack hundreds of customers that rely on its IT services.
Three years ago, I published a short blog post about NotPetya. The blog discusses some of the techniques employed by the ransomware and how these can be mitigated. Three years later, most networks are still vulnerable to the same type of attacks. As I followed up with this Maze story, I thought it would be a good idea to share my insight on why these types of ransomware attacks are prevalent and what actions you can take to mitigate them.
How organizations get infected with Maze
The FireEye blog post shares the tactics, techniques, and procedures used by Maze. The research lists which tools and techniques Maze uses in the various stages of the attack cycle (initial access, reconnaissance, lateral movement, and privilege escalation). Reading the techniques list, it is clear that Maze does not typically employ 0-days (one exception is an attempt to use a 1-day: CVE-2018-8174). This is expected: attackers typically don't use 0-day vulnerabilities for two main reasons. They are extremely hard to find and very expensive, and once used in the wild they are exposed and fixed very quickly.
Let’s review the techniques:
We can see that in most cases the initial access technique used by Maze operators is valid credentials, used to log in to the network through internet-facing servers such as an open RDP server or a Citrix/VPN server. How the initial credential was compromised is unclear, but standard attack methods include guessing default or weak passwords and spear-phishing with a targeted email carrying a .docx attachment that contains a malicious macro.
Once an initial machine in the network is compromised, the malware starts scanning the network to find vulnerabilities. The scans cover open SMB shares, network configuration, and various Active Directory attributes such as permissions, accounts, and domain trusts. They can be performed with known open source tools such as smbtools.exe, AdFind, BloodHound, and PingCastle, as well as built-in Windows commands.
Lateral Movement/Credential Access
After a few days of gaining intelligence on the network, the malware started moving laterally. The easiest option is to find credentials on the compromised machine. These could be Kerberos tickets or password hashes, and Maze also scans compromised machines for files containing plaintext passwords. When these are not found, the malware tries to move laterally within the same network segment using LLMNR/NBT-NS poisoning to capture authentication traffic for later NTLM cracking and/or NTLM relay attacks. Finally, if none of these techniques work, the malware tries to find weak passwords by brute-forcing user and service accounts. Once a valid credential is found, the malware uses standard Windows interfaces such as SMB, WinRM, and RDP to move laterally and execute code on remote machines.
Privilege escalation is a kind of dance. The attacker moves laterally to new machines. Once they’re on new machines they can again use the same lateral movement techniques and find new credentials to compromise and move to additional machines. This dance is typically over once domain admin credentials are found. At this point, the attacker can easily compromise any machine in the network.
As is often the case in these situations, the operator wants to maintain a presence in the network for as long as possible. This means adding various backdoors and other ways to retake control of the network, so that if the malware is detected and removed, the operator can compromise the network a second time. The method discovered in this case is mainly to capture as many user credentials as possible and potentially create new privileged accounts in the network.
The Root Cause
The critical point is that throughout the compromise, most of the malicious activity is executed using valid user credentials. The malware steals credentials in various ways: it uses tools like Mimikatz to harvest local credentials and later performs Pass-the-Hash attacks, it searches local drives for stored passwords, and it sometimes even attacks accounts with weak passwords using brute force and credential scanning techniques.
I often engage with customers and review the security posture of their network. I’ve never encountered a network where I couldn’t find any software vulnerability. In some cases, I find trivial security configuration issues allowing one-click elevation of privilege to domain admin. You can find another great talk on this subject by the BloodHound team at SpecterOps, delivered last year at BlackHat. You can find another resource on password hygiene statistics in a blog post I published two years ago analyzing password statistics from a free Preempt analysis tool.
How can Preempt help
The following is a visual matrix representation of the MITRE ATT&CK techniques we’ve reviewed in the previous section and an analysis of what techniques are covered by the Preempt Platform:
As can be seen, Preempt helps mitigate every step in the Maze attack chain. Additionally, Preempt enforces/monitors every technique in Lateral Movement/Credential Access steps.
Roughly speaking, the Preempt platform offers three types of mitigation:
- Security Assessment – Statically analyzing current configuration and security practices to find security vulnerabilities and holes.
- Threat detection – Monitor network traffic and data continuously and detect malicious activity in real-time.
- Threat Prevention – Define and refine custom Conditional Access policies to block access or trigger MFA based on changing behavior and increasing risk, allowing you to proactively thwart malicious activity in real-time. This deterministic approach reduces user friction when accessing applications/resources.
Let’s review how Preempt can help with each mitigation:
Knowing your vulnerabilities is preventive medicine. Preempt can help you not just detect an attack but avoid it altogether by reducing the attack surface. Here are a few Maze-relevant configurations Preempt can scan for in your network:
- Weak passwords
- Privileged accounts
- Various GPO misconfigurations:
  - Open RDP servers with no NLA
  - Servers with no SMB signing
  - Servers supporting NTLMv1
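As an added example (not Preempt's code), the three GPO settings listed above can also be audited offline from the output of `reg query` collected from each server; the registry keys and value names are the standard Windows ones, the required values are my thresholds, and the sample output and its values are constructed.

```python
import re
# Registry value behind each listed setting and the value a hardened server should hold.
CHECKS = {
    "RDP without NLA": (
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp",
        "UserAuthentication", 1),
    "SMB signing not required": (
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
        "RequireSecuritySignature", 1),
    "NTLMv1 accepted": (  # level 5 refuses LM and NTLMv1 and accepts only NTLMv2
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
        "LmCompatibilityLevel", 5),
}

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S+)\s*$")  # "name  type  data" line

def parse_reg_query(text):
    """Return {key_path: {value_name: int}} for the REG_DWORD values in reg query output."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            result.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is not None and m and m.group(2) == "REG_DWORD":
            result[current][m.group(1)] = int(m.group(3), 16)  # data is printed as 0x..
    return result

def audit(text):
    """Return {finding: detail} for each setting that is missing or weaker than required."""
    reg = parse_reg_query(text)
    findings = {}
    for finding, (key, name, want) in CHECKS.items():
        got = reg.get(key, {}).get(name)
        if got is None:
            findings[finding] = f"{name} not configured"
        elif got < want:
            findings[finding] = f"{name}={got}, expected {want}"
    return findings

# Constructed sample: what reg query returned on one server (NLA off, NTLMv1 accepted).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    UserAuthentication    REG_DWORD    0x0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    RequireSecuritySignature    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x3
"""
```

A value that is absent from the output is reported as "not configured" rather than assumed safe, since the Windows default for it differs between OS versions.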
Most of Maze’s initial reconnaissance can be detected by Preempt: BloodHound, credential scanning, SMB share enumeration, and LLMNR/NBT-NS poisoning all have detection modules. Privilege escalation usually involves noisy operations such as dumping domain hashes, creating new privileged accounts, or executing code on the domain controller. All of these are detected by the Preempt Platform. For ongoing security, any user or service account can be monitored for suspicious or anomalous behavior. Vendor and other sensitive accounts should be closely monitored and have their activity logs reviewed periodically.
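Two of the noisy privilege-escalation operations named above, adding members to privileged groups (especially freshly created accounts) and replicating password hashes out of the directory, can be picked out of Windows Security events. This is an added detection example, not Preempt's code; the events are constructed and reduced to the fields a SIEM would extract, and the user and domain controller names are made up.

```python
# Constructed, simplified Windows Security events; names are made up.
EVENTS = [
    {"EventID": 4624, "SubjectUser": "jsmith"},
    {"EventID": 4720, "SubjectUser": "jsmith", "TargetUser": "svc-backup"},
    {"EventID": 4728, "SubjectUser": "jsmith", "Member": "svc-backup",
     "TargetGroup": "Domain Admins"},
    {"EventID": 4732, "SubjectUser": "helpdesk1", "Member": "tlee",
     "TargetGroup": "Remote Desktop Users"},
    {"EventID": 4662, "SubjectUser": "DC02$", "ObjectType": "domainDNS",
     "Properties": {"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}},
    {"EventID": 4662, "SubjectUser": "svc-backup", "ObjectType": "domainDNS",
     "Properties": {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}},
]

# 4728/4732/4756: member added to a security-enabled global/local/universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Control-access rights needed to replicate password hashes from the directory; a 4662
# exercising them from anything but a domain controller is how a domain hash dump looks.
DS_REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}  # assumed DC computer accounts for this example

def detect(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Return one alert string per event that matches a privilege-escalation pattern."""
    alerts = []
    created = set()  # accounts created earlier in this batch (event 4720)
    for e in events:
        eid, who = e["EventID"], e["SubjectUser"]
        if eid == 4720:
            created.add(e["TargetUser"])
        elif eid in GROUP_ADD_EVENTS and e.get("TargetGroup") in PRIVILEGED_GROUPS:
            kind = "new privileged account" if e["Member"] in created else "privileged group change"
            alerts.append(f"{kind}: {who} added {e['Member']} to {e['TargetGroup']}")
        elif (eid == 4662 and e.get("Properties", set()) & DS_REPLICATION_RIGHTS
              and who not in domain_controllers):
            alerts.append(f"domain hash dump (replication rights used) by {who}")
    return alerts
```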
Policies are the key to automating a security response and are critical to blocking and preventing malicious attacks. I want to give a quote from the blog post I released three years ago: “All it takes to cause serious harm to your network is a few minutes. By the time you see the alerts in your security analytics solution or SIEM, the NotPetyas of the world will have already scrambled all your data”. Detection is important, but sometimes you want to simply block the attack and not allow it to happen at all.
As described above, most of the activity performed in Maze ransomware attacks uses existing, valid accounts. The Preempt platform can deploy a flexible and extensive policy to block, or require MFA for, any action performed with valid credentials. Simple policies that challenge privileged accounts with MFA and trigger MFA for anomalous activity can mitigate most of the ways lateral movement is performed.
I also recommend creating an additional policy to further segment and limit the operations allowed to be performed by external vendors.
Maze Ransomware Summary
Ransomware operators are using old techniques and open source tools such as BloodHound and Mimikatz to compromise networks and move laterally within them. They have been doing so for a while with great success. Enterprise networks are getting hacked mostly through compromised credentials and credential-based attacks. Simple steps like monitoring for weak passwords, limiting account privileges, detecting stealthy admins, and enforcing adaptive authentication can reduce most of the risk of being the next ransomware victim.
My Blog on NotPetya
Posted by Yaron Zinar on May 15, 2020 7:28 AM