A l'intérieur du SOC
BlackMatter's Smash-and-Grab tactics and the need for RESPOND
Only a few years ago, popular reporting announced that the days of smash-and-grab attacks were over and that a new breed of hackers were taking over with subtler, ‘low-and-slow’ tactics . Although these have undoubtedly appeared, smash-and-grab have quickly become overlooked – perhaps with worrying consequences. Last year, Google saw repeated phishing campaigns using cookie theft malware and most recently, reports of hacktivists using similar techniques have been identified during the 2022 Ukraine Conflict [2 & 3]. Where did their inspiration come from? For larger APT groups such as BlackMatter, which first appeared in the summer of 2021, smash-and-grabs never went out of fashion.
This blog dissects a BlackMatter ransomware attack that hit an organization trialing Darktrace back in 2021. The case reveals what can happen when a security team does not react to high-priority alerts.
When entire ransomware attacks can be carried out over the course of just 48 hours, there is a high risk to relying on security teams to react to detection notifications and prevent damage before the threat escalates. Although there has been hesitancy in its uptake , this blog also demonstrates the need for automated response solutions like Darktrace RESPOND.
The Name Game: Untangling BlackMatter, REvil, and DarkSide
Despite being a short-lived criminal organization on the surface , a number of parallels have now been drawn between the TTPs (Tactics, Techniques and Procedures) of the newer BlackMatter group and those of the retired REvil and DarkSide organizations .
Prior to their retirement, DarkSide and REvil were perhaps the biggest names in cyber-crime, responsible for two of last year’s most devastating ransomware attacks. Less than two weeks after the Colonial Pipeline attack, DarkSide announced it was shutting down its operation . Meanwhile the FBI shutdown REvil in January 2022 after its devastating Fourth of July Kaseya attacks and a failed return in September . It is now suspected that members from one or both went on to form BlackMatter.
This rebranding strategy parallels the smash-and-grab attacks these groups now increasingly employ: they make their money, and a lot of noise, and when they’re found out, they disappear before organizations or governments can pull together their threat intelligence and organize an effective response. When they return days, weeks or months later, they do so having implemented enough small changes to render themselves and their attacks unrecognizable. That is how DarkSide can become BlackMatter, and how its attacks can slip through security systems trained on previously encountered threats.
In September 2021 Darktrace was monitoring a US marketing agency which became the victim of a double extortion ransomware attack that bore hallmarks of a BlackMatter operation. This began when a single domain-authenticated device joined the company’s network. This was likely a pre-infected company device being reconnected after some time offline.
Only 15 minutes after joining, the device began SMB and ICMP scanning activities towards over 1000 different internal IPs. There was also a large spike of requests for Epmapper, which suggested an intent for RPC-based lateral movement. Although one credential was particularly prominent, multiple were used including labelled admin credentials. Given it’s unexpected nature, this recon quickly triggered a chain of DETECT/Network model breaches which ensured that Darktrace’s SOC were alerted via the Proactive Threat Notification service. Whilst SOC analysts began to triage the activity, the organization failed to act on any of the alerts they received, leaving the detected threat to take root within their digital environment.
Shortly after, a series of C2 beaconing occurred towards an endpoint associated with Cobalt Strike . This was accompanied by a range of anomalous WMI bind requests to svcctl, SecAddr and further RPC connections. These allowed the initial compromised device to quickly infect 11 other devices. With continued scanning over the next day, valuable data was soon identified. Across several transfers, 230GB of internal data was then exfiltrated from four file servers via SSH port 22. This data was then made unusable to the organization through encryption occurring via SMB Writes and Moves/Renames with the randomly generated extension ‘.qHefKSmfd’. Finally a ransom note titled ‘qHefKSmfd.README.txt’ was dropped.
This ransom note was appended with the BlackMatter ASCII logo:
Although Darktrace DETECT and Cyber AI Analyst continued to provide live alerting, the actor successfully accomplished their mission.
There are numerous reasons that an organization may fail to organize a response to a threat, (including resource shortages, out of hours attacks, and groups that simply move too fast). Without Darktrace’s RESPOND capabilities enabled, the threat actors could proceed this attack without obstacles.
How would the attack have unfolded with RESPOND?
Armed with Darktrace’s evolving knowledge of ‘self’ for the customer’s unique digital environment, RESPOND would have activated within seconds of the first network scan, which was recognized as highly anomalous. The standard action taken here would usually involve enforcing the standard ‘pattern of life’ for the compromised device over a set time period in order to halt the anomaly while allowing the business to continue operating as normal.
RESPOND constantly re-evaluates threats as attacks unfold. Had the first stage still been successful, it would have continued to take targeted action at each corresponding stage of this attack. RESPOND models would have alerted to block the external connections to C2 servers over port 443, the outbound exfil attempts and crucially the SMB write activity over port 445 related to encryption.
As DETECT and RESPOND feed into one another, Darktrace would have continued to assess its actions as BlackMatter pivoted tactics. These actions buy back critical time for security teams that may not be in operation over the weekend, and stun the attacker into place without applying overly aggressive responses that create more problems than they solve.
Ultimately although this incident did not resolve autonomously, in response to the ransom event, Darktrace offered to enable RESPOND and set it in active mode for ransomware indicators across all client and server devices. This ensured an event like this would not occur again.
Why does RESPOND work?
Response solutions must be accurate enough to fire only when there is a genuine threat, configurable enough to let the user stay in the driver’s seat, and intelligent enough to know the right action to take to contain only the malicious activity- without disrupting normal business operations.
This is only possible if you can establish what ‘normal’ is for any one organization. And this is how Darktrace’s RESPOND product family ensures its actions are targeted and proportionate. By feeding off DETECT alerting which highlights subtle or large deviations across the network, cloud and SaaS, RESPOND can provide a measured response to the potential threat. This includes actions such as:
- Enforcing the device’s ‘pattern of life’ for a given length of time
- Enforcing the ‘group pattern of life’ (stopping a device from doing anything its peers haven’t done in the past)
- Blocking connections of a certain type to a certain destination
- Logging out of a cloud account
- ‘Smart quarantining’ an endpoint device- maintaining access to VPNs and company’s AV solution
In its report on BlackMatter , CISA recommended that organizations invest in network monitoring tools with the capacity to investigate anomalous activity. Picking up on unusual behavior rather than predetermined rules and signatures is an important step in fighting back against new threats. As this particular story shows, however, detection alone is not always enough. Turning on RESPOND, which takes immediate and precise action to contain threats, regardless of when and where they come in, is the best way to counter smash-and-grab attacks and protect organizations’ digital assets. There is little doubt that the threat actors behind BlackMatter will or have already returned with new names and strategies- but organizations with RESPOND will be ready for them.
Darktrace Model Detections (in order of breach)
Those with the ‘PTN’ prefix were alerted directly to Darktrace’s 24/7 SOC team.
- Device / ICMP Address Scan
- Device / Suspicious SMB Scanning Activity
- (PTN) Device / Suspicious Network Scan Activity
- Anomalous Connection / SMB Enumeration
- Device / Possible RPC Lateral Movement
- Device / Active Directory Reconnaissance
- Unusual Activity / Possible RPC Recon Activity
- Device / Possible SMB/NTLM Reconnaissance
- Compliance / Default Credential Usage
- Device / New or Unusual Remote Command Execution
- Anomalous Connection / New or Uncommon Service Control
- Device / New or Uncommon SMB Named Pipe
- Device / SMB Session Bruteforce
- Device / New or Uncommon WMI Activity
- (PTN) Device / Multiple Lateral Movement Model Breaches
- Compromise / Sustained SSL or HTTP Increase
- Compromise / SSL or HTTP Beacon
- Compromis / Activité soutenue de balisage TCP vers un endpoint rare.
- Device / Anomalous SMB Followed By Multiple Model Breaches
- Device / Anomalous RDP Followed By Multiple Model Breaches
- Anomalous Server Activity / Rare External from Server
- Anomalous Connection / Anomalous SSL without SNI to New External
- Anomalous Connection / Rare External SSL Self-Signed
- Device / Long Agent Connection to New Endpoint
- Compliance / SMB Drive Write
- Anomalous Connection / Unusual Admin SMB Session
- Anomalous Connection / High Volume of New or Uncommon Service Control
- Anomalous Connection / Unusual Admin RDP Session
- Device / Suspicious File Writes to Multiple Hidden SMB Shares
- Anomalous Connection / Multiple Connections to New External TCP Port
- Compliance / SSH to Rare External Destination
- Anomalous Connection / Uncommon 1 GiB Outbound
- Anomalous Connection / Data Sent to Rare Domain
- Anomalous Connection / Download and Upload
- (PTN) Unusual Activity / Enhanced Unusual External Data Transfer
- Anomalous File / Internal / Additional Extension Appended to SMB File
- (PTN) Compromise / Ransomware / Suspicious SMB Activity
List of IOCs
Credit to: Andras Balogh, SOC Analyst and Gabriel Few-Wiegratz, Threat Intelligence Content Production Lead