Read the original article: Navigating the MAZE: Tactics, Techniques and Procedures Associated With
MAZE Ransomware Incidents
Targeted ransomware incidents have brought a threat of disruptive and
destructive attacks to organizations across industries and
geographies. FireEye Mandiant
Threat Intelligence has previously documented this threat in our
investigations of trends
across ransomware incidents, FIN6
activity, implications
for OT networks, and other aspects of post-compromise ransomware
deployment. Since November 2019, we’ve seen the MAZE ransomware being
used in attacks that combine targeted ransomware use, public exposure
of victim data, and an affiliate model.
Malicious actors have been actively deploying MAZE ransomware since
at least May 2019. The ransomware was initially distributed via spam
emails and exploit kits before later shifting to being deployed
post-compromise. Multiple actors are involved in MAZE ransomware
operations, based on our observations of alleged users in underground
forums and distinct tactics, techniques, and procedures across
Mandiant incident response engagements. Actors behind MAZE also
maintain a public-facing website where they post data stolen from
victims who refuse to pay an extortion fee.
The combination of these two damaging intrusion outcomes—dumping
sensitive data and disrupting enterprise networks—with a criminal
service makes MAZE a notable threat to many organizations. This blog
post is based on information derived from numerous Mandiant incident
response engagements and our own research into the MAZE ecosystem and operations.
Mandiant Threat Intelligence will be available to answer questions
on the MAZE
ransomware threat in a May 21 webinar.
Victimology
We are aware of more than 100 alleged MAZE victims reported by
various media outlets and on the MAZE website since November 2019.
These organizations have been primarily based in North America,
although victims spanned nearly every geographical region. Nearly
every industry sector including manufacturing, legal, financial
services, construction, healthcare, technology, retail, and government
has been impacted demonstrating that indiscriminate nature of these
operations (Figure 1).
Figure 1: Geographical and industry
distribution of alleged MAZE victims
Multiple Actors Involved in MAZE Ransomware Operations Identified
Mandiant identified multiple Russian-speaking actors who claimed to
use MAZE ransomware and were seeking partners to fulfill different
functional roles within their teams. Additional information on these
actors is available to Mandiant
Intelligence subscribers. A panel used to manage victims
targeted for MAZE ransomware deployment has a section for affiliate
transactions. This activity is consistent with our assessment that
MAZE operates under an affiliate model and is not distributed by a
single group. Under this business model, ransomware developers will
partner with other actors (i.e. affiliates) who are responsible for
distributing the malware. In these scenarios, when a victim pays the
ransom demand, the ransomware developers receive a commission. Direct
affiliates of MAZE ransomware also partner with other actors who
perform specific tasks for a percentage of the ransom payment. This
includes partners who provide initial access to organizations and
pentesters who are responsible for reconnaissance, privilege
escalation and lateral movement—each of which who appear to work on a
percentage-basis. Notably, in some cases, actors may be hired on a
salary basis (vs commission) to perform specific tasks such as
determining the victim organization and its annual revenues. This
allows for specialization within the cyber criminal ecosystem,
ultimately increasing efficiency, while still allowing all parties
involved to profit.
Figure 2: MAZE ransomware panel
MAZE Initially Distributed via Exploit Kits and Spam Campaigns
MAZE ransomware was initially distributed directly via exploit
kits and spam
campaigns through late 2019. For example, in November 2019,
Mandiant observed multiple email campaigns delivering Maze ransomware
primarily to individuals at organizations in Germany and the United
States, although a significant number of emails were also delivered to
entities in Canada, Italy, and South Korea. These emails used tax,
invoice, and package delivery themes with document attachments or
inline links to documents which download and execute Maze ransomware.
On November 6 and 7, a Maze campaign targeting Germany delivered
macro-laden documents using the subject lines “Wichtige informationen
uber Steuerruckerstattung” and “1&1 Internet AG – Ihre Rechnung
19340003422 vom 07.11.19” (Figure 3). Recipients included individuals
at organizations in a wide range of industries, with the Financial
Services, Healthcare, and Manufacturing sectors being targeted most
frequently. These emails were sent using a number of malicious domains
created with the registrant address gladkoff1991@yandex.ru.
Figure 3: German-language lure
On November 8, a campaign delivered Maze primarily to Financial
Services and Insurance organizations located in the United states.
These emails originated from a compromised or spoofed account and
contained an inline link to download a Maze executable payload.
On November 18 and 19, a Maze campaign targeted individuals
operating in a range of industries in the United States and Canada
with macro documents using phone bill and package delivery themes
(Figure 4 and Figure 5). These emails used the subjects “Missed
package delivery” and "Your AT&T wireless bill is ready to
view" and were sent using a number of malicious domains with the
registrant address abusereceive@hitler.rocks. Notably, this registrant
address was also used to create multiple Italian-language domains
towards the end of November 2019.
Figure 4: AT&T email lure
Figure 5: Canada Post email lure
Shift to Post-Compromise Distribution Maximizes Impact
Actors using MAZE have increasingly shifted to deploying the
ransomware post-compromise. This methodology provides an opportunity
to infect more hosts within a victim’s environment and exfiltrate
data, which is leveraged to apply additional pressure on organizations
to pay extortion fees. Notably, in at least some cases, the actors
behind these operations charge an additional fee, in addition to the
decryption key, for the non-release of stolen data.
Although the high-level intrusion scenarios preceding the
distribution of MAZE ransomware are broadly similar, there have been
notable variations across intrusions that suggest attribution to
distinct teams. Even within these teams, the cyber criminals appear to
be task-oriented meaning that one operator is not responsible for the
full lifecycle. The following sections highlight the TTPs seen in a
subset of incidents and serve to illustrate the divergence that may
occur due to the fact that numerous, disparate actors are involved in
different phases of these operations. Notably, the time between
initial compromise to encryption has also been widely varied, from
weeks to many months.
Initial Compromise
There are few clear patterns for intrusion vector across analyzed
MAZE ransomware incidents. This is consistent with our observations of
multiple actors who use MAZE soliciting partners with network access.
The following are a sample of observations from several Mandiant
incident response engagements:
- A user downloaded a malicious resume-themed Microsoft Word
document that contained macros which launched an IcedID payload,
which was ultimately used to execute an instance of BEACON. - An actor logged into an internet-facing system via RDP. The
account used to grant initial access was a generic support account.
It is unclear how the actor obtained the account’s password. - An actor exploited a misconfiguration on an Internet-facing
system. This access enabled the actor to deploy tools to pivot into
the internal network. - An actor logged into a Citrix web
portal account with a weak password. This authenticated access
enabled the actor to launch a Meterpreter payload on an internal
system.
Establish Foothold & Maintain Presence
The use of legitimate credentials and broad distribution of BEACON
across victim environments appear to be consistent approaches used by
actors to establish their foothold in victim networks and to maintain
presence as they look to meet their ultimate objective of deploying
MAZE ransomware. Despite these commonplace behaviors, we have observed
an actor create their own domain account to enable latter-stage operations.
- Across multiple incidents, threat actors deploying MAZE
established a foothold in victim environments by installing BEACON
payloads on many servers and workstations. - Web shells were
deployed to an internet-facing system. The system level access
granted by these web shells was used to enable initial privilege
escalation and the execution of a backdoor. - Intrusion
operators regularly obtained and maintained access to multiple
domain and local system accounts with varying permissions that were
used throughout their operations. - An actor created a new
domain account and added it to the domain administrators group.
Escalate Privileges
Although Mandiant has observed multiple cases where MAZE intrusion
operators employed Mimikatz to collect credentials to enable privilege
escalation, these efforts have also been bolstered in multiple cases
via use of Bloodhound, and more manual searches for files containing credentials.
- Less than two weeks after initial access, the actor downloaded
and interacted with an archive named mimi.zip, which
contained files corresponding to the credential harvesting tool
Mimikatz. In the following days the same mimi.zip archive was
identified on two domain controllers in the impacted
environment. - The actor attempted to find files with the word
“password” within the environment. Additionally, several archive
files were also created with file names suggestive of credential
harvesting activity. - The actor attempted to identify hosts
running the KeePass password safe software. - Across multiple
incidents, the Bloodhound utility was used, presumably to assess
possible methods of obtaining credentials with domain administrator
privileges. - Actors primarily used Procdump and Mimikatz to
collect credentials used to enable later stages of their intrusion.
Notably, both Bloodhound and PingCastle were also used, presumably
to enable attackers’ efforts to understand the impacted
organization’s Active Directory configuration. In this case the
responsible actors also attempted to exfiltrate collected
credentials to multiple different cloud file storage services.
Reconnaissance
Mandiant has observed a broad range of approaches to network, host,
data, and Active Directory reconnaissance across observed MAZE
incidents. The varied tools and approaches across these incidents
maybe best highlights the divergent ways in which the responsible
actors interact with victim networks.
- In some intrusions, reconnaissance activity occurred within
three days of gaining initial access to the victim network. The
responsible actor executed a large number of reconnaissance scripts
via Cobalt Strike to collect network, host, filesystem, and domain
related information. - Multiple built-in Windows commands
were used to enable network, account, and host reconnaissance of the
impacted environment, though the actors also supplied and used
Advanced IP Scanner and Adfind to support this stage of their
operations. - Preliminary network reconnaissance has been
conducted using a batch script named ‘2.bat’ which contained a
series of nslookup commands. The output of this script was copied
into a file named ‘2.txt’. - The actor exfiltrated
reconnaissance command output data and documents related to the IT
environment to an attacker-controlled FTP server via an encoded
PowerShell script. - Over a period of several days, an actor
conducted reconnaissance activity using Bloodhound,
PowerSploit/PowerView (Invoke-ShareFinder), and a reconnaissance
script designed to enumerate directories across internal hosts. - An actor employed the adfind tool and a batch script to collect
information about their network, hosts, domain, and users. The
output from this batch script (2adfind.bat) was saved into an
archive named ‘ad.7z’ using an instance of the 7zip archiving
utility named 7.exe. - An actor used the tool
smbtools.exe to assess whether accounts could login to
systems across the environment. - An actor collected
directory listings from file servers across an impacted environment.
Evidence of data exfiltration was observed approximately one month
later, suggesting that the creation of these directory listings may
have been precursor activity, providing the actors with data they
may have used to identify sensitive data for future
exfiltration.
Lateral Movement
Across the majority of MAZE ransomware incidents lateral movement
was accomplished via Cobalt Strike BEACON and using previously
harvested credentials. Despite this uniformity, some alternative tools
and approaches were also observed.
- Attackers relied heavily on Cobalt Strike BEACON to move
laterally across the impacted environment, though they also tunneled
RDP using the ngrok utility, and employed tscon to hijack legitimate
rdp sessions to enable both lateral movement and privilege
escalation. - The actor moved laterally throughout some
networks leveraging compromised service and user accounts obtained
from the system on which they gained their initial foothold. This
allowe
[…]
Read the original article: Navigating the MAZE: Tactics, Techniques and Procedures Associated With
MAZE Ransomware Incidents