TA505: A Study of High End Big Game Hunting in 2020

From MITRE ATT&CKcon Power Hour October 2020

By Brandon Levene, Head of Applied Intelligence, Google (@seraphimdomain)

Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises. This strategy has become the “end game” for the majority of organized cybercrime organizations, and one effect of this shift is the increased emphasis on enterprise-level targets. In this talk from the MITRE ATT&CKCon Power Hour session on October 9, 2020, Levene walks us through research about how a specific BGH threat actor pursues entry points, gains its foothold, pivots, and deploys payloads to maximize their financial gains with minimal effort - and infrastructure! You’ll walk away with an understanding of the latest BGH TTPs seen in enterprise environments, and how they map to the ATT&CK framework so you can build this research into your threat detection strategy and enhance your defenses.

  1. TA505: A Study of High End Big Game Hunting in 2020. Brandon Levene, ATT&CKcon, October 9th, 2020
  2. Proprietary + Confidential. Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises.
  3. Agenda: 01 Context and background; 02 Threat actor process; 03 Operational details; 04 Lessons learned
  4. Section 01: Context and background
  5. Who is TA505?
     - Customer of the Dridex banking Trojan as well as the Locky and Jaff ransomware families from 2014-2017
     - NOT the developer of the tools above (that would be EvilCorp)
     - Shifted to backdoors in 2018, which coincides with a decrease in bespoke banking trojans and non-targeted ransomware
     - Rapidly cycled through initial loaders and secondary payloads throughout 2018 and 2019, then slowly shifted towards CLOP ransomware (first seen in February 2019) as the primary monetization mechanism
     - There do not appear to be any other users of CLOP, so it is likely another in-house tool
  6. Context and background (continued)
  7. Press coverage of CLOP victims: "NETZSCH Group based in Germany allegedly breached by CLOP ransomware operators"; "Hackers publish ExecuPharm internal data after ransomware attack"; "Largest privately-owned logistics company EV Cargo Logistics"; "Ransomware hits Maastricht University, all systems taken down"; "Indiabulls Group hit by CLOP ransomware, gets 24h leak deadline"
  8. Section 02: Threat actor process
  9. Threat actor process: overview (source: ANSSI, https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf). The diagram shows the infection chain: (1) TA505 sends a malicious email to the victim; (2) the email contains an HTML + JavaScript attachment; (3) the JavaScript redirects, via a redirecting URL, to a phishing page, with these stages hosted on a legitimate compromised domain and on a malicious domain; (4) the victim opens the phishing page and downloads a malicious Office document; (5) the victim activates the macros; (6) the document drops and executes the malware.
  10. Section 03: Operational details
  11. Operational details. Initial Access: Spearphishing Link (T1192) and Spearphishing Attachment (T1193). (These are the pre-v7 ATT&CK IDs; in current ATT&CK they are T1566.002 and T1566.001.)
  12. Operational details. Execution: User Execution: Malicious File (T1204.002)
  13. Operational details. Command and Control: Ingress Tool Transfer (T1105; the slide lists T1055, which is the Process Injection ID)
  14. Operational details. Defense Evasion and Privilege Escalation: Process Injection (T1055). Command and Control: Application Layer Protocol (T1071)
  15. Operational details. Persistence: Event Triggered Execution: Image File Execution Options Injection (T1546.012)
  16. Operational details. Discovery: Permission Groups Discovery (T1069). Defense Evasion: Subvert Trust Controls (T1553)
  17. Operational details. Impact: Data Encrypted for Impact (T1486)
  18. Operational details. Impact: Data leak (publishing stolen data to pressure payment), not mapped to an ATT&CK technique on the slide
  19. Section 04: Lessons learned
  20. Lessons learned:
     - Complement defense in depth with detection in depth
     - Study TTPs to seize interdiction opportunities
     - Detecting the ransomware itself is too late (amateur)
     - Visibility is key
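The HTML + JavaScript attachment at steps 2 and 3 of the infection chain on slide 9 is the earliest interdiction point the talk describes: the file carries no payload and only bounces the browser to a phishing page on another domain. The following triage script is an added example written for this page; it is not code from the talk, from Google, or from the ANSSI report. It extracts every redirect target from an HTML attachment (literal URLs in inline script, URLs hidden in atob() base64 literals, and meta refresh tags) and flags the file when a redirect points off the sender's domain. The sample attachments, the domains and the function names are constructed for illustration.

```python
"""Triage of the HTML + JavaScript redirect lure (steps 2-3 of the chain).

The attachment carries no payload; it only bounces the browser to a phishing
page on another domain. This script pulls every redirect target out of an HTML
attachment (literal, base64-wrapped via atob(), or <meta refresh>) and flags
the file when a redirect points off the sender's domain.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and <meta http-equiv="refresh"> targets."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.meta_refresh = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", attrs.get("content") or "", re.I)
            if m:
                self.meta_refresh.append(m.group(1).strip("'\""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


# A write to location.* is what turns an inert HTML file into a redirector.
LOCATION_WRITE_RE = re.compile(
    r"\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(", re.I
)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def _decode_atob_literals(script):
    """Decode atob("...") string literals; lures use them to hide the URL."""
    decoded = []
    for b64 in ATOB_RE.findall(script):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:  # not valid base64, ignore
            continue
    return decoded


def _off_domain(url, sender_domain):
    host = (urlparse(url).hostname or "").lower()
    return host != sender_domain and not host.endswith("." + sender_domain)


def analyze_html_attachment(html, sender_domain):
    """Return a triage record for one HTML attachment."""
    parser = _ScriptCollector()
    parser.feed(html)
    script = "\n".join(parser.scripts)

    targets = set(parser.meta_refresh)
    targets.update(URL_RE.findall(script))
    for text in _decode_atob_literals(script):
        targets.update(URL_RE.findall(text))

    sender_domain = sender_domain.lower()
    off_domain = sorted(u for u in targets if _off_domain(u, sender_domain))
    js_redirect = LOCATION_WRITE_RE.search(script) is not None
    meta_redirect = bool(parser.meta_refresh)

    if (js_redirect or meta_redirect) and off_domain:
        verdict = "suspicious"  # redirector pointing away from the sender
    elif js_redirect or meta_redirect:
        verdict = "review"      # redirect stays on the sender's domain
    else:
        verdict = "benign"
    return {
        "verdict": verdict,
        "js_redirect": js_redirect,
        "meta_redirect": meta_redirect,
        "redirect_targets": sorted(targets),
        "off_domain_targets": off_domain,
    }


# Constructed samples (not real TA505 artifacts); domains are placeholders.
SENDER_DOMAIN = "sender-example.com"
LURE_PLAIN = (
    '<html><body><p>Loading your invoice...</p>'
    '<script>window.location.href = "https://compromised-example.net/wp-content/uploads/redir.php?id=1";</script>'
    '</body></html>'
)
_B64 = base64.b64encode(b"https://compromised-example.net/wp-content/uploads/redir.php?id=2").decode()
LURE_ATOB = (
    '<html><body><p>Please wait</p>'
    '<script>var t = atob("%s"); location.replace(t);</script></body></html>' % _B64
)
BENIGN = (
    '<html><body><p>Monthly statement</p>'
    '<a href="https://portal.sender-example.com/statement">View online</a></body></html>'
)

if __name__ == "__main__":
    for name, doc in (("plain", LURE_PLAIN), ("atob", LURE_ATOB), ("benign", BENIGN)):
        print(name, analyze_html_attachment(doc, SENDER_DOMAIN))
```

Run it as a script to see the three verdicts. The check is deliberately narrow: it keys on a write to location.* rather than on the presence of script in general, so newsletters with analytics scripts stay "benign", and a redirect that stays on the sender's own domain comes back as "review" rather than "suspicious". Heavier obfuscation (string splitting, eval) will evade the regexes, which is the point at which the attachment should go to a sandbox instead.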
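The persistence slide maps TA505 to T1546.012, Image File Execution Options Injection, and the closing slide argues for detecting such intermediate TTPs rather than the ransomware itself. The detection below is an added example written for this page, not code from the talk or from Google, and it runs over Sysmon-style registry "value set" events (Event ID 13) serialized as JSON. It covers both common set-ups of the technique: a Debugger value under the IFEO key for a target executable, and the GlobalFlag 0x200 plus SilentProcessExit\MonitorProcess pair that launches a binary whenever the target exits. The sample events, paths and hostnames are constructed; the registry paths and the flag value are the real Windows ones.

```python
"""Detection for T1546.012 (Event Triggered Execution: Image File Execution
Options Injection) over Sysmon registry events (Event ID 13, value set).

Two ways the technique is commonly set up:
  * IFEO\<exe>\Debugger = <attacker binary>: the attacker binary starts
    every time <exe> is launched.
  * IFEO\<exe>\GlobalFlag = 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT) plus
    SilentProcessExit\<exe>\MonitorProcess = <attacker binary>: the attacker
    binary starts every time <exe> exits.
"""
import json
import re

IFEO_RE = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
    r"(?P<target>[^\\]+)\\(?P<value>Debugger|GlobalFlag)$",
    re.I,
)
SPE_RE = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\"
    r"(?P<target>[^\\]+)\\(?P<value>MonitorProcess|ReportingMode)$",
    re.I,
)
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200


def parse_event(line):
    """Return the event dict for a Sysmon 'registry value set' event, else None."""
    try:
        evt = json.loads(line)
    except ValueError:
        return None
    if evt.get("EventID") != 13 or evt.get("EventType") != "SetValue":
        return None
    return evt


def _global_flag_has_monitor(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000200)'; check the 0x200 bit."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return bool(m) and (int(m.group(1), 16) & FLG_MONITOR_SILENT_PROCESS_EXIT) != 0


def classify(evt):
    """Map one event to a finding, or None if it is not IFEO/SilentProcessExit."""
    target_obj = evt.get("TargetObject", "")
    for regex, variant in ((IFEO_RE, "ifeo"), (SPE_RE, "silentprocessexit")):
        m = regex.search(target_obj)
        if not m:
            continue
        details = evt.get("Details", "")
        if m.group("value").lower() == "globalflag" and not _global_flag_has_monitor(details):
            return None  # GlobalFlag set for another reason (e.g. heap debugging flags)
        return {
            "technique": "T1546.012",
            "variant": variant,
            "target_exe": m.group("target").lower(),
            "value_name": m.group("value"),
            "details": details,
            "writer": evt.get("Image", ""),
            "time": evt.get("UtcTime", ""),
        }
    return None


def detect_ifeo(lines):
    """Run the rule over JSON lines and return the list of findings."""
    findings = []
    for line in lines:
        evt = parse_event(line.strip()) if line.strip() else None
        if evt is None:
            continue
        hit = classify(evt)
        if hit:
            findings.append(hit)
    return findings


def severity_by_target(findings):
    """Debugger or MonitorProcess gives code execution outright: high.
    GlobalFlag/ReportingMode alone is only staging: medium."""
    values = {}
    for f in findings:
        values.setdefault(f["target_exe"], set()).add(f["value_name"].lower())
    return {
        exe: "high" if vals & {"debugger", "monitorprocess"} else "medium"
        for exe, vals in values.items()
    }


# Constructed Sysmon-style events (JSON per line); paths and names are made up.
SAMPLE_EVENTS = [
    r'{"EventID": 13, "EventType": "SetValue", "UtcTime": "2020-10-09 14:02:11.000", "Image": "C:\\Program Files\\OneDrive\\OneDrive.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Program Files\\OneDrive\\OneDrive.exe /background"}',
    r'{"EventID": 12, "EventType": "CreateKey", "UtcTime": "2020-10-09 14:05:40.000", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe"}',
    r'{"EventID": 13, "EventType": "SetValue", "UtcTime": "2020-10-09 14:05:41.000", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\Debugger", "Details": "C:\\Users\\Public\\update.exe"}',
    r'{"EventID": 13, "EventType": "SetValue", "UtcTime": "2020-10-09 14:05:42.000", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\GlobalFlag", "Details": "DWORD (0x00000200)"}',
    r'{"EventID": 13, "EventType": "SetValue", "UtcTime": "2020-10-09 14:05:43.000", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\\MonitorProcess", "Details": "C:\\Users\\Public\\update.exe"}',
    r'{"EventID": 13, "EventType": "SetValue", "UtcTime": "2020-10-09 14:07:00.000", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\app.exe\\GlobalFlag", "Details": "DWORD (0x00000010)"}',
]

if __name__ == "__main__":
    hits = detect_ifeo(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print(severity_by_target(hits))
```

On the constructed events, the ordinary Run-key autostart and the key creation are ignored, the three writes against notepad.exe are reported and correlated to one high-severity target, and the GlobalFlag write for app.exe is dropped because 0x10 does not carry the silent-process-exit bit. In production the writer's Image and the Details path (here a binary under C:\Users\Public) are what an analyst pivots on next; the rule itself requires Sysmon registry event collection for the IFEO and SilentProcessExit keys.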
