Breach

Washington Police Department Pwn3d by Ransomware Group Babuk

So it’s all over the news outlets, a police department (Washington DC PD) has been hit by a ransomware syndicate, Babuk. So firstly, let’s be realistic everyone can get pwn3d and at this time our thoughts go out to those affected and to the teams working the response. Being hit by ransomware is NOT fun and not something we would wish upon anyone. That being said this isn’t an ambulance chase, what I want to do hear is look at the TTPs from Babuk in a bit more detail so hopefully we can help inform and educate people so they can strengthen their security postures.

References

https://news.sky.com/story/russian-hackers-target-washington-dc-police-department-in-apparent-ransomware-attack-12288183

https://www.theregister.com/2021/04/27/washington_dc_police_ransomware/

Who are Babuk

According to McAfee and other sources Babuk are a Russian speaking ransomware syndicate:

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/

The Attack Chain

Initial Access

Their initial access methods appear to be based on phishing, exploiting public facing services and using valid accounts. Not a shocker but they are known to attack exposed remote desktop services (oh what a shock they aren’t gaining a foothold using weak TLS! That’s in a joke about snake oil pushers crying about TLS weaknesses and linking that to ransomware, it’s FUD anyway…).

So key points here:

  • Phishing
  • Speak Phishing
  • Exposed Services such as RDP
  • Leveraging Valid Accounts

Defending Against Initial Access Vectors used by Babuk

Ok let’s not waste time, let’s look at some high level defensive controls we can put in place:

Vector Control Suggestions
Phishing & Spear Phishing
  • Mail Hygiene Services
  • User Awareness Training
  • Blocking or restricting common vectors such as macros and scripts (e.g. .js or .vbs)
  • Ensure you have good communications with your userbase and let them know about common threat actors and their tactics, ensure they know who to report something if they are suspicious!
  • Deploy Multi-Factor Authentication
  • Monitor for risky activity
Exploit Public-Facing Application
  • If you must expose RDP consider deploying tis behind a VPN
  • Consider deploying Multi-factor authentication
  • Review if geo blocking can support your attack surface reduction strategy
  • Harden your RDP servers, make sure they aren’t vulnerable to brute force and dictionary attacks
  • Enable NLA (seriously never disable this, there’s no reason to have this disabled)
  • Monitor your logs
  • Deploy secure configurations
  • Use least privilege access
  • Deploy application allow lists
  • Audit Active Directory for known lateral movement and privilege escalation paths
Valid Accounts
  • If possible deploy multi-factor authentication
  • Conduct regular password audits
  • Check for known breaches e.g. use HaveIBeenPwned

As you can see this should be fairly foundational security capability. The challenge is, what the marketing world says, what people believe and the reality in peoples networks and systems are often world apart.

Privesc and Lateral Movement

Now this should go without saying but let’s cover off some basic hygiene and security harding:

  • Ensure your systems are up to date with the latest OS, application and firmware
  • Ensure you have deployed hardened configurations
  • Restrict unrequired services
  • Use administrator jump boxes and harden the host based firewalls and network based controls to restrict remote administration
  • Segment your networks
  • Ensure you have visibility, monitoring and alerting
  • Harden active directory, honestly we see so many AD’s where they are running configurations left over from Windows Server 2003 and criminals can get DA in minutes let alone hours
  • Endpoint Detection and Response investments are going to pay dividends here
  • Deploy Sysmon, even if you have an EDR solution the extra telemetry never hurt anyone

Common lateral movement protocols

Ok so toolset they are known to use include:

  • PSexec
  • ADFind
  • Powershell

Remember a threat actor is going to follow the principal of “become the admin”. They will use the same tools you use to manage your network against you. They will attempt to disable security controls and will attempt to spread into your network.

Ransomware gangs such as Babuck also appear to be leveraging extortion so ideally you don’t want them or anyone like them in your nets to start with. You do however need to consider this: If your backups are secure then the ransomware component will be a failure for the criminals, so make sure you have non production domain joined backups, ensure they are on immutable storage (this maybe offside, cloud based or locally on hardened environments). So key here is to make their life harder not easier.

It’s not too late

Remember if you know of weaknesses it doesn’t mean that have to stay that way. This post is a really light view on how you can take steps to defend your networks from common ransomware kill chains.

This isn’t the first time we’ve talked about defending against ransomware so here’s some links to both our content and other content to help you defend:

Things to do before you conduct a ‘red team’ assessment

Ransomware from an RDP Vector

 

https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

The NCSC, NIST and whole range of organisations have got treat tools, tips and guiance to help you defend. The key part of the journey is taking the first step! It’s better to invest now than regret it later, a few GPOs here, a few ACLs there and you can greatly improve your security posture.

Helping defend against cybercrime, from your friendly hacker team

Hopefully this blog helps inspire you to review and harden your security posture, we love helping people both with our content and our community CTF games but If you are struggling with getting ahead of the game don’t fret, we’ve got your back. We both pwn and defend networks to help you improve your postures, so if you need some help we aren’t far away:

[contact-form-7 id=”95″ title=”Contact Us”]

Leave a Reply