A U.S. county government announced on September 11 that a recent cyber incident strongly resembling a ransomware attack had disrupted its online services.
- SecurityScorecard researchers identified evidence suggesting two possible (and not mutually exclusive) paths by which the threat actors may have accessed county systems:
Two files linked to the Cryxos trojan may have enabled social engineering attacks against county employees.
Our network flow (netflow) and Attack Surface Intelligence (ASI) data revealed communication between vulnerable county IP addresses and IP addresses linked to malicious activity targeting vulnerable services.
The suspicious traffic may indicate activity similar to that identified in a previous ransomware investigation, suggesting a possible overlap in the tactics, techniques, and procedures (TTPs) of the threat actors responsible for these two incidents.
The government of a U.S. county announced on September 11 that a recent cyber incident had disrupted its online services. Subsequent coverage of the event has noted that it strongly resembles a ransomware attack. The disruption comes against a backdrop of frequent ransomware activity targeting state and local governments and the education sector. SecurityScorecard’s additional findings about recent ransomware incidents affecting local governments and educational institutions has led researchers to hypothesize that in recent incidents, attackers may have employed two newer variations on the by-now familiar TTPs discussed in a joint CISA and FBI alert. In one incident, social engineering may have taken the form of tech support fraud or voice phishing (“vishing”) rather than the more familiar email-based phishing. In another, attackers may have compromised exposed SSH services before encrypting victim systems. Upon learning of the incident, SecurityScorecard researchers consulted both in-house and strategic partnership data sources to investigate it further and, in investigating this newer incident, SecurityScorecard researchers encountered evidence that attackers may have employed both of these approaches.
Possible Initial Compromise: Cryxos Trojan
While consulting external threat intelligence data sources, SecurityScorecard encountered two malicious files from Spring and Summer of 2022 that may have facilitated social engineering attacks against the county government. Both files mention county emergency services, and other vendors have linked them to the Cryxos trojan.
In light of these detections, it may bear noting that SecurityScorecard’s investigation into another ransomware attack against a school district uncovered evidence suggesting that attackers also employed Cryxos in their initial targeting. Against this background, it appears possible that in the case of this county government, attackers were able to obtain remote access to county systems when a county employee fell victim to social engineering. They may, for example, have called the number displayed in a warning that appeared when they visited a webpage purporting to offer information about local fire codes or emergency services and installed remote-access software when directed to by attackers masquerading as support personnel.
Security Scorecard Platform Findings
Among the other issues affecting the county, SecurityScorecard’s ratings platform detected an open Telnet port at one of its IP addresses. The availability of these ports allows attackers to engage in authentication bypass attacks (such as brute-forcing attempts, remote buffer overflows, and blank passwords). An attacker can leverage this access to pivot into further enterprise resources. Researchers also pivoted off of this finding when analyzing the available netflow data.
Using SecurityScorecard’s access to exclusive network flow (i.e., netflow) data, researchers identified suspicious traffic that may reflect activity targeting the county in the months leading up to the disruption announced on September 11. This traffic involved IP addresses that SecurityScorecard’s Attack Surface Intelligence (ASI) tool and other vendors have linked to malicious activity communicating with county assets with open ports and vulnerable software and, in some cases, additionally featured anomalously large (one GB or more) data transfers, which may represent data exfiltration. Without internal visibility into the county’s network, SecurityScorecard cannot confirm that these flows indicate malicious activity, but SIEM logs would likely offer the necessary information to make a more thorough assessment.
Netflow Data: Port 23
Based on the above-mentioned platform finding, researchers first searched our netflow data for traffic involving port 23 (the port where Telnet normally runs) of the affected IP address, identifying sixteen flows. Thirteen of these flows transferred relatively small amounts of data, but three may merit closer attention due to having transferred slightly larger amounts of data and their detections by other vendors. Given these three IP addresses’ possible links to malicious activity, traffic to it from county IP addresses may indicate C2 communications or data exfiltration.
Netflow Data: Large Data Transfers
Between July 12 and September 9, 935 flows transferred notably large amounts of data (a gigabyte or more) to or from county IP addresses. It does bear noting, though, that some of this traffic could be benign. For example, many of the IP addresses discussed below belong to DigitalOcean. Because DigitalOcean provides various services, many of which are legitimate, it is possible that the transfers discussed below do not represent malicious activity. For example, the many large transfers from DigitalOcean IP addresses to district IP addresses discussed below could indicate data transfers to county systems from backups. However, considering that the county suffered an attack, this traffic (especially traffic involving the IP addresses that other vendors have already deemed malicious) merits additional scrutiny.
Of the IP addresses involved in these large transfers, other vendors have linked 30 to malicious or suspicious activity. Discussions of individual IP addresses are available from SecurityScorecard upon request. Broadly speaking, they fall into two categories: IP addresses linked to malware and likely involved in command-and-control (C2) communications and IP addresses linked to phishing. IP addresses in the first category often appear most frequently because malicious executable (.exe) files, many of which VirusTotal links to the delivery of second-stage payloads, communicate with them. In contrast, vendors have often linked the IP addresses in the second group specifically to phishing. While these latter addresses usually appear in a smaller number of files, the files containing them are almost always emails, which may lend further credence to their involvement in phishing.
Netflow Data: Transfers Involving Vulnerable County IP Addresses
Researchers were additionally able to identify evidence suggesting a wider pattern of targeting vulnerable open ports by focusing on two county IP addresses that not only figure particularly prominently in the sample of traffic involving large data transfers, but also, upon further inspection, appear to suffer from other issues threat actors may have attempted to exploit prior to the county’s announcement.
SecurityScorecard first noted that a considerable portion (244 of 935) of the flows that transferred one GB or more used port 25, a port normally used for SMTP (an email relay protocol) that malware also frequently uses, of two particular county IP addresses. Researchers then consulted SecurityScorecard’s new Attack Surface Intelligence (ASI) solution to determine what other issues may face these IP addresses. ASI offers users direct access to SecurityScorecard’s deep threat intelligence data by analyzing billions of sources to provide visibility into any IP, network, or domain from a single pane of glass.
ASI indicates that other ports open at these addresses may suffer from vulnerabilities under exploitation by at least seven different threat actor groups. It is possible then, that attackers compromised these servers and used them to target other county assets. The large flows involving them may therefore suggest the distribution of malware, C2 communications, or data exfiltration. When considered in light of the frequent appearance of the above IP addresses in emails submitted to VirusTotal, the appearance of port 25 in these flows may indicate phishing or malware distribution over email.
ASI also found ports 22, 443, and 161 to be open and revealed SSH software running at port 22 of both addresses (OpenSSH 7.4) that might suffer from vulnerabilities by established threat actor groups. It is thus possible that a threat actor compromised these addresses by accessing them through port 22 and exploiting the SSH vulnerabilities detected there. Traffic to port 22 may be of particular concern in light of SecurityScorecard’s previous research, which suggests that threat actors targeted it in the lead-up to another ransomware attack.
Based on this ASI data, SecurityScorecard researchers consulted their netflow dataset to identify traffic to and from port 22 at these two IP addresses. In the case of both county IP addresses, given the flows’ frequency, relatively small byte counts, near-exclusive focus on port 22 at county IP addresses where the port was exposed, and many of the other IP addresses’ previous links to SSH brute force attacks, some of this traffic may represent attacker targeting of vulnerable county SSH services or subsequent exploitation of compromised assets.
While investigating the above IP addresses, researchers also observed frequent communication with additional county IP addresses over port 22, and ASI has also found SSH vulnerabilities to affect software in use at those addresses. A broader view of traffic to port 22 at all IP addresses attributed to the county government may indicate additional targeting; over one thousand flows involving port 22 occurred between July 12 and September 12.
The data collected and analyzed thus far has led researchers to hypothesize that the incident may have begun with social engineering or targeting of vulnerable SSH services. Aside from the general observation that social engineering remains a common approach for ransomware groups, the appearance of the county government domains in files linked to the Cryxos trojan, which enables such activity, may support the hypothesis that county personnel fell victim to social engineering in the early stages of the attack. These stages may also have included SSH brute force attacks or exploitation of OpenSSH vulnerabilities, which the traffic between suspicious IP addresses and port 22 at vulnerable county IP addresses may suggest. However, given that SSH can facilitate file transfers, depending on its timing, frequency, and byte count, some of this traffic may additionally reflect exfiltration, C2 communication, or malware distribution after initial compromise rather than brute force attempts.
This information was gathered and analyzed to provide a brief preview of some of SecurityScorecard’s threat intelligence and investigation capabilities. SecurityScorecard was only able to query and contextualize some of its data and thus it should be noted that this is not an exhaustive list of issues related to the county’s overall cyber risk exposure and this particular incident. This investigation should therefore be considered trustworthy but preliminary, and our team can continue diving into these details, especially with the ability to support further by working with on-site staff.