Ransomware Attack on Vendor Managing U.S. Government Records
Executive Summary
On January 3, CyberScoop reported that an earlier service interruption affecting a vendor that manages records for U.S. county governments had resulted from a cyberattack.
As of January 10, some counties’ records remain inaccessible due to the incident.
In light of the possible methods of initial access and exfiltration observed, STRIKE assesses with moderate confidence that an attack (or attack attempt) by the BlackCat ransomware group was responsible for the reported disruption.
Background
On December 26, a vendor that provides digital record management services to local governments across the U.S. reported that it had temporarily taken its servers offline after detecting unusual activity on them. One week later, on January 3, news outlets reported that the disruption resulted from an unspecified attack. One week after that, local news reported that some customers’ records were still inaccessible, likely as a result of the attack.
Findings
The STRIKE Team consulted both internal and external data sources to assess the security of the affected vendor and uncovered evidence of remote access software an attacker could have used to compromise the vendor’s systems, a large amount of anomalous traffic that may reflect data exfiltration, and communication between the vendor’s network and IP addresses with which previous ransomware victims communicated in the lead-up to their own attacks.
Findings: Remote Access Software
A file containing one of the vendor’s subdomains (connect.[vendordomain].com) first appeared on VirusTotal on January 6. Its name, ConnectWiseControl.Client.exe, matches the client installer for the remote desktop software ConnectWise Control, and such installers are generated per server and carry the address of the server they report back to; the vendor subdomain embedded in the file is therefore most likely that server. As of January 17, a login page was publicly accessible at that subdomain, confirming that it fronted the organization’s remote desktop service. An attacker holding valid credentials (for example, previously exposed ones) could have used it to reach the organization’s systems remotely through ConnectWise.
Image 1: A ConnectWise login page was publicly available at the subdomain contained in the file submitted to VirusTotal
A variety of ransomware groups have exploited exposed remote desktop services to access victim systems in the past. Previous research into the BlackCat ransomware group has identified exploitation of ConnectWise Control (known by its previous name, ScreenConnect) as a method of initial access its affiliates have employed. This, combined with the timing of the file’s appearance on VirusTotal (approximately ten days after the first reports of an incident), suggests that attackers used ConnectWise when accessing the victim organization’s systems. The inference is circumstantial: the file is the vendor’s own client installer rather than malware, and it could have been uploaded by an incident responder or a customer checking the software after the outage as readily as by an attacker.
This could also reflect a wider, more recently reported trend. On January 25, CISA issued a warning that malicious actors’ exploitation of legitimate remote management software for initial access to target organizations had increased and specifically highlighted recent attacks that used ConnectWise.
STRIKE next consulted the organization’s scorecard in SecurityScorecard’s ratings platform and identified the IP address hosting that subdomain in the vendor’s digital footprint. Researchers then referred to the traffic sample collected in the months preceding the disruption and identified twenty-nine unique IP addresses that communicated with that vendor IP address during the monitoring period. Other security vendors have linked twenty of these to previous malicious activity. Most of the traffic data suggested fairly low-level scanning or probing, as it involved brief, one-off communications and small data transfers, and a strategic partner has identified many of the IP addresses involved as scanners.
On December 5, however, one of them received a larger-than-usual transfer (12.28 MB) from the vendor IP address hosting the subdomain contained in the file. While this may reflect a threat actor’s exfiltration of data from the target network, it is, if nothing else, notable because it is so much larger than every other transfer involving this vendor IP address (the next-largest was only 843 KB).
Additionally, three vendors have linked the non-vendor IP address involved in this transfer, 159.65.203[.]252, to malicious activity. A file downloaded from it on August 13, 2022, identifies it as a VPN server. While there are many legitimate uses of VPNs, threat actors also use them to obscure their actual IP address, concealing the source of their activity. This may indicate that attackers using a VPN routed their traffic through this IP address. The same property cuts the other way: reputation verdicts against a shared VPN endpoint can stem from any of its users, so the link between this address and the vendor’s incident is circumstantial.
Cybersecurity vendors have also linked twelve other IP addresses with which the vendor IP address communicated before December 5 to malicious activity. Traffic to and from these IP addresses may therefore reflect earlier stages of the compromise, culminating in the large data transfer discussed above.
Findings: Other Traffic Data
STRIKE leveraged SecurityScorecard’s exclusive access to network flow (netflow) data to collect a sample of traffic involving IP addresses attributed to the vendor. Between November 3 and December 26, 673,977 flows took place. Of those, a large majority (462,552/673,977) occurred from December 15 onward and involved only two IP addresses, one attributed to the vendor and a DigitalOcean IP address, 174.138.64[.]88.
These transfers may represent the attackers’ data exfiltration from the vendor’s network. All of these flows were directed at port 22 (SSH) of 174.138.64[.]88. The BlackCat ransomware group’s exfiltration tool, ExMatter, pushes stolen files over SFTP to port 22 of remote servers from victim networks, so this traffic may reflect the use of ExMatter on the target network.
Furthermore, SecurityScorecard’s Attack Surface Intelligence tool indicates that port 22 of that IP address is open and that the OpenSSH version it advertises carries known vulnerabilities. Because the host is external to the vendor, these findings characterize the remote server rather than describe an exposure on the vendor’s side.
Image 2: Attack Surface Intelligence revealed five SSH vulnerabilities affecting the version of OpenSSH in use at port 22 of the IP address with which the vendor communicated most regularly
While other cybersecurity vendors have not yet linked 174.138.64[.]88 to malicious activity, and it has not appeared in other STRIKE ransomware investigations, ExMatter has communicated with DigitalOcean IP addresses in a majority of previously publicly discussed cases involving it. That being said, the large number of data transfers could, conversely, indicate that this behavior is routine; they could, for example, represent transfers to backups. Port 22 alone does not settle the question, since scheduled backups and file syncs commonly ride on SSH as well (rsync over SSH, scp, SFTP). What would distinguish the two readings is whether the vendor recognizes the destination and whether the flows began abruptly on December 15 rather than recurring on a schedule throughout the monitoring period.
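The two netflow checks described above (the outsized 12.28 MB transfer to a single peer, and the post-December 15 concentration of flows on one external address and port) reduce to a few aggregations over flow records. The following is an added example written for this page, not STRIKE’s tooling or SecurityScorecard’s platform: the flow records, vendor addresses (203.0.113.0/24), peers (198.51.100.0/24) and reputation map are all constructed, and the 10× outlier ratio and the “since” date are illustrative thresholds.

```python
"""Netflow triage: outlier outbound transfers and a dominant external peer.

Added example; the records below are constructed, not the report's netflow sample.
203.0.113.0/24 plays the vendor, 198.51.100.0/24 the external peers (RFC 5737 ranges).
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

SAMPLE_FLOWS = """\
# ts,src,dst,dst_port,bytes  (constructed records)
2022-11-08T02:10:00,198.51.100.7,203.0.113.10,22,1400
2022-11-08T02:10:05,198.51.100.7,203.0.113.10,22,1400
2022-11-20T11:00:00,203.0.113.10,198.51.100.23,443,843000
2022-11-21T09:30:00,203.0.113.10,198.51.100.41,443,51000
2022-12-05T04:12:00,203.0.113.10,198.51.100.9,443,12280000
2022-12-15T01:00:00,203.0.113.11,198.51.100.200,22,65536
2022-12-15T01:00:10,203.0.113.11,198.51.100.200,22,65536
2022-12-16T01:00:00,203.0.113.11,198.51.100.200,22,65536
2022-12-16T01:00:10,203.0.113.11,198.51.100.200,22,65536
2022-12-16T03:00:00,203.0.113.11,198.51.100.200,22,65536
2022-12-17T05:00:00,198.51.100.88,203.0.113.10,80,600
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dst_port: int
    nbytes: int


def parse_flows(text):
    """Parse the CSV-like records above; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def outbound_bytes_by_peer(flows, vendor_ip):
    """Bytes the vendor address sent to each external peer, summed over all flows."""
    totals = Counter()
    for f in flows:
        if f.src == vendor_ip:
            totals[f.dst] += f.nbytes
    return totals


def outlier_transfer(totals, ratio=10.0):
    """Largest outbound peer volume, if it exceeds the runner-up by `ratio` or more.

    Returns (peer, bytes, ratio_to_runner_up) or None: the report's "12.28 MB versus
    a next-largest 843 KB" observation turned into an explicit test.
    """
    ranked = totals.most_common(2)
    if len(ranked) < 2:
        return None
    (peer, top), (_, second) = ranked
    if second == 0 or top / second < ratio:
        return None
    return peer, top, round(top / second, 2)


def dominant_outbound_peer(flows, vendor_ips, since_iso):
    """Within flows touching a vendor IP from `since_iso` on, the (peer, remote port)
    pair carrying the most outbound flows, its count, and its share of all flows in
    the window. One pair taking most of the window on a single port is the shape the
    report describes toward the DigitalOcean address."""
    since = datetime.fromisoformat(since_iso)
    window = [f for f in flows if f.ts >= since and (f.src in vendor_ips or f.dst in vendor_ips)]
    pairs = Counter((f.dst, f.dst_port) for f in window if f.src in vendor_ips)
    if not pairs:
        return None
    (peer, port), count = pairs.most_common(1)[0]
    return peer, port, count, count / len(window)


def reputation_hits(peers, reputation):
    """Subset of `peers` present in a reputation map {ip: [source, ...]}."""
    return {ip: reputation[ip] for ip in peers if ip in reputation}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    totals = outbound_bytes_by_peer(flows, "203.0.113.10")
    print("outlier transfer:", outlier_transfer(totals))
    print("dominant peer since 2022-12-15:",
          dominant_outbound_peer(flows, {"203.0.113.10", "203.0.113.11"}, "2022-12-15"))
    # Constructed reputation data standing in for the third-party verdicts the report cites.
    rep = {"198.51.100.9": ["vendor-a", "vendor-b", "vendor-c"], "198.51.100.7": ["vendor-a"]}
    print("reputation hits among peers:", reputation_hits(set(totals), rep))
```

The outlier test deliberately compares the top peer with the runner-up rather than with a fixed byte threshold, because what made the 12.28 MB transfer stand out in the report was its ratio to everything else on that host, not its absolute size. Note that `dominant_outbound_peer` reports the share against all flows in the window, inbound included, so a result near 1.0 means the vendor address was doing little else.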
Aside from the traffic involving 174.138.64[.]88, which attracted researchers’ attention due to its sheer quantity, researchers also consulted SecurityScorecard’s internal threat intelligence platform to identify traffic involving IP addresses with which previous ransomware victims also communicated. 100 IP addresses appearing in the traffic samples from previous ransomware investigations also appeared in this one. Of those, cybersecurity vendors have previously linked thirteen IP addresses to malicious activity, one of which may offer additional insight into the early stages of the attack. These IP addresses are available below in Appendix A: IP Addresses Communicating with Previous Ransomware Targets and Appendix B: IP Addresses From Previous Investigations Detected in VirusTotal.
168.167.72[.]179 communicated eighty-five times with port 22 of a vendor IP address between November 8 and November 30. This led STRIKE to consult Attack Surface Intelligence, which showed port 22 open at the vendor IP, fingerprinted the service as FortiSSH and Wing FTP Server, and found that it accepted password authentication. An attacker could therefore have used previously exposed vendor credentials to log in to this server without needing an exploit.
File transfer services are attractive targets because of the data they hold. An attacker who gains access to the files on such a server may sell them, use them for extortion, or draw on the information when launching further attacks.
Images 3-4: Attack Surface Intelligence revealed port 22 of a target vendor IP address to be running an FTP server accessible via password.
The Attack Surface Intelligence data indicated that port 22 of this IP address could attract a threat actor’s attention, so STRIKE also studied its traffic with IP addresses other than 168.167.72[.]179, noting that it communicated with ten others between November 3 and December 16. Other cybersecurity vendors have detected malicious activity at all ten. Members of the VirusTotal community and/or Attack Surface Intelligence have linked ten of the eleven addresses in total, 168.167.72[.]179 among them, to attacks against SSH services.
Images 5-7: Attack Surface Intelligence’s Malicious Reputation data links many of the IP addresses that communicated with port 22 of a vendor IP address to SSH attacks
SecurityScorecard’s research into a series of previous ransomware attacks revealed that threat actors may have targeted SSH services on victim networks in the early stages of those attacks as well. Prior to these incidents, research into 2016 and 2019 ransomware operations also noted that some groups had targeted SSH services for initial access.
While the volume of traffic involved in a brute force attempt is normally higher than that observed in this particular instance, it may nonetheless represent malicious activity, given the previous research linking the IP addresses involved to attacks. It is additionally possible that the number of flows was lower than usual because an early login attempt succeeded, eliminating the need for the many repeated attempts characteristic of a brute force attack. A previously exposed or reused credential, the scenario raised above for the vendor’s SSH/FTP host, would produce exactly this low-volume pattern: one or a few connections and no further guessing.
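Netflow shows that a handful of connections reached port 22, not what happened inside them; the host’s own sshd log does, and it is where the “few attempts, then success” hypothesis above can be checked. The example below is added for this page and is not the report’s or the vendor’s code: the log lines, hostnames, users and addresses are constructed, the reputation map is a stand-in for third-party verdicts, and the brute-force threshold is illustrative. It also checks an sshd_config fragment for the password-authentication setting that Attack Surface Intelligence flagged on the vendor host.

```python
"""Triage sshd authentication logs for the 'few attempts, then success' pattern.

Added example. Log lines, hostnames, users and addresses are constructed (RFC 5737
documentation ranges); the reputation map stands in for third-party verdicts.
"""
import re
from collections import defaultdict

SAMPLE_AUTH_LOG = """\
Nov  8 03:12:01 records-ftp sshd[2211]: Failed password for backup from 198.51.100.7 port 51022 ssh2
Nov  8 03:12:04 records-ftp sshd[2211]: Failed password for backup from 198.51.100.7 port 51022 ssh2
Nov  8 03:12:09 records-ftp sshd[2215]: Accepted password for backup from 198.51.100.7 port 51030 ssh2
Nov  8 03:12:09 records-ftp sshd[2215]: pam_unix(sshd:session): session opened for user backup by (uid=0)
Nov  9 22:40:11 records-ftp sshd[3102]: Failed password for invalid user admin from 198.51.100.44 port 40011 ssh2
Nov  9 22:40:13 records-ftp sshd[3104]: Failed password for invalid user admin from 198.51.100.44 port 40012 ssh2
Nov  9 22:40:15 records-ftp sshd[3106]: Failed password for root from 198.51.100.44 port 40013 ssh2
Nov  9 22:40:17 records-ftp sshd[3108]: Failed password for invalid user oracle from 198.51.100.44 port 40014 ssh2
Nov 30 08:00:02 records-ftp sshd[4410]: Accepted publickey for deploy from 203.0.113.50 port 52000 ssh2: ED25519 SHA256:constructed
"""

# Matches the Accepted/Failed lines OpenSSH writes; PAM and session lines are ignored.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text):
    """One dict per authentication outcome, in log order."""
    return [m.groupdict() for m in map(AUTH_RE.search, text.splitlines()) if m]


def summarize_by_source(events):
    """Per source IP: failure/accept counts, failures before the first accept, accepted methods."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev["ip"], {
            "failed": 0, "accepted": 0, "failed_before_accept": None,
            "accepted_methods": set(), "users": set(),
        })
        s["users"].add(ev["user"])
        if ev["outcome"] == "Failed":
            s["failed"] += 1
            continue
        s["accepted"] += 1
        s["accepted_methods"].add(ev["method"])
        if s["failed_before_accept"] is None:
            s["failed_before_accept"] = s["failed"]
    return summary


def suspicious_sources(summary, reputation, brute_force_threshold=4):
    """Flag sources an analyst should look at, with a reason for each.

    A short run of failures ending in an accepted password login is weighted above a
    noisy brute force that never succeeds; a reputation hit is reported regardless of volume.
    """
    findings = defaultdict(list)
    for ip, s in summary.items():
        if "password" in s["accepted_methods"] and s["failed_before_accept"]:
            findings[ip].append(
                f"password login accepted after {s['failed_before_accept']} failed attempt(s)")
        elif s["accepted"] == 0 and s["failed"] >= brute_force_threshold:
            findings[ip].append(
                f"{s['failed']} failed attempt(s), none accepted (brute force pattern)")
        if ip in reputation:
            findings[ip].append(f"listed by {len(reputation[ip])} reputation source(s)")
    return dict(findings)


def password_auth_enabled(sshd_config):
    """True when sshd accepts passwords. OpenSSH honours the first global
    PasswordAuthentication directive and defaults to yes when none is set;
    per-user Match blocks are deliberately not evaluated here."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = re.split(r"[\s=]+", line, maxsplit=1)
        if key.lower() == "match":
            break
        if key.lower() == "passwordauthentication":
            return bool(rest) and rest[0].strip().lower() == "yes"
    return True


if __name__ == "__main__":
    summary = summarize_by_source(parse_auth_log(SAMPLE_AUTH_LOG))
    # Constructed reputation data: which third parties flagged each source.
    reputation = {"198.51.100.7": ["vendor-a", "vendor-b"]}
    for ip, reasons in suspicious_sources(summary, reputation).items():
        print(ip, "->", "; ".join(reasons))
    print("password auth enabled:", password_auth_enabled("Port 22\nPasswordAuthentication yes\n"))
```

On a real host, feed `journalctl -u ssh` or /var/log/auth.log output to `parse_auth_log`. A reused credential shows up as an accept after zero or very few failures, which is precisely what a failure-count threshold alone would miss; that is why the success-after-failures rule is evaluated before the brute-force rule. The `password_auth_enabled` check is the configuration counterpart of the Attack Surface Intelligence observation: if it returns True on an internet-facing host, leaked credentials are enough.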
Conclusion
Without internal visibility into the vendor’s network, the above findings cannot conclusively prove that the target organization suffered a ransomware attack. However, they do at least suggest possible initial access which points to such an attack and offer some indication that attackers exfiltrated data. The target organization and previous ransomware victims communicated with 100 of the same IP addresses, a notable overlap in network activity and a possible indication that attackers have routed their traffic through the same IP addresses in different attacks.
A remote desktop service targeted by BlackCat affiliates in previous attacks appeared to be fairly easily accessible. The IP addresses where that service was in use experienced traffic from IP addresses previously linked to malicious activity. Moreover, the large number of data transfers to port 22 of an external IP address may indicate exfiltration. If anything, it reflects traffic resembling that of the BlackCat group’s exfiltration tool, which also transfers stolen data to port 22 of an external IP address, usually one belonging to DigitalOcean (as this one does). Given these findings, and in light of the disruption resulting from the attack, STRIKE assesses with moderate confidence that a ransomware attack (or attack attempt) was responsible for the reported disruption.
Appendix A: IP Addresses Communicating with Previous Ransomware Targets
139[.]59[.]12[.]104
168[.]167[.]72[.]179
89[.]203[.]250[.]36
142[.]93[.]250[.]67
167[.]99[.]146[.]60
98[.]129[.]164[.]22
67[.]205[.]138[.]73
167[.]71[.]108[.]108
146[.]20[.]128[.]139
164[.]92[.]224[.]29
138[.]197[.]112[.]17
137[.]184[.]21[.]231
165[.]22[.]0[.]84
161[.]35[.]139[.]69
167[.]71[.]245[.]126
69[.]20[.]43[.]192
167[.]71[.]254[.]141
143[.]198[.]2[.]40
142[.]93[.]10[.]200
162[.]243[.]1[.]80
192[.]241[.]246[.]124
162[.]243[.]6[.]223
174[.]143[.]73[.]191
192[.]241[.]245[.]94
161[.]35[.]139[.]79
173[.]203[.]14[.]218
146[.]20[.]128[.]175
162[.]243[.]5[.]116
159[.]203[.]145[.]174
162[.]243[.]5[.]152
162[.]243[.]5[.]100
165[.]227[.]223[.]189
137[.]184[.]150[.]196
167[.]99[.]120[.]130
146[.]20[.]132[.]54
68[.]183[.]141[.]2
72[.]32[.]157[.]201
108[.]166[.]43[.]1
161[.]35[.]139[.]87
143[.]198[.]126[.]50
157[.]245[.]2[.]169
134[.]209[.]167[.]26
161[.]35[.]141[.]121
146[.]20[.]132[.]59
157[.]230[.]213[.]93
50[.]57[.]31[.]206
137[.]184[.]106[.]94
167[.]99[.]116[.]160
159[.]223[.]101[.]134
199[.]255[.]141[.]10
72[.]4[.]120[.]219
104[.]248[.]15[.]66
164[.]90[.]143[.]203
167[.]172[.]231[.]60
159[.]65[.]197[.]210
192[.]241[.]189[.]104
23[.]253[.]188[.]26
68[.]183[.]118[.]126
146[.]190[.]223[.]190
69[.]55[.]49[.]248
206[.]189[.]207[.]30
146[.]20[.]132[.]82
146[.]190[.]219[.]193
167[.]71[.]87[.]161
167[.]99[.]116[.]82
23[.]253[.]31[.]170
64[.]225[.]9[.]37
159[.]89[.]246[.]130
146[.]20[.]132[.]197
138[.]68[.]73[.]232
137[.]184[.]58[.]169
138[.]197[.]55[.]50
167[.]172[.]26[.]233
146[.]190[.]223[.]184
159[.]135[.]224[.]178
159[.]89[.]247[.]23
162[.]243[.]13[.]175
146[.]20[.]128[.]194
161[.]47[.]17[.]28
192[.]241[.]141[.]220
173[.]203[.]187[.]1
164[.]90[.]143[.]171
68[.]183[.]139[.]103
104[.]130[.]145[.]30
134[.]209[.]118[.]223
173[.]203[.]156[.]148
157[.]230[.]89[.]169
165[.]22[.]188[.]28
146[.]20[.]128[.]109
159[.]89[.]188[.]11
157[.]230[.]89[.]254
143[.]198[.]7[.]93
159[.]89[.]89[.]188
174[.]138[.]49[.]232
68[.]183[.]31[.]236
162[.]13[.]192[.]130
107[.]152[.]46[.]28
157[.]230[.]244[.]66
143[.]198[.]7[.]223
157[.]245[.]109[.]127
Appendix B: IP Addresses From Previous Investigations Detected in VirusTotal