Countermeasures Against TA505 (CL0P) Ransomware

Author: Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP
Date Published: 2 January 2024

The Russian threat group TA505, which operates the CL0P ransomware, has been active since 2014 and has evolved into a prolific zero-day-exploiting, ransomware-as-a-service (RaaS) operation.1 TA505 primarily targets banking, healthcare and financial organizations, and it is the largest global distributor of phishing, spear phishing and malicious spam (malspam).2 The group also operates an initial access broker (IAB) store, which other threat groups worldwide use to purchase or otherwise obtain stolen credentials. IABs harvesting stolen credentials for reuse by other threat actors was one of the biggest new trends of 2023. According to many estimates, 25% of attacks in 2023 resulted from the use of stolen credentials,3 meaning the threat actor needed neither malware nor a vulnerability to penetrate the enterprise network. This is an alarming new development in the tactics, techniques and procedures (TTPs) being observed.

TA505 emerged as one of the most sophisticated and prolific threat groups of 2023. Organizations can protect themselves by implementing countermeasures designed to mitigate the risk it poses.

Introduction to TA505 and Cl0p Ransomware

TA505's TTPs are fairly simple, yet the group has collected hundreds of millions of dollars from cryptocurrency payments and the services it provides.4 In 2023, groups such as TA505 operate much like a Fortune 500 enterprise. They make decisions the way any other organization does: operational changes and tactics are driven by whatever increases profitability. They spend heavily on research and development to ensure they have the best tools and expertise for the task at hand. TA505 is also known to work with affiliate groups, as it did during the 2023 MOVEit breach,5 that add value to its overall approach and help increase its return on investment (ROI).

TA505 phishes, spear phishes or obtains stolen credentials through an IAB; infects a machine using those credentials or by convincing a user to click a phishing link; drops a malware payload (e.g., Cobalt Strike, Cl0p); establishes command and control; moves laterally; kills security applications; and pivots to other machines over internal remote desktop protocol (RDP). TA505 then deploys ransomware and various web shells (e.g., LEMURLOOT). At that point, encryption and data exfiltration happen very quickly. The group has historically operated in the Asia-Pacific region, Canada, India and the United States.

TA505 has developed a niche: finding and exploiting zero-day vulnerabilities. It has victimized more than 3,000 organizations in the United States and 8,000 worldwide.6 Millions of users' confidential records have been exfiltrated by TA505 and offered for sale on the dark web. TA505 also maintains leak blogs where it posts updates on its victims and their stolen data; media outlets monitor these blogs closely so they can report on attacks quickly.

TA505 also operates a dark web marketplace where it sells confidential data. Everything the group does is for financial gain.


In June 2023, the US State Department announced a US$10 million reward for anyone with information linking TA505 to a foreign government.7 The bounty was a response to various ransomware groups targeting US critical infrastructure.

To fully appreciate the depth and breadth of TA505 and its impact, the tactics it uses are worth studying. TA505 attack TTPs include:

  • Internet-exposed RDP connections, used to penetrate enterprise networks
  • Exploitation of known vulnerabilities for which patches have not been applied
  • Commonly used penetration testing tools such as Cobalt Strike
  • Malware tools such as Bart, Locky, Scarab, Philadelphia, GlobeImposter, Jaff, GandCrab and Clop
  • Private keys stolen from legitimate software, used to avoid detection by cybersecurity applications
  • Stolen credentials (e.g., credentials purchased from an IAB)
  • RaaS
  • Banking trojans (e.g., Dridex, Amadey, Necurs) used to commit financial fraud
  • Active Directory (AD) misconfigurations and vulnerabilities, used to move laterally and escalate privileges
  • Web shells, used to maintain persistence and spread malware
  • Disabling of security tools
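The chain described above (external RDP, credential abuse, then security tooling switched off) leaves a recognizable trail in Windows event logs. The following is an added example, not code from the article or from Secureworks: three small detections run against constructed Windows Security and Microsoft Defender events so the script executes offline on any PowerShell 5.1 or 7 host. The event IDs are real (4624/4625 logon success/failure, 4688 process creation, Defender Operational 5001 real-time protection disabled); the account names, timestamps and the TEST-NET-3 address 203.0.113.7 are made up for the demonstration. The commented lines at the end show how to feed live data into the same shape.

```powershell
# Added example: hunt for TA505-style signals in (constructed) Windows events.

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 and loopback count as internal; '-' is what local/system logons carry.
    if ([string]::IsNullOrEmpty($Address) -or $Address -eq '-') { return $true }
    $o = $Address.Split('.')
    if ($o.Count -ne 4) { return $false }
    $a = [int]$o[0]; $b = [int]$o[1]
    return ($a -eq 10) -or ($a -eq 127) -or ($a -eq 192 -and $b -eq 168) -or ($a -eq 172 -and $b -ge 16 -and $b -le 31)
}

function New-Evt($Time, $Id, $Account, $LogonType, $Source, $Detail) {
    # Normalized event shape used by all three detections.
    [pscustomobject]@{ Time = [datetime]$Time; Id = $Id; Account = $Account; LogonType = $LogonType; Source = $Source; Detail = $Detail }
}

# Constructed sample (not real telemetry): three bad passwords for svc_backup from an
# Internet address, then a successful RDP logon (type 10) from the same address, then
# Defender real-time protection is disabled and its service stopped.
$events = @(
    New-Evt '2023-06-01 02:14:03' 4625 'svc_backup' 10 '203.0.113.7' 'Bad password'
    New-Evt '2023-06-01 02:14:09' 4625 'svc_backup' 10 '203.0.113.7' 'Bad password'
    New-Evt '2023-06-01 02:14:15' 4625 'svc_backup' 10 '203.0.113.7' 'Bad password'
    New-Evt '2023-06-01 02:14:22' 4624 'svc_backup' 10 '203.0.113.7' 'Logon'
    New-Evt '2023-06-01 02:20:40' 4624 'jdoe'       10 '10.20.30.44' 'Logon'      # benign internal RDP
    New-Evt '2023-06-01 02:31:05' 5001 ''           $null ''         'Real-time protection disabled'
    New-Evt '2023-06-01 02:31:07' 4688 'svc_backup' $null ''         'sc.exe stop WinDefend'
)

function Find-RdpFromInternet($Events) {
    # Countermeasure 1 in reverse: any successful type-10 logon whose source is not RFC 1918.
    $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 -and -not (Test-PrivateIPv4 $_.Source) } |
        ForEach-Object { "RDP from Internet: $($_.Account) from $($_.Source) at $($_.Time)" }
}

function Find-BruteForceThenSuccess($Events, [int]$Threshold = 3, [int]$WindowMinutes = 10) {
    # A success preceded by at least $Threshold failures for the same account and source within the window.
    foreach ($ok in ($Events | Where-Object Id -eq 4624)) {
        $fails = @($Events | Where-Object {
            $_.Id -eq 4625 -and $_.Account -eq $ok.Account -and $_.Source -eq $ok.Source -and
            $_.Time -le $ok.Time -and $_.Time -ge $ok.Time.AddMinutes(-$WindowMinutes)
        })
        if ($fails.Count -ge $Threshold) {
            "Brute force then success: $($ok.Account) from $($ok.Source), $($fails.Count) failures before $($ok.Time)"
        }
    }
}

function Find-SecurityToolTamper($Events) {
    # Defender 5001, or process creation that stops/kills AV or EDR components.
    $Events | Where-Object { $_.Id -eq 5001 -or ($_.Id -eq 4688 -and $_.Detail -match 'WinDefend|MsMpEng|Sense|taskkill|Set-MpPreference') } |
        ForEach-Object { "Security tool tamper: [$($_.Id)] $($_.Detail) at $($_.Time)" }
}

$alerts = @(Find-RdpFromInternet $events) + @(Find-BruteForceThenSuccess $events) + @(Find-SecurityToolTamper $events)
$alerts | ForEach-Object { Write-Output $_ }

# Live use (commented out; needs an elevated session):
# $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4688; StartTime = (Get-Date).AddHours(-24) }
# $def = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001 }
# Then read ([xml]$_.ToXml()).Event.EventData.Data by Name (TargetUserName, LogonType, IpAddress)
# for each record and pass the values to New-Evt.
```

On the sample data the script emits four alerts: the external RDP logon for svc_backup, the three-failures-then-success pattern for the same account and source, and the two tamper events. The internal logon for jdoe produces nothing, which is the point of the RFC 1918 check.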

How to Reduce Risk From TA505 (and Other Threat Groups)

Although the threat posed by TA505 is considerable, destructive and prolific, there are numerous countermeasures organizations can deploy to mitigate the risk posed by its TTPs:

  • Prohibit any RDP connection from the Internet. Close all other unneeded RDP ports internally. Do not allow other remote tools to be used from the Internet unless they are secured. Audit all remote access methods and users regularly. Allow only approved remote access solutions such as virtual private networks (VPNs) and virtual desktop infrastructure (VDI). Block all inbound and outbound connections on remote access software ports at the network perimeter.
  • Closely monitor the logs of any remote access software that is required.
  • Implement application controls to manage and restrict the execution of software that has not been approved.
  • Disable Windows PowerShell and command-line capabilities for end users.
  • Ensure PowerShell is up to date and remove any version older than 5.0.
  • Ensure PowerShell logging is robust (script block, module and transcription logging).
  • Perform an annual reconciliation. Check all network accounts to ensure they are still needed and adhere to the principle of least privilege.
  • Reduce the risk of credential exposure by:
    • Protecting domain administrator (admin) accounts and preventing caching of password hashes
    • Never using plaintext credentials in scripts
  • Implement a comprehensive, immutable recovery plan (consider a 3-2-1 strategy8). Rehearse the recovery effort and time it.
  • Use long passwords of at least 8 characters (treat 8 as a floor, not a target). Require at least one number and one special character.
  • Use a good password manager.
  • Do not allow password hints.
  • Lock accounts after 3 failed login attempts.
  • Require annual password changes.
  • Do not give end users admin rights. Require admin access to install any software.
  • Always use multifactor authentication (MFA).
  • Patch everything. Patch as soon as possible.
  • Use network segmentation to prevent the spread or lateral movement of malware.
  • Use next-generation anti-malware tools to protect endpoints.
  • Use next-generation tools (e.g., managed detection and response [MDR], extended detection and response [XDR]) to ingest all endpoint logs and report events, incidents and anomalies.
  • Disable unnecessary ports.
  • Investigate all reported incidents immediately.
  • Ensure antivirus applications are updated and in use.
  • Disable hyperlinks in email.
  • Ensure all disks and backups are encrypted.
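Several of the items above (RDP exposure, PowerShell version and logging, credential caching, lockout and password rules, stale-account review) can be applied and verified from one elevated PowerShell session. The script below is an added example, not code from the article or from Secureworks. It assumes a Windows 10/11 or Windows Server host with PowerShell 5.1 or later; the transcript directory, the 90-day staleness threshold and the script file name are assumptions, and the Active Directory review runs only where the RSAT ActiveDirectory module is installed. Domain-joined hosts should receive the lockout, password and logging settings through Group Policy rather than from this script; it is shown here so the individual settings are visible.

```powershell
<#
 Added example (not the article's or Secureworks' code): apply and report the
 host-level countermeasures from the list above. Run elevated; -WhatIf previews.
 Assumptions: local transcript path, 90-day staleness window, the article's
 8-character minimum (raise it where policy allows).
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$StaleAccountDays  = 90,                  # assumption: review threshold for the annual reconciliation
    [int]$MinPasswordLength = 8,                   # the article's floor; longer is better
    [string]$TranscriptDir  = 'C:\PSTranscripts'   # assumption; use a write-only network share in production
)

$PSPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    # Creates the key if missing and writes/overwrites the value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. RDP: scope the built-in allow rules to RFC 1918 sources so Internet-sourced 3389
#    falls through to the default inbound block. Disable RDP entirely where it is not needed.
if ($PSCmdlet.ShouldProcess('Remote Desktop firewall rules', 'Restrict to private address ranges')) {
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'
}

# 2. PowerShell: remove the v2 engine (a downgrade path with no script block logging) and
#    enable script block, module and transcription logging through the policy keys.
#    On Windows Server the feature can also be removed with Uninstall-WindowsFeature PowerShell-V2.
if ($PSCmdlet.ShouldProcess('PowerShell', 'Remove v2 engine and enable logging')) {
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    if ($v2 -and $v2.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }
    Set-PolicyValue "$PSPolicy\ScriptBlockLogging"        EnableScriptBlockLogging 1
    Set-PolicyValue "$PSPolicy\ModuleLogging"             EnableModuleLogging      1
    Set-PolicyValue "$PSPolicy\ModuleLogging\ModuleNames" '*' '*' String
    Set-PolicyValue "$PSPolicy\Transcription"             EnableTranscripting      1
    Set-PolicyValue "$PSPolicy\Transcription"             EnableInvocationHeader   1
    Set-PolicyValue "$PSPolicy\Transcription"             OutputDirectory $TranscriptDir String
}

# 3. Credential exposure: stop WDigest keeping plaintext credentials in LSASS and stop
#    caching domain logons (0 suits servers; roaming laptops need a small non-zero count).
if ($PSCmdlet.ShouldProcess('Credential caching', 'Disable WDigest and cached domain logons')) {
    Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' UseLogonCredential 0
    Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' CachedLogonsCount '0' String
}

# 4. Local account policy mirroring the article: lockout after 3 failures, annual rotation,
#    minimum length. Domain-joined hosts take these from Group Policy instead.
if ($PSCmdlet.ShouldProcess('Local account policy', 'Set lockout and password rules')) {
    net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 "/minpwlen:$MinPasswordLength" /maxpwage:365 | Out-Null
}

# 5. Least-privilege review: enabled accounts with no recent logon. Needs RSAT ActiveDirectory.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $cutoff = (Get-Date).AddDays(-$StaleAccountDays)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate |
        Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
        Select-Object SamAccountName, LastLogonDate |
        Format-Table -AutoSize
}

# 6. Report the resulting state so the change can be verified now and re-audited later.
function Get-HardeningState {
    [pscustomobject]@{
        RdpRuleRemoteAddresses = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter |
                                  Select-Object -ExpandProperty RemoteAddress -Unique) -join ','
        PowerShellV2           = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue).State
        ScriptBlockLogging     = (Get-ItemProperty "$PSPolicy\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging
        Transcription          = (Get-ItemProperty "$PSPolicy\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting
        WDigestPlaintext       = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue).UseLogonCredential
        CachedLogons           = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').CachedLogonsCount
    }
}
Get-HardeningState
```

Save the script under an assumed name such as Harden-Host.ps1 and run `.\Harden-Host.ps1 -WhatIf` first to see which changes would be made; run it again without `-WhatIf` to apply them. The final `Get-HardeningState` output is the artifact to keep for the audit trail, and re-running only that function later is a cheap way to catch drift (for example, a Remote Desktop rule re-scoped to Any).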

Conclusion

While there is no way to completely eliminate the risk associated with a threat group such as TA505, employing the recommended countermeasures can help any organization substantially reduce the risk posed by threat groups, IABs and RaaS operations.

Endnotes

1 Canadian Centre for Cyber Security, "Profile: TA505/CL0P Ransomware," Government of Canada, 11 July 2023
2 Lenaerts-Bergmans, B.; "An Introduction to Malicious Spam (Malspam)," 19 July 2023
3 Secureworks, 2023 State of the Threat: A Year in Review, 2023
4 Ibid.
5 Cybersecurity and Infrastructure Security Agency, "#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability," USA, 7 June 2023
6 Ibid.
7 Abrams, L.; "US Government Offers US$10 Million Reward for Information on Clop Ransomware," BleepingComputer, 17 June 2023
8 Castagna, R.; "3-2-1 Backup Strategy," TechTarget

帕特里克·巴内特, CISA, CISM, CEH, CISSP, PCI QSA, PCIP

Is a principal incident response consultant at Secureworks. He has more than 30 years of experience as a cybersecurity professional and specializes in network engineering with a focus on security. In previous roles, he served as chief information security officer (CISO) and chief information officer (CIO) and was vice president at a large financial enterprise. Barnett is driven by a passion for seeing cybersecurity done right and is committed to helping organizations define proper policies, processes and mechanisms for responding to security incidents of any size.
