Tom here from Lawrence Systems, and we're going to talk about Ryuk in five hours. What that means is ransomware attacks, from the phishing email to full exploit and lateral movement, the entire process in five hours or less. This sounds like a pizza delivery commercial: we guarantee fast delivery of this ransomware, which I know I shouldn't be laughing about. This is a pretty tragic event that happened to this company, and I wanted to talk about what happened, what got missed, and specifically talk about the firewalls and Cisco, and the fact that your Snort rules failed you badly. Too many people think the firewall is the solution to so many of these things. I've even had companies contact me for consulting, like they bought my time, to try to pitch me on their magic boxes that could filter all of this, and I'm like, no, you need to focus on endpoint security. That's what a lot of this is going to talk about as a way to defend against this. Endpoint security would solve it. I don't care how expensive of a Cisco firewall or, insert the name of your favorite product, and hate all the products I've ever recommended all you want; they actually would have failed both equally. I can't recommend a firewall that would solve this. I can't recommend a system that would solve this other than patching and proper endpoint detection.

Before we dive into that, let's first: if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a short project, there's a Hire Us button right at the top. If you'd like to help keep this channel sponsor-free, and thank you to everyone who already has, there is a Join button here for YouTube and a Patreon page. Your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below; they're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now back to our content.

We're over here at The DFIR Report, I think that's how they say it, either way a pretty cool site. They break down attacks, and there's a lot of good reading here. Now, because of the YouTube algorithm not liking me to show certain things, especially when it comes to code, yes, YouTube will flag me for that, I'm not going to scroll all the way down, but I'll leave links so you can read about this anyway. This is "Ryuk in 5 Hours": the Ryuk threat actors went from a phishing email to domain-wide ransomware in five hours. They escalated privileges with Zerologon. So if you haven't patched this, stop watching my video and go patch Zerologon. That's been out for a little while, and of course that is a major factor in this particular ransomware, how they were able to escalate things so quickly. You can read through the case summary, but this is the part I wanted to talk about specifically, about endpoint protection and firewalls. Ryuk in five hours: 17:01 UTC, Bazar malware executed, and the C2 servers, which are the command and control servers: this was a Cobalt Strike server. I bring this up because this is exactly what we had covered in the hack_it MSP event with Huntress. We talked about this on the Tradecraft Tuesday: the C2 servers, the command and control. The Cobalt Strike system is really extensive. Related to that, I want to look at something here.
So this is being published here on October 18th, and today is October 19th. This is the problem with firewalls, and you're going, well, my XYZ firewall that I paid tons of money for from some big company should have stopped this, right? Well, no. Here's the problem: the debrief being on the 18th and the entirety of this being written up on the 19th probably tells me it may have happened a little while ago, but of course that's what this is right here over at AlienVault, which I use as an example. The first time this is seen is 10/8. My guess is this was reported after, based on this, the Ryuk in five hours. This was all reported based on the event happening, not stopping the event, and what I mean by that is a lot of these, when security researchers start finding problems, they go back and start reporting to the feeds, but someone had to get hit for them to find the problem. There are just a lot of IP addresses out there; companies get taken over, they basically sit there with these C2 command and control servers, and you can't block them all. It's a cat and mouse game trying to block IP addresses, and locking down the entire internet is just, well, impractical from a daily usage standpoint, where you block everything. The more important things that would have stopped this are solid endpoint detection and, of course, having everything patched.

I bring this up as well because Cisco has an entire, Cisco Talos has a recent new research paper, "The Art and Science of Detecting Cobalt Strike." Let me just save you the trouble of reading this document that I did take the time to read. I think there are some good things in there if you want to read this 29-page report, but this is the important part that I highlighted right here: the payload makes an outbound call to HTTP configured to the C2 server. This is really important, because a lot of this research here is kind of predicated on them being able to see things that way; the Snort rules could see what was going on in the traffic. And let's roll all the way back over to here and look at the IP address. And then we look at the IP address here and scroll down: port 443. Yep, that's how they got around Cisco, no problem. So they used 443, end of story. This is the problem I have with firewall vendors, and it's almost like they're trying to prove their worth: please buy my expensive product because it will save you from the bad people, when in reality I don't think that there's anything wrong, and they probably do block the amateurs all day long, which is great, so they have some value they're providing, but they aren't the end-all solution. Because you have a good firewall, and this is what people will keep getting in their head, they're thinking the firewall is going to stop this.

Let's walk back through a little bit of this and break things down a little further. So essentially they start executing it and have another command and control server, so don't worry if you blocked one; they have a list, generally speaking, and when they can they take over popular domains or squat on different domains that are probably valid, so firewalls just kind of don't get to block all this. It starts hitting all these command and control servers, and then they start going along. I'm going to blur some of this, because this is where they have problems sometimes with YouTube, so things that are blurry are because YouTube doesn't like when I show that type of stuff. Anyway, then once they get in there, they execute the Zerologon, which allows them to create an account. Then from there they just keep moving right along, lateral movement, because once you have domain admin credentials you can just keep moving through the system, pretty straightforward. Get your command and control, start loading everything on there, hey, look, report, print, and then start using all the Cobalt Strike commands to start sending things wherever they need to be done. Then they execute the Ryuk, because now they've got all the reconnaissance they need. They understand the company; they probably found all their backups.

Starting about four and a half hours in from when the initial Bazar malware was executed, the Ryuk threat actors enacted their final objective and initiated RDP connections from the domain controller previously exploited to the environment. This time they initiated the ransomware first on the secondary domain controller, their first pivot, and transferred the Ryuk executable over the RDP connection. This is something really interesting, and we've highlighted this again in that talk we did over at Tradecraft Tuesday with Huntress, and you don't need to go watch that talk yet, other than it dives deeper into that. I think it'll be up on YouTube, or if you registered for the event, I'm hoping they're going to get it published soon, but essentially, and in short, yes, we talked about the fact that right now they're just going through, and once they realize they might get caught, the threat actors go in there and they start turning on RDP, setting up all the settings, start using it, start opening up rules. And yeah, I don't blame them, because they're worried that someone would notice it, but well, if they turn it all on themselves, you're going, RDP is closed on my network, and then when you find RDP open, it's actually the threat actors that opened up RDP sessions, because, well, that's an easy, convenient built-in system. Why try to load some third-party tool that might be, you know, flagged by your AV vendor?

So back to the debrief. How could this have been prevented? One, Zerologon just made this really easy for them. Also endpoint protection: if you have everything locked down and you're using something that looks for anything that gets spawned. Now granted, they spawned this as an explorer process, but this is where some of the tools that you have, you know, and we're currently using SentinelOne and Huntress, I've mentioned this before on the channel, they look for weird things like that, and we do see them occasionally, and this is what you have to stop. They have to look at that type of file execution going on; that's unusual, that is not predicted behavior, and it's detected at the endpoint, through a phishing email, and if you stop it there before they can escalate up. Now we have patched for Zerologon on all of our managed clients, so even if those other tools were to fail, it would not make it easy for them to laterally move. But Zerologon, obviously the ransomware companies, the threat actors, they adapt quickly. They realize people don't patch, so from the time you see any type of high-level vulnerability, even if you're going, well, I'm behind a firewall, don't worry; if you're not behind a firewall, or even if you are, those phishing emails, they're looking for that internally on their network; all they need is a small way in now.

The last thing I'm going to add to this is a lot of small business owners are probably going, great, not me, I see all these big companies. The reality is you're just not big enough to make the news, small business owner. I see this happen constantly. We deal with small companies that get hacked; it never makes the news, and you don't even make the local newspaper, because one, they usually don't tell anyone, I don't blame them, and two, it's not newsworthy. What small five-person office got ransomware? Who reads those stories? It's extremely devastating to a small five-person, ten-person, or even these large companies, but until it hits a big enough company where it affects the general public, it never really makes it in the news. So for your information, this is happening at every level, but I thought this was interesting. I'll leave links to this if you want to do some further reading and read about how Talos thinks Snort will fix it. I'm skeptical on it, and I'm not saying it's all bad. Like I said, a good firewall can protect you from some of the amateur things that are all passing in the clear over port 80, but it's really arbitrary for these threat actors to use encryption; not hard at all for them to do. That's why there wasn't any visibility into the commands used over it, as much as there was visibility into what happened once they got on the network.

All right, and thanks, and thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
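The video's argument is that the intrusion was visible at the endpoint even though it was invisible to the firewall: explorer.exe spawning a dropped binary after a phish, a shell launched from Office, encoded PowerShell, and a compromised host quietly turning on RDP so the operators could move around with a built-in tool. The following is an added example, not code from the video, from The DFIR Report, or from any EDR vendor: a toy detector that runs those host-based checks over a handful of constructed Sysmon-style events (event ID 1 process creation, event ID 13 registry value set). The event layout, rule names, sample hostnames and command lines are all assumptions made for this demonstration; the RDP indicators it looks for (the fDenyTSConnections registry value set to 0 and a netsh command enabling the "remote desktop" firewall rule group) are the standard Windows knobs an intruder flips to enable RDP.

```python
"""Toy endpoint detection over constructed Sysmon-style events.

Added example, not code from the video, The DFIR Report or any EDR product.
It flags the behaviours the transcript describes: a user-facing parent such as
explorer.exe or Word spawning a shell or a binary dropped in a user directory,
encoded PowerShell, and a host enabling RDP. Event shapes, rule names and the
sample telemetry are assumptions made for this demo.
"""
import re
from typing import Any, Dict, List, Set

Event = Dict[str, Any]
Alert = Dict[str, str]

# Parents that should launch documents and browsers, not shells or droppers.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
USER_FACING_PARENTS = OFFICE_PARENTS | {"explorer.exe"}
# Living-off-the-land binaries commonly used as a first stage after a phish.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Paths an ordinary user can write to, where a phishing payload usually lands.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(downloads|appdata)|windows\\temp)\\", re.I)
# -e / -en / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I)
# Two ways an intruder turns on RDP: the registry value and the firewall rule group.
RDP_DENY_VALUE = "fdenytsconnections"
RDP_NETSH = re.compile(r"netsh\s+advfirewall.*remote desktop.*enable=yes", re.I)

# Constructed sample telemetry (not real logs). id 1 = process create, id 13 = registry set.
EVENTS: List[Event] = [
    {"id": 1, "host": "WS-17", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\jdoe\\Downloads\\Document_Preview.exe", "cmdline": "Document_Preview.exe"},
    {"id": 1, "host": "WS-17", "user": "CORP\\jdoe", "parent": "C:\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},  # cmd launching encoded PS
    {"id": 1, "host": "WS-17", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "cmdline": "firefox.exe"},  # benign
    {"id": 13, "host": "DC02", "user": "CORP\\svc_backup",
     "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections", "value": "0"},
    {"id": 1, "host": "DC02", "user": "CORP\\svc_backup", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"id": 1, "host": "WS-17", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE invoice.docx"},  # benign
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _alert(ev: Event, rule: str, detail: str) -> Alert:
    return {"host": ev["host"], "user": ev["user"], "rule": rule, "detail": detail}


def detect(events: List[Event]) -> List[Alert]:
    """Run every rule over every event; alerts come back in event order."""
    alerts: List[Alert] = []
    for ev in events:
        if ev["id"] == 1:
            parent, image, cmd = _base(ev["parent"]), _base(ev["image"]), ev["cmdline"]
            if parent in OFFICE_PARENTS and image in LOLBINS:
                alerts.append(_alert(ev, "office_spawned_lolbin", f"{parent} -> {cmd}"))
            elif parent in USER_FACING_PARENTS and USER_WRITABLE.search(ev["image"]):
                alerts.append(_alert(ev, "user_dir_exec_from_user_parent", f"{parent} -> {ev['image']}"))
            if "powershell" in cmd.lower() and ENCODED_PS.search(cmd):
                alerts.append(_alert(ev, "encoded_powershell", cmd))
            if image == "netsh.exe" and RDP_NETSH.search(cmd):
                alerts.append(_alert(ev, "rdp_firewall_rule_enabled", cmd))
        elif ev["id"] == 13:
            if ev["key"].lower().endswith(RDP_DENY_VALUE) and ev["value"] == "0":
                alerts.append(_alert(ev, "rdp_enabled_via_registry", ev["key"]))
    return alerts


def hosts_with_rdp_enabled(alerts: List[Alert]) -> Set[str]:
    """Hosts on which someone switched RDP on, the pivot behaviour the video describes."""
    return {a["host"] for a in alerts if a["rule"].startswith("rdp_")}


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['host']:6} {a['user']:16} {a['rule']:32} {a['detail']}")
    print("RDP enabled on:", sorted(hosts_with_rdp_enabled(detect(EVENTS))))
```

None of these checks depend on the C2 traffic being readable, which is the point: the beacon over 443 looked like any other HTTPS session to the firewall, but the process tree, the command line and the RDP configuration change were all available on the host. A real EDR adds signer checks, prevalence and the ability to kill the process; this sketch only shows what the telemetry exposes.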