Cybersecurity Week in Review: 1/25
Posted by: GuidePoint Security
We highlight some exciting news from the past week as global law enforcement entities announced the take down of dark web sites connected to the NetWalker ransomware and the major disruption of the Emotet crimeware-as-a-service network. We also feature proof-of-concept research on a NAT slipstreaming attack, a spear-phishing campaign targeted at corporate executives and look back at our own DFIR team’s discovery of an Accellion-specific web shell.
Take downs: Law enforcement brings down two major malware sources
This past week’s news included something positive for the good guys to cheer about. Law enforcement authorities succeeded in halting activity on two of the world’s major and most malicious sources of malware: the dark web site that hosted the NetWalker ransomware cybercrime group and the Emotet “crimeware-as-a-service” botnet.
The criminals behind NetWalker were responsible for financial losses exceeding $46 million since August 2019. The Emotet botnet cybercriminal gang had infiltrated 1.6 million computers worldwide and cost victims hundreds of millions in damages.
The Dismantling of NetWalker Ransomware
Last week in a combined effort, the FBI and Bulgarian authorities succeeded in taking control of multiple dark web components associated with NetWalker ransomware. Their actions involved the site used by the criminals to publish data stolen from its victims and the site used for victim communications and to distribute ransomware payment instructions. The takedown included the arrest of a Canadian national—Sebastien Vachon-Desjardins—who was charged in Florida with extorting $27.6 million in cryptocurrency ransom payments. (Vachon-Desjardins also appeared to have actively used other ransomware strains in addition to NetWalker.)
Over the last few months, cybersecurity professionals had observed criminals selecting NetWalker as one of their popular ransomware strains-of-choice (in addition to Ryuk, Maze, Doppelpaymer, and Sodinokibi). Corporations, school districts, health care facilities, universities and municipalities have all been victims of NetWalker.
According to US authorities, while NetWalker victimized organizations and businesses in 27 countries, the majority of victims—almost 70%—were located in the United States.
Notably, the NetWalker administrator (known as “Bugatti” on dark web forums) had recently been transitioning NetWalker to a ransomware-as-a-service (RaaS) model and had posted advertisements on darknet forums seeking Russian-speaking affiliates. The criminals behind NetWalker had also used the increasingly popular double-extortion method (holding the data hostage and threatening to publish it) to collect the ransom demand.
Currently there is no information on whether law enforcement officials had retrieved the decryption keys as part of the operation.
You can read more about the NetWalker take down activities here, here and here.
Notorious Emotet Brought Down
It appears that cybersecurity professionals enjoyed the rare opportunity to ‘have their cake and eat it too’ as a coalition of international law enforcement organizations, including the FBI, Europol and the United Kingdom’s National Crime Agency, announced the takedown of the infamous Emotet “crimeware-as-a-service” network on the very same day as the NetWalker disruption.
Emotet is nasty, dangerous and used by multiple cybercrime gangs as a loader for second-stage malware such as TrickBot, which in turn has been used to deliver Ryuk ransomware. The ongoing impact of Emotet over the last few years can’t be overstated. (In fact, we’ve written about it four times in just the last 5 months. You can read those articles here, here, here and here.)
Emotet first appeared in 2014 as a banking trojan and evolved to become a botnet used by the TA542 criminal gang to deploy second-stage malware payloads. Over the years, the crimeware-as-a-service tool became notorious for major breaches and service disruptions, including the distribution of ransomware and banking trojans. The malware was also responsible for this massive attack that brought down an entire enterprise network last April. Globally, Emotet has affected 1.6 million computers and cost victims hundreds of millions of dollars.
A Europol press release dated 27 January stated “The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware.”
According to reports, the takedown of Emotet was a massive feat, involving hundreds of servers located around the world, each of which had different functions. The network also existed in multiple versions and used a modular design, historically making it difficult for cybersecurity professionals to identify and block. It appears that the takedown was orchestrated from the inside, with law enforcement and judicial authorities gaining control of the infrastructure. The infected computers around the world that were part of the Emotet network are now redirected to the infrastructure controlled by law enforcement.
It appears that squelching Emotet also included the arrests of several suspects located in Europe. The core criminal gang behind Emotet is thought to operate out of Russia.
Given the extent of the actions taken by law enforcement against Emotet, many cybersecurity researchers are cautiously optimistic that the crimeware-as-a-service network won’t resurface anytime soon, though most caution that the long-term effects of the takedown remain to be seen. You can read more about the Emotet takedown here, here and here.
Proof-of-concept: Remote attacks can reach protected devices via NAT slipstreaming
New proof-of-concept research has demonstrated that devices that are not directly exposed to the internet, because they sit behind a NAT router, can still be reached by a remote attacker.
In this type of attack (CVE-2020-16043 and CVE-2021-23961), known as a network address translation (NAT) slipstreaming attack, the perpetrator only needs to convince a target with internet access to visit a malicious link. From there, the attacker can reach other endpoints on the internal network, including unmanaged devices.
NAT lets a router share one public IP address among many internal devices by rewriting addresses on traffic that passes through it; as a side effect, unsolicited inbound connections are dropped, which is why internal devices are normally unreachable from outside. In a NAT slipstreaming attack, a victim is socially engineered into visiting a malicious website. The website then makes the victim’s browser emit traffic crafted so that the router’s application-level gateway (the ALG that handles protocols such as SIP and H.323) opens an inbound path to an internal device of the attacker’s choosing. In the new variant that can be any device on the internal network, not just the victim’s own machine, so the attacker could remotely reach any TCP/UDP service listening on it. Researchers offer the example of an office printer reached through its internal web server or default printing protocol; depending on the printer’s features, stored documents could be retrieved.
Researchers point out that embedded and unmanaged devices are at equal or greater risk, because the attack can expose devices on internal networks directly to the internet. The resulting attacks could range from denial-of-service (DoS) to ransomware.
For the attack to do harm, the service that gets exposed must itself be exploitable once it is reachable. Unfortunately, unmanaged devices that were never meant to be internet-facing are often unpatched and frequently have no password protection at all.
This type of attack was first presented in October 2020, and Chrome 87, Firefox 84 and Safari responded with partial mitigations that block browser connections to ports 5060 and 5061. On Friday of last week, in response to this latest proof-of-concept analysis, Google announced that Chrome would block eight additional ports (69, 137, 161, 1719, 1720, 1723, 6566, and 10080) to prevent the new variation of the attack. Browser port blocking only closes the browser as a delivery vector, however; the hole itself is the router’s application-level gateway, so disabling the SIP and H.323 ALGs on the NAT device wherever they are not needed removes the exposure regardless of which client sends the traffic.
More on this proof-of-concept research can be found here and here.
Warning! Spear-phishing campaign targeting executives
High-ranking executives in the manufacturing, real estate, government, technology and finance industries are the target of an evolving spear-phishing campaign, security researchers announced last week. The organizations and victims targeted are located primarily in the United States, the United Kingdom, Japan, Canada, Australia and Europe.
Spear-phishing is a type of targeted phishing attack that focuses on a specific person or group of people, often executives and other ‘C-suite’ staff. In this particular attack, criminals are using socially engineered emails to target potential victims with fake Office 365 password expiration notifications. If the recipient clicks on the link, they’re redirected to a phishing page where they are asked to enter their Office 365 login credentials. All the target individuals are high-profile executives—many of whom may not be particularly knowledgeable when it comes to technology or cybersecurity.
Researchers point out that C-suite employees are rich targets, due to the authority they hold and the fact that they often have a high-level of access to networks and data sources within the organization. Obtaining the credentials of a C-level employee could lead to expanded access to other sensitive systems as well as future attacks.
The criminals involved in this campaign are using the fourth iteration of an Office 365 phishing kit originally released in July 2019. Version 4 of this kit includes features to detect bot scanning or crawling attempts and provide alternative content when bots are detected. Researchers also found that the criminals behind this activity have been selling stolen C-suite account passwords for $250 to $500.
More on this phishing attack can be found here and here.
An Accellion-specific web shell used on an FTA server
During a joint investigation with deepwatch, GuidePoint Security researchers discovered a malicious file inside the web services root directory on an Accellion FTA server. Upon additional review, the file, about.html, was determined to be a web shell that leverages a SQL injection vulnerability to install itself into the impacted FTA server and provides threat actors with the ability to download files stored on the Accellion FTA server.
While reviewing the web shell, it became apparent that it was designed specifically to be uploaded to an Accellion FTA server, based on multiple references to the Accellion database schema, file system structure, and other product-specific information relating to application identifiers. Even at a quick glance, the functionality of the web shell was clearly to locate files uploaded to FTA, obtain file metadata, and provide a means of downloading file contents via the web shell. Lastly, the web shell provided a way for the threat actor to clean up after themselves using a routine called Cleanup Shell.
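A practical first check for this class of drop is to look for server-side code hiding under a static-looking name inside the web root, as about.html did here. The script below is an added example for this review, not GuidePoint’s or Accellion’s tooling; it assumes, as is typical for web shells dropped on PHP-based appliances, that the shell is PHP source stored in a file whose extension suggests static content, and that a cleanup routine deletes the shell’s own file. The web root, file names and file contents are constructed samples built in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Extensions that should never carry server-side code on a web appliance.
STATIC_EXTENSIONS = {".html", ".htm", ".css", ".js", ".txt", ".jpg", ".png", ".gif"}

# Indicators, in reporting order. Only the PHP open tag decides whether a file is
# reported; the others add context about what the code appears to do.
INDICATORS = {
    "php_tag_in_static_file": re.compile(rb"<\?php"),
    "reads_request_parameters": re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\b"),
    "self_deletion": re.compile(rb"unlink\s*\(\s*__FILE__\s*\)"),
}


def scan_webroot(webroot) -> list:
    """Walk a web root and return (relative_path, [indicator names]) for every file
    with a static extension that actually contains PHP code."""
    root = Path(webroot)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() not in STATIC_EXTENSIONS:
            continue
        data = path.read_bytes()
        hits = [name for name, pattern in INDICATORS.items() if pattern.search(data)]
        if "php_tag_in_static_file" in hits:
            findings.append((path.relative_to(root).as_posix(), hits))
    return findings


def build_sample_webroot() -> str:
    """Create a constructed web root: two clean static files, one legitimate PHP
    endpoint (ignored because its extension is honest) and a planted about.html
    that contains a cleanup routine modelled on the behaviour described above."""
    root = Path(tempfile.mkdtemp(prefix="fta-webroot-"))
    (root / "js").mkdir()
    (root / "index.html").write_bytes(b"<html><body>Welcome</body></html>\n")
    (root / "js" / "app.js").write_bytes(b"document.title = 'FTA';\n")
    (root / "api.php").write_bytes(b"<?php header('Content-Type: application/json'); ?>\n")
    (root / "about.html").write_bytes(
        b"<html><body>\n<?php\n"
        b"// constructed sample, not the real file: self-removal on request\n"
        b"if (isset($_REQUEST['cleanup'])) { unlink(__FILE__); }\n"
        b"?>\n</body></html>\n"
    )
    return str(root)


if __name__ == "__main__":
    for rel_path, hits in scan_webroot(build_sample_webroot()):
        print(rel_path, hits)  # about.html with all three indicators
```

On a real FTA host the scan would run against the web services root the page mentions, with the output compared against a known-good file list from a clean install; a PHP tag inside a .html file is rarely legitimate, and the self-deletion match is what separates a shell built to cover its tracks from a stray developer file.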
More on this Accellion-specific web shell can be found here.
Final Words
It was through the unified efforts of law enforcement, judicial entities and private cybersecurity researchers worldwide that the activities of NetWalker and Emotet were brought to a standstill (hopefully permanently). While security researchers are quick to remind us that criminals are eventually going to find another way to distribute malware and ransomware, this doesn’t detract from the herculean effort put forth by this dedicated group of professionals.
Cybercrime is sometimes considered an ‘invisible’ crime, involving money, intellectual property or sensitive personal information that is stolen from behind closed doors by criminals too foolish to come up with anything other than absurdly crafted pseudonyms. The job of protecting an organization and even the general public is something that is often left in the hands of corporate professionals, many of whom are understaffed due to the widening cybersecurity skills gap.
Businesses, governments, school districts and the general public owe a major thanks to the men and women involved in the NetWalker and Emotet take downs. This collective effort likely involved thousands of hours of work. And, at least for a few brief moments, the world is a little bit safer.