

The Hive ransomware group has been active since mid-2021, gaining notoriety through the attack on the Memorial Health System. As Hive's most prominent incident to date, the attack shut down Memorial's entire online platform, forcing the organization to redirect emergency care patients to facilities outside its network. This year alone, it is the third ransomware attack that has directly affected civilians, following those on Colonial Pipeline and JBS Foods. What differentiates Hive from less sophisticated ransomware attackers who commonly adopt a "spray and pray" approach (i.e., lock out as many systems as possible in the fastest time, with little interest in data compromise)?

The Hive ransomware group uses a "double extortion" play: they exfiltrate a target's critical data before locking it up, then use both as levers to drive up the cost of the ransom, a tactic that is gaining traction amongst attackers. Because the attacker is focused both on disrupting operations and on gaining access to valuable data, a level of interaction and persistence is required that goes beyond the more common disruption-focused ransomware attacks. This is largely because of the additional time and effort needed to discern which data is valuable enough to warrant exfiltration. Hive uses a variety of tactics and techniques to execute an attack:

1. The attack begins with a phishing campaign against users with access to the victim environment, or with targeted emails that lead the user to unwittingly download the malicious payload.
2. The payload is often a Cobalt Strike beacon (Cobalt Strike, interestingly, started off as a tool used by pen testers when simulating attacks). The beacon provides persistence, the call-back channel, lateral movement and delivery of the secondary payload.
3. What follows next is credential dumping on the local host and mapping of the Active Directory environment.
4. Lateral movement and wider spread of the malware rely on Microsoft's Remote Desktop Protocol (RDP). However, the Hive group has also been known to exploit vulnerabilities to progress the attack. A case in point is the exploitation of a ConnectWise Automate endpoint management vulnerability where that tool was found in the victim network, a further indication of the supply chain risk posed by software providers.
5. Download of the secondary payload is triggered by instructions sent to the Cobalt Strike beacon after the outbound call-back channel is established. This payload executes the malicious actions that ultimately enable the ransom demand.
6. The payload performs the following actions:
   - Stopping services that could hinder progress or generate alerts.
   - Enumeration of all attached storage for files that could be relevant.

After initial entry into the organization, malware and ransomware commonly use lateral movement to spread within an environment, exploiting access to suitable user credentials. Hive leverages RDP to move laterally. RDP is often left accessible to facilitate both remote access and remote administration, and is a popular initial ransomware attack vector as a result. Given this, there are a few steps organizations can take to improve their defenses against Hive ransomware using Illumio Core:

Monitor: Deploy Illumio agents to all endpoints and monitor traffic flows. This provides visibility into all flows to and from endpoints, which the Security Operations Center (SOC) can use to identify RDP connections outside normal behavior patterns and outgoing connections to known bad actors (e.g., the Hive Command & Control infrastructure).

Limit exposure: The more open the access between workloads, the faster ransomware can spread. Since ubiquitous RDP is not required, use Enforcement Boundaries to block RDP by default between endpoints. Exception rules can be written so that access from administrative hosts and remote access gateways is still permitted. This should limit how quickly the ransomware can spread. Organizations can further tighten this control with Illumio Core's Adaptive User Segmentation capability, which ensures that only users in an authorized Active Directory group can RDP from the dedicated jumphosts. To limit the effectiveness of the C2 call-back channel, apply the same boundary concept to deny access to any public IP or FQDN associated with Hive, and keep that list updated on a regular basis.

Contain: When the SOC identifies a workload that may be infected, a response playbook can be executed to quarantine the target workload, ensuring that the only access to it is from authorized investigative machines and forensic tools.

Protecting your organization against ransomware is difficult. But Illumio Core makes it straightforward to stop ransomware in its tracks, significantly mitigating the impact of a breach.
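The Monitor, Limit exposure and Contain controls described above can be modelled as a small policy evaluator run over endpoint flow records. The following is an added example and is not Illumio's code or an Illumio API; in a real deployment these decisions are expressed as Illumio Enforcement Boundaries, exception rules and a quarantine label, not as Python. The jumphost, gateway and forensic host addresses, the stand-in for the authorized AD group, the deny-list entries (a documentation-range address and a `.invalid` name rather than real Hive indicators) and the flow records are all constructed for the example.

```python
"""Added example (not Illumio code or API): a policy evaluator that models the
Monitor / Limit exposure / Contain controls and runs them over constructed flows."""
from dataclasses import dataclass

RDP_PORT = 3389

# Constructed inventory standing in for Illumio labels. All addresses are hypothetical.
ADMIN_JUMPHOSTS = {"10.0.100.5", "10.0.100.6"}      # dedicated RDP jumphosts
REMOTE_ACCESS_GATEWAYS = {"10.0.200.10"}             # remote access gateways
FORENSIC_HOSTS = {"10.0.250.1"}                      # investigative machines
RDP_ADMINS_AD_GROUP = {"alice", "bob"}               # stands in for the authorized AD group

# Constructed deny list standing in for Hive C2 indicators (placeholders, not real IOCs:
# 203.0.113.0/24 is a documentation range and .invalid is a reserved TLD).
C2_DENYLIST_IPS = {"203.0.113.7"}
C2_DENYLIST_FQDNS = {"c2.example.invalid"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    user: str = ""       # authenticated user, when the agent reports one
    dst_fqdn: str = ""   # destination name, when DNS context is available


def evaluate(flow: Flow, quarantined: frozenset = frozenset()) -> tuple:
    """Return ("allow" | "deny", reason) for one flow."""
    # Contain: a quarantined workload may only exchange traffic with forensic hosts.
    if flow.dst in quarantined and flow.src not in FORENSIC_HOSTS:
        return "deny", "quarantine: only forensic hosts may reach this workload"
    if flow.src in quarantined and flow.dst not in FORENSIC_HOSTS:
        return "deny", "quarantine: this workload may only talk to forensic hosts"

    # Limit exposure: RDP is blocked by default; exceptions for remote access gateways
    # and for jumphosts, and on jumphosts only for users in the authorized AD group.
    if flow.dport == RDP_PORT:
        if flow.src in REMOTE_ACCESS_GATEWAYS:
            return "allow", "rdp exception: remote access gateway"
        if flow.src in ADMIN_JUMPHOSTS:
            if flow.user in RDP_ADMINS_AD_GROUP:
                return "allow", "rdp exception: jumphost, user in authorized AD group"
            return "deny", "rdp boundary: jumphost, but user not in authorized AD group"
        return "deny", "rdp boundary: endpoint-to-endpoint RDP blocked by default"

    # C2 boundary: deny traffic to any destination on the Hive deny list.
    if flow.dst in C2_DENYLIST_IPS or flow.dst_fqdn in C2_DENYLIST_FQDNS:
        return "deny", "c2 boundary: destination on the Hive deny list"

    return "allow", "default"


def triage(flows, quarantined: frozenset = frozenset()) -> list:
    """Monitor: return (flow, reason) for every flow the boundaries would deny,
    i.e. the events the SOC should look at."""
    denied = []
    for f in flows:
        decision, reason = evaluate(f, quarantined)
        if decision == "deny":
            denied.append((f, reason))
    return denied


# Constructed flow records for the example.
SAMPLE_FLOWS = [
    Flow("10.0.100.5", "10.0.1.20", 3389, user="alice"),            # admin RDP from jumphost
    Flow("10.0.100.5", "10.0.1.20", 3389, user="mallory"),          # jumphost, unauthorized user
    Flow("10.0.1.20", "10.0.1.21", 3389),                           # endpoint-to-endpoint RDP
    Flow("10.0.1.20", "203.0.113.7", 443),                          # call-back to deny-listed IP
    Flow("10.0.1.20", "198.51.100.9", 443, dst_fqdn="c2.example.invalid"),  # deny-listed FQDN
    Flow("10.0.1.20", "10.0.1.30", 445),                            # ordinary internal traffic
    Flow("10.0.200.10", "10.0.1.40", 3389),                         # RDP via remote access gateway
]

if __name__ == "__main__":
    for flow, reason in triage(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
    # After the SOC flags 10.0.1.20, quarantine it: even the admin jumphost loses access,
    # and only the forensic host can reach the workload.
    for flow, reason in triage(SAMPLE_FLOWS, frozenset({"10.0.1.20"})):
        print(f"QUARANTINE {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
```

Two design points carry over to the real policy. The quarantine check runs before every other rule, so an administrative exception never punches a hole into a workload under investigation. And the jumphost exception is conditioned on the user, not just the source address, which is what stops an attacker who has landed on a jumphost with a stolen non-admin credential from using the RDP exception as a path for lateral movement.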
