Cybercriminals Exploit Third-Party SonicWall SSL VPN Credentials to Deploy Sinobi Ransomware

In a recent wave of cyberattacks, threat actors have been leveraging compromised credentials from third-party managed service providers (MSPs) to infiltrate corporate networks and deploy the Sinobi ransomware. This method underscores the evolving tactics of cybercriminals who exploit trusted third-party relationships to bypass traditional security measures.

Initial Access Through Compromised Credentials

The attackers gained entry by exploiting SonicWall SSL VPN credentials associated with over-privileged Active Directory accounts possessing domain administrator rights. This approach allowed them to establish a foothold within the network, circumventing standard perimeter defenses.

Establishing Persistence and Lateral Movement

Once inside, the threat actors created new administrator accounts to maintain persistent access. They then moved laterally across the network, identifying and compromising additional systems to maximize the impact of their attack.

Deployment of Sinobi Ransomware

The culmination of these efforts was the deployment of the Sinobi ransomware across local and shared network drives. This malware encrypts files, rendering them inaccessible and disrupting business operations.

Connection to Lynx Ransomware

Analysts have observed significant code similarities between Sinobi and the previously identified Lynx ransomware. This suggests that Sinobi may be a rebranded version of Lynx, indicating a continuation or evolution of the earlier ransomware-as-a-service (RaaS) operation.

Technical Sophistication of the Attack

The attackers demonstrated advanced capabilities by disabling security controls, such as uninstalling endpoint detection and response (EDR) tools like Carbon Black. They utilized tools like Revo Uninstaller and command-line operations to achieve this, eventually succeeding after locating deregistration codes stored on mapped network drives.

Advanced Encryption and Data Exfiltration Mechanisms

Sinobi employs robust cryptographic techniques, combining Curve-25519 Donna with AES-128-CTR encryption. This ensures that file recovery is impossible without the attackers’ private key. Each file is encrypted with a unique key generated through the CryptGenRandom function, enhancing the security of the encryption process.

Before initiating encryption, the ransomware deletes volume shadow copies by calling the DeviceIoControl function with the IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE control code. This prevents victims from restoring files from those shadow-copy backups.

Data exfiltration is conducted using RClone, a legitimate cloud transfer utility, directing stolen information to servers operated by Global Connectivity Solutions LLP, a hosting provider frequently observed in cyberattacks.

Ransom Note and Communication

After encryption, the .SINOBI extension is appended to each affected file. The ransomware drops a README.txt ransom note containing Tor-based communication channels and payment instructions, demanding that victims negotiate within seven days to prevent data publication on dark web leak sites.

Implications and Recommendations

This attack highlights the critical importance of implementing strict privilege management for remote access accounts and avoiding the storage of security tool deregistration codes in accessible network locations. Organizations are advised to:

– Enforce Least Privilege Access: Ensure that accounts, especially those used by third-party providers, have the minimum necessary permissions.

– Implement Multi-Factor Authentication (MFA): Require MFA for all remote access accounts to add an additional layer of security.

– Regularly Update and Patch Systems: Keep all software, especially security tools and VPNs, up to date to protect against known vulnerabilities.

– Monitor for Unusual Activity: Establish continuous monitoring to detect and respond to suspicious activities promptly.

– Secure Backup Solutions: Maintain regular, secure backups of critical data to facilitate recovery in the event of an attack.
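The monitoring recommendation above can be made concrete for the intrusion chain this report describes. The following is an added example (not from the report or any vendor product): it correlates constructed Windows Security and process-creation style events per host and flags hosts where several of the described stages (new administrator account, EDR uninstall, RClone transfer, .SINOBI renames) occur close together. Event IDs 4720 and 4732 are the standard Windows account-creation and group-membership events; the field layout, the Revo Uninstaller binary name and all sample events are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not from any real incident). Each is a flattened
# Windows Security (4720/4732) or process-creation (event_id 1) record.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "srv1", "event_id": 4624, "user": "msp-admin", "detail": "logon type 10"},
    {"ts": 160, "host": "srv1", "event_id": 4720, "user": "msp-admin", "detail": "target: svc-backup2"},
    {"ts": 170, "host": "srv1", "event_id": 4732, "user": "msp-admin", "detail": "group: Administrators member: svc-backup2"},
    {"ts": 900, "host": "srv1", "event_id": 1, "user": "svc-backup2", "detail": "RevoUnin.exe started, target product: Carbon Black"},
    {"ts": 1500, "host": "srv1", "event_id": 1, "user": "svc-backup2", "detail": "rclone.exe copy D:\\Finance remote:dump --transfers 8"},
    {"ts": 2400, "host": "srv1", "event_id": 1, "user": "svc-backup2", "detail": "file rename Q3.xlsx -> Q3.xlsx.SINOBI"},
    {"ts": 2500, "host": "ws7", "event_id": 1, "user": "alice", "detail": "rclone.exe sync C:\\Users\\alice\\Photos gdrive:photos"},
]

# Stage name -> predicate over one event. The uninstaller binary name and EDR
# product string are assumptions; the report names the tools, not the binaries.
STAGE_RULES = {
    "new-admin-account": lambda e: e["event_id"] == 4732 and "Administrators" in e["detail"],
    "edr-tampering": lambda e: e["event_id"] == 1
        and re.search(r"revounin|carbon black|uninstall", e["detail"], re.I) is not None,
    "rclone-exfil": lambda e: e["event_id"] == 1
        and re.search(r"\brclone(\.exe)?\b", e["detail"], re.I) is not None,
    "sinobi-encryption": lambda e: re.search(r"\.SINOBI\b|\bREADME\.txt\b", e["detail"]) is not None,
}


def classify(events):
    """Per host: stage -> list of (ts, user) for every event matching a stage rule."""
    hits = defaultdict(lambda: defaultdict(list))
    for e in events:
        for stage, rule in STAGE_RULES.items():
            if rule(e):
                hits[e["host"]][stage].append((e["ts"], e["user"]))
    return hits


def chained_hosts(events, min_stages=3, window=3600):
    """Hosts where >= min_stages distinct stages occur within `window` seconds.

    Keying by host rather than by user keeps the chain intact when the intruder
    pivots from the compromised MSP account to a freshly created admin account.
    A lone rclone run (alice syncing photos) stays a single-stage observation."""
    out = {}
    for host, stages in classify(events).items():
        if len(stages) < min_stages:
            continue
        times = [ts for hits in stages.values() for ts, _ in hits]
        if max(times) - min(times) <= window:
            out[host] = sorted(stages)
    return out
```

In production the same rules would be fed from a SIEM query rather than an in-memory list; the per-host correlation is what separates the described chain from routine administrative activity.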

By adopting these measures, organizations can enhance their resilience against sophisticated ransomware attacks that exploit third-party relationships and remote access vulnerabilities.