5/27/2020 12:05 PM
Microsoft Shares PonyFinal Threat Data, Warns of Delivery Tactics

PonyFinal is deployed in human-operated ransomware attacks, in which adversaries tailor their techniques based on knowledge of a target system.

Microsoft today shared threat data collected on PonyFinal, a Java-based ransomware deployed in human-operated ransomware campaigns. In these types of attacks, adversaries do their homework and choose a strategy and payload based on the target organization's environment.

Human-operated ransomware is not new, but it has been growing in popularity as attackers try to maximize the ransom extracted from each victim. Other known human-operated ransomware campaigns include Bitpaymer, Ryuk, REvil, and Samas. Microsoft started to see PonyFinal at the beginning of April, says Phillip Misner, research director with Microsoft Threat Protection.

"These are all variations of the same sort of serious threat that customers are facing right now," he explains. Attackers employ credential theft and lateral movement to learn more about the business. "Ultimately, after they've gone through and understood the environment, they'll deploy ransomware of the attackers' choice that matches up most closely with the environment that they have observed over time."

PonyFinal attacks usually start in one of two ways. In the intrusions Microsoft Security Intelligence described in a series of tweets, attackers gained access by brute-forcing credentials on a target's systems management server. They then deployed a VBScript that runs a PowerShell reverse shell to perform data dumps, along with a remote manipulator system used to bypass event logging. In other cases, attackers exploited unpatched flaws or targeted vulnerable Internet-facing services.

In some cases, attackers deploy the Java Runtime Environment (JRE), which the Java-based ransomware needs to run. More often, though, evidence indicates the attackers use data stolen from the systems management server to pick out endpoints that already have JRE installed. These attackers are careful operators, Misner says, and they avoid detection where possible: if JRE is already on a machine, they can run the payload without raising any alerts.

"Often the folks that are seeing the PonyFinal ransomware, they already had Java in their environments, and so attackers are using that to remain as stealthy as possible," he explains.

The ransomware is delivered via an MSI file that contains two batch files and the ransomware payload. Microsoft's investigations show PonyFinal encrypts files at a specific date and time. Encrypted files are given an .enc file extension, and the ransom note is a simple text file, Microsoft says.

PonyFinal is deployed at the tail end of protracted human-operated campaigns, in which the attackers typically lie dormant and wait for the most opportune time to strike. In the April PonyFinal campaigns, the period between initial compromise and ransom ranged from about a week to multiple months, Misner notes.

The operators behind PonyFinal are not new, he continues. This just happens to be the newest payload that researchers have seen in these kinds of ransomware campaigns. Human-operated ransomware is often tied to multiple criminal groups and is rarely exclusive to a single group of attackers. There may be several attack groups using this same form of ransomware, Misner adds. 

That said, this is likely the work of an advanced group. "Like all of these human-operated ransomware campaigns, this is a cut above your normal criminal organization," Misner says. These are attackers with the ability to choose among multiple payloads, and who spend their time doing research to see how they can extract the most money from the compromises they achieve.

These ransomware operators don't discriminate when deciding whom to hit. "These attackers are looking for targets of opportunity," he explains. While there is no COVID-19 lure in these campaigns, researchers have noticed PonyFinal operators going where they are likely to be most effective at extracting ransom amid the chaos of the coronavirus pandemic.

A Threat to Watch
Human-operated ransomware isn't like typical automated malware, in which the attacker tries to get someone to click an executable. These campaigns use active means to find their initial entry vector, whether that is exposed remote desktop connections or insecure Internet-facing services. This human component demands that potential victims take immediate action.

"There is a human on the other side of that … going through and directing what ransomware actually gets deployed onto the network," Misner explains. "The immediacy of having an adversary that is basically one-on-one attacking a customer is what should drive the concern and the risk here." He believes we're going to see an uptick in these types of attacks.

To defend against human-operated ransomware, Microsoft advises hardening Internet-facing assets and ensuring they have the latest security updates. Threat and vulnerability management tooling should be used to audit assets for vulnerabilities and misconfigurations. Experts recommend adopting the principle of least privilege and avoiding the use of domainwide, admin-level service accounts.

Businesses should monitor for brute-force attempts and check for excessive failed authentication attempts (Windows Security Event ID 4625). They should also watch for the clearing of Event Logs, especially the Security Event Log (Event ID 1102, "The audit log was cleared") and the PowerShell Operational log (reported as Event ID 104 in the System log).
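The two checks above, as an added example that is not Microsoft's or Dark Reading's code: it flags a burst of failed logons from one source IP (and whether that IP later logged on successfully, i.e. whether the guessing worked) and any Security or PowerShell/Operational log clearing. Events are plain dicts in the shape a SIEM or a `Get-WinEvent | ConvertTo-Json` export would give; the field names and the sample records are constructed assumptions modelled on the article's description of password guessing against a systems management server.

```python
"""Added example: detect brute-force logon bursts (4625) and event-log
clearing (1102 / 104) in exported Windows events. Field names and the
sample records below are assumptions, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows event IDs (Security log unless noted)
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
SECURITY_LOG_CLEARED = 1102   # "The audit log was cleared" (Security log)
OTHER_LOG_CLEARED = 104       # System log: another log was cleared, e.g. PowerShell/Operational


def _ts(event):
    return datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%S")


def find_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Alert when one source IP produces `threshold` or more 4625s inside
    `window` (sliding). The alert covers every failure from the first one
    in the triggering window onward and records whether the same IP later
    logged on successfully (4624): a burst followed by success is the case
    that needs an incident, not just a lockout."""
    fails = defaultdict(list)
    for e in events:
        if e["EventID"] == FAILED_LOGON:
            fails[e["IpAddress"]].append(e)

    alerts = []
    for ip, evs in fails.items():
        evs.sort(key=_ts)
        start = 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            burst = evs[start:]
            burst_start = _ts(burst[0])
            success = any(e["EventID"] == SUCCESS_LOGON and e.get("IpAddress") == ip
                          and _ts(e) >= burst_start for e in events)
            alerts.append({"ip": ip, "computer": burst[0]["Computer"],
                           "attempts": len(burst),
                           "users": sorted({e["TargetUserName"] for e in burst}),
                           "start": burst[0]["TimeCreated"], "end": burst[-1]["TimeCreated"],
                           "followed_by_success": success})
            break   # one alert per source IP
    return alerts


def find_log_clearing(events):
    """Return every log-clear event with the cleared log named. 1102 always
    means the Security log; 104 names the log it cleared in its event data
    (carried here in the assumed field "ClearedLog")."""
    hits = []
    for e in events:
        if e["EventID"] == SECURITY_LOG_CLEARED:
            hits.append({**e, "ClearedLog": "Security"})
        elif e["EventID"] == OTHER_LOG_CLEARED:
            hits.append(dict(e))
    return hits


# --- constructed sample: guessing against a management server, then a
# successful logon, two benign typos, and the intruder clearing logs ---
def _ev(eid, when, **fields):
    return {"EventID": eid, "TimeCreated": when.isoformat(timespec="seconds"), **fields}

_t0 = datetime(2020, 4, 2, 3, 10, 0)
_guesses = ["administrator", "admin", "sccm_svc", "backup", "administrator", "root",
            "sqlsvc", "administrator", "admin", "helpdesk", "administrator", "svc_deploy"]
SAMPLE_EVENTS = [
    _ev(FAILED_LOGON, _t0 + timedelta(seconds=10 * i), Computer="SRV-SCCM01",
        IpAddress="203.0.113.5", TargetUserName=u, LogonType=3)
    for i, u in enumerate(_guesses)
] + [
    _ev(SUCCESS_LOGON, _t0 + timedelta(minutes=3), Computer="SRV-SCCM01",
        IpAddress="203.0.113.5", TargetUserName="administrator", LogonType=3),
    _ev(FAILED_LOGON, _t0 + timedelta(minutes=30), Computer="SRV-SCCM01",
        IpAddress="10.0.0.7", TargetUserName="jsmith", LogonType=3),
    _ev(FAILED_LOGON, _t0 + timedelta(minutes=31), Computer="SRV-SCCM01",
        IpAddress="10.0.0.7", TargetUserName="jsmith", LogonType=3),
    _ev(SECURITY_LOG_CLEARED, _t0 + timedelta(minutes=20), Computer="SRV-SCCM01",
        SubjectUserName="administrator"),
    _ev(OTHER_LOG_CLEARED, _t0 + timedelta(minutes=21), Computer="SRV-SCCM01",
        SubjectUserName="administrator", ClearedLog="Microsoft-Windows-PowerShell/Operational"),
]

if __name__ == "__main__":
    for a in find_bruteforce(SAMPLE_EVENTS):
        print("BRUTE FORCE", a)
    for c in find_log_clearing(SAMPLE_EVENTS):
        print("LOG CLEARED", c["EventID"], c["ClearedLog"], "by", c.get("SubjectUserName"))
```

On a Windows host the same records come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4624,1102}` and `@{LogName='System'; Id=104}`; the threshold and window are tuning knobs, and the two `jsmith` failures show why a per-IP count inside a window, rather than a raw count of 4625s, is the right signal.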

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...