Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Logs. Show all posts

JPCERT Explains How to Identify Ransomware Attacks from Windows Event Logs

 




Japan Computer Emergency Response Team (JPCERT/CC) has published guidance on early identification of ransomware attacks in the system using Windows Event Logs. Probably by reviewing these logs, firms would identify some signs or clues of an existing ransomware attack and find themselves in a position to forestall this threat from spreading across the network.

JPCERT/CC stresses that the discovery of ransomware as early in the attack as possible is extremely important. Many ransomware variants leave apparent traces in Windows Event Logs, and that particular knowledge might be useful for cybersecurity teams to discover and finally stop attacks before they spread further. It's a strategy especially valuable in identifying the type of attack and tracing how ransomware might have entered the system.


Types of Event Logs to Monitor

The agency recommends checking four main types of Windows Event Logs, namely: Application, Security, System, and Setup logs. These types can carry some very important clues left by ransomware along with how it came into the environment and what systems are under attack.


Identifiable Ransomware Signatures in Event Logs

This JPCERT/CC report includes several specific log entries associated with certain ransomware families, which indicate that this was an active attack.

  • Conti Ransomware: This malware typically generates a broad set of logs associated with the Windows Restart Manager, observable through their event IDs 10000 and 10001. The variants such as Akira, Lockbit3.0, HelloKitty, and Bablock all generate almost identical logs because they share code from Lockbit and Conti.

Others, such as 8base and Elbie, also create similar patterns along with traces related to this malware.

  • Midas: This malware changes network configurations to spread across machines. It creates logs having an event ID of 7040.

  • BadRabbit- BadRabbit mostly creates logs with an event ID of 7045 when it instals the encryption modules, further suggesting an attack in progress.

  • Bisamware  Generates entries at both ends of Windows Installer transactions. The event IDs are 1040 and 1042.

Other older ransomware families, like Shade, GandCrab, and Vice Society, similarly display the same event patterns. They especially generate errors with event IDs 13 and 10016, linked to the failed access attempts to COM applications. The reason behind it is ransomware tries to remove Volume Shadow Copies so the victims won't be able to recover encrypted files.


Event Log Monitoring: Not a Silver Bullet But a Mighty Defence

Monitoring these specific Windows Event Logs can certainly prove extremely useful in identifying ransomware, though JPCERT/CC believes such should only be part of the total security strategy. This would truly be transformational were early detection to be combined with other control measures against spreading the attack.

Surprisingly, this method is much more potent for newer ransomware variants rather than those already in the wild, like WannaCry and Petya, which left very minor traces in Windows logs. As ransomware continues to progress, the patterns they leave behind in logs are becoming very obvious, and log monitoring will be more of a good ear for today's cybersecurity infrastructure.

In 2022, another well-known cybersecurity group also published a SANS ransomware detection guide from Windows Event Logs. Both sources point out how ransomware detection has evolved with time, helping organisations better prepare for such threats.


JPCERT Shares Tips for Detecting Ransomware Attacks Using Windows Event Logs

 

Japan’s Computer Emergency Response Center (JPCERT/CC) recently revealed strategies to detect ransomware attacks by analyzing Windows Event Logs, offering vital early detection before the attack spreads. JPCERT’s insights focus on identifying digital traces left behind by ransomware within four key types of event logs: Application, Security, System, and Setup logs. These logs reveal valuable clues about the entry points used by attackers and can assist in quicker mitigation. Ransomware attacks often target system vulnerabilities and attempt to encrypt files, delete backups, or modify network settings, leaving detectable traces within the event logs. 

For example, the notorious Conti ransomware can be recognized by multiple event logs connected to the Windows Restart Manager, showing event IDs 10000 and 10001. Other ransomware variants like Akira, Lockbit3.0, and HelloKitty, which share similar encryptor technology, leave comparable logs. Additionally, ransomware such as Phobos records when system backups are deleted, a key indicator of malicious activity. Detecting these logs promptly allows administrators to intervene before damage escalates. Midas ransomware, known for spreading infection via network changes, logs event ID 7040. Similarly, BadRabbit leaves event ID 7045 when installing its encryption component, while Bisamware logs events during the beginning and end of a Windows Installer transaction (event IDs 1040 and 1042). 

Other ransomware strains, like Shade, GandCrab, and Vice Society, create errors related to accessing COM applications and deleting Volume Shadow Copies, which are pivotal for restoring encrypted data. JPCERT’s findings illustrate that monitoring for these specific event IDs in combination with a broader security framework could be a game-changer in ransomware defense. Though older ransomware variants like WannaCry and Petya left no such traces in Windows logs, modern ransomware often does. As a result, tracking these logs offers an effective layer of protection against new threats, helping to prevent encryption and data loss. 

It is important to note that no single method of detection is foolproof. A multi-layered approach that combines monitoring event logs with other security tools and protocols remains crucial for protecting systems from ransomware attacks. By using this event log analysis strategy, organizations can significantly reduce the chances of ransomware spreading undetected, giving them the edge in stopping an attack before it cripples their network.

Must Follow Guidelines for API Security

An online store can collect payments via the PayPal API, for instance, rather than developing their own payment gateway. APIs serve the required function while sparing business time and effort, which is why it is evident they are useful. 

Protecting these APIs from security risks and breaches entails securing them together with all linked apps and users. 

APIs are used by businesses to link services and move data. Major data breaches are caused by compromised, broken, or exposed APIs. They make private and delicate financial, medical, and personal information available to the public. However, not all data is created equal, and not all data should be safeguarded in the same way. The type of data being exchanged will determine how you should approach API security. 

In the last 12 months, 95% of firms encountered an API security issue, according to the most recent Salt Labs State of API Security report. Additionally, during the past year, a variety of businesses—including Facebook, Experian, Starbucks, and Peloton—have experienced public API problems. Clearly, APIs need more protection against intrusions than the present crop of application security approaches can provide.

Security leaders need to carefully examine the way they are currently approaching API security to fix the issue. Understanding how a third-party application is sending data back to the internet is important if user API connects to one. 

Strategies for API Security

  1.  Put a secure authentication and authorization protocol into action: The first stage in an API security approach is authenticating and authorizing the appropriate users.
  2. Implement the "Least Privilege" Principle: The attack surface is decreased by restricting access to only essential tasks, which helps reduce the exposure to security breaches.
  3.  Constrain Data Sharing: To find weak spots, keep track of the data shared between apps, APIs, and users, and then secure them by restricting the shared data.
  4. Not utilize HTTPS: In order to communicate data securely, APIs employ HTTP connections and require Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.
  5.  Implement a policy of zero trust: We can leave out the zero-trust policy when discussing API security advice. It operates under the premise that no user, device, or server should be trusted until proven otherwise.
  6. Implement data logging: Logs provide admins with a wealth of information that can be utilized to enhance API security and assist with manual inspection and monitoring.
Security requires ongoing work in the age of technology and the internet. Unfortunately, security problems would not disappear, and as IoT technology grows more widespread, the dangers and vulnerabilities will only become worse. Beware of such ineffective strategies for API security. The security strategy must broaden to keep up with attackers' growing skill sets. 

Being proactive is vital, which means keeping an eye on current technology, patching up any flaws, and implementing cutting-edge cybersecurity measures.

Reddit Enabled Attackers to Perform Mod Actions due to IDOR Flaw

 

Due to a vulnerability in Reddit, attackers were able to execute moderator activities or elevate normal users to mod status without the necessary authorization.  Since Reddit admins have the ability to pin or remove content, block other users, and modify subreddit metadata, the weakness may have allowed for all sorts of mischief. 

According to a recent HackerOne report, a bug researcher with the handle 'high ping ninja' discovered that while attempting to access the mod logs using GraphQL, Reddit failed to validate if the user was a moderator of a certain subreddit. 

“You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to mod logs of that subreddit,” they explained. 

On August 3, an insecure direct object reference (IDOR) flaw was reported and patched on the same day. Insecure direct object references (IDOR) are a form of access control vulnerability that occurs when an application directly accesses objects using user-supplied data. 

The word IDOR gained popularity after appearing in the OWASP Top Ten in 2007. It is, however, simply one of several access control implementation errors that can lead to access restrictions being evaded. IDOR vulnerabilities are most often connected with horizontal privilege escalation, although they can also occur with vertical privilege escalation. 

“I increased severity to high based on our program policy,” a member of the Reddit triage team said in the disclosure notes. The researcher received a $5,000 bug reward for his discovery.

Identifying Ransomware’s Stealthy Boot Configuration Edits

 

The research by Binary Defense entails the various threat hunting techniques and detections for a regularly reported Ransomware-as-a-Service (RaaS) methodology. Using the built-in Windows programme bcdedit.exe (Boot Configuration Data Edit),  threat actors have been spotted changing boot loader configurations to: 
  • Modify Boot Status Policies 
  • Disable Recovery Mode 
  • Enable Safe Mode 
Threat actors (such as Snatch and REvil) may not need to utilise bcdedit to adjust boot loader configurations if they implement code that directly modifies the Windows registry keys that define such configurations, according to the hypothesis employed by Binary Defense to construct the hunting queries. Last year, the researcher am0nsec published a proof-of-concept code that showed how to do exactly this on Windows 10 PCs. Binary Defense wanted to make sure that they could detect such behaviour not only on Windows 7, 8.1, and 11 computers but also on systems where the necessary registry key is stored under a different Globally Unique Identifier (GUID). 

The research builds on the work of Specter Ops researcher Michael Barclay, who published an in-depth blog about hunting for such activities on Windows 10 earlier this year. Below are the bcdedit.exe commands that attackers employ to change boot configuration. Other tools, such as the Windows System Configuration Utility (msconfig.exe), can be used to change the boot configuration data as well. Alternatives, on the other hand, are not described in the study because they are not command-line apps and hence cannot be utilised without a user interface.

Boot Status Policy: The usual way to edit the boot status policy is to use bcdedit with these command line arguments:
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
If there is a failed shutdown, boot, or other error during the startup process, this will change the "boot status policy" settings and compel the system to boot normally rather than entering Windows Recovery Environment (Windows RE). Threat actors deactivate this to prevent system administrators from using the Windows RE's System Image Recovery tool.

Recovery Mode: The usual method for disabling recovery mode with bcdedit is like this:
bcdedit.exe /set {default} recoveryenabled no
This command completely eliminates the Windows RE. Using the prior command to change the boot status policy will prevent the boot loader from loading the recovery environment when there are starting difficulties, but it will also prohibit system administrators from manually loading it.

Safeboot: To change the Safeboot options, bcdedit is used with these command line arguments:
bcdedit.exe /set {default} safeboot minimal

This command modifies the configuration that decides whether or not the system will restart in Safe Mode the next time it is powered on. Since not all Endpoint Detection and Response (EDR) solutions and Anti-Virus (AV) software will be running in Safe Mode, this is being changed to prevent identification rather than recovery. Windows Defender, for example, does not work in Safe Mode. As a result, any activities taken by a threat actor (for example, file encryption) will not be tracked, and thus will not be prevented.

Prior study into similar approaches revealed that the registry keys storing these boot loader configuration items were Windows version-specific, with only Windows 10 detections. Binary Defense simply set up VMs running Windows 7, 8.1, and 11 and ran the three aforementioned bcdedit.exe commands while doing a capture with the Windows SysInternals tool Procmon to figure out what those registry keys were for other Windows versions. The logs created by this tool are notoriously noisy, but by adding two filters, one excluding any process not named bcdedit.exe and the other excluding any operation not named RegSetValue, it was simple to filter down to the necessary logs.

In a 60-day period, the following queries were evaluated across different enterprise environments with zero false positives. Because changes to these parameters are uncommon, all of these inquiries can be surfaced to a SOC as detections.

Detections
  • Carbon Black
Windows 7:

regmod_name:(*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0* OR *BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009* OR *BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080*)

Windows 8.1:

regmod_name:(*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0* OR *BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009* OR *BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080*)

Windows 10:

regmod_name:(*BCD00000000\\Objects\\\{9f83643f\-4a91\–11e9\–9501\-b252ac81e352\}\\Elements\\250000E0* OR *BCD00000000\\Objects\\\{9f83643f\-4a91\–11e9\–9501\-b252ac81e352\}\\Elements\\250000E0* OR *BCD00000000\\Objects\\\{9f83643f\-4a91\–11e9\–9501\-b252ac81e352\}\\Elements\\16000009*)

Windows 11:

regmod_name:(*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0* OR *BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009* OR *BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080*)

  • CrowdStrike
Windows 7:

(event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName=”*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0*” OR RegObjectName=”*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009*” OR RegObjectName=”*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080*”)

Windows 8.1:

event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName=”*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0*” OR RegObjectName=”*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009*” OR RegObjectName=”*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080*”)

Windows 10:

event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName=”*BCD00000000\\Objects\\{9f83643f-4a91–11e9–9501-b252ac81e352}\\Elements\\25000080*” OR RegObjectName=”*BCD00000000\\Objects\\{9f83643f-4a91–11e9–9501-b252ac81e352}\\Elements\\250000E0*” OR RegObjectName=”*BCD00000000\\Objects\\{9f83643f-4a91–11e9–9501-b252ac81e352}\\Elements\\16000009*”)

Windows 11:

event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName=”*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0*” OR RegObjectName=”*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009*” OR RegObjectName=”*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080*”)

  • Microsoft Sentinel and Defender for Endpoint
Windows 7:

DeviceRegistryEvents
| where TimeGenerated > ago(90d)
where ActionType == “RegistryValueSet”
| where RegistryKey has_any (@”BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0″, @”BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009″, @”BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080″)

Windows 8.1:

DeviceRegistryEvents
| where TimeGenerated > ago(90d)
| where ActionType == “RegistryValueSet”
| where RegistryKey has_any (@”BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0″, @”BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009″, @”BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080″)

Windows 10:

DeviceRegistryEvents
| where TimeGenerated > ago(90d)
| where ActionType == “RegistryValueSet”
| where RegistryKey has_any (@”BCD00000000\Objects\{9f83643f-4a91–11e9–9501-b252ac81e352}\Elements\25000080″, @”BCD00000000\Objects\{9f83643f-4a91–11e9–9501-b252ac81e352}\Elements\250000E0″, @”BCD00000000\Objects\{9f83643f-4a91–11e9–9501-b252ac81e352}\Elements\16000009″)

Windows 11:

DeviceRegistryEvents
| where TimeGenerated > ago(90d)
| where ActionType == “RegistryValueSet”
| where RegistryKey has_any (@”BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0″, @”BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009″, @”BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080″)

  • SentinelOne
Windows 7:

EventType = “Registry Value Modified” and RegistryKeyPath In Contains Anycase (“BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0”, “BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009”, “BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080”)

Windows 8.1: {303a1187-f04f-11e7-ae97-d7affdbdc5e9}

EventType = “Registry Value Modified” and RegistryKeyPath In Contains Anycase (“BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0”, “BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009”, “BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080”)

Windows 10:

EventType = “Registry Value Modified” and RegistryKeyPath In Contains Anycase (“BCD00000000\Objects\{9f83643f-4a91–11e9–9501-b252ac81e352}\Elements\25000080”, “BCD00000000\Objects\{9f83643f-4a91–11e9–9501-b252ac81e352}\Elements\250000E0”, “BCD00000000\Objects\{9f83643f-4a91–11e9–9501-b252ac81e352}\Elements\16000009”)

Windows 11: {ea075dc0-83af-11ec-9994-82f1525d1096}

EventType = “Registry Value Modified” and RegistryKeyPath In Contains Anycase (“BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0”, “BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009”, “BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080”)