Ransomware Spotlight: Play – Security News

T1190 – Exploit Public-Facing Application
Play has been observed using several exploits as part of its entry vector:
• FortiOS SSL VPN Exploits (CVE-2018-13379 and CVE-2020-12812)
• ProxyNotShell (CVE-2022-41040)
• OWASSRF (CVE-2022-41080)
• MS Exchange Server Remote Code Execution (CVE-2022-41082)

Some reports also mention initial access via spam email

T1059 – Command and Scripting Interpreter
Uses PowerShell and batch scripts as part of its execution and other functions

T1203 – Exploitation for Client Execution
In combination with the exploits used for initial access, another exploit is used to download and execute further components:
• MS Exchange Server Remote Code Execution (CVE-2022-41082)

T1562 – Impair Defenses
Uses third-party tools such as GMER, Process Hacker, and PowerTool to try to disable antivirus-related services and processes, such as Microsoft Defender

T1140 – Deobfuscate/Decode Files or Information
Uses obfuscated code and/or files to evade detection and hinder analysis

T1070 – Indicator Removal
May delete itself or its components to avoid leaving indicators of compromise

T1003 – OS Credential Dumping
T1552 – Unsecured Credentials
Makes use of Mimikatz to dump credentials

T1033 – System Owner/User Discovery
T1082 – System Information Discovery
T1083 – File and Directory Discovery
T1135 – Network Share Discovery
T1057 – Process Discovery
T1007 – System Service Discovery
Using its remote access tools (RATs) and/or the ransomware binary itself, Play can discover system information such as:
• Users
• OS information
• Files and directories
• Accessible systems within the compromised network
• Running processes
• Running services

It also uses the Grixba infostealer as a tool for discovery.

T1021 – Remote Services: SMB/Windows Admin Shares
Upon discovering available network shares, it can use them to move laterally across the network via SMB

T1071 – Application Layer Protocol
Connects to its C&C server via typical protocols, such as HTTP and HTTPS

T1002 – Data Compressed
Uses archiving tools like WinRAR to compress stolen files in preparation for exfiltration

T1048 – Exfiltration Over Alternative Protocol
Exfiltrates data either through its own C&C server or with file transfer tools like WinSCP
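The T1002 and T1048 entries above describe a two-step pattern: files are archived, then handed to a transfer tool. The following detection logic, added here as an example and not part of the original report, correlates a process start of an archiving tool with a later process start of a file-transfer tool on the same host inside a time window. The executable names, the 30-minute window and the sample process-creation records are constructed assumptions for this example.

```python
"""Added example (not from the report): correlate an archiving tool run with a
later file-transfer tool run on the same host, the T1002 -> T1048 sequence.
Input records are constructed sample process-creation events, not real telemetry."""
from datetime import datetime, timedelta
import re

# Tools named in the report; the executable names are assumptions for this example.
ARCHIVE_TOOLS = {"winrar.exe", "rar.exe"}
TRANSFER_TOOLS = {"winscp.exe"}
DEFAULT_WINDOW = timedelta(minutes=30)  # assumed correlation window


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def correlate(events, window=DEFAULT_WINDOW):
    """Return one finding per (archive run, later transfer run) pair on the same host
    where the transfer started no more than `window` after the archive run."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for host, host_events in by_host.items():
        pending = []  # archive runs still inside the window
        for ev in host_events:
            name = _basename(ev["image"])
            if name in ARCHIVE_TOOLS:
                pending.append(ev)
            elif name in TRANSFER_TOOLS:
                pending = [a for a in pending if ev["time"] - a["time"] <= window]
                for archive in pending:
                    findings.append({
                        "host": host,
                        "user": ev["user"],
                        "archive": archive["command_line"],
                        "transfer": ev["command_line"],
                        "gap_minutes": (ev["time"] - archive["time"]).total_seconds() / 60,
                    })
    return findings


def _ev(host, when, user, image, command_line):
    """Build one constructed process-creation record."""
    return {"host": host, "time": datetime.fromisoformat(when), "user": user,
            "image": image, "command_line": command_line}


# Constructed sample: FS01 archives a share and uploads 12 minutes later; WS07 runs
# WinRAR and WinSCP two hours apart; WS12 only runs WinSCP.
SAMPLE_EVENTS = [
    _ev("FS01", "2023-06-01T10:00:00", "CORP\\svc_backup",
        r"C:\Program Files\WinRAR\Rar.exe", r"Rar.exe a -r D:\staging\f.rar D:\share\finance"),
    _ev("FS01", "2023-06-01T10:12:00", "CORP\\svc_backup",
        r"C:\Users\svc_backup\Desktop\WinSCP.exe", r"WinSCP.exe /script=upload.txt"),
    _ev("WS07", "2023-06-01T09:00:00", "CORP\\alice",
        r"C:\Program Files\WinRAR\WinRAR.exe", "WinRAR.exe x photos.rar"),
    _ev("WS07", "2023-06-01T11:00:00", "CORP\\alice",
        r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "WinSCP.exe"),
    _ev("WS12", "2023-06-01T12:00:00", "CORP\\bob",
        r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "WinSCP.exe"),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Only FS01 produces a finding; the WS07 pair falls outside the window and WS12 has no archive step. Both tools are common in legitimate administration, so the value of the rule is in the sequence and the short gap rather than in either process start on its own; widen the tool sets and tune the window to what is normal on your file servers.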

T1486 – Data Encrypted for Impact
Play ransomware uses intermittent encryption and a hybrid AES-RSA encryption scheme
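Intermittent encryption, mentioned under T1486 above, encrypts only parts of each file, so a detection that measures entropy of the first block alone can miss an affected file whose header is left intact. The following script, an added example that is not from the report, computes Shannon entropy per chunk and compares a header-only verdict with a chunk-level verdict. The chunk size, the entropy threshold and the three sample files (one of them with every second chunk replaced by deterministic high-entropy bytes to imitate the pattern) are constructed for this example.

```python
"""Added example (not from the report): chunk-level entropy check for the
intermittent-encryption pattern described under T1486. Sample files are
constructed here so the script runs offline."""
import hashlib
import math

CHUNK_SIZE = 4096          # assumed analysis block size
ENTROPY_THRESHOLD = 7.0    # bits per byte; assumed cut-off, plaintext sits far lower


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data, size=CHUNK_SIZE):
    """Entropy of each consecutive `size`-byte chunk of the file body."""
    return [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]


def classify(data, size=CHUNK_SIZE, threshold=ENTROPY_THRESHOLD):
    """Compare a header-only verdict with a per-chunk verdict for one file body."""
    chunks = chunk_entropies(data, size)
    high = [i for i, e in enumerate(chunks) if e >= threshold]
    return {
        "header_entropy": round(chunks[0], 2) if chunks else 0.0,
        "whole_file_entropy": round(shannon_entropy(data), 2),
        "high_entropy_chunks": high,
        "total_chunks": len(chunks),
        "header_only_flags": bool(chunks) and chunks[0] >= threshold,
        "chunked_flags": bool(high),
    }


def pseudo_random_bytes(n, seed=b"constructed-sample"):
    """Deterministic high-entropy filler (SHA-256 chain) so the samples are reproducible."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_samples(size=CHUNK_SIZE):
    """Three constructed files: plaintext, fully high-entropy, and 'intermittent'
    (every second chunk replaced by high-entropy bytes, the first chunk left intact)."""
    plaintext = b"Quarterly report: revenue grew 4 percent versus the prior quarter.\n" * 600
    fully = pseudo_random_bytes(len(plaintext))
    parts = []
    for i in range(0, len(plaintext), size):
        chunk = plaintext[i:i + size]
        odd = (i // size) % 2 == 1
        parts.append(pseudo_random_bytes(len(chunk), seed=str(i).encode()) if odd else chunk)
    return {"plaintext": plaintext, "fully_encrypted": fully, "intermittent": b"".join(parts)}


if __name__ == "__main__":
    for name, body in build_samples().items():
        print(name, classify(body))
```

For the intermittent sample the header chunk stays at plaintext entropy, so the header-only check reports nothing while the chunked check flags chunks 1, 3, 5, 7 and 9. Whole-file entropy of a half-encrypted file lands between the two regimes and is not a reliable signal either; scoring per chunk, or counting the share of high-entropy chunks, is the check that survives partial encryption.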

T1489 – Service Stop
Can disable antivirus-related services
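The T1562 and T1489 entries above describe the same behaviour from two angles: third-party tools (GMER, Process Hacker, PowerTool) are run to kill antivirus processes, and Defender-related services end up stopped. The following rule set, added here as an example and not part of the original report, evaluates event records for the observable traces of that behaviour: process creation of a known tool, a kernel driver loaded from a user-writable path, Microsoft Defender's "real-time protection disabled" event (ID 5001), and Service Control Manager events 7036 (service stopped) and 7040 (start type changed) for protected services. The executable names, the protected-service list beyond WinDefend and the sample records are assumptions constructed for this example; the record layout is a simplified Sysmon/Windows event shape, not a real log format.

```python
"""Added example (not from the report): event-log detection rules for the
defence-impairment behaviour described under T1562 and T1489. The records at
the bottom are constructed samples, not real telemetry."""
import re

# Executable names of the tools the report names; the exact file names are assumptions.
AV_TAMPERING_TOOLS = {"gmer.exe", "processhacker.exe", "powertool.exe", "powertool64.exe"}
# WinDefend is Microsoft Defender's antivirus service; the other two are assumed
# additions (Defender network inspection and Defender for Endpoint sensor).
PROTECTED_SERVICES = {"windefend", "wdnissvc", "sense"}
# Heuristic: legitimate kernel drivers live under System32\drivers, so a driver
# loaded from a user-writable location is worth an alert on its own.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|temp|windows\\temp)\\", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def evaluate(event):
    """Return the alerts (possibly none) raised by a single event record."""
    alerts = []
    host = event.get("host", "?")
    channel, event_id = event.get("channel"), event.get("event_id")
    if channel == "Sysmon" and event_id == 1:          # process creation
        image = _basename(event.get("image", ""))
        if image in AV_TAMPERING_TOOLS:
            alerts.append(f"T1562 {host}: AV-tampering tool launched ({image})")
    elif channel == "Sysmon" and event_id == 6:        # driver loaded
        driver = event.get("image_loaded", "")
        if USER_WRITABLE.match(driver):
            alerts.append(f"T1562 {host}: driver loaded from user-writable path ({driver})")
    elif channel == "Microsoft-Windows-Windows Defender/Operational" and event_id == 5001:
        alerts.append(f"T1562 {host}: Defender real-time protection disabled")
    elif channel == "System" and event.get("provider") == "Service Control Manager":
        service = event.get("service", "").lower()
        if service in PROTECTED_SERVICES:
            if event_id == 7036 and event.get("state") == "stopped":
                alerts.append(f"T1489 {host}: protected service stopped ({service})")
            elif event_id == 7040:
                alerts.append(f"T1489 {host}: start type of {service} changed to "
                              f"{event.get('new_start_type')}")
    return alerts


def scan(events):
    """Run every record through the rules and flatten the alerts."""
    return [alert for event in events for alert in evaluate(event)]


# Constructed sample records from one host: two benign, five that should alert.
SAMPLE_EVENTS = [
    {"host": "WS07", "channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "WS07", "channel": "Sysmon", "event_id": 1,
     "image": r"C:\Users\alice\Downloads\ProcessHacker.exe"},
    {"host": "WS07", "channel": "Sysmon", "event_id": 6,
     "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"host": "WS07", "channel": "Sysmon", "event_id": 6,
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\tool.sys"},
    {"host": "WS07", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001},
    {"host": "WS07", "channel": "System", "provider": "Service Control Manager",
     "event_id": 7036, "service": "Spooler", "state": "stopped"},
    {"host": "WS07", "channel": "System", "provider": "Service Control Manager",
     "event_id": 7036, "service": "WinDefend", "state": "stopped"},
    {"host": "WS07", "channel": "System", "provider": "Service Control Manager",
     "event_id": 7040, "service": "WinDefend", "new_start_type": "disabled"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Process Hacker and similar utilities also have legitimate administrative uses, so the process-creation rule is best treated as a lead that gains weight when it is followed on the same host by the driver load, the 5001 event or the service stop; the service rules are the higher-confidence signal, since Defender services do not stop or get disabled on their own during normal operation.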

T1490 – Inhibit System Recovery
Uses AlphaVSS to inhibit system recovery
