The CyberCX DFIR team has been engaged to assist in multiple investigations related to the Akira ransomware group, which has been seen affecting victims since April 2023.
This article provides an overview of the logging and activities related to virtual machines in both Microsoft Hyper-V and VMware ESXi/vSphere environments. It explains how to review audit activity in the “hostd.log” file in ESXi, and provides an example of a log entry for the creation of a new virtual machine. It also explains how to review Windows authentication logs for standard or default Windows workstation names, which can be used to identify unmanaged devices connected to the network.
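The workstation-name review described above, as an added example that is not part of the CyberCX article: it scans a constructed export of Security event ID 4624 (JSON lines) and flags successful logons from hosts whose names match Windows' auto-generated patterns and that are absent from the asset inventory. The regexes for default names (DESKTOP-/LAPTOP- plus 7 characters, WIN- plus 11) and the inventory set are assumptions; the log lines are constructed sample data.

```python
import json
import re
from collections import defaultdict

# Auto-generated names Windows assigns when none is chosen at setup
# (assumed patterns): DESKTOP-/LAPTOP- plus 7 chars, WIN- plus 11 chars.
DEFAULT_NAME_RE = re.compile(r"^(DESKTOP|LAPTOP)-[A-Z0-9]{7}$|^WIN-[A-Z0-9]{11}$")

# Managed hosts from the asset inventory (constructed sample, assumed names).
INVENTORY = {"FS01", "HV-PROD-01", "WS-ACCT-07"}

# Constructed sample export of Security log events, one JSON object per line.
SAMPLE_EVENTS = """\
{"EventID": 4624, "TimeCreated": "2023-06-12T01:14:03Z", "TargetUserName": "svc_backup", "WorkstationName": "FS01", "IpAddress": "10.10.20.5", "LogonType": 3}
{"EventID": 4624, "TimeCreated": "2023-06-12T01:15:40Z", "TargetUserName": "j.smith", "WorkstationName": "WS-ACCT-07", "IpAddress": "10.10.30.41", "LogonType": 3}
{"EventID": 4624, "TimeCreated": "2023-06-12T02:02:11Z", "TargetUserName": "administrator", "WorkstationName": "DESKTOP-5K2P9QX", "IpAddress": "10.10.99.200", "LogonType": 3}
{"EventID": 4624, "TimeCreated": "2023-06-12T02:03:58Z", "TargetUserName": "administrator", "WorkstationName": "DESKTOP-5K2P9QX", "IpAddress": "10.10.99.200", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2023-06-12T02:04:10Z", "TargetUserName": "administrator", "WorkstationName": "WIN-ABCDEFGHIJK", "IpAddress": "10.10.99.201", "LogonType": 3}
{"EventID": 4624, "TimeCreated": "2023-06-12T02:06:31Z", "TargetUserName": "hv_admin", "WorkstationName": "WIN-ABCDEFGHIJK", "IpAddress": "10.10.99.201", "LogonType": 3}
"""

def find_unmanaged_logons(jsonl, inventory=INVENTORY):
    """Return {workstation: {"ips": set, "users": set, "count": n}} for
    successful logons (4624) from default-named hosts not in the inventory."""
    hits = defaultdict(lambda: {"ips": set(), "users": set(), "count": 0})
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624:  # successful logons only; 4625 is a failure
            continue
        ws = (ev.get("WorkstationName") or "").upper()
        if ws in inventory or not DEFAULT_NAME_RE.match(ws):
            continue
        h = hits[ws]
        h["ips"].add(ev.get("IpAddress", "-"))
        h["users"].add(ev.get("TargetUserName", "-"))
        h["count"] += 1
    return dict(hits)

if __name__ == "__main__":
    for ws, info in find_unmanaged_logons(SAMPLE_EVENTS).items():
        print(f"{ws}: {info['count']} logon(s) as {sorted(info['users'])} "
              f"from {sorted(info['ips'])}")
```

A hit for a privileged account from a default-named host that the inventory does not know is the signal the article describes: a device (such as a freshly created VM) that is authenticating to the domain without being managed or monitored.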
The CyberCX DFIR team has been engaged to investigate multiple cases of Akira ransomware attacks since April 2023. The threat actor has been observed using a novel technique of deploying ransomware onto Windows Hyper-V hypervisor systems, which can cause major damage to the attached virtual machines (VMs). Even when the Windows-based hypervisor and the target virtual machines are running prominent Endpoint Detection & Response (EDR) tooling, the threat actor has been observed circumventing it by creating new, unmonitored VMs on the hypervisor, from which they can navigate directories on the hypervisor and execute their ransomware.
Initial access is typically obtained through info stealers and credential marketplaces. Intrusion activities include scanning the network, enumerating data available in Active Directory, identifying sensitive information on file shares and servers to exfiltrate, and installing SystemBC with a scheduled task for persistence. To evade detection, the threat actor has been observed attempting to disable EDR using a Bring Your Own Vulnerable Driver (BYOVD) attack.
In early June, a GitHub user ZeroMemoryEx created a tool also named Terminator with the same functionality and published their source code on GitHub. Within 3-5 days of the open-source release of Terminator, the threat actor attempted to use this tool to evade detection.

A vulnerability in the Akira ransomware implementation allows for the possibility of decryption without paying the ransom; however, there are a few limitations. CyberCX confirmed the vulnerability and developed a working capability to decrypt encrypted data under certain circumstances shortly before the public release of the flaw by Avast. By 7 July 2023, Akira had patched the vulnerability and newer samples did not have the vulnerable code.
In vSphere/ESXi environments, the threat actor may apply different approaches to different ESXi hosts, including encryption through ransomware, changing the root password, or in some cases doing nothing to the hypervisor. In cases where the threat actor did not (or perhaps could not)
📓 Weaponising VMs to bypass EDR – Akira ransomware
👉🏽 The CyberCX DFIR team has been engaged to assist in multiple investigations related to the Akira ransomware group, which has been seen affecting victims since April 2023.
👉🏽 Overview of logging and activities related to virtual machines in Hyper-V and vSphere environments.
👉🏽 Reviewing audit activity in the "hostd.log" file in ESXi and its importance.
👉🏽 Example log entry for the creation of a new virtual machine.
👉🏽 Reviewing Windows authentication logs to identify unmanaged devices connected to the network.
👉🏽 Investigation of Akira ransomware attacks by the CyberCX DFIR team.
👉🏽 Novel technique of deploying ransomware onto Windows Hyper-V hypervisor systems.
👉🏽 Circumventing Endpoint Detection & Response (EDR) tooling by creating unmonitored VMs.
👉🏽 Initial access through info stealers and credential marketplaces.
👉🏽 Intrusion activities including scanning the network, enumeration, and exfiltration.
👉🏽 Attempts to disable EDR using a Bring Your Own Vulnerable Driver (BYOVD) attack.
🔗 source link: https://cybercx.co.nz/blog/akira-ransomware/
#Logging #VirtualMachines #Ransomware #ThreatActor #Vulnerability