Azil Networks
Maze Ransomware

Maze ransomware is malware targeting organizations worldwide across many industries. Maze is believed to operate as an affiliate network: the Maze developers share their proceeds with the various groups that deploy Maze inside organizational networks. Beyond the initial penetration of an organization, Maze operators have a reputation for using assets in one network to move laterally into other networks. Since the affected company is an IT services provider, it is extremely likely that this breach could be leveraged to attack the hundreds of customers that rely on its IT services.

Three years ago, we published a short blog post about NotPetya. The blog discussed some of the techniques employed by the ransomware and how these can be mitigated. Three years later, most networks are still vulnerable to the same type of attacks. As we followed up with this Maze story, we thought it would be a good idea to share insights on why these types of ransomware attacks are prevalent and what actions you can take to mitigate them.

How organizations get infected with Maze

This blog post shares the tactics, techniques, and procedures used by Maze. The research lists the tools and techniques Maze uses in the various stages of the attack cycle (initial access, reconnaissance, lateral movement, and privilege escalation). Reading the list of techniques, it is clear that Maze does not typically employ 0-days (the one exception is an attempt to use a 1-day, CVE-2018-8174). This is expected: attackers typically don’t use 0-day vulnerabilities for two main reasons. They are extremely hard to find and very expensive, and once used in the wild they are exposed and fixed very quickly.

Let’s review the techniques:

Initial Access

In most cases, Maze operators gain initial access with valid credentials, logging in to the network through internet-facing servers such as an exposed RDP server or a Citrix/VPN gateway. How the initial credential was compromised is unclear, but standard attack methods include guessing default or weak passwords and spear-phishing with a targeted email carrying a .docx attachment that contains a malicious macro.

  • T1193: Spear-phishing Attachment
  • T1133: External Remote Services
  • T1078: Valid Accounts

Reconnaissance

Once an initial machine in the network is compromised, the malware starts scanning the network for weaknesses. It examines open SMB shares, network configuration, and Active Directory attributes such as permissions, accounts, and domain trusts. These scans can be performed with well-known open source tools such as smbtools.exe, AdFind, BloodHound, and PingCastle, as well as built-in Windows commands.

  • T1087: Account Discovery
  • T1482: Domain Trust Discovery
  • T1083: File and Directory Discovery
  • T1135: Network Share Discovery
  • T1069: Permission Groups Discovery
  • T1018: Remote System Discovery
  • T1016: System Network Configuration Discovery
  • T1033: System Owner/User Discovery

Lateral Movement/Credential Access

After a few days of gathering intelligence on the network, the malware starts moving laterally. The easiest option is to find credentials on the compromised machine: these could be Kerberos tickets or password hashes, and Maze also scans compromised machines for files containing plaintext passwords. When none are found, the malware tries to move laterally within the same network segment using LLMNR/NBT-NS poisoning to capture authentication traffic for later NTLM cracking and/or NTLM relay attacks. Finally, if none of these techniques work, the malware tries to find weak passwords by brute-forcing user and service accounts. Once a valid credential is found, the malware uses standard Windows interfaces such as SMB, WinRM, and RDP to move laterally and execute code on remote machines.

  • T1110: Brute Force
  • T1003: Credential Dumping
  • T1081: Credentials in Files
  • T1171: LLMNR/NBT-NS Poisoning
  • T1076: Remote Desktop Protocol
  • T1028: Windows Remote Management
  • T1097: Pass the Ticket
  • T1105: Remote File Copy
  • T1077: Windows Admin Shares
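As an added example (not code from the original post), here is the detection logic a defender would run over Windows Security logon events to catch the brute-force and fan-out pattern described above. The event records are constructed for the demo and use assumed field names rather than a real log export.

```python
# Added example (not from the original post): flag the brute-force and lateral-movement
# pattern above in Windows Security events 4625 (failed logon) / 4624 (success, type 3 = network).
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, eid, user, src, host, ltype=3):  # constructed record, not a real export
    return {"ts": datetime.fromisoformat(ts), "id": eid, "user": user,
            "src": src, "host": host, "type": ltype}

# Constructed sample: 'svc_backup' is brute-forced from 10.0.0.5 until a logon
# succeeds, then hops to several hosts; 'alice' mistypes once (benign noise).
EVENTS = [ev(f"2020-07-01T02:00:{s:02d}", 4625, "svc_backup", "10.0.0.5", "DC01")
          for s in range(0, 12, 2)] + [
    ev("2020-07-01T02:00:20", 4624, "svc_backup", "10.0.0.5", "DC01"),
    ev("2020-07-01T02:05:00", 4624, "svc_backup", "10.0.0.5", "FS01"),
    ev("2020-07-01T02:07:00", 4624, "svc_backup", "10.0.0.5", "WS07"),
    ev("2020-07-01T02:09:00", 4624, "svc_backup", "10.0.0.5", "WS12"),
    ev("2020-07-01T08:00:00", 4625, "alice", "10.0.0.9", "DC01"),
    ev("2020-07-01T08:00:30", 4624, "alice", "10.0.0.9", "DC01"),
]

def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """(user, source, failures): >= threshold failures from one source, then a success."""
    fails, hits = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["id"] == 4625:
            fails[key].append(e["ts"])
        elif e["id"] == 4624:
            recent = [t for t in fails[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append((e["user"], e["src"], len(recent)))
            fails[key].clear()  # a success ends the current burst
    return hits

def lateral_fan_out(events, min_hosts=3, window=timedelta(minutes=30)):
    """(user, hosts): one account reaching >= min_hosts hosts by network logon in the window."""
    logons, hits = defaultdict(list), []
    for e in events:
        if e["id"] == 4624 and e["type"] == 3:
            logons[e["user"]].append((e["ts"], e["host"]))
    for user, items in logons.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits.append((user, sorted(hosts)))
                break
    return hits
```

Thresholds and windows are starting points; tune them against your own baseline of failed logons before alerting on them.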

Privilege Escalation

Privilege escalation is a kind of dance. The attacker moves laterally to new machines; on each new machine they can apply the same lateral movement techniques, find new credentials to compromise, and move on to additional machines. The dance is typically over once domain admin credentials are found. At that point, the attacker can easily compromise any machine in the network.

  • T1078: Valid Accounts
  • T1055: Process Injection
  • T1050: New Service

Persistence

As is often the case in these situations, the operator wants to maintain a presence in the network for as long as possible. This means adding various backdoors and ways to retake control of the network, so that if the malware is detected and removed, the operator can compromise the network a second time. The method discovered in this case is mainly to capture as many user credentials as possible and potentially create new privileged accounts in the network.

  • T1078: Valid Accounts
  • T1050: New Service
  • T1136: Create Account
  • T1031: Modify Existing Service
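Added example, not from the original post: correlating the persistence steps above (a freshly created account promoted to a privileged group, and a new service running from an untrusted path) over constructed Windows event records with assumed field names.

```python
# Added example (not from the original post): correlate the persistence steps
# described above. Records are constructed to mimic Windows Security events 4720
# (account created), 4728/4732 (member added to a group) and System event 7045
# (new service installed); they are not a real log export.
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators"}
# Service binaries normally live here; a new service running from anywhere else deserves a look.
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def ev(ts, eid, **fields):  # constructed record builder
    return {"ts": datetime.fromisoformat(ts), "id": eid, **fields}

# Constructed sample: a stolen admin account creates 'svc_update', promotes it to
# Domain Admins a minute later and installs a service running from a user-writable
# folder. The helpdesk activity and the backup agent are benign noise.
EVENTS = [
    ev("2020-07-02T03:10:00", 4720, actor="CORP\\j.smith", target="svc_update"),
    ev("2020-07-02T03:11:00", 4728, actor="CORP\\j.smith", target="svc_update", group="Domain Admins"),
    ev("2020-07-02T03:15:00", 7045, host="FS01", service="WinUpdateSvc", image="C:\\Users\\Public\\wus.exe -k"),
    ev("2020-07-02T09:00:00", 4720, actor="CORP\\helpdesk", target="n.jones"),
    ev("2020-07-02T09:05:00", 4732, actor="CORP\\helpdesk", target="n.jones", group="Remote Desktop Users"),
    ev("2020-07-02T10:00:00", 7045, host="WS03", service="BackupAgent", image='"C:\\Program Files\\Backup Agent\\agent.exe"'),
]

def new_accounts_promoted(events, window=timedelta(hours=24)):
    """(account, group, actor) for accounts created and then added to a privileged
    group within the window: the 'create a new privileged account' backdoor."""
    created = {e["target"]: e["ts"] for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS:
            born = created.get(e["target"])
            if born is not None and timedelta(0) <= e["ts"] - born <= window:
                hits.append((e["target"], e["group"], e["actor"]))
    return hits

def suspicious_services(events):
    """(host, service, image) for new services whose binary is outside trusted dirs."""
    hits = []
    for e in events:
        if e["id"] == 7045:
            path = e["image"].lower().lstrip('"')  # quoted paths are common in ImagePath
            if not path.startswith(TRUSTED_SERVICE_DIRS):
                hits.append((e["host"], e["service"], e["image"]))
    return hits
```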

The Root Cause

The critical point is that throughout the compromise, most of the malicious activity is executed using valid user credentials. The malware steals credentials in various ways: it uses tools like Mimikatz to harvest local credentials and later performs Pass-the-Hash attacks, and it searches local drives for stored passwords, sometimes attacking accounts with weak passwords through brute force and credential-scanning techniques.

I often engage with customers and review the security posture of their network. I’ve never encountered a network where I couldn’t find any software vulnerability. In some cases, I find trivial security configuration issues allowing one-click elevation of privilege to domain admin. You can find another great talk on this subject by the BloodHound team at SpecterOps delivered last year at BlackHat. 

Ransomware operators use old techniques and open source tools such as BloodHound and Mimikatz to compromise networks and move laterally within them, and they have been doing so for a while with great success. Enterprise networks are hacked mostly through compromised credentials and credential-based attacks. Simple steps such as monitoring for weak passwords, limiting account privileges, detecting stealthy admins, and enforcing adaptive authentication can reduce most of the risk of becoming the next ransomware victim.
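Added example, not the post's or BloodHound's own code: a minimal BloodHound-style check for the "stealthy admins" mentioned above, run over a constructed set of AD relations. The edge names and the CONTROL_RIGHTS set are assumptions covering only a subset of the rights BloodHound actually collects.

```python
# Added example (not from the original post): a small BloodHound-style search for "stealthy
# admins", principals outside Domain Admins that can still take control of it through AD rights.
from collections import deque

# Rights that let the holder take over the target object; an assumed subset of BloodHound's edge types.
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "AddMember", "ForceChangePassword"}
EDGES = [  # constructed directory: (principal, relation, object)
    ("alice", "MemberOf", "Domain Admins"),
    ("Tier0-Admins", "MemberOf", "Domain Admins"),
    ("dave", "MemberOf", "Tier0-Admins"),
    ("Helpdesk", "ForceChangePassword", "alice"),   # helpdesk can reset a DA's password
    ("bob", "MemberOf", "Helpdesk"),
    ("svc_backup", "WriteDacl", "Domain Admins"),   # service account can rewrite the group's ACL
    ("Sales", "GenericAll", "Printers"),            # a right that leads nowhere sensitive
]

def graphs(edges):
    # members: MemberOf edges only; control: memberships plus rights that take over an object
    members, control = {}, {}
    for src, rel, dst in edges:
        if rel == "MemberOf":
            members.setdefault(src, []).append(dst)
        if rel == "MemberOf" or rel in CONTROL_RIGHTS:
            control.setdefault(src, []).append(dst)
    return members, control

def control_path(graph, start, target):
    # breadth-first search: shortest chain of memberships and rights from start to target, or None
    todo, seen = deque([[start]]), {start}
    while todo:
        path = todo.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(path + [nxt])
    return None

def stealthy_admins(edges, target="Domain Admins"):
    """{principal: path} for every principal that is not a member of target yet can reach it."""
    members, control = graphs(edges)
    result = {}
    for p in sorted({s for s, _, _ in edges}):
        if control_path(members, p, target) is None:  # not a direct or nested member
            path = control_path(control, p, target)
            if path:
                result[p] = path
    return result
```

Every path the function returns is an account that a brute-forced password or a dumped hash would turn into a domain admin without ever appearing in the group's membership list.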
