UNC2910 BEACON Detection

UNC2910, also known as Arcane and Sabbath, is a threat group identified by Mandiant (https://www.mandiant.com/resources/sabbath-ransomware-affiliate) that provides Ransomware-as-a-Service (RaaS) and has targeted critical infrastructure, education, health, and natural resources in the United States and Canada since June 2021. The latest activity of UNC2910 has been under the name 54BB47h, or Sabbath. Sabbath began advertising for new affiliates for its RaaS program on the popular Russian-language cybercrime forum Exploit beginning in September of this year. As is common with RaaS groups these days, they follow a double extortion model: deploying ransomware as well as stealing massive amounts of data and threatening to release it to the public. They have also been observed attempting to actively destroy backups. In an October 2021 attack against a US school district, they took things to the next level by emailing staff, parents, and students to apply public pressure on school officials (https://www.nbcdfw.com/news/local/howdy-hackers-email-parents-and-students-after-allen-isd-refuses-to-pay-ransom/2758256/).

One unique aspect of the Sabbath RaaS program is that it provides affiliates with a pre-configured Cobalt Strike BEACON. While the use of BEACON is a common tactic of many ransomware operators, a BEACON supplied by the RaaS affiliate program operator itself is unusual. For the purposes of threat intelligence, this makes attributing an attack to a specific ransomware operator more difficult. Keep in mind that Sabbath is a RaaS provider: it supplies the software, tools, and infrastructure that ransomware operators need, but is not necessarily directly involved in any specific attack; that is left up to the affiliates. While this makes attributing any given attack to a specific group harder, it does simplify detection. The CRU released three new IDS signatures this week, already deployed to all Perch IDS customers, that should detect the use of the BEACON Sabbath is providing to all of its affiliates:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] Potential UNC2190 BEACON GET HTTP Request"; flow:established, to_server; http.method; content:"GET"; http.uri; content:"kitten.gif"; endswith; tag:session,5,packets; reference:url, www.mandiant.com/resources/sabbath-ransomware-affiliate; classtype:trojan-activity; sid:900526; rev:1; metadata: created_at 2021_12_08, updated_at 2021_12_08, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] Potential UNC2190 BEACON POST HTTP Request"; flow:established, to_server; http.method; content:"POST"; http.uri; content:".jpg"; endswith; http.request_body; content:"image_url"; endswith; tag:session,5,packets; reference:url, www.mandiant.com/resources/sabbath-ransomware-affiliate; classtype:trojan-activity; sid:900527; rev:1; metadata: created_at 2021_12_08, updated_at 2021_12_08, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Potential UNC2190 BEACON Self-signed TLS Certificate Common Name"; tls.cert_subject; content:"CN=Microsoft IT TLS CA 5"; reference:url, www.mandiant.com/resources/sabbath-ransomware-affiliate; classtype:bad-unknown; sid:900528; rev:1; metadata: created_at 2021_12_08, updated_at 2021_12_08, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
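As an added illustration (not part of the CRU post or its deployed rule set), the Python below applies the same three conditions from the signatures above to constructed Suricata eve.json-style records, so the logic can be checked against logs you already have. The record field names, the 10.0.0.0/8 home network, and the sample lines are assumptions made for the example.

```python
import ipaddress
import json

# Assumed $HOME_NET for the direction checks (placeholder, not from the post).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed eve.json-like lines (not real traffic); line 3 carries a query
# string, which the endswith check in sid 900526 deliberately does not match.
SAMPLE_EVE = """
{"event_type":"http","src_ip":"10.1.2.3","dest_ip":"203.0.113.7","http":{"http_method":"GET","url":"/img/kitten.gif"}}
{"event_type":"http","src_ip":"10.1.2.3","dest_ip":"203.0.113.7","http":{"http_method":"POST","url":"/up/photo.jpg","request_body":"id=42&image_url"}}
{"event_type":"http","src_ip":"10.1.2.3","dest_ip":"203.0.113.7","http":{"http_method":"GET","url":"/img/kitten.gif?v=2"}}
{"event_type":"tls","src_ip":"203.0.113.7","dest_ip":"10.1.2.3","tls":{"subject":"CN=Microsoft IT TLS CA 5"}}
{"event_type":"http","src_ip":"10.1.2.3","dest_ip":"203.0.113.7","http":{"http_method":"GET","url":"/index.html"}}
"""

def is_home(ip):
    return ipaddress.ip_address(ip) in HOME_NET

def outbound_http(rec):
    # $HOME_NET -> $EXTERNAL_NET over HTTP, as in sids 900526 and 900527.
    return rec.get("event_type") == "http" and is_home(rec["src_ip"]) and not is_home(rec["dest_ip"])

def rule_900526(rec):
    # GET whose normalized URI ends with "kitten.gif".
    h = rec.get("http", {})
    return outbound_http(rec) and h.get("http_method") == "GET" and h.get("url", "").endswith("kitten.gif")

def rule_900527(rec):
    # POST to a URI ending in ".jpg" whose request body ends with "image_url".
    h = rec.get("http", {})
    return (outbound_http(rec) and h.get("http_method") == "POST"
            and h.get("url", "").endswith(".jpg") and h.get("request_body", "").endswith("image_url"))

def rule_900528(rec):
    # Server certificate subject from $EXTERNAL_NET containing the suspicious CN.
    t = rec.get("tls", {})
    return (rec.get("event_type") == "tls" and not is_home(rec["src_ip"]) and is_home(rec["dest_ip"])
            and "CN=Microsoft IT TLS CA 5" in t.get("subject", ""))

RULES = {900526: rule_900526, 900527: rule_900527, 900528: rule_900528}

def scan(eve_text):
    """Return (line_number, sid) pairs for every record a rule matches."""
    hits = []
    for n, line in enumerate(eve_text.strip().splitlines(), 1):
        rec = json.loads(line)
        hits.extend((n, sid) for sid, fn in RULES.items() if fn(rec))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_EVE))
```

Because `endswith` anchors to the end of the normalized URI buffer, a request for the same resource with a query string appended does not fire sid 900526; rule 900528 has no flow direction keyword, so the direction check above is only the address-variable constraint.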

References

https://www.mandiant.com/resources/sabbath-ransomware-affiliate

https://www.nbcdfw.com/news/local/howdy-hackers-email-parents-and-students-after-allen-isd-refuses-to-pay-ransom/2758256/