On our radar
This section considers threats that weren’t widespread enough to make our top 10 but deserve attention because of their potential impact, rising prevalence, or other factors.
Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2021.
We are pleased that no ransomware family made it into our top 10 (or even our top 20) this year. The fact that ransomware precursors like Qbot, Emotet, and TrickBot made our list—while no actual ransomware families did—suggests that we, our customers, and the community are having some success at responding before these threats fully materialize. Red Canary did observe quite a bit of ransomware in 2020, but these cases mainly came in through our incident response partners, who bring us in to help victims who have already been compromised. While there are detection opportunities for ransomware, such as looking for volume shadow copy deletion (for example, vssadmin.exe Delete Shadows /All /Quiet), we strongly recommend focusing on detecting ransomware precursors rather than worrying about detecting ransomware activity itself.
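The shadow copy deletion check mentioned above, written out as an added example (this is not Red Canary's detection logic). It works on process-creation events in the shape most EDR products emit (image path plus command line), matches on normalized tokens so that case, argument order and extra whitespace do not defeat it, and also covers the wmic shadowcopy delete variant, which the text does not mention but which accomplishes the same thing. The ProcessEvent type and the sample events are constructed for the example.

```python
"""Added example (not Red Canary's code): flag volume shadow copy deletion
from endpoint process-creation events. Sample telemetry below is constructed."""
from dataclasses import dataclass
import ntpath


@dataclass
class ProcessEvent:
    host: str
    image: str          # full path of the executable that ran
    command_line: str   # command line as recorded by the sensor


# Constructed sample telemetry in the shape of EDR process-creation events.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent("ws02", r"C:\Windows\System32\vssadmin.exe",
                 "VSSADMIN  delete   shadows /quiet /all"),      # odd casing and spacing
    ProcessEvent("ws03", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe list shadows"),                   # benign enumeration
    ProcessEvent("srv01", r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic shadowcopy delete"),                      # same outcome via WMI
    ProcessEvent("ws04", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir"),
]


def is_shadow_copy_deletion(event: ProcessEvent) -> bool:
    """True when the event shows shadow copies being deleted via vssadmin or wmic.

    Tokens are lower-cased and split on whitespace, so 'Delete Shadows /All /Quiet'
    and 'delete shadows /quiet /all' match the same way.
    """
    image = ntpath.basename(event.image).lower()
    tokens = event.command_line.lower().split()
    if image == "vssadmin.exe":
        return "delete" in tokens and "shadows" in tokens
    if image == "wmic.exe":
        return "shadowcopy" in tokens and "delete" in tokens
    return False


def find_shadow_copy_deletions(events):
    """Return the hosts on which shadow copy deletion was observed, in event order."""
    return [e.host for e in events if is_shadow_copy_deletion(e)]


if __name__ == "__main__":
    for host in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"ALERT: shadow copy deletion observed on {host}")
```

Matching on the image name rather than only the command line means a command line that merely mentions vssadmin (for example, a backup script echoing help text) is not enough on its own; conversely, tuning for your environment should start from legitimate backup software that deletes shadow copies on a schedule.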
Among environments affected by ransomware, the top five families we observed were:
Out of that list, the presence of WannaCry might surprise you, considering it did most of its damage in 2017. Its continued prevalence is due to its pervasive nature as a worm as well as persistence that has lingered on networks years after the original outbreak.
A ransomware precursor family that caused us quite a headache but didn’t make it into the top 10 was Bazar. Despite being less prevalent than some other threats, Bazar is especially noteworthy due to how quickly it progresses to follow-on activity leading up to ransomware. While we only observed Bazar in a few environments early on, we saw a significant surge in September and October 2020. For more details on this threat, check out our blog post A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak.
As our Intelligence Team grew and matured in 2020, we began to identify novel activity clusters that we were unable to associate with a known threat. Naturally, as Red Canary, we decided we should name our clusters with a color and a bird. One of our first named activity clusters was Blue Mockingbird.
While we didn’t see Blue Mockingbird in very many environments, when we did encounter it, we saw a lot of activity. Blue Mockingbird employs quick lateral movement to install its cryptomining payload to as many hosts as possible. In fact, this initial spread and establishment of persistence almost single-handedly propelled T1543: Windows Service into the #3 spot in our rankings.
Blue Mockingbird mines cryptocurrency, a fairly common objective across threats in 2020. In many cases, while we were able to detect suspicious mining activity, we couldn’t always associate it with a named threat. Monero (XMR) was the primary cryptocurrency of choice for miners, and many threats leveraged code from XMRig. If mining cryptocurrency is not part of normal business operations in your organization, consider building detection logic around network connections to domains associated with mining pools to help you detect Blue Mockingbird and a range of other cryptomining threats.
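One way to build the mining-pool detection logic suggested above, as an added example that is not Red Canary's code. It matches destination domains from DNS or proxy telemetry against a pool list and groups hits per host so that one alert summarizes every process that reached a pool. The pool domains, the NetworkEvent type and the sample events are all constructed placeholders; a real deployment would load a maintained list of mining-pool domains in their place.

```python
"""Added example (not Red Canary's code): match outbound connections against a
list of mining-pool domains. The pool list and the events are constructed placeholders."""
from collections import defaultdict
from dataclasses import dataclass

# Placeholder pool list. Replace with a maintained list of mining-pool domains.
MINING_POOL_DOMAINS = {
    "pool.example-miningpool.test",
    "xmr.example-pool.test",
}


@dataclass
class NetworkEvent:
    host: str
    process: str       # image name of the process that opened the connection
    dest_domain: str   # destination domain, taken from DNS or proxy logs


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    NetworkEvent("ws01", "svchost.exe", "eu1.xmr.example-pool.test"),        # subdomain of a pool
    NetworkEvent("ws01", "wmiprvse.exe", "POOL.example-miningpool.test."),    # odd case, trailing dot
    NetworkEvent("ws02", "chrome.exe", "www.example.com"),                    # unrelated traffic
    NetworkEvent("ws03", "outlook.exe", "evilpool.example-miningpool.test"),  # suffix looks similar
]


def normalize_domain(domain: str) -> str:
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return domain.strip().rstrip(".").lower()


def matches_mining_pool(domain: str, pools=MINING_POOL_DOMAINS):
    """Return the pool entry the domain matches, or None.

    A domain matches when it equals a pool entry or is a subdomain of one
    (checked with a leading dot, so 'evilpool.<pool>' does not match 'pool.<pool>').
    """
    d = normalize_domain(domain)
    for pool in pools:
        if d == pool or d.endswith("." + pool):
            return pool
    return None


def detect_mining_connections(events, pools=MINING_POOL_DOMAINS):
    """Group matched connections by host: {host: [(process, pool), ...]}."""
    hits = defaultdict(set)
    for e in events:
        pool = matches_mining_pool(e.dest_domain, pools)
        if pool:
            hits[e.host].add((e.process, pool))
    return {host: sorted(pairs) for host, pairs in hits.items()}


if __name__ == "__main__":
    for host, pairs in detect_mining_connections(SAMPLE_EVENTS).items():
        print(f"ALERT: {host} contacted mining pools: {pairs}")
```

The suffix check with a leading dot is the part worth copying: a plain substring or endswith test on the bare pool name would match look-alike names and produce noise, and it would not distinguish a pool's regional subdomains from the pool itself. Pairing the destination with the originating process (a system process such as svchost.exe or wmiprvse.exe reaching a pool is far more suspicious than a browser doing so) is what turns the match into a useful alert.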
Yellow Cockatoo was another activity cluster we first encountered in 2020, beginning early in the summer. By fall Yellow Cockatoo had burst onto the scene, placing in our top five most prevalent threats in October, November, and December. We weren’t the only ones to notice this new threat on the rise—Morphisec published a great profile of this malware in November, giving it the moniker “Jupyter Infostealer.” As that name suggests, Yellow Cockatoo falls into the category of stealers—its objectives appear to be data exfiltration and providing the adversary with remote access to victims. That said, it appears to be a rather indiscriminate threat, gaining access to a wide array of organizations through its search result sleight-of-hand that tricks users into downloading and executing malicious code. For more details and detection opportunities, check out our blog post from December: How to detect Yellow Cockatoo remote access trojan.
Solorigate and beyond
A major incident that closed out 2020 was the supply chain compromise of SolarWinds along with other related activity tracked under the names “Solorigate,” “UNC2452,” “Dark Halo,” and multiple malware families. The SolarWinds compromise will almost certainly continue to be a challenge for defenders to respond to throughout 2021, due to its complexity and downstream effects on other organizations. It’s important to remember that this is now a series of incidents and TTPs that reaches far beyond just SolarWinds. Each organization should evaluate how they can best protect themselves based on the TTPs that are likely to affect them. For example, a company that makes software should be concerned about monitoring the integrity of their build processes, which may not be a concern for other organizations.
For organizations that have endpoint visibility, here is one detection opportunity (beyond searching for atomic indicators like hashes) for follow-on exploitation to the SolarWinds compromise. There are plenty of other opportunities for both endpoint and network detection, many of which have been helpfully compiled by MITRE.
Renamed AdFind execution
ATT&CK technique(s): T1036.003 Masquerading: Rename System Utilities, T1036.005 Masquerading: Match Legitimate Name or Location, T1069.002 Permission Groups Discovery: Domain Groups, T1482 Domain Trust Discovery
ATT&CK tactic(s): Execution, Defense Evasion
Details: Microsoft reported that the adversaries behind Solorigate used a renamed version of AdFind for domain enumeration. In the following example provided by Microsoft, AdFind was renamed csrss.exe in an apparent attempt to masquerade as the Client Server Runtime Subsystem process; the command identifies domain administrators.
C:\Windows\system32\cmd.exe /C csrss.exe -h breached.contoso[.]com -f (name="Domain Admins") member -list | csrss.exe -h breached.contoso[.]com -f objectcategory=* > .\Mod\mod1.log
Volexity reported the same TTP of renaming AdFind used by the group they identify as Dark Halo. In Volexity’s example, Dark Halo used a renamed version of AdFind to query Active Directory data. In this example, AdFind was renamed sqlceip.exe in an apparent attempt to masquerade as the SQL Server Telemetry Client.
C:\Windows\system32\cmd.exe /C sqlceip.exe -default -f (name="Organization Management") member -list | sqlceip.exe -f objectcategory=* > .\SettingSync\log2.txt
Because the AdFind file is renamed differently in the two examples above, we recommend creating an analytic looking for any renamed instance of AdFind. Evaluating process hashes and/or internal binary metadata is a must when masquerading is in play. When a legitimate file has been renamed, identifying a mismatch between the expected filename and the observed filename often leads to high-fidelity detection.
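The filename-versus-metadata analytic recommended above, as an added example that is not Red Canary's code. It classifies process-creation events two ways: a binary whose PE version-resource OriginalFilename says AdFind.exe but which ran under another name is flagged from metadata, and a binary with no usable metadata is flagged when its hash matches a known AdFind build. It assumes AdFind's version resource carries OriginalFilename "AdFind.exe" (verify that against the copy you have); the hash values, paths, hosts and the ProcessEvent type are constructed placeholders, and the command lines are the two on this page, abbreviated.

```python
"""Added example (not Red Canary's code): flag renamed copies of AdFind using PE
version metadata first and file hashes as a fallback. Hashes and events are constructed."""
from dataclasses import dataclass
import ntpath

# Assumption: AdFind's version resource carries OriginalFilename "AdFind.exe".
# Other utilities commonly renamed by intruders can be added to the same set.
MASQUERADE_WATCHLIST = {"adfind.exe"}

# Placeholder hash set; populate it from AdFind releases you have verified yourself.
KNOWN_ADFIND_SHA256 = {"PLACEHOLDER_SHA256_OF_ADFIND"}


@dataclass
class ProcessEvent:
    host: str
    image: str               # path of the executable that ran
    original_file_name: str  # OriginalFilename from the PE version resource ("" if absent)
    sha256: str              # hash of the executable on disk
    command_line: str


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("dc01", r"C:\Windows\System32\csrss.exe", "CSRSS.EXE",
                 "PLACEHOLDER_SHA256_OF_CSRSS", "csrss.exe"),                   # the real csrss
    ProcessEvent("ws07", r"C:\Users\Public\csrss.exe", "AdFind.exe",
                 "PLACEHOLDER_SHA256_OF_ADFIND",
                 'csrss.exe -h breached.contoso[.]com -f (name="Domain Admins") member -list'),
    ProcessEvent("ws08", r"C:\ProgramData\SettingSync\sqlceip.exe", "AdFind.exe",
                 "PLACEHOLDER_SHA256_UNKNOWN_BUILD",
                 "sqlceip.exe -default -f objectcategory=*"),
    ProcessEvent("ws09", r"C:\Tools\AdFind.exe", "AdFind.exe",
                 "PLACEHOLDER_SHA256_OF_ADFIND", "adfind.exe -f objectcategory=computer"),
    ProcessEvent("ws10", r"C:\Temp\svchost.exe", "",
                 "PLACEHOLDER_SHA256_OF_ADFIND", "svchost.exe -f objectcategory=*"),
]


def classify(event: ProcessEvent):
    """Return a finding label for a renamed AdFind, or None when nothing is suspicious.

    Metadata is checked first because it catches builds whose hash is not yet on the
    list; the hash check covers binaries whose version resource was stripped or emptied.
    """
    observed = ntpath.basename(event.image).lower()
    original = event.original_file_name.lower()
    if original in MASQUERADE_WATCHLIST and observed != original:
        return "renamed_adfind_metadata"
    if event.sha256 in KNOWN_ADFIND_SHA256 and observed not in MASQUERADE_WATCHLIST:
        return "renamed_adfind_hash"
    return None


def find_renamed_adfind(events):
    """Return (host, observed filename, finding) for every event that classifies as renamed AdFind."""
    findings = []
    for e in events:
        label = classify(e)
        if label:
            findings.append((e.host, ntpath.basename(e.image), label))
    return findings


if __name__ == "__main__":
    for host, name, label in find_renamed_adfind(SAMPLE_EVENTS):
        print(f"ALERT: {label} on {host}: ran as {name}")
```

Note that ws09, an AdFind binary running under its own name, is deliberately not flagged: that is a different analytic (use of AdFind at all), which in many environments is a policy question rather than a masquerading one. The two rules are also independent of the chosen decoy name, which is the point the text makes: csrss.exe and sqlceip.exe are both caught without either name appearing in the logic.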