Welcome to another edition of #ThreatThursday. This week we are excited to kick off Cybersecurity Awareness Month by looking at MAZE, a ransomware threat which emerged around May 2019, predominantly affecting organizations in the USA. MAZE, like other ransomware, also has an extortion component: the original data is exfiltrated in addition to being encrypted and held for ransom. This week, we will walk through the variety of CTI analysis which has been conducted on MAZE, and then create and share an Adversary Emulation Plan. We hope you enjoy it.
Cyber Threat Intelligence
When looking at the variety of cyber threat intelligence available for the MAZE threat, we are given a crystalline example of the ways that CTI can be incredibly specific regarding some details while simultaneously being sparse with others. For example, this report gives very explicit details regarding the phishing attacks conducted to compromise systems with MAZE. Another report goes into amazing detail about the process and memory games which the MAZE binaries are observed to play. And yet another report gives us details regarding the authors and their ransom management software. However, even with the excellent information provided in these reports and others, there are some details which still elude us when attempting to replicate the explicit behaviors of the MAZE threat.
For an explicit example of the discrepancy between CTI analysis and explicit behaviors, we can take the following sentence:
“Multiple built-in Windows commands were used to enable network, account, and host reconnaissance of the impacted environment …”
The above is certainly useful with regard to gaining insight into a threat actor’s general behaviors and goals, but leaves us wanting when attempting to re-create the explicit behavior utilized by the threat actor.
There are some very practical and interesting artifacts which CTI provides us, and which allow us to leave some interesting IOCs on endpoints when emulating the MAZE threat. For example, through these reports we have a litany of example PDB paths which we can use when generating custom binaries, and we also have explicit details about the content of the ransom notes left by MAZE. These details are critical for IR and Purple Team events, and provide even more realism to our Adversary Emulation Plan.
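PDB paths and ransom-note text are only useful to the Blue Team if someone actually looks for them. The following is an added example (not SCYTHE's tooling and not part of the threat template) showing how an IR analyst can pull the embedded debug path out of a binary and compare it, together with note marker strings, against a watchlist. It parses the standard CodeView PDB 7.0 record (the `RSDS` signature, a 16-byte GUID, a 4-byte age, then a NUL-terminated path). The watchlist pattern, the marker string and both sample blobs are constructed placeholders, not real MAZE values; the real ones come from the CTI reports cited above.

```python
"""Hunt for debug-path (PDB) and ransom-note artifacts in a binary blob.

Example code added for this post; it is not SCYTHE's tooling. It parses the
standard CodeView PDB 7.0 record that compilers embed in PE files:
b"RSDS", a 16-byte GUID (little-endian layout), a 4-byte age, then a
NUL-terminated path. Matches are compared against a watchlist. Every watchlist
pattern, marker string and sample blob below is a constructed placeholder,
not a real MAZE PDB path or note text; replace them with the values from
your own CTI reports.
"""
import re
import struct
import uuid

# Placeholder IOC patterns (regex over the extracted PDB path).
PDB_WATCHLIST = [re.compile(r"\\placeholder_maze[^\\]*\.pdb$", re.I)]
# Placeholder byte strings one would lift from a ransom note sample.
NOTE_MARKERS = (b"RANSOM_NOTE_MARKER_PLACEHOLDER",)


def extract_pdb_paths(blob):
    """Return a list of (guid, age, path) for every RSDS record in blob."""
    found = []
    pos = blob.find(b"RSDS")
    while pos != -1:
        fixed = blob[pos + 4:pos + 24]          # GUID (16) + age (4)
        if len(fixed) == 20:
            guid = str(uuid.UUID(bytes_le=fixed[:16]))
            age = struct.unpack("<I", fixed[16:])[0]
            end = blob.find(b"\x00", pos + 24)
            raw = blob[pos + 24:end] if end != -1 else blob[pos + 24:]
            found.append((guid, age, raw.decode("latin-1")))
        pos = blob.find(b"RSDS", pos + 4)
    return found


def scan_blob(blob):
    """Summarise PDB paths, watchlist matches and note markers in blob."""
    paths = extract_pdb_paths(blob)
    return {
        "pdb_paths": paths,
        "watchlist_hits": [p for _, _, p in paths
                           if any(rx.search(p) for rx in PDB_WATCHLIST)],
        "note_markers": [m.decode() for m in NOTE_MARKERS if m in blob],
    }


def build_rsds(guid, age, path):
    """Construct a CodeView RSDS record (used only to build sample input)."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode() + b"\x00"


SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
# Constructed "suspicious" blob: watchlisted PDB path plus a note marker.
SAMPLE_SUSPICIOUS = (b"MZ" + b"\x00" * 64
                     + build_rsds(SAMPLE_GUID, 3, r"C:\build\placeholder_maze_x64.pdb")
                     + b"\x00" * 16 + b"RANSOM_NOTE_MARKER_PLACEHOLDER" + b"\x00" * 8)
# Constructed benign blob: an ordinary debug path and no note text.
SAMPLE_BENIGN = (b"MZ" + b"\x00" * 64
                 + build_rsds(SAMPLE_GUID, 1, r"C:\src\app\Release\app.pdb"))

if __name__ == "__main__":
    for name, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, scan_blob(blob))
```

The byte search is deliberately naive so it also works on memory dumps and carved fragments, not just well-formed PE files; on a full PE the same record is reachable through the debug directory, which is the more robust route for a production tool.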
Adversary Emulation Plan
Reviewing the Cyber Threat Intelligence report and MITRE ATT&CK mapping, we organize the TTPs by Tactic and create a threat profile for MAZE:
Lost in the MAZE?
For the sake of our Adversary Emulation of MAZE, we focused more heavily on what could be executed on a specific endpoint, in that specific user’s space of privilege; rather than focusing on initial access method, various privilege escalation techniques, and propagation. The rationale for this was to have the ability to quickly and easily conduct an execution event on a single endpoint, to see which (if any) of our defensive triggers might be lit up by MAZE’s variety of Discovery and Impact operations.
The hope is that some combination of the actions on objective we are conducting, ranging from compressing files to the use of encryption, would trigger some combination of alarms from an AV, EDR, or log monitoring perspective.
With those goals in mind, we created the following SCYTHE Threat template, available in our Community Threats repository: https://github.com/scythe-io/community-threats/tree/master/MAZE
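To make the "which of our defensive triggers light up" question concrete, here is an added example (not SCYTHE's code and not part of the MAZE threat template) of two detections a Blue Team might expect from an EDR or SIEM when the plan above runs on a single endpoint: a burst of distinct built-in discovery commands on one host, and a single process writing many files that all gain the same new extension, which is what a compression or encryption sweep looks like in file telemetry. The event field names, the command watchlist, the thresholds and the sample events are all constructed for illustration.

```python
"""Detection heuristics over constructed endpoint telemetry.

Example code added for this post; it is not SCYTHE's code and not part of the
MAZE threat template. It models two alarms a purple team would hope an EDR or
SIEM raises when a MAZE-style plan runs on a single endpoint:
  1. a discovery burst: several distinct built-in reconnaissance commands
     executed on one host inside a short window;
  2. an impact burst: one process writing many files that share the same new
     extension inside a short window (compression or encryption sweep).
Event field names, the watchlist and the sample events are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows binaries typical of host/account/network discovery
# (constructed watchlist; tune thresholds and names to your environment).
DISCOVERY_CMDS = {"whoami.exe", "net.exe", "ipconfig.exe", "nltest.exe",
                  "systeminfo.exe", "arp.exe", "netstat.exe"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_discovery_burst(events, window=timedelta(minutes=5), min_distinct=4):
    """Return {host: set_of_commands} for hosts that ran at least
    `min_distinct` different discovery commands within `window`."""
    by_host = defaultdict(list)
    for e in events:
        if e["type"] == "process" and e["image"].lower() in DISCOVERY_CMDS:
            by_host[e["host"]].append((parse_ts(e["ts"]), e["image"].lower()))
    hits = {}
    for host, rows in by_host.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            seen = {img for t, img in rows[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                hits[host] = seen
                break
    return hits


def detect_impact_burst(events, window=timedelta(minutes=2), min_files=20):
    """Return {(host, pid, extension): peak_count} for processes that wrote at
    least `min_files` files with the same extension within `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["type"] == "file_write":
            name = e["path"].rsplit("\\", 1)[-1]
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            by_key[(e["host"], e["pid"], ext)].append(parse_ts(e["ts"]))
    hits = {}
    for key, times in by_key.items():
        times.sort()
        peak, j = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > window:   # slide the window's left edge
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= min_files:
            hits[key] = peak
    return hits


def build_sample_events():
    """Constructed telemetry: one noisy host (WS01) and one quiet host (WS02)."""
    base = datetime(2020, 10, 1, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%S"
    ev = []
    for secs, img in [(0, "whoami.exe"), (30, "net.exe"), (70, "ipconfig.exe"),
                      (120, "nltest.exe"), (210, "systeminfo.exe"), (240, "explorer.exe")]:
        ev.append({"type": "process", "host": "WS01", "pid": 4000 + secs,
                   "image": img, "ts": (base + timedelta(seconds=secs)).strftime(fmt)})
    ev.append({"type": "process", "host": "WS02", "pid": 512, "image": "whoami.exe",
               "ts": base.strftime(fmt)})
    # 25 writes from one process, all gaining the constructed ".sample" extension
    for n in range(25):
        ev.append({"type": "file_write", "host": "WS01", "pid": 4242,
                   "path": f"C:\\Users\\alice\\Documents\\report{n}.docx.sample",
                   "ts": (base + timedelta(minutes=5, seconds=2 * n)).strftime(fmt)})
    # ordinary editing activity from a different process
    for n in range(3):
        ev.append({"type": "file_write", "host": "WS01", "pid": 800,
                   "path": f"C:\\Users\\alice\\Documents\\notes{n}.docx",
                   "ts": (base + timedelta(minutes=6, seconds=n)).strftime(fmt)})
    return ev


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    print("discovery:", detect_discovery_burst(SAMPLE_EVENTS))
    print("impact:", detect_impact_burst(SAMPLE_EVENTS))
```

Both heuristics are keyed on behavior rather than on hashes or domains, which is the point of running an emulation plan: if the campaign executes and neither alarm fires, the gap is in telemetry coverage or thresholds, not in signature freshness.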
MAZE is a fascinating threat from both an analysis and an emulation perspective as it, once again, forces the collective information security community into simultaneously knowing a great deal about a threat actor while also having minimal details regarding the way it explicitly performs its behaviors. However, the variety of discovery techniques, blended with the exfiltration and ransomware behaviors, makes for what can be seen as a bit of a “kitchen sink” from a malware perspective. The contrast in information between CTI sources, and the reliance on signaturing of payloads and IPs/domains, gives defenders a wide range of IOCs to act on, while still leaving them feeling something is lacking from a threat emulation perspective.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email firstname.lastname@example.org, visit https://scythe.io, or follow on Twitter @scythe_io.