TrendMicro

SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware

Security recommendations

Security and incident response teams must urgently address SocGholish infections as critical events and invoke incident response procedures to rapidly mitigate the impact of its malicious activity like backdoor deployment, unauthorized access to sensitive data, lateral movement, data exfiltration, and ransomware-driven data destruction. Defenders should also apply the following best practices:

  • Deploying extended detection and response (XDR) solutions to rapidly identify, disrupt and correlate malicious activities such as those used in attacks with SocGholish
  • Reducing the attack surface for script-based malware like SocGholish by:
    • Hardening endpoints and servers by blocking suspicious Windows Scripting Host (wscript.exe) and PowerShell execution through policy-based controls like group policy objects
    • Trend Vision One customers can apply “Attack Surface Reduction” by ensuring that “Behavior Monitoring and Predictive Machine Learning” are enabled in Endpoint and Server Policies
  • Enabling logging of anti-malware scan interface events to support investigations
    • Trend Vision One customers can investigate “TELEMETRY_AMSI_EXECUTE” events to recreate script executions for incident response activities
  • Deploying web reputation services (WRS) on endpoints, cloud workloads and proxy servers to detect and block malicious and anomalous traffic
  • Using network intrusion detection and prevention solutions, and network detection and response (NDR), to gain visibility into network traffic
  • Retiring, or significantly hardening, segmenting, or isolating end-of-life operating systems, as these are targeted by adversaries through reconnaissance and lateral movement tactics

For their part, website administrators and owners should be aware that vulnerable content management systems (CMS) and their plugin systems are frequently targeted by threat actors. This is because they enable cybercriminals to abuse websites to hijack visitor traffic, as is the case with SocGholish, and distribute malware.

Compromised websites can have a significant impact on a business’ operations if their websites are being tagged as malicious by security solutions and web browser block lists. Website administrators can mitigate this by:

  • Monitoring security announcements for Content Management Systems and applying mitigations and/or patching vulnerabilities
  • Monitoring security announcements for content management system plugins and applying mitigations and/or patching vulnerabilities, which are exploited to gain initial access to webservers
  • Deploying a web application firewall (WAF) to filter exploit traffic
  • Restricting access to administration portals
  • Using multi-factor authentication (MFA) and complex passwords for administration panels
  • Using SSH keys for administration interfaces and avoiding exposing administration interfaces such as web host management interfaces, control panels, and SSH interfaces to the internet
  • Isolating and rebuilding compromised web servers to eradicate threat actors in the aftermath of a compromise

Proactive security with Trend Vision One

Trend Vision One is an enterprise cybersecurity platform that simplifies security and helps enterprises detect and stop threats faster by consolidating multiple security capabilities, enabling greater command of the enterprise’s attack surface, and providing complete visibility into its cyber risk posture. The cloud-based platform leverages AI and threat intelligence from 250 million sensors and 16 threat research centers around the globe to provide comprehensive risk insights, earlier threat detection, and automated risk and threat response options in a single solution.

Trend Vision One Threat Intelligence

To stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat Insights within Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.

Trend Vision One Intelligence Reports App [IOC Sweeping]

  • [AIM/MDR/IR][Spot Report] Ghoulish Tactics: Unmasking the SocGholish to Ransomhub Attack Chain

Trend Vision One Threat Insights App

Hunting Queries

Trend Vision One Search App

Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.

Searching for the initial dropper:

tags: ("XSAE.F11697" OR "XSAE.F11689" OR "XSAE.F8637" OR "XSAE.F8636" OR "XSAE.F7176")

More hunting queries are available for Vision One customers with Threat Insights Entitlement enabled

Conclusion

SocGholish is a prevalent and evasive threat. The use of heavy obfuscation in the loader poses a challenge for static file detection technologies. The fileless execution of commands may pose a challenge for certain detection technologies.

The sheer volume of compromised websites leading to SocGholish, coupled with the use of a commercial traffic distribution system (TDS) for sandbox and crawler evasion and the use of anti-sandbox routines, may pose a challenge for certain automated detection solutions like sandboxes, which may allow SocGholish to run in the environment, leading to highly impactful attacks.

Its collaboration with prevalent and dangerous RaaS operations like RansomHub means that SocGholish poses a significant threat to enterprises. However, there are several detection opportunities, from suspect execution with suspicious process chains that perform discovery, lateral movement, credential access and data exfiltration, to outbound connections to low reputation infrastructure, and anomalous internal connections from compromised hosts.
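The process-chain detection opportunities described above, and the endpoint-hardening recommendation earlier in this post to control Windows Scripting Host and PowerShell execution, can be expressed as concrete rule logic. The following is an added example and is not code from Trend Micro or from this post: it evaluates constructed, Sysmon-style process-creation records (field names ProcessGuid, ParentProcessGuid, Image and CommandLine are assumed) and flags a script host launched by a browser or from a user-writable path, PowerShell spawned beneath a script host, and discovery tools running under such a chain.

```python
"""Flag script-host process chains of the kind described in the post.

Added example (not Trend Micro's code). Input records are constructed to
mimic Sysmon Event ID 1 fields; the field names are an assumption.
"""
import json
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\", "\\public\\")
DISCOVERY = {"whoami.exe", "nltest.exe", "net.exe", "net1.exe", "systeminfo.exe", "ipconfig.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}

# Constructed sample telemetry, one JSON object per line (not real logs).
SAMPLE_EVENTS = r"""
{"ProcessGuid":"p1","ParentProcessGuid":"p0","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","CommandLine":"chrome.exe --type=renderer"}
{"ProcessGuid":"p2","ParentProcessGuid":"p1","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe \"C:\\Users\\alice\\Downloads\\Update.js\""}
{"ProcessGuid":"p3","ParentProcessGuid":"p2","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -w hidden -enc SQBFAFgA"}
{"ProcessGuid":"p4","ParentProcessGuid":"p3","Image":"C:\\Windows\\System32\\whoami.exe","CommandLine":"whoami /all"}
{"ProcessGuid":"p5","ParentProcessGuid":"p0","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}
{"ProcessGuid":"p6","ParentProcessGuid":"p5","Image":"C:\\Windows\\System32\\whoami.exe","CommandLine":"whoami"}
{"ProcessGuid":"p7","ParentProcessGuid":"p0","Image":"C:\\Windows\\System32\\cscript.exe","CommandLine":"cscript.exe C:\\Scripts\\inventory.vbs"}
"""


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def script_paths(cmd):
    """Arguments that look like script files; keeps quoted paths with spaces intact."""
    toks = [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', cmd)]
    return [t.lower() for t in toks[1:] if t.lower().endswith(SCRIPT_EXTS)]


def ancestors(event, by_guid):
    """Walk the parent chain upward; stops at parents outside the batch or on a cycle."""
    seen = set()
    cur = by_guid.get(event.get("ParentProcessGuid"))
    while cur is not None and cur["ProcessGuid"] not in seen:
        seen.add(cur["ProcessGuid"])
        yield cur
        cur = by_guid.get(cur.get("ParentProcessGuid"))


def evaluate(events):
    """Return a list of findings: {guid, rule, chain, encoded}."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["Image"])
        cmd = e.get("CommandLine", "")
        parent = by_guid.get(e.get("ParentProcessGuid"))
        parent_name = image_name(parent["Image"]) if parent else ""
        lineage = [image_name(a["Image"]) for a in ancestors(e, by_guid)]
        chain = " > ".join(reversed(lineage + [name][::-1]))  # root first
        chain = " > ".join(list(reversed(lineage)) + [name])
        encoded = any(t in ENCODED_FLAGS for t in cmd.lower().split())
        rule = None
        if name in SCRIPT_HOSTS:
            # Rule 1: script host started by a browser or running a script from a user-writable path.
            from_writable = any(w in p for p in script_paths(cmd) for w in USER_WRITABLE)
            if parent_name in BROWSERS or from_writable:
                rule = "script_host_from_browser" if parent_name in BROWSERS else "script_host_user_writable"
        elif name in POWERSHELL and SCRIPT_HOSTS & set(lineage):
            # Rule 2: PowerShell beneath a script host (the fileless stage the post describes).
            rule = "powershell_under_script_host"
        elif name in DISCOVERY and SCRIPT_HOSTS & set(lineage):
            # Rule 3: discovery tooling anywhere under a script-host chain.
            rule = "discovery_under_script_host"
        if rule:
            findings.append({"guid": e["ProcessGuid"], "rule": rule, "chain": chain, "encoded": encoded})
    return findings


if __name__ == "__main__":
    for f in evaluate(parse_events(SAMPLE_EVENTS)):
        print(f"{f['rule']:<30} {f['chain']}{'  [encoded]' if f['encoded'] else ''}")
```

The benign records (whoami under cmd.exe, a VBScript run by cscript.exe from a non-user path with no browser parent) produce no finding, which is the point of walking the lineage rather than alerting on the image name alone; in production the same logic would read from the EDR or SIEM process table instead of the embedded sample.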

Indicators of compromise (IOCs)

Download the list of IOCs here.
