The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory (CSA) about Zeppelin ransomware. The advisory contains indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with ransomware variants identified through FBI investigations as recently as June 21, 2022.
Zeppelin, aka Buran, is a ransomware-as-a-service (RaaS) written in Delphi and built upon the foundation of VegaLocker. Because of the RaaS model, several different methods are in use to gain initial access. The CSA mentions RDP exploitation, SonicWall firewall exploits, and phishing campaigns. Earlier, Malwarebytes' researchers found a malvertising campaign that dropped Zeppelin ransomware as one of its possible payloads.
Zeppelin uses double extortion: the operators threaten to sell or publish exfiltrated data if the victim refuses to pay the ransom.
While anyone can fall victim to these threat actors, the FBI noted that this malware has been used to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries.
Besides IOCs, attack techniques, and a YARA signature, the CSA provides a lot of mitigation advice. Since the techniques used by the Zeppelin gang are far from unique, the advice is worth repeating because it works against a lot of similar ransomware operators.
But you should also realize that while it's easy to say, for example, that you need reliable, easy-to-deploy backups, it's not always easy to follow that advice. It is well worth pursuing though, since it may save your bacon at one time or another.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, the organization ensures it will not be severely interrupted, and/or left with only irretrievable data.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
In a nutshell: Put your backups out of the reach of attackers, and make sure they work by testing that you can restore working systems from them.
Require all accounts with password logins to meet the required standards for developing and managing password policies:
- Require multifactor authentication wherever you can—particularly for webmail, VPNs, and critical systems.
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
- Implement time-based access for accounts set at the admin level and higher.
- Use long passwords (CISA says 8 characters, we say you can do better than that) and password managers.
- Store passwords using industry best practice password hashing functions.
- Implement password rate limits and lockouts.
- Avoid frequent password resets (once a year is fine).
- Avoid reusing passwords.
- Disable password “hints”.
- Require administrator credentials to install software.
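A starting point for the "review for unrecognized accounts", "audit administrative privileges", and "lockouts" items above, as an added example that is not part of the advisory or of Malwarebytes' own tooling. It assumes a domain-joined admin workstation with the RSAT ActiveDirectory module; the lookback window, the group list, and the baseline file path are placeholders you would adjust.

```powershell
# Added example: review recent account creation and privileged-group membership in AD.
# $LookbackDays, $PrivilegedGroups and $BaselinePath are assumed values for this example.
Import-Module ActiveDirectory

$LookbackDays     = 30
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$BaselinePath     = 'C:\audit\known-admins.txt'   # one SamAccountName per line, reviewed by you

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Accounts created recently: every entry should be explainable by a ticket or onboarding record.
Write-Host "== User accounts created since $($since.ToShortDateString()) =="
Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated, Enabled, LastLogonDate |
    Sort-Object whenCreated |
    Format-Table SamAccountName, whenCreated, Enabled, LastLogonDate -AutoSize

# 2. Current members of privileged groups, resolved recursively so nested groups cannot hide members.
$currentAdmins = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { $_.SamAccountName }
}
$currentAdmins = $currentAdmins | Sort-Object -Unique

# 3. Diff against a reviewed baseline: privileged accounts not in it are the ones to investigate.
if (Test-Path $BaselinePath) {
    $baseline   = Get-Content $BaselinePath | Where-Object { $_.Trim() -ne '' }
    $unexpected = Compare-Object -ReferenceObject $baseline -DifferenceObject $currentAdmins |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object InputObject
    Write-Host "== Privileged accounts not in baseline =="
    $unexpected
} else {
    Write-Host "No baseline at $BaselinePath; current privileged accounts:"
    $currentAdmins
    # After reviewing the list, save it so the next run only reports changes:
    # $currentAdmins | Set-Content $BaselinePath
}

# 4. Domain password policy: minimum length and lockout settings that the advice above refers to.
Write-Host "== Default domain password policy =="
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

Fine-grained password policies applied to specific groups are not covered by the last step; check those separately if your domain uses them.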
Use anti-malware software, and keep all operating systems, software, and firmware up to date. (Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.)
Segment networks to prevent the spread of ransomware and disrupt lateral movement. Identify, detect, and investigate abnormal activity with a network monitoring tool. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. Disable unused ports.
Consider adding an email banner to emails received from outside your organization.
Disable hyperlinks in received emails.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
Stay safe, everyone!