The threat group tracked as DEV-0832 by Microsoft’s security threat intelligence analysts, also known as Vice Society, are a group of cyber criminals that are thought to have been active since at least June 2021. They have been credited for ransomware and extortion campaigns across the world but have mainly focused on US-based targets. The most recent attacks have been against the education sector, including schools, but previous attacks have also been found where their victims were universities, local governments, and retail organisations. It is thought that their attacks against these various sectors were opportunistic, the group target organisations with weak security controls in financially motivated data encryption and exfiltration attacks with the end goal of a ransom pay-out.
Vice Society use a range of ransomware payloads in their attacks, and are known for switching between them, in some cases even delivering two different payloads in one attack. This was observer in July 2022, where the group initially delivered QuantumLocker binaries, a known form of ransomware as a service (RaaS), but then 5 hours later deployed Zeppelin binaries as well. More recently in September 2022 they have been seen to use their own variant of the Zeppelin ransomware, which is tagged with the file extension .v-s0ciety, or .v-society, or a RedAlert variant with the file extension .locked.
However, Microsoft have observed that in some cases this threat group did not deliver any ransomware payloads, and instead solely exfiltrated data, with no encryption or denial of service on the victim’s device. This attack was based on extorting a ransom due to the victims not wanting the stolen data to be published online, which appears to be a growing successful attack platform for ransomware gangs. One of the concerns that security professionals have about this group is their cross-platform capabilities. Despite most of their attacks being observed in Windows environments, they also have Linux Encryptor capabilities for deployment on Linux ESXi servers.
The Cybersecurity and Infrastructure Security Agency (CISA) released a joint security advisory with the FBI and MS-ISAC (Multi-State Information Sharing and Analysis Center) in September as a part of their #StopRansomware campaign, focusing on the activity of the Vice Society group. Their advice was targeted towards schools and educational institutions in the US based on the pattern of previous attacks by this threat group. In this it was revealed that the group tend to gain initial access to devices and networks through compromised credentials and known exploited vulnerabilities in internet-facing applications. Before deploying a ransomware payload, the attackers will explore the network environment, attempt escalation of privileges, and exfiltrate data.
Most Vice Society attacks use a PowerShell script to perform activities, such as system discovery, system changes, defence evasion, persistence, data exfiltration, and delivering ransomware payloads. These scripts are staged on a domain controller giving them the authenticated access needed to deliver commands. Stolen credentials for valid accounts also provide this authentication for the attack. Credentials were often harvested through memory dumps, such as through access to the Local Security Authority Server Service (LSASS) dumps. These threat actors used comsvcs.dll to dump the LSASS process memory for access to credentials, and if domain admin level credentials were obtained, they then exfiltrated Active Directory data from a NTDS.dit file for later cracking. Escalation of privileges were also found by the attackers abusing security vulnerabilities such as CVE-2022-24521. This Windows Common Log File System vulnerability was seen abused by attackers in August, despite patches being available since April.
After the attackers had suitable credentials, they perform lateral movement within the network using Remote Desktop Protocol (RDP), and interact with remote parts of the network using Server Message Block (SMB). This was where they would then stage the PowerShell scripts and payloads. Ransomware payloads were also sometimes delivered by legitimate tools, such as Power Admin, which also required the attackers to obtain credentials to make authorised changes. Advanced Port Scanner, Advanced IP Scanner, Windows Management Instrumentation (WMI), vssadmin, and PsExec are other legitimate tools this group are known to have abused in their attack process. On one occasion, Vice Society attempted to disable Antivirus on Microsoft Defender by using registry commands.
Two main tools were used for backdoor access in post-compromised networks: SystemBC and PortStarter. When conducting an attack utilising SystemBC, they used credentials for a domain admin account and a contractor account, which they used to launch their PowerShell script. This triggered to launch of the remote access trojan (RAT), SystemBC, in a session value named “socks”. The other tool, PortStarter, is written in Go, and allows the attackers to modify the firewall settings, including opening ports, and connecting to their C2 (command and control) servers. These backdoors allowed the attackers to use “living off the land” techniques, abusing legitimate tools such as WMI in the process. SystemBC was also used for lateral movement within the network.
Data exfiltration, mostly performed by PowerShell scripts, was executed through searches for target keywords. As the words were often non-specific such as targeting both financial and medical information, it is believed that each attack is not crafted for each victim, but instead one general script exists for targeting all potential victims. The script also contained hardcoded IP addresses that belong to Vice Society. File compression tools were also used in the data exfiltration process, as well as tools such as Rclone and MegaSync that allowed the attackers to upload the data to cloud storage locations.
Steps should be taken by all organisations to mitigate ransomware attacks, as they can be damaging to reputation as well as having the possibility to cause financial and data loss. Keeping all systems and software up to date can protect your data, as attackers will often abuse unpatched systems, especially if details of the vulnerability are released at the time of the patch. Confirming that security configurations are tamper-proof is also a necessary defence to this form of attack. In the case of the attackers attempting to disable the Windows Defender Antivirus, enabling tamper protection would cause their commands to be unsuccessful. The range of targets globally by Vice Society emphasises a need to put cybersecurity first, especially in cases like this where the threat actors target organisations weak security controls for financial gain.