The Equinix Attack: Understanding Ransomware Behaviour

According to the United State’s Cybersecurity and Infrastructure Security Agency (CISA), the number of ransomware attacks around the world has increased, and the Computer Emergency Response Team (US-CERT) states that this sort of breach hits a target every 14 seconds.

As stated in the above September 9, 2020 status report, Equinix was internally compromised with ransomware. To provide some context, we’re talking about an American multinational company that holds multiple data centers in the Americas, Europe and Asia, with an increasing-over-the-years NASDAQ stock value.

And to show you just how big this company’s digital fingerprint is, we sought an overview of their assets by entering the domain name equinix.com into SurfaceBrowser™. The output looked like this:

But as you may know, they’re not the only large business being targeted. There’s a huge economy behind ransomware that makes these activities very profitable for criminals. Usually, everything starts with an in-depth malicious asset discovery.

The Equinix attack

According to an unknown source that reported to BleepingComputer, this attack was perpetrated by the infamous Netwalker ransomware.

Despite this claim, we haven’t found any official statements about it. The source also shared that there was a message sent to Equinix with the usual ransom note as well as a screenshot listing the stolen assets.

Source: BleepingComputer.com

The more sound theory regarding the possible entry point of this attack states that there were multiple remote desktop protocol (RDP) instances running at the time. There’s even a test in the previously mentioned blog post that shows multiple listening RDP servers within Equinix’s different public IP spaces.

While we’ll confirm this in a few moments, it’s still hard to say that this was the actual attack vector used by the ransomware creators. We’ll show you why, by giving you some information to analyze so you can draw your own conclusions.

To analyze Equinix’s digital assets, we can extract the whole set of autonomous systems (ASN) by doing an ASN lookup filtered by the company’s name. Below you’ll see the list of all registered ASN at the different regional internet registries (RIR’s).

Taking for granted that the actual description is correct (as this could be forged in case they’re trying to obscure something), the amount of ASNs and total number of IP range sizes they advertised makes the quest for internal-only IP ranges quite difficult when the actual customer space is so large.

For this you’ll need to rely on certain additional characteristics such as reverse DNS (rDNS) records, DNS records holding names that give clues about internal border-ish infrastructure, and the like; the vector we found is, at the very least, tricky.

Despite all this, we’re linking related information from a past blog, in case you want to know more about how to find IP addresses owned by a company.

Now we’re using SurfaceBrowser™ again—to find not only the company’s IP space but also those addresses that have actually been seen with the TCP/3389 port open (which corresponds to the standard Microsoft RDP port).

In this SQL Explorer query, we’re doing the following:

Getting all IP addresses, hostnames pointing to those IP addresses, reverse pointer records that these IP addresses point to plus the correspondent ASN that’s announcing them

Getting all IP addresses that match “Equinix, Inc.” as the nominated ASN Owner

Getting all IP addresses with a history of opened TCP ports number 3389 (RDP default port)

Results as follows:

As you can see, multiple results match the mentioned criteria. Yet it’s quite probable that this is the way they were entered (although a piece of this puzzle remains unseen).

To help us dig a little deeper, let’s cover a few basics on what ransomware is, how it operates and how to deal with such attacks if you ever find yourself compromised.

The ransomware ecosystem

While ransomware attacks are nothing new, their increasing number of high-level targets being compromised is startling. Ransomware-as-a-service (RaaS) has become something of a buzzword. Additionally, the use of cryptocurrencies like Bitcoin (BTC), Monero (XMR), and others to demand ransom payment makes it even easier for deceivers to collect their bounty anonymously.

This image shows different BTC wallets belonging to deceived users who pay the ransom as well as the temporary wallets that are used to join their balance into one or several BTC deposits, labeled as ransom wallets.

Those ransom wallets are the last store place for the bitcoins before being transferred to the cash-out wallets owned by somebody acting as a money exchange, who in turn gives the criminals the actual paper money using a traditional method (such as a hand-over).

Common ransomware attack vectors

Ransomware doesn’t enter the target’s infrastructure by itself. Attackers use different techniques to put the necessary payloads in place that will encrypt all files and maintain control of the different operating systems and assets needed. Usually, they’re carried out by other kinds of malware that exploit the host system in different ways.

Here is a summary of the most commonly found attack vectors used by ransomware creators and users.

How targets get attacked

Despite the malware variant, it seems that three major attack vectors are entry points for malware to start building the ransomware needed-for-work environment:

Computers with remote desktop services enabled, directly connected to the internet. While this could be considered a bad practice from a security standpoint, it’s not, in itself, a reason for compromise. RDP services like MS-Remote-Desktop, VNC, and others are known to have had remotely exploitable vulnerabilities, but the main reason behind these attacks is the use of weak username and password combinations.

E-mail phishing campaigns. This technique is widespread, and with the use of tools such as the Gophish phishing framework, it’s easier than ever to send fake emails with all sorts of different malicious payloads that infect users and allow remote connections to their systems.

Software vulnerabilities. While seemingly obvious, this is a common entry point attack technique and provides a post-compromise lateral-movement platform. Despite its being such a well-known offensive activity, it’s rather hard to protect—especially when hacker teams behaving as advanced persistent threats (APT) are constantly looking for vulnerabilities in the infrastructure’s running software.

These perpetrators often conduct an unauthorized attack surface analysis to determine the weakest service to exploit. If no such service has a known vulnerability that can be abused, then it’s common practice to conduct research and find a new one. Once that’s found, and nobody knows about it, the attackers have in their hands what is commonly known as a 0-day vulnerability or exploit.

We have backups and antivirus, we’re good

Despite this common belief, ransomware malware goes after backups to compromise them as well. It does so by encrypting them, or by deleting all historical registries so you’re unable to recover easily.

An example of this is the case of the Ryuk ransomware, within the running binary (once disassembled) is a set of commands that specifically targets Windows shadow copies.

Other types of mitigation capabilities that these kinds of malware and their variations have built-in are:

Rate-limiting of activities (CPU and network usage) to appear as stealth as possible to the user

Changing the executable name to avoid being discovered by users, in case they or an application are looking into the process manager

Automatic removal from the operating system to delete all traces of the encryption process from memory (files, used keys, etc)

Stopping of different processes that could be associated with antivirus or antimalware software deployed on the system

Installing of specially crafted software to maintain remote control over the OS

As you can see, there are multiple layers of tasks that these programs run to avoid being detected, allowing them to stay in control of systems once their deployment is complete.

Netwalker inner workings

Netwalker, like other ransomware of similar behavior and complexity, take advantage of different entry points to conquer the victim’s infrastructure. The image below explains in greater detail three different ways to get inside a network that we’ve previously mentioned:

Source: McAfee

Of course, it’s hard to tell how the Equinix attack happened without a lot of information. Maybe the attackers found an actual RDP instance of the company’s internal equipment, or maybe they exploited a service such, as a vulnerable VPN gateway, and then took over RDP.

Spear-phishing (especially since the Twitter attack) is one strong candidate, at least as the first initial contact used to uncover the company’s internal IP space and its corresponding public gateway’s IP addresses.

Once that IP range is discovered, further exploration for critical ports and assets seems likely.

Okay, “We’re compromised.” What do we do now? Is it all lost?

Decrypting ransomware

Let’s assume a scenario where you’ve been compromised by a ransomware malware. What do you do next? Here are some generally recommended steps:

Disconnect the system from the network - If possible, unplug the system from the network (without shutting down the operating system). This could be helpful, as these types of attacks commonly have some persistence mechanism in place that not only allows for reinfection of the OS but also serves as a lateral-movement platform to compromise neighboring systems through a covert channel.

Clean your system first - Getting rid of all malware before attempting any kind of data recovery is paramount. Otherwise, you risk being compromised again with the same ransomware that got you compromised in the first place.

Check the state of your backups - There’s no point in trying to get your information decrypted if your backup sets are in good shape and recoverable in an acceptable time frame.

Identify which malware variant encrypted your files - There are multiple versions of ransomware out there, and depending on which one you’re facing you may be able to decrypt your files after the system has been cleaned (preferably in a different box).

Considering the type of ransomware that infected you, there are a few malware variants that hold encryption keys within the memory. This is why avoiding to shutdown your system and conducting a memory dump may actually shed some light into the process. This is particularly true if the executable didn’t delete all of its memory traces and files.

Below are some resources that may provide help with the aforementioned tasks.

Identifying the ransomware

There are several resources that can help identify the kind of malware that encrypted your data, and not all websites have the same amount of tools for the same ransomware. Getting the right software for the job is what these sites are all about:

ID Ransomware No More Ransom - Crypto Sheriff

These services allow you to search using different methods, such as the note the ransomware left behind in your system, the extension name of the encrypted files, the BTC or XMR wallet address, or even the actual encrypted file itself where there could be any identifiable header.

Once the malware has been identified, we can check to see if we’re lucky enough to find a decryption tool that helps us.

Getting the specific decryption software

Not all ransomware variants have a companion decryption tool. This depends entirely on the companies and individuals who create them and publish them online. Some available resources are:

No More Ransom - Decryption Tools Kaspersky - No Ransom EMSISOFT Decryptor

In most cases, you’ll need your ransomware ID name. A link to download the tool will then be provided as shown:

It’s highly important to follow every step recommended by the software creators to achieve success and avoid creating further issues.

How could Equinix have prevented this issue from happening?

As you’ve seen, it’s difficult to tell how the attack actually happened without an official statement, but we can recommend you do the following:

Deploy network isolation policies - Micro-segmentation for services, zero-trust networking, use of VLAN’s or VXLAN’s, you name it. Whatever the desired source of network security, the best practices for the job always maintain a least-privilege approach.

Remove internal public-facing services - In case you need to use services for remotely controlled operating systems, it’s a good idea to connect to them only by using a secure connection. Encrypted tunnels such as SSH-VPNs, SSL-VPN, or other options such as IPSEC are a good option to securely access internal devices.

Implement extrusion controls - For cases like the “phishing followed by public IP leaking” theory we discussed, detecting unsolicited network extrusions is a way to discover possible breaches in the infrastructure. Whether it’s by an already exploited system doing a reverse connection to spawn a shell or a covert channel trying to establish a C&C to execute commands locally, detecting this sort of traffic early is of great help.

Train employees to reduce the “human error” factor - Education is of great importance to avoid being compromised. Cover topics including the use of hard and secure passwords, early fake-message detection, infrastructure patching, and secure-by-design service engineering.

Unfortunately, despite all of these recommendations, we know that being safe isn’t always easy. Security events will happen—even when you’re constantly hunting for your own bugs.

Are these attacks over?

That’s hard to tell. While not ransomware related, by using SurfaceBrowser™ we found that there are multiple IP’s with several peculiarities such as BGP (TCP/179) among other open ports. This could be from several different services such as organization routers, customer’s routers, honeypots, etc.

By changing the port in our last SQL query, we find several targets within their IP space that apparently don’t belong to Equinix itself.

Our findings show several IPs that are active listening to TCP/179. Other checks may include VNC ports, or any other service port that may lead to the compromise of an internal (or customer’s) device.

Some other targets get really interesting with over 200 open ports behind the IP address. Probably a honeypot?

These, among other possible attack vectors, can be discovered by looking at the digital space in an effort to conduct attack surface reduction, whether for your customers or for yourself.

Summary

Ransomware attacks are globally spread, having begun as a maneuver to compromise users and steal money from them but then evolved into an entire economic ecosystem—one that has empowered cybercriminals to seek bigger and more powerful targets.

As we’ve seen, the most common attack vectors for this kind of malware are once again the ones that involve the human element, such as phishing, weak password usage, stolen credentials, and the like.

Now more than ever, business continuity depends not only on having all your services up and running properly but also on implementing multiple layers of protection along with the constant analysis of possible attack surfaces that the live infrastructure leaves open.