Special Report - Quadrant Security
Quadrant Information Security Introduction
In this Special Report, we’re talking to two folks from Quadrant Information Security: CTO Champ Clark III and Threat Analyst Steven Drenning-Blalock. We feel the research done by Quadrant is important to share as it helps the industry as a whole, and we’re excited to talk about it on the podcast. For additional information regarding Quadrant’s findings, we encourage you to check out their case study.
To begin, Quadrant Information Security as an organization focuses on Managed Detection and Response (MDR), helping monitor clients’ networks, performing mitigation, and Incident Response (IR) and containment.
Champ Clark grew up in the computer industry and has been interested in security for decades. Steven Drenning-Blalock fell in love with security later and actually veered from a psychology path, which you could argue comes in handy when hunting threat actors.
Third Party Compromise by Black Basta
Champ, Steven, and their team at Quadrant recently worked through a client breach that began with a third party compromise via a targeted spear phishing campaign. Quadrant believes this attack was carried out by Black Basta, a relatively new ransomware-as-a-service group suspected to be composed of seasoned ransomware authors such as from the now inactive Conti team. We at DomainTools have been discussing supply chain attacks and the topic was highlighted in the SANS 2022 Top New Attacks and Threat Report, so it’s definitely something to continue to keep an eye on as we head into 2023.
What’s unique about this campaign was the attack started in the middle of an ongoing email chain. The bad actors attached an ISO file that contained QakBot malware, which is a handy tool which creates a backdoor calling to Command and Control (C2) servers. They were later able to download a second state, which was determined to be Brute Ratel with an IP address from Russia. It’s at this point things went sideways.
Time is of the Essence
There was an estimated 30 hour-dwell time for the malicious actors as they got the lay of the land and at this point, they began to exfiltrate (exfil) the data. However, within 2 seconds of the transfer, Quadrant was able to detect an alert and then several minutes after that, they were on the phone with the client.
The interesting part of the story at this point is the alert related to FTP overflow, and the analyst looking at it realized the data in the payload was suspicious and it was going to an IP in Miami. What really helped get mitigation into gear was a bad gut feeling quickly shared with a client that understood the gravity of the situation.
At this point in the story, the bad actors aren’t aware that Quadrant Security is aware of the situation. They are exfiltrating the data, but nothing has been encrypted at this point. Quadrant did see something being transferred which was clientname_s.exe, which was later determined to be the Black Basta ransomware package itself.
Quadrant Security uses clipboard logging, primarily on servers. They saw some traffic going to some strange places and as luck would have it, they saw they used the client’s infrastructure and would then Black Basta would log back into their own infrastructure.
They also began to notice comments written in Russian as well as the _s.exe-bomb which felt like things were beginning to escalate.
What Happened Next?
You might be on the edge of your seat at this point, but Champ and Steven tell the story best, so please tune into the podcast for their full color-commentary on the resolution with Black Basta. What we can share here in our show notes is the importance of those involved being on the same page and understanding of the severity of the situation. From the initial phish to 56 hours later, Quadrant Security and their client operated on very little sleep, but were able to work together to make quick decisions.
Gold, Guidance, and Grievances
We play a few games on Breaking Badness including the perennial favorite, Two Truths and a Lie, but lately we’ve been enjoying going through rounds of Gold, Guidance, and Grievances. A big thank you to Champ and Steven for joining us on the podcast this week – be sure to listen to the full episode to hear what they’re most excited about right now in Infosec, advice they have for practitioners, and their current gripes.
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!