• Initial access was via a password spray attack against an exposed RDP server, targeting numerous accounts over a four-hour period.
• Mimikatz and Nirsoft were used to harvest credentials, with evidence of LSASS memory access.
• Discovery was accomplished using living-off-the-land binaries as well as Advanced IP Scanner and NetScan.
• Rclone was used to exfiltrate data to a remote server using SFTP.
• The threat actor deployed RansomHub ransomware network wide, which spread over SMB and was executed using remote services.

Key Takeaways

• The threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing Confluence server, allowing for remote code execution.
• Using this access, the threat actor executed a consistent sequence of commands (installing AnyDesk, adding admin users, and enabling RDP) multiple times, suggesting the use of automation scripts or a playbook.
• Tools like Mimikatz, ProcessHacker, and Impacket Secretsdump were used to harvest credentials.
• The intrusion culminated in the deployment of ELPACO-team ransomware, a Mimic variant, approximately 62 hours after the initial Confluence exploitation.
• While ransomware was deployed and some event logs were deleted, no significant exfiltration of data was observed during the intrusion.
  This case was featured in our December 2024 DFIR Labs CTF and is available as a lab today here. It was originally published as a Threat Brief to customers in October 2024.

• An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. It contained tools and scripts for reconnaissance, exploitation, lateral movement, and persistence.
• Initial access was gained using compromised SonicWall VPN credentials, while other offensive tools facilitated credential theft, exploitation of Active Directory vulnerabilities, and lateral movement.
• Persistence was maintained through AnyDesk, automated by a PowerShell script that preconfigured remote access credentials.
• Sliver C2 executables were hosted on the server for command-and-control operations, alongside Proxychains tunneling.
• The victims spanned multiple industries, including technology, education, and logistics, across Europe, North America, and South America, highlighting the affiliate’s broad targeting scope.

Key Takeaways The threat actor gained initial access by a fake Zoom installer that used d3f@ckloader and IDAT loader to drop SectopRAT. After nine days of dwell time, the SectopRAT malware dropped …

Key Takeaways The intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, ultimately leading to the deployment of LockBit ransomware across the environment.…

Key Takeaways This intrusion began with the download and execution of a Cobalt Strike beacon that impersonated a Windows Media Configuration Utility. The threat actor used Rclone to exfiltrate data…

• Initial access was via a resume lure as part of a TA4557/FIN6 campaign.
• The threat actor abused LOLbins like ie4uinit.exe and msxsl.exe to run the more_eggs malware.
• Cobalt Strike and python-based C2 Pyramid were employed by the threat actor for post-exploitation activity.
• The threat actor abused CVE-2023-27532 to exploit a Veeam server and facilitate lateral movement and privilege escalation activities.
• The threat actor installed Cloudflared to assist in tunneling RDP traffic.
• This case was first published as a Private Threat Brief for customers in April of 2024.
• Eight new rules were created from this report and added to our Private Detection Ruleset.

• Analysis of an open directory found a Chinese speaking threat actor’s toolkit and history of activity.
• The threat actor displayed extensive scanning and exploitation using WebLogicScan, Vulmap, and Xray, targeting organizations in South Korea, China, Thailand, Taiwan, and Iran.
• The Viper C2 framework was present as well as a Cobalt Strike kit which included TaoWu and Ladon extensions.
• The Leaked LockBit 3 builder was used to create a LockBit payload with a custom ransom note that included reference to a Telegram group which we investigated further in the report.

In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner.
Nitrogen was leveraged to deploy Sliver and Cobalt Strike beacons on the beachhead host and perform further malicious actions. The two post-exploitation frameworks were loaded in memory through Python scripts.
After obtaining initial access and establishing further command and control connections, the threat actor enumerated the compromised network with the use of PowerSploit, SharpHound, and native Windows utilities. Impacket was employed to move laterally, after harvesting domain credentials.
The threat actor deployed an opensource backup tool call Restic on a file server to exfiltrate share data to a remote server.
Eight days after initial access the threat actor modified a privileged user password and deployed BlackCat ransomware across the domain using PsExec to execute a batch script.
Six rules were added to our Private Ruleset related to this intrusion.

• In December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware.
• The threat actor leveraged various tools, including Sharphound, Rubeus, SystemBC, Get-DataInfo.ps1, Cobalt Strike, and ADFind, along with built-in system tools.
• Command and control traffic was proxied through CloudFlare to conceal their Cobalt Strike server.
• Fifteen days after initial access, BlackSuit ransomware was deployed by copying files over SMB to admin shares and executing them through RDP sessions.
• Three rules were added to our private ruleset related to this case.

• In early December of 2023, we discovered an open directory filled with batch scripts, primarily designed for defense evasion and executing command and control payloads. These scripts execute various actions, including disabling antivirus processes and stopping services related to SQL, Hyper-V, security tools, and Exchange servers.
• This report also highlights scripts responsible for erasing backups, wiping event logs, and managing the installation or removal of remote monitoring tools like Atera.
• Our investigation uncovered the use of additional tools, including Ngrok for proxy services, SystemBC, and two well-known command and control frameworks: Sliver and PoshC2.
• The observed servers show long term usage by the threat actors, appearing in The DFIR Report Threat Feeds as far back as September 2023. They have been active intermittently since then, with the most recent activity detected in August 2024.
• Ten new sigma rules were created from this report and added to our private sigma ruleset

Key Takeaways In October 2023, we observed an intrusion that began with a spam campaign, distributing a forked IcedID loader. The threat actor used Impacket’s wmiexec and RDP to install Scree…

• In late August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID.
• IcedID dropped and executed a Cobalt Strike beacon, which was then used through-out the intrusion.
• The threat actor leveraged a bespoke PowerShell tool known as AWScollector to facilitate a range of malicious activities including discovery, lateral movement, data exfiltration, and ransomware deployment.
• Group Policy was used to distribute Cobalt Strike beacons at login to a specific privileged user group.
• The threat actor utilized a suite of tools to support their activities, deploying Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, and AdFind.
• This case had a TTR (time to ransomware) of 29 days.

• In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method.
• After loading IcedID and establishing persistence, there was no further actions, other than beaconing for over 30 days.
• The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server.
• The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.

Key Takeaways More information about Gootloader can be found in the following reports: The DFIR Report, GootloaderSites, Mandiant, Red Canary, & Kroll. An audio version of this report can be … Read More

In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, such … Read More

In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and this report is a continuation of a series of reports uncovering multiple TTPs seen by BumbleBee post exploitation operators.

The intrusion began with the delivery of an ISO file that contained an LNK and a DLL. The threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike Beacons. They then performed reconnaissance, used two different UAC bypass techniques, dumped credentials, escalated privileges using a ZeroLogon exploit, and moved laterally through the environment.

In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. …

In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started ver…