Deceptive DNS Responses

Goal: Redirect attacker traffic to a controlled environment by providing deceptive DNS responses.

Approach: Manipulating DNS resolution to redirect traffic.

This element intercepts DNS requests for known malicious domains and returns a deceptive IP address, leading attackers to a honeypot or sinkhole.

Hunting the Emperor – Engage Game of Emperor

Earth Estries exploited vulnerabilities in public-facing servers, such as CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN, and CVE-2022-3236 in Sophos Firewall, to gain initial access. They then used web shells like GHOSTSPIDER and SNAPPYBEE for persistence and command and control, allowing them to maintain long-term access to the victim’s network.

Game of Emperor

The threat actor has gained initial access and is utilizing various defense evasion techniques to avoid detection while establishing persistence and maintaining control.

Bootkitty – UEFI Bootkit for Linux

Bootkitty is a UEFI bootkit that is executed early in the boot process, before the operating system is loaded. It installs hooks to intercept and modify the normal boot process, allowing it to persist even if the operating system is reinstalled or updated. The bootkit specifically targets the GRUB bootloader and the Linux kernel, patching them in memory to disable security checks and load malicious code.

Brute Forcing Hunt 4 Hunt

The threat actor will use brute force and password spraying to target multiple accounts until one is successfully compromised. Once in, the threat actor will attempt to gather credentials and other information about the network to sell.

Brute Force from Iran to Critical Infrastructure

The threat actors obtain valid user and group email accounts, often through brute force methods like password spraying [T1110.003], to gain initial access to the target’s network.

Nsocks Botnet Activity

The Nsocks botnet leverages vulnerabilities in specific Internet-facing applications, such as VMware Horizon servers with a known critical vulnerability (CVE-2021-21972). Once compromised, the attacker uses a custom protocol over TCP for command and control (C2) communication. This protocol carries various commands to manage the botnet, including downloading and executing files, launching DDoS attacks, and stealing credentials.

WMI Event Deception

Goal: Disrupt attacker activity by generating deceptive WMI events.

Approach: Generating fake WMI events to confuse attackers.

This element generates deceptive WMI events that mimic legitimate system activity but contain false information. This can confuse attackers and disrupt their reconnaissance or lateral movement efforts.

API Hooking for Credential Theft Detection

Goal: Detect attempts to steal credentials by hooking API calls related to credential management.

Approach: Monitoring API calls for suspicious activity.

This element hooks API calls related to credential management, such as CredEnumerate or LogonUser. When a suspicious call is detected, the element can log the event, alert security personnel, or even inject a deceptive credential.

Deceptive Named Pipe Server

Goal: Detect attempts to communicate with known malicious named pipes.

Approach: Monitoring for connections to deceptive named pipes.

This element creates a named pipe with a name commonly used by malware. When malware attempts to connect, the deceptive server captures information about the malware and can optionally deliver a deceptive payload.