Fake Industrial Control System (ICS) Honeypot

What is the goal of this operation? To attract and trap adversaries targeting ICS environments, exposing their presence, revealing their TTPs, and gathering intelligence on their tools and motives.

What's the approach of this operation or element? This element focuses on collecting adversary activity data within the honeypot environment, detecting their interactions with the decoy ICS components, and analyzing the information to understand their capabilities and intentions.

Description of Element: This active defense element involves deploying a realistic but fake ICS environment within a segregated network segment. The honeypot mimics real-world ICS components such as programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, and human-machine interfaces (HMIs). The environment is designed to lure attackers interested in disrupting or sabotaging critical infrastructure. Segregation is not optional: the decoy must have no route into real control networks, or it becomes a pivot point rather than a trap.
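The PLC side of such a honeypot can be as small as a Modbus/TCP responder that serves reads from a fake register table, refuses writes, and logs every request with its source. The following is an added example written for this page, not code from the original or from any honeypot product; the register values (a pump/tank-style process image) and the choice to answer only function codes 3 and 4 are assumptions for illustration.

```python
"""Minimal Modbus/TCP PLC decoy: answers register reads from a fake process
image, refuses everything else, and logs every request with its source."""
import logging
import socket
import struct
import threading
from typing import Optional

# Constructed fake process image: run state, RPM, temp, pressure, level %, alarm
HOLDING_REGISTERS = [1, 4500, 72, 1013, 25, 0] + [0] * 94

EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02
EXC_ILLEGAL_DATA_VALUE = 0x03


def handle_pdu(pdu: bytes) -> bytes:
    """Build the response PDU for one request PDU (function code + data)."""
    fc = pdu[0]
    if fc in (0x03, 0x04):                       # Read Holding / Input Registers
        if len(pdu) != 5:
            return bytes([fc | 0x80, EXC_ILLEGAL_DATA_VALUE])
        start, qty = struct.unpack(">HH", pdu[1:5])
        if not 1 <= qty <= 125:                  # spec limit per request
            return bytes([fc | 0x80, EXC_ILLEGAL_DATA_VALUE])
        if start + qty > len(HOLDING_REGISTERS):
            return bytes([fc | 0x80, EXC_ILLEGAL_DATA_ADDRESS])
        values = HOLDING_REGISTERS[start:start + qty]
        return bytes([fc, 2 * qty]) + struct.pack(">%dH" % qty, *values)
    # Writes, diagnostics, device identification: refused, but the log keeps the attempt
    return bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION])


def handle_frame(frame: bytes, peer: str = "test") -> Optional[bytes]:
    """Parse one Modbus/TCP ADU (MBAP header + PDU), log it, return the response ADU."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or not 2 <= length <= 254:     # length counts unit id + PDU
        return None
    pdu = frame[7:7 + length - 1]
    if not pdu:
        return None
    logging.warning("modbus peer=%s tid=%d unit=%d fc=0x%02x data=%s",
                    peer, tid, unit, pdu[0], pdu[1:].hex())
    resp = handle_pdu(pdu)
    return struct.pack(">HHHB", tid, 0, len(resp) + 1, unit) + resp


def _recv_exact(conn: socket.socket, n: int) -> Optional[bytes]:
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def _serve_client(conn: socket.socket, peer: str) -> None:
    with conn:
        while True:
            header = _recv_exact(conn, 7)
            if header is None:
                return
            length = struct.unpack(">H", header[4:6])[0]
            body = _recv_exact(conn, max(length - 1, 0))
            if body is None:
                return
            resp = handle_frame(header + body, peer)
            if resp is None:
                return                            # malformed frame: drop the connection
            conn.sendall(resp)


def serve(host: str = "0.0.0.0", port: int = 502) -> None:
    """Listen on the standard Modbus port (binding 502 needs privilege) and serve clients."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=_serve_client, args=(conn, "%s:%d" % addr), daemon=True).start()


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(asctime)s %(message)s")
    serve()
```

Every connection to the decoy is suspicious by definition, so the log line itself is the alert; a write attempt (function code 6 or 16) or a scan across the register map is the higher-severity signal.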

Deceptive SMB Share with False Credentials

What is the goal of this operation? To lure attackers into interacting with a deceptive SMB share, exposing their presence and gathering intelligence on their tools, techniques, and procedures (TTPs).

What's the approach of this operation or element? This element focuses on collecting information about attackers who interact with the deceptive share, detecting their presence and activities, and analyzing the gathered data to understand their TTPs and motivations.

Description of Element:

This active defense element involves setting up a deceptive SMB share on a dedicated Windows host within the network. The share is configured to appear as a legitimate network backup or file share and contains enticing files and documents (pocket litter) such as “password.txt” or “confidential_reports.xlsx”. These files hold false information or are instrumented to trigger alerts upon access. Because no legitimate user has a reason to touch the share, object-access auditing on it (Security Event ID 5145 for share access, 4663 for file handles on the host) gives a clean alert trail once backup and scanning accounts are excluded.


Honeyfile with Canary Token

What is the goal of this operation? To detect and track unauthorized access attempts, gather intelligence on attacker behavior, and potentially disrupt their operations.

What's the approach of this operation or element? This element aims to deceive and lure attackers, providing an opportunity to observe their actions and collect valuable intelligence.

Description of Element: This active defense element involves creating a decoy file (honeyfile) embedded with a canary token. The token acts as a tripwire, alerting defenders when the file is opened or rendered, typically by causing the viewing application to fetch a unique URL. The honeyfile is strategically placed within the network or system, disguised to appear as legitimate and valuable data. A callback-style token fires only when the file is opened; an attacker who copies the whole share without opening anything is caught only if object-access auditing on the file or share is enabled as well.
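The detection side of both the deceptive share and the honeyfile comes down to two rules: alert on any non-allowlisted principal touching a decoy object in the Windows Security log (Event ID 4663 needs an audit SACL on the file and "Audit File System" enabled; 5145 needs "Audit Detailed File Share"), and alert on any web request carrying the canary token. The following is an added example for this page, not code from the original; the share name, decoy file names, token value, allowlisted account, and the sample events and access-log lines are all constructed for illustration.

```python
"""Alert on access to the deceptive share and the honeyfile from two sources:
Windows Security audit events (4663 file access, 5145 share access) and
canary-token callbacks in a web server access log. Events and log lines
below are constructed samples, not a real export."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Decoy inventory (assumed names: match what you actually deploy)
DECOY_SHARE = "\\\\*\\Backups"                # ShareName as Windows logs it in 5145
DECOY_FILES = {"password.txt", "confidential_reports.xlsx"}
CANARY_TOKEN = "b3f1c9e2d7a84f5e"             # assumed token baked into the honeyfile's URL
ALLOWLIST_ACCOUNTS = {"svc_backup"}           # the only principal allowed to touch the decoys (assumed)


@dataclass
class Alert:
    source: str     # "4663", "5145" or "canary"
    actor: str      # account or client IP
    target: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_audit_events(events: Iterable[Dict[str, object]]) -> List[Alert]:
    """Apply the decoy-access rules to EventData dicts from Security events."""
    alerts = []
    for ev in events:
        user = str(ev.get("SubjectUserName", ""))
        if user in ALLOWLIST_ACCOUNTS:
            continue
        if ev.get("EventID") == 4663 and _basename(str(ev.get("ObjectName", ""))) in DECOY_FILES:
            alerts.append(Alert("4663", user, str(ev["ObjectName"]),
                                "opened via %s (mask %s)" % (ev.get("ProcessName"), ev.get("AccessMask"))))
        elif ev.get("EventID") == 5145:
            target = str(ev.get("RelativeTargetName", ""))
            if ev.get("ShareName") == DECOY_SHARE or _basename(target) in DECOY_FILES:
                alerts.append(Alert("5145", user, "%s\\%s" % (ev.get("ShareName"), target),
                                    "from %s (mask %s)" % (ev.get("IpAddress"), ev.get("AccessMask"))))
    return alerts


# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')


def check_canary_hits(lines: Iterable[str]) -> List[Alert]:
    """Flag requests whose path carries the canary token: the honeyfile was opened somewhere."""
    alerts = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m and CANARY_TOKEN in m.group(4):
            ip, when, method, path, status, ua = m.groups()
            alerts.append(Alert("canary", ip, path, "%s at %s, UA=%s" % (method, when, ua)))
    return alerts


# Constructed samples: a backup job (benign), an interactive user opening the honeyfile,
# the same user reaching the decoy share over SMB, and an unrelated share access.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "svc_backup", "ObjectName": "D:\\Backups\\password.txt",
     "ProcessName": "C:\\Windows\\System32\\Robocopy.exe", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectName": "D:\\Backups\\password.txt",
     "ProcessName": "C:\\Windows\\System32\\notepad.exe", "AccessMask": "0x1"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": "\\\\*\\Backups",
     "RelativeTargetName": "confidential_reports.xlsx", "IpAddress": "10.10.5.23", "AccessMask": "0x120089"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": "\\\\*\\Public",
     "RelativeTargetName": "readme.txt", "IpAddress": "10.10.5.23", "AccessMask": "0x120089"},
]
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [12/Nov/2024:10:14:03 +0000] "GET /img/b3f1c9e2d7a84f5e.png HTTP/1.1" 200 68 "-" "Microsoft Office/16.0"',
    '198.51.100.9 - - [12/Nov/2024:10:15:41 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in check_audit_events(SAMPLE_EVENTS) + check_canary_hits(SAMPLE_ACCESS_LOG):
        print(alert)
```

The allowlist is the part to get right: the backup job and the AV engine will open the pocket litter on schedule, and if those hits are not excluded the decoy trains the SOC to ignore its own alerts.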


To MFA or Not To MFA: How Multi-factor Authentication Saves the SMB

  • Credential Theft: Attackers exploit weak or reused passwords to gain access to accounts without MFA. This can be done through brute forcing, password spraying, or credential stuffing attacks.
  • Session Hijacking: Attackers steal session tokens to bypass MFA. This can be done through adversary-in-the-middle (AiTM) attacks or by obtaining tokens from breaches and credential dumps.

Phishing by Design – Two-Step Attacks Using Microsoft Visio Files

  • Initial Access: Attackers compromise a legitimate email account and send phishing emails containing a malicious URL, either directly in the email body or within an attached .eml file. The email often impersonates a trusted entity and may include branding to appear legitimate. The URL leads to a compromised SharePoint page hosting a weaponized Visio (.vsdx) file.
  • Execution: The Visio file contains a malicious URL hidden behind a clickable element, such as a “View Document” button. Victims are instructed to hold down the Ctrl key while clicking the element to follow the URL; automated scanners and sandboxes that simply open the file do not reproduce that gesture, so the link goes unfollowed. The URL redirects the victim to a fake Microsoft login page that steals credentials.
  • Persistence (Implied): Although not explicitly described in the report, attackers likely leverage the stolen credentials for persistent access to the victim’s environment. This may involve establishing backdoors, creating new accounts, or modifying existing ones.
  • Command and Control: After gaining access, attackers likely establish a command-and-control (C2) channel using application layer protocols such as HTTP to communicate with the compromised system, issue commands, and manage the attack.
  • Exfiltration: Attackers exfiltrate sensitive data from the victim’s environment over the established C2 channel.
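A .vsdx file is an OPC package (a zip of XML parts), so the hyperlink behind a “View Document” button can be pulled out and checked without opening the file in Visio. The following is an added example for this page, not code from the original report: it scans every page part for Hyperlink sections and every .rels part for external targets, and flags destinations outside an allowlist or whose visible label names a different site than the real target. The part path `visio/pages/pageN.xml`, the Visio 2012 namespace and the `Hyperlink`/`Address`/`Description` cell names follow the Visio XML schema as the editor understands it and should be verified against a real file; the trusted-host list and the sample document are constructed.

```python
"""Scan a Visio .vsdx for hyperlinks that leave the document, to catch the
Ctrl+click 'View Document' lure. The sample .vsdx is built in memory with
only the part the scanner reads; it is not a file from the campaign."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET   # for untrusted input in production, prefer defusedxml
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

VISIO_NS = "http://schemas.microsoft.com/office/visio/2012/main"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TRUSTED_HOSTS = {"sharepoint.com", "microsoft.com"}   # assumed allowlist; adjust per tenant


@dataclass
class Finding:
    part: str
    label: str
    url: str
    reason: str


def _suspicious(url: str, label: str) -> List[str]:
    """Reasons a link is worth a look: bad scheme, unknown host, or a misleading label."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        reasons.append("non-http scheme %r" % parsed.scheme)
    elif not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
        reasons.append("host %s not in allowlist" % host)
    shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", label.lower())
    if shown and shown.group(0) != host and not host.endswith(shown.group(0)):
        reasons.append("label names %s but link goes to %s" % (shown.group(0), host))
    return reasons


def scan_vsdx(data: bytes) -> List[Finding]:
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"visio/pages/page\d+\.xml", name):
                root = ET.fromstring(zf.read(name))
                for section in root.iter("{%s}Section" % VISIO_NS):
                    if section.get("N") != "Hyperlink":
                        continue
                    for row in section.iter("{%s}Row" % VISIO_NS):
                        cells = {c.get("N"): c.get("V", "") for c in row.iter("{%s}Cell" % VISIO_NS)}
                        url = cells.get("Address", "")
                        if not url:
                            continue
                        label = cells.get("Description", "")
                        for reason in _suspicious(url, label):
                            findings.append(Finding(name, label, url, reason))
            elif name.endswith(".rels"):
                # External relationships (linked pictures, templates) also fetch on open
                root = ET.fromstring(zf.read(name))
                for rel in root.iter("{%s}Relationship" % RELS_NS):
                    if rel.get("TargetMode") == "External":
                        target = rel.get("Target", "")
                        for reason in _suspicious(target, ""):
                            findings.append(Finding(name, rel.get("Type", ""), target, reason))
    return findings


def build_sample_vsdx() -> bytes:
    """Constructed .vsdx with one lure link and one legitimate SharePoint link."""
    page = """<?xml version="1.0" encoding="utf-8"?>
<PageContents xmlns="%s"><Shapes>
  <Shape ID="1" Type="Shape"><Section N="Hyperlink"><Row N="Row_1">
    <Cell N="Description" V="View Document"/>
    <Cell N="Address" V="https://login-microsoftonline.example.net/auth"/>
  </Row></Section></Shape>
  <Shape ID="2" Type="Shape"><Section N="Hyperlink"><Row N="Row_1">
    <Cell N="Description" V="Q3 report"/>
    <Cell N="Address" V="https://contoso.sharepoint.com/sites/finance/Q3.pdf"/>
  </Row></Section></Shape>
</Shapes></PageContents>""" % VISIO_NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("visio/pages/page1.xml", page)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_vsdx(build_sample_vsdx()):
        print("%s: %r -> %s (%s)" % (f.part, f.label, f.url, f.reason))
```

Run the same scanner over the .eml attachment and the SharePoint-hosted file at the mail gateway; the Ctrl+click instruction defeats sandboxes that rely on clicking, not a static pass over the package.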

Harnessing Chisel for Covert Operations

The attacker uses Chisel, a tunneling tool, to establish a covert communication channel to the C2 server over HTTP. Because the tunnel rides on ordinary-looking web traffic, it can pass firewalls and controls tuned to recognize more conventional C2 protocols.

It’s Not Safe To Pay SafePay

The threat actor began by disabling Windows Defender’s real-time protection and automatic sample submission. They then enumerated network shares with a PowerShell script. Sensitive data was collected and archived with WinRAR. Next, they used a UAC bypass technique based on COM objects to gain elevated privileges. Finally, the SafePay ransomware was deployed to encrypt files on the target system.

DONOT APT’s Attack on Maritime & Defense Manufacturing

  • Technique: Spearphishing Attachment (T1566.001)
  • Procedure: DONOT APT used spearphishing emails with malicious attachments, likely exploiting Microsoft Office vulnerabilities (e.g., CVE-2017-11882) to deliver the initial payload. These emails were likely tailored to individuals working in Pakistan’s maritime and defense sector.
  • Technique: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
  • Procedure: Upon successful exploitation of the vulnerability, the malicious attachment executes a Windows Command Shell command to launch the next stage of the attack.
  • Technique: Scheduled Task/Job: Scheduled Task (T1053.005)
  • Procedure: The malware creates a scheduled task named “Schedule” to execute the malicious DLL payload via rundll32.exe every 5 minutes. This ensures the malware’s persistence on the compromised system.
  • Technique: Application Layer Protocol: HTTP (T1071.001)
  • Procedure: The malware communicates with its command-and-control (C2) server using HTTP for receiving commands and exfiltrating data.
  • Technique: Exfiltration Over C2 Channel (T1041)
  • Procedure: Sensitive data stolen from the victim’s system is likely exfiltrated to the attacker’s C2 server over the established HTTP communication channel.

Tropic Trooper – Campaign

Tropic Trooper employs a multi-stage attack flow:

  1. Initial Access: Exploiting vulnerabilities in public-facing applications (like Microsoft Exchange Server) or through spearphishing emails with malicious attachments.
  2. Persistence: Establishing persistent access using web shells (such as “ByPassGodzilla” and “China Chopper”) and malware (such as “Yahoyah”).
  3. Privilege Escalation: Utilizing DLL side-loading and exploiting system services to gain higher privileges.
  4. Lateral Movement: Moving laterally within the network using SMB shares and remote services.
  5. Data Exfiltration: Exfiltrating data to cloud storage or using other automated methods.