Executive Summary The contemporary cybersecurity landscape is defined by a persistent and escalating challenge: the sophisticated adversary. Advanced Persistent Threats (APTs) and organized cybercriminal syndicates now routinely employ adaptive tactics, techniques, and procedures (TTPs) that […]
Tag: Engage
Sea Turtle – Engagement
The Sea Turtle threat actor compromised legitimate cPanel accounts, potentially through brute force attacks or credential stuffing, to gain initial access to target systems. This allowed them to establish a foothold and conduct further malicious activities within the victim’s IT infrastructure.
Deceptive SMB Share with False Credentials
What is the goal of this operation: To lure attackers into interacting with a deceptive SMB share, exposing their presence and gathering intelligence on their tools, techniques, and procedures (TTPs).
What's the approach of this operation or element? This element focuses on collecting information about attackers who interact with the deceptive share, detecting their presence and activities, and analyzing the gathered data to understand their TTPs and motivations.
Description of Element:
This active defense element involves setting up a deceptive SMB share on a dedicated Windows host within the network. The share is configured to appear as a legitimate network backup or file share, containing enticing files and documents (pocket litter) like “password.txt” or “confidential_reports.xlsx”. However, these files contain false information or are instrumented to trigger alerts upon access.
Honeyfile with Canary Token
What is the goal of this operation: To detect and track unauthorized access attempts, gather intelligence on attacker behavior, and potentially disrupt their operations.
What's the approach of this operation or element? This element aims to deceive and lure attackers, providing an opportunity to observe their actions and collect valuable intelligence.
Description of Element: This active defense element involves creating a decoy file (honeyfile) embedded with a canary token. This token acts as a tripwire, alerting defenders when the file is accessed or interacted with. The honeyfile is strategically placed within the network or system, disguised to appear as legitimate and valuable data.
Harnessing Chisel for Covert Operations
The attacker utilizes Chisel, a tunneling tool, to establish a covert communication channel with the C2 server over HTTP. This allows them to bypass firewalls and security measures that might detect traditional C2 traffic.
It’s Not Safe To Pay SafePay
The threat actor initiated the attack by disabling Windows Defender’s real-time protection and automatic file submission. They then proceeded to discover network shares using a PowerShell script. Sensitive data was collected and archived using WinRAR. Subsequently, they employed a UAC bypass technique involving COM objects to gain elevated privileges. Finally, the SafePay ransomware was deployed to encrypt files on the target system.
DONOT APT’s Attack on Maritime & Defense Manufacturing
- Technique: Spearphishing Attachment (T1566.001)
- Procedure: DONOT APT used spearphishing emails with malicious attachments, likely exploiting Microsoft Office vulnerabilities (e.g., CVE-2017-11882) to deliver the initial payload. These emails were likely tailored to individuals working in Pakistan’s maritime and defense sector.
- Technique: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
- Procedure: Upon successful exploitation of the vulnerability, the malicious attachment executes a Windows Command Shell command to launch the next stage of the attack.
- Technique: Scheduled Task/Job: Scheduled Task (T1053.005)
- Procedure: The malware creates a scheduled task named “Schedule” to execute the malicious DLL payload via rundll32.exe every 5 minutes. This ensures the malware’s persistence on the compromised system.
- Technique: Application Layer Protocol: HTTP (T1071.001)
- Procedure: The malware communicates with its command-and-control (C2) server using HTTP for receiving commands and exfiltrating data.
- Technique: Exfiltration Over C2 Channel (T1041)
- Procedure: Sensitive data stolen from the victim’s system is likely exfiltrated to the attacker’s C2 server over the established HTTP communication channel.