C.A.S actors gain initial access by exploiting public-facing applications, establish persistence, escalate privileges, and use a range of tools and techniques to achieve their objectives, including data exfiltration, encryption, and destruction.
Tag: T1003 (OS Credential Dumping)
China attacks U.S. Companies
The attackers leveraged WMI (Windows Management Instrumentation), Microsoft's built-in management interface, driven from the command line to execute commands on a remote computer, indicating possible exploitation of external remote services to gain initial access to the network.
Exploitation of Firefox and Windows zero-day vulnerabilities
The RomCom threat actors are actively exploiting Firefox and Windows zero-day vulnerabilities to compromise systems, escalate privileges, establish persistence, and exfiltrate sensitive data.
Clearing Fog of War
A malicious actor might be leveraging MSHTA for defense evasion and using several techniques for OS credential dumping within the environment.
To MFA or Not To MFA: How Multi-factor Authentication Saves the SMB
- Credential Theft: Attackers exploit weak or reused passwords to gain access to accounts without MFA. This can be done through brute forcing, password spraying, or credential stuffing attacks.
- Session Hijacking: Attackers steal session tokens to bypass MFA. This can be done through adversary-in-the-middle (AiTM) attacks or by obtaining tokens from breaches and credential dumps.