In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol host, leading to data exfiltration and the deployment of Trigona ransomware.
On Christmas Eve, within just three hours of gaining initial access, the threat actors executed ransomware across the entire network.
The threat actors used a batch script to exfiltrate data and dropped a series of other batch scripts that could hinder defensive measures, create a user account, open the host firewall for RDP, and automate other intrusion actions.
Upon gaining access, the threat actor deployed a toolkit onto the beachhead host, which included an assortment of batch scripts, executables, and the SoftPerfect Netscan tool.
As Netscan enumerated the network, the threat actor identified network shares and started exploring them, accessing various documents through a web browser.
Approximately 20 minutes after initial access, the threat actor began lateral movement by establishing an RDP connection to one of the file servers.
The threat actor then copied their toolkit to the file server.
The threat actor then staged a ransomware binary on each of the hosts they had access to.
Limited evidence makes it difficult to pinpoint the initial access method. However, the absence of brute-force attempts and the use of valid credentials suggest that the threat actor already held the domain Administrator password, possibly obtained through a leak or a purchase, particularly given other external access events in the weeks leading up to the intrusion.
During the intrusion, the threat actor performed every action interactively through the RDP GUI session.
Several of the scripts we observed executing are detailed in the exfiltration section; others that the threat actor dropped on the network but never ran are highlighted throughout the rest of the report.
The threat actor dropped two files that create a new local user and add it to the local Administrators and Remote Desktop Users groups.
We did not observe them being executed during this intrusion, but since the threat actor staged them on the beachhead, we assess that they are likely used in the actor's other intrusions.
Upon initial connection, the threat actor dropped several Windows Batch scripts to disk, including scripts designed to disable security tooling.
The threat actor also dropped a script to reverse these changes and re-enable Windows Defender, aptly named DefenderON.bat.
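The two staged scripts described above (create a local user, add it to Administrators and Remote Desktop Users) and the Defender-disabling scripts each leave a specific trace in Windows event logs if they are run. The following detection is an added example, not code from the report and not the actor's scripts: it correlates Security event 4720 (user account created) with 4732 (member added to a security-enabled local group) on the new account's SID, and flags Windows Defender Operational event 5001 (real-time protection disabled). The sample events, hostnames, SIDs and timestamps are constructed; the field names follow the event data elements of those events.

```python
"""Correlate the dropped-script playbook in Windows event logs.

Added example, not from the report and not the actor's scripts. It looks
for the effect those scripts would have if run: Security 4720 (user
account created) followed by 4732 (member added to a security-enabled
local group) for the Administrators or Remote Desktop Users group, joined
on the new account's SID, plus Windows Defender Operational event 5001
(real-time protection disabled). All sample events, hosts, SIDs and
times below are constructed.
"""
from datetime import datetime, timedelta

ACCOUNT_CREATED, MEMBER_ADDED_LOCAL = 4720, 4732
DEFENDER_RTP_DISABLED = 5001
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
WATCHED_GROUPS = {"S-1-5-32-544": "Administrators",
                  "S-1-5-32-555": "Remote Desktop Users"}

NEW_SID = "S-1-5-21-1111-2222-3333-1105"   # constructed SID of the new account

# Constructed sample events. The FS01 entry is a benign change: an existing
# account added to Remote Desktop Users with no matching 4720.
SAMPLE_EVENTS = [
    {"TimeCreated": "2022-12-24T09:04:30", "Channel": DEFENDER_CHANNEL,
     "EventID": 5001, "Computer": "BEACHHEAD"},
    {"TimeCreated": "2022-12-24T09:06:02", "Channel": "Security", "EventID": 4720,
     "Computer": "BEACHHEAD", "SubjectUserName": "Administrator",
     "TargetUserName": "support", "TargetSid": NEW_SID},
    {"TimeCreated": "2022-12-24T09:06:03", "Channel": "Security", "EventID": 4732,
     "Computer": "BEACHHEAD", "SubjectUserName": "Administrator",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544",
     "MemberSid": NEW_SID},
    {"TimeCreated": "2022-12-24T09:06:03", "Channel": "Security", "EventID": 4732,
     "Computer": "BEACHHEAD", "SubjectUserName": "Administrator",
     "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555",
     "MemberSid": NEW_SID},
    {"TimeCreated": "2022-12-20T14:00:00", "Channel": "Security", "EventID": 4732,
     "Computer": "FS01", "SubjectUserName": "helpdesk",
     "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555",
     "MemberSid": "S-1-5-21-1111-2222-3333-1020"},
]


def _t(event):
    return datetime.fromisoformat(event["TimeCreated"])


def new_privileged_accounts(events, window=timedelta(minutes=10)):
    """Accounts created and added to a watched group on the same host within
    `window`. Joining on SID rather than name survives renames and the
    "-" that 4732 often carries in MemberName."""
    created = {(e["Computer"], e["TargetSid"]): e
               for e in events if e["EventID"] == ACCOUNT_CREATED}
    findings = []
    for e in events:
        if e["EventID"] != MEMBER_ADDED_LOCAL or e["TargetSid"] not in WATCHED_GROUPS:
            continue
        origin = created.get((e["Computer"], e["MemberSid"]))
        if origin is None:
            continue
        delta = _t(e) - _t(origin)
        if timedelta(0) <= delta <= window:
            findings.append({
                "host": e["Computer"],
                "account": origin["TargetUserName"],
                "group": WATCHED_GROUPS[e["TargetSid"]],
                "created_by": origin["SubjectUserName"],
                "seconds_after_creation": delta.total_seconds(),
            })
    return findings


def defender_disabled(events):
    """Hosts with a Defender 5001 (real-time protection disabled) event."""
    return sorted({e["Computer"] for e in events
                   if e["Channel"] == DEFENDER_CHANNEL
                   and e["EventID"] == DEFENDER_RTP_DISABLED})


def host_summary(events):
    """Per-host view of both signals; hosts with neither are omitted."""
    summary = {}
    for f in new_privileged_accounts(events):
        summary.setdefault(f["host"], {"new_privileged_accounts": [],
                                       "defender_disabled": False})
        summary[f["host"]]["new_privileged_accounts"].append(f)
    for host in defender_disabled(events):
        summary.setdefault(host, {"new_privileged_accounts": [],
                                  "defender_disabled": False})
        summary[host]["defender_disabled"] = True
    return summary


if __name__ == "__main__":
    for host, s in host_summary(SAMPLE_EVENTS).items():
        groups = [f"{f['account']} -> {f['group']}" for f in s["new_privileged_accounts"]]
        print(host, "defender_disabled=" + str(s["defender_disabled"]), groups)
```

The join on `TargetSid`/`MemberSid` is deliberate: 4732 frequently records `-` in `MemberName`, so matching on the account name would miss the group additions, and the ten-minute window is what separates a scripted "create and elevate" sequence from a helpdesk change made days apart.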
After these first commands, the threat actor employed Netscan to perform network discovery.
At one point the threat actor even used MS Paint to review image files on a remote system.
Further, the threat actor initially connected from the IP 77.83.36[.]6 and the remote host named WIN-L1MS2GT1R2G. Around two and a half hours into the intrusion, that session disconnected and a second connection to the beachhead was made from 193.106.31[.]9 and host 6CU548W0BH. From this second session, the ransomware files were staged and executed.
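Both the initial-access assessment above (valid credentials, no brute force) and the two operator sessions from different IPs and client hostnames can be pulled straight from Security log logon events. The following is an added example, not code from the report: it filters successful RDP logons (4624, LogonType 10) to external source addresses, counts 4625 failures per source as a brute-force check, and pivots each external source to its client hostname and account. The sample events are constructed; they reuse the two source IPs and client hostnames the report names, but every timestamp, account and internal host is made up.

```python
"""Hunt for external RDP logons in parsed Windows Security events.

Added example, not code from the report. The sample events below are
constructed; they reuse the two source IPs and client hostnames named in
the report but every timestamp, account and internal host is made up.
Field names follow the Security log's 4624/4625 event data elements.
"""
import ipaddress
from collections import Counter

REMOTE_INTERACTIVE = 10          # LogonType 10 = RemoteInteractive (RDP)
LOGON_SUCCESS, LOGON_FAILED = 4624, 4625

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"TimeCreated": "2022-12-24T08:59:50", "EventID": 4625, "LogonType": 10,
     "TargetUserName": "admin", "IpAddress": "77.83.36.6",
     "WorkstationName": "WIN-L1MS2GT1R2G"},
    {"TimeCreated": "2022-12-24T09:02:11", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "Administrator", "IpAddress": "77.83.36.6",
     "WorkstationName": "WIN-L1MS2GT1R2G"},
    {"TimeCreated": "2022-12-24T09:03:00", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5",
     "WorkstationName": "FS01"},
    {"TimeCreated": "2022-12-24T09:25:40", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "Administrator", "IpAddress": "10.0.0.20",
     "WorkstationName": "BEACHHEAD"},
    {"TimeCreated": "2022-12-24T11:30:05", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "Administrator", "IpAddress": "193.106.31.9",
     "WorkstationName": "6CU548W0BH"},
]


def is_external(ip):
    """True if the address is routable from the internet (not RFC1918,
    loopback or link-local). Placeholders such as "-" return False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def external_rdp_logons(events):
    """Successful RDP logons (4624, LogonType 10) from external sources,
    oldest first. Each hit is the raw event, so the analyst keeps the
    account, source IP and client hostname (WorkstationName) together."""
    hits = [e for e in events
            if e["EventID"] == LOGON_SUCCESS
            and e["LogonType"] == REMOTE_INTERACTIVE
            and is_external(e["IpAddress"])]
    return sorted(hits, key=lambda e: e["TimeCreated"])


def failed_logons_by_source(events):
    """Count 4625 failures per source IP, the quickest brute-force check."""
    return Counter(e["IpAddress"] for e in events if e["EventID"] == LOGON_FAILED)


def brute_force_sources(events, threshold=10):
    """Source IPs whose failure count reaches `threshold`. An empty result
    alongside external successes points at valid credentials rather than
    password guessing, which is the situation the report describes."""
    counts = failed_logons_by_source(events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def session_pivot(events):
    """Summarise each external RDP source as (ip, client hostname, account,
    first seen) so a second operator connection stands out."""
    seen = {}
    for e in external_rdp_logons(events):
        key = (e["IpAddress"], e["WorkstationName"], e["TargetUserName"])
        seen.setdefault(key, e["TimeCreated"])
    return [(*k, t) for k, t in seen.items()]


if __name__ == "__main__":
    for ip, host, user, first in session_pivot(SAMPLE_EVENTS):
        print(f"{first}  {user}@{host}  from {ip}")
    print("brute-force sources:", brute_force_sources(SAMPLE_EVENTS))
```

The internal type-10 logon from 10.0.0.20 is kept out of the external list on purpose: it is the same kind of RDP session the actor used for lateral movement to the file server, and it belongs in a separate lateral-movement query rather than in the initial-access hunt.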
The Rclone configuration file used by the threat actor was encrypted (Rclone supports protecting rclone.conf with a configuration password), so the remote's settings could not be read directly from the file.
Published on thedfirreport.com, Mon, 29 Jan 2024 01:13:06 +0000.