Adversary Emulation. Published July 3, 2024.
AttackIQ has released two new attack graphs that emulate the behaviors exhibited by the highly sophisticated Russian adversary Sandworm during various destructive activities against targets in Ukraine and other countries in the region shortly before the launch of the Russian invasion on February 24, 2022.
Sandworm is a highly sophisticated Russian adversary, active since at least 2009, that has been attributed to Russia's Main Intelligence Directorate for Special Technologies military Unit 74455.
Sandworm is characterized by the use of malware families specifically designed to compromise Industrial Control System and Supervisory Control and Data Acquisition systems found in entities located in the Energy, Government, and Media sectors.
Sandworm has been previously emulated by AttackIQ in March 2024 through the publication of an Assessment Template that compiles all the Tactics, Techniques, and Procedures recently exhibited by it.
AttackIQ has released two new attack graphs that emulate the post-compromise Tactics, Techniques, and Procedures exhibited by Sandworm during its destructive activities, to help customers validate their security controls and their ability to defend against this disruptive and destructive threat.
Validating your security program performance against these behaviors is vital in reducing risk.
In February 2022, Sandworm was observed deploying destructive malware against targets in Ukraine and other countries in the region shortly before the launch of the Russian invasion on February 24, 2022.
This stage begins with the deployment of HermeticWizard, a spreader used by Sandworm to deploy tools across a local network via Windows Management Instrumentation and Server Message Block.
System Binary Proxy Execution: Regsvr32: Regsvr32 is a native Windows utility that threat actors can use to register Component Object Model (COM) DLLs. This functionality allows an actor to drop a malicious DLL and have a trusted, signed Windows binary (regsvr32.exe) load and execute its code, so the malicious activity appears under a native parent process.
System Network Connections Discovery: This scenario performs network resource discovery by calling the WNetOpenEnumW and WNetEnumResourceW Windows API functions to enumerate network resources visible from the local computer.
Windows Management Instrumentation: This scenario attempts to move laterally to any available asset inside the network through the use of WMI. If the remote asset can be accessed, a configurable command is executed.
Indicator Removal: Clear Windows Event Logs: The scenario uses the wevtutil utility to clear Windows event logs.
In a similar incident, Sandworm seems to have used a known vulnerability in Microsoft SQL Server to compromise at least one of the targeted organizations.
Once execution succeeds, the graph continues by verifying network connectivity with the certutil utility and culminates in dumping the memory of the Local Security Authority Subsystem Service (LSASS) process through comsvcs.dll.
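As an added example that is not part of AttackIQ's attack graphs or the original post: a small Python detection pass over constructed Sysmon-style process-creation records, flagging the host-side artifacts each step of the chain above leaves behind (regsvr32 loading a DLL from a user-writable path, a child process of WmiPrvSE.exe, wevtutil clearing a log, certutil fetching a URL, and the comsvcs.dll MiniDump export). The event fields, file paths and ATT&CK technique mappings are assumptions chosen for illustration.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry); the
# first five mirror the emulated chain step by step, the last one is benign noise.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\Public\spreader.dll"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": r"wevtutil.exe cl Security"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://example.invalid/ping"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs -p"},
]


def _base(path):
    """Lower-cased file name of a Windows path, for case-insensitive image matching."""
    return path.rsplit("\\", 1)[-1].lower()


# (rule name, assumed ATT&CK id, predicate over one event). Each predicate encodes
# the observable the corresponding step of the emulated chain leaves in process logs.
RULES = [
    ("regsvr32 loading a DLL from a user-writable path", "T1218.010",
     lambda e: _base(e["image"]) == "regsvr32.exe"
     and re.search(r"\\(users|programdata|temp)\\", e["cmdline"], re.I) is not None),
    ("process spawned by the WMI provider host", "T1047",
     lambda e: _base(e["parent"]) == "wmiprvse.exe"),
    ("wevtutil clearing an event log", "T1070.001",
     lambda e: _base(e["image"]) == "wevtutil.exe"
     and re.search(r"\b(cl|clear-log)\b", e["cmdline"], re.I) is not None),
    ("certutil fetching a URL (connectivity check)", "T1105",
     lambda e: _base(e["image"]) == "certutil.exe"
     and re.search(r"urlcache|https?://", e["cmdline"], re.I) is not None),
    ("comsvcs.dll MiniDump export invoked (LSASS dump)", "T1003.001",
     lambda e: re.search(r"comsvcs\.dll.*minidump", e["cmdline"], re.I) is not None),
]


def detect(events):
    """Return one finding per (event, rule) hit; an empty list means nothing matched."""
    findings = []
    for idx, event in enumerate(events):
        for name, technique, predicate in RULES:
            if predicate(event):
                findings.append({"event": idx, "rule": name, "technique": technique})
    return findings
```

Running `detect(SAMPLE_EVENTS)` yields one finding for each of the first five events and none for the benign svchost.exe record; in production the same predicates would run over real Sysmon Event ID 1 or Windows Security 4688 records.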
Adversaries may use DLL files for many of their malware payloads and use native Windows utilities to execute them.
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code.
There are multiple ways to access the Task Scheduler in Windows.
Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service process.
With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a well-known and dangerous threat.
AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams.
This Cyber News was published on securityboulevard.com. Publication date: Wed, 03 Jul 2024 22:43:05 +0000