Hide Your RDP: Password Spray Leads to RansomHub Deployment
  • Initial access was via a password spray attack against an exposed RDP server, targeting numerous accounts over a four-hour period. Mimikatz and Nirsoft were used to harvest credentials, with evidence of LSASS memory access. Discovery was accomplished using living-off-the-land binaries as well as Advanced IP Scanner and NetScan. Rclone was used to exfiltrate data to a remote server using SFTP. The threat actor deployed RansomHub ransomware network-wide, which spread over SMB and was executed using remote services.
·thedfirreport.com·
Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
The threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing Confluence server, allowing for remote code execution. Using this access, the threat actor executed a consistent sequence of commands (installing AnyDesk, adding admin users, and enabling RDP) multiple times, suggesting the use of automation scripts or a playbook. Tools like Mimikatz, ProcessHacker, and Impacket Secretsdump were used to harvest credentials. The intrusion culminated in the deployment of ELPACO-team ransomware, a Mimic variant, approximately 62 hours after the initial Confluence exploitation. While ransomware was deployed and some event logs were deleted, no significant exfiltration of data was observed during the intrusion. This case was featured in our December 2024 DFIR Labs CTF and is available as a lab today. It was originally published as a Threat Brief to customers in October 2024.
·thedfirreport.com·
Navigating Through The Fog
  • An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. It contained tools and scripts for reconnaissance, exploitation, lateral movement, and persistence. Initial access was gained using compromised SonicWall VPN credentials, while other offensive tools facilitated credential theft, exploitation of Active Directory vulnerabilities, and lateral movement. Persistence was maintained through AnyDesk, automated by a PowerShell script that preconfigured remote access credentials. Sliver C2 executables were hosted on the server for command-and-control operations, alongside Proxychains tunneling. The victims spanned multiple industries, including technology, education, and logistics, across Europe, North America, and South America, highlighting the affiliate’s broad targeting scope.
·thedfirreport.com·
The Curious Case of an Egg-Cellent Resume
  • Initial access was via a resume lure as part of a TA4557/FIN6 campaign. The threat actor abused LOLBins like ie4uinit.exe and msxsl.exe to run the more_eggs malware. Cobalt Strike and the Python-based C2 Pyramid were employed by the threat actor for post-exploitation activity. The threat actor abused CVE-2023-27532 to exploit a Veeam server and facilitate lateral movement and privilege escalation activities. The threat actor installed Cloudflared to assist in tunneling RDP traffic. This case was first published as a Private Threat Brief for customers in April of 2024. Eight new rules were created from this report and added to our Private Detection Ruleset.
·thedfirreport.com·
Inside the Open Directory of the “You Dun” Threat Group
  • Analysis of an open directory found a Chinese-speaking threat actor’s toolkit and history of activity. The threat actor displayed extensive scanning and exploitation using WebLogicScan, Vulmap, and Xray, targeting organizations in South Korea, China, Thailand, Taiwan, and Iran. The Viper C2 framework was present as well as a Cobalt Strike kit which included TaoWu and Ladon extensions. The leaked LockBit 3 builder was used to create a LockBit payload with a custom ransom note that included a reference to a Telegram group, which we investigated further in the report.
·thedfirreport.com·
Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner. Nitrogen was leveraged to deploy Sliver and Cobalt Strike beacons on the beachhead host and perform further malicious actions. The two post-exploitation frameworks were loaded in memory through Python scripts. After obtaining initial access and establishing further command and control connections, the threat actor enumerated the compromised network with the use of PowerSploit, SharpHound, and native Windows utilities. Impacket was employed to move laterally after harvesting domain credentials. The threat actor deployed an open-source backup tool called Restic on a file server to exfiltrate share data to a remote server. Eight days after initial access, the threat actor modified a privileged user password and deployed BlackCat ransomware across the domain using PsExec to execute a batch script. Six rules were added to our Private Ruleset related to this intrusion.
·thedfirreport.com·
BlackSuit Ransomware
  • In December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware. The threat actor leveraged various tools, including Sharphound, Rubeus, SystemBC, Get-DataInfo.ps1, Cobalt Strike, and ADFind, along with built-in system tools. Command and control traffic was proxied through CloudFlare to conceal their Cobalt Strike server. Fifteen days after initial access, BlackSuit ransomware was deployed by copying files over SMB to admin shares and executing them through RDP sessions. Three rules were added to our private ruleset related to this case.
·thedfirreport.com·
Threat Actors’ Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts
  • In early December of 2023, we discovered an open directory filled with batch scripts, primarily designed for defense evasion and executing command and control payloads. These scripts execute various actions, including disabling antivirus processes and stopping services related to SQL, Hyper-V, security tools, and Exchange servers. This report also highlights scripts responsible for erasing backups, wiping event logs, and managing the installation or removal of remote monitoring tools like Atera. Our investigation uncovered the use of additional tools, including Ngrok for proxy services, SystemBC, and two well-known command and control frameworks: Sliver and PoshC2. The observed servers show long-term usage by the threat actors, appearing in The DFIR Report Threat Feeds as far back as September 2023. They have been active intermittently since then, with the most recent activity detected in August 2024. Ten new Sigma rules were created from this report and added to our private Sigma ruleset.
·thedfirreport.com·
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment – The DFIR Report
In October 2023, we observed an intrusion that began with a spam campaign, distributing a forked IcedID loader. The threat actor used Impacket’s wmiexec and RDP to install Scree…
·thedfirreport.com·
From IcedID to Dagon Locker Ransomware in 29 Days
  • In late August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID. IcedID dropped and executed a Cobalt Strike beacon, which was then used throughout the intrusion. The threat actor leveraged a bespoke PowerShell tool known as AWScollector to facilitate a range of malicious activities including discovery, lateral movement, data exfiltration, and ransomware deployment. Group Policy was used to distribute Cobalt Strike beacons at login to a specific privileged user group. The threat actor utilized a suite of tools to support their activities, deploying Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, and AdFind. This case had a TTR (time to ransomware) of 29 days.
·thedfirreport.com·
From OneNote to RansomNote: An Ice Cold Intrusion - The DFIR Report
  • In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method. After loading IcedID and establishing persistence, there were no further actions other than beaconing for over 30 days. The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server. The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.
·thedfirreport.com·
BumbleBee Zeros in on Meterpreter
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and this report is a continuation of a series of reports uncovering multiple TTPs seen by BumbleBee post-exploitation operators. The intrusion began with the delivery of an ISO file that contained an LNK and a DLL. The threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike Beacons. They then performed reconnaissance, used two different UAC bypass techniques, dumped credentials, escalated privileges using a ZeroLogon exploit, and moved laterally through the environment.
·thedfirreport.com·