Lastly, RDP tunneling is done using Ngrok to IP 16. Sysinternals and SSH tools are downloaded by the backdoor account using a web browser on compromised systems. The malware written to c:\programdata\SoftwareDistribution\SessionService.exe communicates with activate-microsoftcf and GitHub. Malware is written to C:\Users\DomainAdmin\Desktop\Drokbk.exe which creates service name, “SessionManagerService”. Credentials are then harvested using Procdump. The adversary then performs lateral movement using PSexec and RDP. A backdoor account “DomainAdmin” is created on secondary systems using net command and then added to local administrators' group. The initial pivot from compromised Horizon server occurred using NTLM authentication for a generic administrator account. The summary of intrusion activity for TunnelVision is as follows:. TTPs (summarized below) observed in this case align with known TunnelVision behavior. Observed C2 domain activate-microsoftcf utilizes a similar naming convention to known TunnelVision server microsoft-updateservercf and shares similar registration characteristics. Attribution to the TunnelVision activity cluster is supported by the following artifacts and observed Tactics, Techniques and Procedures (TTPs):. Analysis by our Threat Intelligence team indicates a strong link to TunnelVision, an activity cluster operated by an Iranian-aligned threat actor(s). The server itself was not publicly accessible but believed to be exposed to untrusted input routed from an Internet-facing system. This server was operating an out-of-date version known to be vulnerable to Log4Shell (CVE-2021-44228). The activity was escalated and traced to a VMware Horizon server. 
In early February 2022, we identified suspicious account creation and credential harvesting attempts on a customer’s endpoint. Here’s the latest from our TRU Team… What did we find? We outline how we responded to the confirmed threat and what recommendations we have going forward. In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. 
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team. We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
Adversaries don’t work 9-5 and neither do we.
0 kommentar(er)
