Mon, Dec 5, 2022
Tactic | Technique | Procedure |
---|---|---|
TA0001 | T1190 | AvosLocker threat actors exploited ManageEngine ADSelfService |
| T1021 | AvosLocker utilized RDP to move laterally |
| T1486 | AvosLocker encrypted data |
| T1490 | AvosLocker deleted backups |
TA0007 | T1049 | AvosLocker threat actors used whoami and net user to conduct initial internal scouting |
TA0005 | T1135 | AvosLocker attempted to enumerate network shares |
TA0011 | T1211 | AvosLocker attempted to hide activity by exploiting vulnerabilities within Veeam |
TA0010 | T1090.002 | AvosLocker used the Chisel Proxy to tunnel traffic |
TA0011 | T1048 | |
TA0004 | T1219 | AvosLocker used AnyDesk to maintain persistence and command and control |
TA0008 | T1068 | AvosLocker utilized the created webshell to create a local administrator account |
TA0040 | T1078 | AvosLocker identified valid domain administrator accounts and was able to switch accounts |
Recommendation | Observation |
---|---|
Patch and update ManageEngine ADSelfService devices and Veeam Backup & Replication services. | The ManageEngine service was compromised and allowed remote code execution. The threat actor attempted to hide activity by utilising the Veeam Backup and Replication service. |
Disable plaintext passwords. | The threat actor was able to access credentials that were stored in plaintext. |
Monitor PowerShell execution. Ensure PowerShell is logged and create detections for encoded script execution. | The threat actor utilised PowerShell execution. |
Audit user, administrator and service accounts. Ensure accounts have the correct access and privileges, and implement the principle of least privilege. | The exploitation allowed the threat actor to operate with a highly privileged account which could add extra administrator accounts. |
Implement multifactor authentication. Multifactor authentication can restrict access to sensitive areas and can prevent lateral movement. | The threat actor was able to access all areas of the network. Implementing multifactor authentication would assist with limiting lateral movement and access to sensitive areas. |
Review backup strategies. Ensure multiple backups are taken and at least one backup is isolated from the network. | The threat actor deleted backups that were attached to the network. |
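The "Monitor PowerShell execution" recommendation asks for detections on encoded script execution. The Python below is an added example, not Kroll's code or tooling: it flags powershell.exe launches that pass -EncodedCommand (or its short forms), decodes the UTF-16LE Base64 payload so an analyst sees the real script text, and handles payloads that will not decode. The pipe-delimited log layout, hostnames and user names are constructed assumptions for the example.

```python
import base64
import re

# -EncodedCommand and the short forms powershell.exe accepts, followed by a Base64 blob.
# Heuristic: PowerShell also accepts other unambiguous prefixes of the switch.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")


def encode_command(ps_text: str) -> str:
    """Build an -EncodedCommand argument as PowerShell expects it (Base64 of UTF-16LE)."""
    return base64.b64encode(ps_text.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation events (not from the incident). The
# "timestamp|host|user|command line" layout is an assumption for this example.
SAMPLE_LOGS = [
    "2022-12-05T10:01:12Z|WS01|CORP\\alice|powershell.exe -NoProfile -Command Get-Date",
    "2022-12-05T10:03:44Z|SRV02|CORP\\svc_backup|powershell.exe -nop -w hidden -enc "
    + encode_command("Get-ChildItem \\\\FS01\\share -Recurse"),
    # Valid Base64 that is not UTF-16LE text: the switch is present but the blob will not decode.
    "2022-12-05T10:05:01Z|SRV02|CORP\\svc_backup|powershell.exe -EncodedCommand "
    + base64.b64encode(b"not utf-16 text here!").decode("ascii"),
]


def decode_encoded_command(blob: str):
    """Return the script text behind an -EncodedCommand blob, or None if it will not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def analyse_line(line: str):
    """Return a finding for a line that launches encoded PowerShell, otherwise None."""
    timestamp, host, user, cmdline = line.split("|", 3)
    match = ENC_FLAG.search(cmdline)
    if match is None:
        return None
    return {"time": timestamp, "host": host, "user": user,
            "hidden_window": bool(HIDDEN_WINDOW.search(cmdline)),
            "decoded": decode_encoded_command(match.group(1))}


def scan(lines):
    """Run the detection over an iterable of log lines and collect the findings."""
    return [f for f in (analyse_line(line) for line in lines) if f is not None]
```

A finding whose `decoded` value is None still deserves triage: an encoded switch with an unreadable payload is itself unusual on a production host.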
The following files and hashes have been identified for the incident.
File Name | Comment | MD5 Hash Value |
---|---|---|
scanner.exe | Netscan | e0e0e26fb4a78c1d2e0479d073a7cc13 |
veeamcp.exe | Veeam Copy Tool | 6a93af683d14d726c7b4f2e80601f711 |
veeamdl.exe | Veeam Download | 5dc568b8e4f111b84baaf9018a82c56d |
chisel.dll | Chisel Proxy | 9f07042085f8e127dab3d003fe04d002b8ad8340 |
Stop.jar | Java Archive to create webshells | CE442BBADE3A3C482C2D288D177B6589 |
help.jsp | webshell | 775DC9F35BF5057904FB7D6F58795946 |
3.txt | AvosLocker Binary | 7a15c01fa77f79120e2918618fcba5b3 |
AVO.ps1 | AvosLocker binary encoder script | 022532c575fa9f8157e920bd2d34f2ec |
IP Address | Comment |
---|---|
178.17.170[.]23 | Tor Node |
188.166.119[.]212:80/byebye | Cobalt Strike |