SQL Brute Force Leads to BlueSky Ransomware
In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and … Read More
NetSupport Intrusion Results in Domain Compromise
NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report … Read More
From ScreenConnect to Hive Ransomware in 61 hours
In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, such … Read More
HTML Smuggling Leads to Domain Wide Ransomware
We’ve previously reported on a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID malware. This case, which also ended in Nokoyawa Ransomware, involved … Read More
A Truly Graceful Wipe Out
In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire & BARBWIRE) resulting in the exfiltration of data and the deployment … Read More
IcedID Macro Ends in Nokoyawa Ransomware
Threat actors have moved to other means of initial access, such as ISO files combined with LNKs or OneNote payloads, but some appearances of VBA macros in Office documents can … Read More
Malicious ISO File Leads to Domain Wide Ransomware
IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022. Post exploitation activities detail some familiar and … Read More
2022 Year in Review
As we move into the new year, it’s important to reflect on some of the key changes and developments we observed and reported on in 2022. This year’s year-in-review report … Read More
Collect, Exfiltrate, Sleep, Repeat
In this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a malicious VBA macro, which established persistence and communication to a command … Read More
ShareFinder: How Threat Actors Discover File Shares
Many of our reports focus on adversarial Tactics, Techniques, and Procedures (TTPs) along with the tools associated with them. After gaining a foothold in an environment, one challenge for all … Read More
Unwrapping Ursnifs Gifts
In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment … Read More
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware
In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over a eight day period. During this time period, multiple rounds of … Read More
BumbleBee Zeros in on Meterpreter
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, … Read More
Follina Exploit Leads to Domain Compromise
In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain. Qbot, also known … Read More
BumbleBee: Round Two
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. … Read More
Dead or Alive? An Emotet Story
In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started very soon after … Read More
BumbleBee Roasts Its Way to Domain Admin
In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that was first reported by Google Threat Analysis Group … Read More
SELECT XMRig FROM SQLServer
In March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of this intrusion was to deploy a coin miner. Although deploying a coin miner … Read More
SANS Ransomware Summit 2022, Can You Detect This?
This report is a companion to the SANS Ransomware Summit 2022 “Can You Detect This” presentation today 6/16/22 @ 14:40 UTC (10:40 AM ET). Slides: SANS Ransomware Summit 2022 – … Read More
Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files on the … Read More
SEO Poisoning – A Gootloader Story
In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense … Read More