How Threat Actors Exploit Legitimate Services


Summary

Threat actors are exploiting legitimate services and tools by manipulating their intended use to bypass security measures and gain unauthorized access to systems. This strategy, known as "living off the land," allows attackers to blend in with normal operations, making detection more difficult.

  • Strengthen authentication methods: Implement multi-factor authentication (MFA) across all platforms, especially for SaaS applications, to prevent unauthorized access using stolen credentials.
  • Monitor system activity: Set up detailed logging and continuous monitoring to detect unusual behavior, such as changes to security settings or unauthorized use of legitimate tools.
  • Educate your team: Train employees to recognize social engineering tactics like phishing and suspicious requests, as these are common methods for gaining initial access.
Summarized by AI based on LinkedIn member posts
  • Snowflake, CrowdStrike, and Mandiant (part of Google Cloud) just published a statement on our preliminary findings associated with a threat campaign impacting Snowflake customers.

    Threat actors are actively compromising organizations’ Snowflake customer tenants by using stolen credentials obtained by infostealing malware and logging into databases that are configured with single factor authentication.

    Any SaaS solution that is configured without multifactor authentication is susceptible to being mass exploited by threat actors. We anticipate threat actors will replicate this campaign across other SaaS solutions that contain sensitive enterprise data.

    Here are some of Mandiant’s observations related to infostealers from the past few years:
    ☣️ Since the beginning of 2020, employees and contractors working from home increasingly use their personal computers to access corporate systems.
    ☣️ People often synchronize their web browsers on their work computers and personal computers.
    ☣️ People (or their children) sometimes inadvertently install software laced with infostealing malware on their personal computers. The malware can capture credentials from their web browsers.
    ☣️ Threat actors opportunistically search for corporate credentials stolen by infostealing malware and use them to compromise enterprises, steal data, and conduct extortion.

  • Dan Williams
    73,600+ | Useful Quality Content | Empowering Organizations and Individuals with Cybersecurity Tools and Insights

    🚨🔒 Security Alert: Living off the Land Threats

    Hello and welcome to this helpful PDF file on common living off the land (LOTL) techniques and cyber defense capabilities!

    📅 Publication Date: February 7, 2024

    🌐 Authoring Agencies:
    🔹 U.S. Cybersecurity and Infrastructure Security Agency (CISA)
    🔹 U.S. National Security Agency (NSA)
    🔹 U.S. Federal Bureau of Investigation (FBI)
    🔹 U.S. Department of Energy (DOE)
    🔹 U.S. Environmental Protection Agency (EPA)
    🔹 U.S. Transportation Security Administration (TSA)
    🔹 Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
    🔹 Canadian Centre for Cyber Security (Cyber Centre)
    🔹 United Kingdom National Cyber Security Centre (NCSC-UK)
    🔹 New Zealand National Cyber Security Centre (NCSC-NZ)

    📝 Summary: This joint guide by leading cybersecurity agencies sheds light on common living off the land (LOTL) techniques and vulnerabilities in cyber defense systems. Cyber actors, including state-sponsored ones like the People’s Republic of China and Russian Federation, exploit LOTL to infiltrate and persist within critical infrastructure. The guide offers insights derived from joint advisories, incident responses, red team assessments, and collaborative efforts with industry.

    🛡️ Why LOTL is a Threat: LOTL involves leveraging native tools and processes, camouflaging malicious activity within normal system behavior. This makes detection challenging, especially in environments lacking robust security practices. Cyber actors abuse LOTL across various IT landscapes, from on-premises to cloud environments, exploiting common operating systems like Windows, Linux, and macOS.

    🔍 Detection and Mitigation Strategies: To combat LOTL threats, the guide advocates for:
    1. Detailed logging and centralized log aggregation.
    2. Baseline establishment and continuous monitoring.
    3. Automation for anomaly detection.
    4. Fine-tuning alerts and leveraging user behavior analytics.
    5. Implementing security hardening measures and network segmentation.
    6. Prioritizing authentication and authorization controls.

    🔒 Secure by Design Recommendations: Software manufacturers are urged to enhance security by:
    🔹 Disabling unnecessary protocols.
    🔹 Restricting network reachability.
    🔹 Limiting processes with elevated privileges.
    🔹 Enabling phishing-resistant multi-factor authentication.
    🔹 Providing robust logging and eliminating default passwords.

    For comprehensive insights and recommendations, refer to the complete guide. ⬇️ Download the PDF from the post or the CISA website.
    📲 Mobile device: tap the book image, then tap the download icon on the upper right.
    💻 Desktop: mouse over the book icon, click in the box on the lower right, then click the download icon on the upper right.

    💡 Educate yourself, stay vigilant, and share to strengthen our collective defense! 🌐🔒 #cybersecurity #threatdetection #cybermandan
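The guide's detection advice above (log everything, establish a baseline, then automate the hunt for deviations) is concrete enough to show as code. The following is an added example, not code from the joint guide or from the post: it reduces process-creation command lines to a stable "shape", builds a per-host baseline of which users run which shapes, and flags monitoring-period events that fall outside it. The event layout, host names, users, paths and every event are constructed for the example.

```python
"""Baseline-and-deviation check for living-off-the-land (LOTL) process activity.

Added example (not from the joint LOTL guide or the post above). It applies the
guide's detection advice in miniature: reduce each command line to a "shape",
build a per-host baseline of (user, shape) pairs, then flag events that are new.
Log format and all events below are constructed; hosts, users and paths are
placeholders.
"""
import re
from collections import Counter, defaultdict

# Constructed baseline window: (host, user, image, command_line)
BASELINE_EVENTS = [
    ("WS01", "alice", "powershell.exe", r"powershell.exe -File C:\scripts\inventory.ps1"),
    ("WS01", "alice", "powershell.exe", r"powershell.exe -File C:\scripts\inventory.ps1"),
    ("WS01", "alice", "certutil.exe", r"certutil.exe -verify C:\certs\root.cer"),
    ("WS02", "bob", "wmic.exe", "wmic.exe product get name"),
    ("WS02", "bob", "wmic.exe", "wmic.exe product get name"),
    ("WS02", "svc_backup", "robocopy.exe", r"robocopy.exe D:\data \\nas01\backup /MIR"),
]

# Constructed monitoring window
NEW_EVENTS = [
    ("WS01", "alice", "powershell.exe", r"powershell.exe -File C:\scripts\inventory.ps1"),
    ("WS01", "alice", "powershell.exe", r"powershell.exe -File C:\Users\Public\update.ps1"),
    ("WS02", "bob", "nc.exe", "nc.exe -L -p 8443"),
    ("WS02", "alice", "wmic.exe", "wmic.exe product get name"),
    ("WS02", "bob", "wmic.exe", "wmic.exe product get name"),
]

_FLAG = re.compile(r"^[-/][A-Za-z?]+$")
_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")


def shape(command_line: str) -> str:
    """Reduce a command line to image + flags + path roots.

    Literal values (file names, hosts, numbers) become "<arg>" and paths are cut
    to their root plus first directory, so routine variation does not look novel
    while a new flag or a new location does.
    """
    tokens = command_line.split()
    parts = [tokens[0].lower()]
    for tok in tokens[1:]:
        if _FLAG.match(tok):
            parts.append(tok.lower())
        elif _PATH.match(tok):
            keep = 4 if tok.startswith("\\\\") else 2  # UNC keeps \\server\share
            parts.append("\\".join(tok.split("\\")[:keep]).lower())
        else:
            parts.append("<arg>")
    return " ".join(parts)


def build_baseline(events):
    """host -> Counter of (user, shape) pairs observed in the baseline window."""
    baseline = defaultdict(Counter)
    for host, user, _image, cmd in events:
        baseline[host][(user, shape(cmd))] += 1
    return baseline


def score_events(baseline, events):
    """Return (kind, host, user, command_line) for events outside the baseline.

    kind is "new_binary" if the image never ran on that host, "new_shape" if the
    image is known but this argument pattern is not, or "new_user" if the shape
    is known on the host but not for this user.
    """
    findings = []
    for host, user, image, cmd in events:
        s = shape(cmd)
        seen = baseline.get(host, Counter())
        if (user, s) in seen:
            continue  # exactly what this user normally does on this host
        known_shapes = {key[1] for key in seen}
        known_images = {k.split()[0] for k in known_shapes}
        if image.lower() not in known_images:
            kind = "new_binary"
        elif s not in known_shapes:
            kind = "new_shape"
        else:
            kind = "new_user"
        findings.append((kind, host, user, cmd))
    return findings


if __name__ == "__main__":
    for finding in score_events(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(*finding, sep=" | ")
```

The shape function is where the tuning happens: too coarse and every `powershell.exe -File` looks the same, too fine and every new script name pages an analyst. In production the baseline would be rebuilt from weeks of centralized logs and the three finding kinds would map to different alert severities rather than a flat list.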

  • Cynthia Kaiser
    SVP & Fmr FBI Cyber Exec | Commentator & Keynote Speaker | Passionate About Threat Intelligence & Cyber Defense

    FBI Cyber Division and our partners, including Japan NISC, are warning multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential PRC-linked BlackTech compromise.

    BlackTech actors’ TTPs include developing customized malware and tailored persistent mechanisms for compromising routers. These TTPs allow the actors to disable logging and abuse trusted domain relationships to pivot between international subsidiaries and domestic headquarters’ networks. Custom BlackTech malware families include BendyBear, Bifrose, BTSDoor, FakeDead (a.k.a. TSCookie), FlagPro, FrontShell (FakeDead’s downloader module), IconDown, PLEAD, SpiderPig, SpiderSpring, SpiderStack, and WaterBear. BlackTech actors continuously update these tools to evade detection by security software. The actors also use stolen code-signing certificates to sign the malicious payloads, which makes them appear legitimate and therefore more difficult for security software to detect.

    BlackTech actors use living off the land TTPs to blend in with normal operating system and network activities, allowing them to evade detection by EDR products. Common methods of persistence on a host include NetCat shells and modifying the victim registry to enable RDP and SSH. The actors have also used SNScan for enumeration and a local file transfer protocol (FTP) server to move data through the victim network.

    After gaining access to international subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks. Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network.

    To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network. BlackTech has targeted and exploited various brands and versions of router devices, including Cisco. TTPs against routers enable the actors to conceal configuration changes, hide commands, and disable logging while BlackTech actors conduct operations.

    For additional TTPs, IOCs, and detailed detection and mitigation measures, see the attached CSA. #cyberintelligence #cyberthreatintelligence #cyberthreatintel #CybersecurityAdvisory #FBI

  • Jeremy Dallman
    Senior Director, Microsoft Threat Intelligence Center (MSTIC)

    We just published a great detailed analysis piece derived from Microsoft IR engagements and Microsoft TI actor hunting capturing Octo Tempest's (overlap 0ktapus, Scattered Spider, UNC3944) evolving financial extortion campaigns using AiTM, social engineering, SIM swaps and more. We have invested significantly in product detection coverage across Microsoft Defender and provided detailed analysis in Defender Threat Intel & M365D Threat Analytics too!

    Initial Access - Octo Tempest commonly launches social engineering attacks targeting technical administrators, such as support and help desk personnel, who have permissions that could enable the threat actor to gain initial access to accounts. Octo Tempest has also been observed impersonating newly hired employees in these attempts to blend into normal on-hire processes.

    Recon & Discovery - Octo Tempest modifies the security staff mailbox rules to automatically delete emails from vendors that may raise the target’s suspicion of their activities. Octo Tempest performs various enumeration and information gathering actions to pursue advanced access in targeted environments and abuses legitimate channels for follow-on actions later in the attack sequence. They use their access to carry out broad searches across knowledge repositories to identify documents of interest. Following that, they perform exploration through multi-cloud environments, enumerating access and resources across cloud environments, code repositories, server and backup management infrastructure, and others. The whole goal here is achieving highest/broadest-possible access so Octo Tempest

    This actor uses a well-established and extensive catalog of open-source tooling to execute each of their campaigns.

    Defense Evasion - Octo Tempest compromises security personnel accounts within victim organizations to turn off security products and features and attempt to evade detection throughout their compromise. Using compromised accounts, the threat actor leverages EDR and device management technologies to allow malicious tooling, deploy RMM software, remove or impair security products, steal sensitive files (e.g. files with credentials, Signal messaging databases, etc.), and deploy malicious payloads.

    Persistence - Octo Tempest leverages publicly available security tools to establish persistence within victim organizations, largely using account manipulation techniques and implants on hosts.

    So much more in the blog and in our products. https://lnkd.in/gjjxQVtk
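The mailbox-rule trick in the Recon & Discovery paragraph (rules that silently delete mail from security vendors so staff never see the alert) leaves a clear audit trail if anyone looks for it. The following is an added example, not Microsoft's or the post author's code: it scans mailbox audit records for rule creation or modification whose action hides messages and whose conditions match security vendor senders or security-related words. The record layout is a simplified, constructed stand-in for a mailbox audit log, and the vendor domains, mailboxes and IPs are placeholders.

```python
"""Flag mailbox rules that hide messages from security vendors.

Added example, not code from Microsoft or the post above. It scans audit records
for New-InboxRule / Set-InboxRule operations whose action deletes messages or
moves them to a rarely read folder, and whose conditions single out security
vendor senders or security-related words. Record layout is a simplified,
constructed stand-in for a mailbox audit log; domains and addresses are
placeholders.
"""
from typing import Dict, List

# Constructed reference data (placeholders for your own vendor list and SOC roster)
SECURITY_VENDOR_DOMAINS = {"edr-vendor.example", "mfa-provider.example"}
SECURITY_STAFF = {"soc-analyst@corp.example"}
QUIET_FOLDERS = {"deleted items", "rss feeds", "archive", "junk email", "conversation history"}
SECURITY_WORDS = {"alert", "security", "incident", "mfa", "suspicious", "sign-in"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed audit records
AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "soc-analyst@corp.example", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "cleanup"},
                    {"Name": "From", "Value": "alerts@edr-vendor.example;noreply@mfa-provider.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "fin-clerk@corp.example", "ClientIP": "198.51.100.10",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "From", "Value": "news@retailer.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "hr-lead@corp.example", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "security alert;unusual sign-in"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"Operation": "MailItemsAccessed", "UserId": "hr-lead@corp.example", "ClientIP": "203.0.113.45",
     "Parameters": []},
]


def parameters(record: dict) -> Dict[str, str]:
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def hides_messages(params: Dict[str, str]) -> bool:
    """True if the rule's action makes matching mail disappear from the inbox."""
    if params.get("DeleteMessage", "").lower() == "true":
        return True
    return params.get("MoveToFolder", "").lower() in QUIET_FOLDERS


def evaluate_rule(record: dict) -> List[str]:
    """Return reasons this rule looks like defence evasion (empty if benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = parameters(record)
    if not hides_messages(params):
        return []
    reasons = []
    senders = [s.strip().lower() for s in params.get("From", "").split(";") if s.strip()]
    if any(s.rsplit("@", 1)[-1] in SECURITY_VENDOR_DOMAINS for s in senders):
        reasons.append("hides mail from a security vendor domain")
    text = " ".join(params.get(k, "") for k in ("SubjectContainsWords", "BodyContainsWords")).lower()
    if any(word in text for word in SECURITY_WORDS):
        reasons.append("hides mail matching security-related words")
    if reasons and record.get("UserId", "").lower() in SECURITY_STAFF:
        reasons.append("mailbox belongs to security staff")
    if reasons and len(params.get("Name", "")) <= 1:
        reasons.append("rule name is a single character")  # a common tell for rules meant to go unnoticed
    return reasons


def scan(records) -> List[dict]:
    """Evaluate every record and return the ones with at least one reason."""
    findings = []
    for rec in records:
        reasons = evaluate_rule(rec)
        if reasons:
            findings.append({"user": rec["UserId"], "ip": rec.get("ClientIP"),
                             "rule": parameters(rec).get("Name"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(AUDIT_RECORDS):
        print(f["user"], f["rule"], "; ".join(f["reasons"]))
```

The same logic applies to rules created through the web client or through an API token, which is why the check keys on the audit operation and its parameters rather than on the client that issued it. Pairing the finding with the ClientIP makes the follow-up question obvious: was that address ever seen for this mailbox before?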

  • Robert Fernandes
    Award Winning CISO | vCISO | Keynote Speaker | TEDx Speaker | Cybersecurity | Threat Exposure Monitoring | Business Resiliency | Leadership | Nonprofit Founder @ Cyberchance | Fluent in English and Spanish

    The U.S. Department of Health and Human Services (HHS) reported that threat actors are carrying out attacks against IT help desks across the Healthcare and Public Health (HPH) sector. The Health Sector Cybersecurity Coordination Center (HC3) recently observed threat actors using sophisticated social engineering tactics to target IT help desks in the health sector. The attackers aim at gaining initial access to target organizations.

    The attacker contacts the target organization’s IT help desk via phone calls from a local area code and claims to be an employee in a financial role. To demonstrate their identity, the threat actor provides the required sensitive information for identity verification, including the last four digits of the target employee’s social security number (SSN) and corporate ID number, along with other demographic details. The attackers likely obtained these details from professional networking sites and via OSINT activities. The threat actor claimed that they could not log in or receive MFA tokens because their phone was broken. Then the attacker tricks the IT help desk into enrolling a new device in multi-factor authentication (MFA) to gain access to corporate resources.

    Upon gaining initial access to the target organization, the threat actor focuses on obtaining login credentials for payer websites, allowing them to alter ACH details for paying accounts. Then they used compromised employee email accounts to hijack payments.

    “After gaining access, the threat actor specifically targeted login information related to payer websites, where they then submitted a form to make ACH changes for payer accounts. Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts.” reads the HC3 sector alert. “The funds were then transferred to overseas accounts. During the malicious campaign, the threat actor also registered a domain with a single letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO).”

    According to the alert, in some cases, threat actors attempted to leverage AI voice impersonation techniques as part of their social engineering tactics.
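The sequence HC3 describes (a help-desk interaction, then a new MFA device enrolled minutes later, then sign-ins from a location the account has never used) is the same pattern the MGM and Scattered Spider posts on this page describe, and it is detectable by correlating two log sources that rarely sit in the same place: the IdP audit log and the help-desk ticketing system. The following is an added example, not code from HHS, HC3 or the post author. It walks a time-ordered identity event stream and reports MFA enrolments that follow a help-desk reset within a window or come from an IP the account has never signed in from. The event format, accounts, IPs and ticket numbers are constructed placeholders.

```python
"""Correlate help-desk password resets with new MFA enrolments.

Added example, not code from HHS, HC3 or the post above. The help-desk pretext
ends with a new device enrolled in MFA shortly after the desk resets the account,
often from a network location the account has never used. This script walks a
time-ordered identity event stream and reports enrolments carrying either
signal. Event format, users, IPs and ticket numbers are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

RESET_WINDOW_HOURS = 24

# (iso timestamp, user, kind, details); kinds: signin, helpdesk_reset, mfa_method_added
Event = Tuple[str, str, str, Dict[str, str]]

EVENTS: List[Event] = [
    ("2024-03-20T08:00:00", "jlee@corp.example", "signin", {"ip": "198.51.100.10", "app": "mail"}),
    ("2024-03-25T14:00:00", "mchen@corp.example", "signin", {"ip": "198.51.100.22", "app": "mail"}),
    ("2024-03-28T09:30:00", "rsmith@corp.example", "signin", {"ip": "198.51.100.30", "app": "mail"}),
    ("2024-04-01T14:00:00", "mchen@corp.example", "mfa_method_added", {"ip": "198.51.100.22", "method": "authenticator_app"}),
    ("2024-04-02T09:05:00", "jlee@corp.example", "helpdesk_reset", {"agent": "hd-agent-17", "ticket": "HD-000123"}),
    ("2024-04-02T09:41:00", "jlee@corp.example", "mfa_method_added", {"ip": "203.0.113.45", "method": "authenticator_app"}),
    ("2024-04-02T09:43:00", "jlee@corp.example", "signin", {"ip": "203.0.113.45", "app": "payer-portal"}),
    ("2024-04-03T11:10:00", "rsmith@corp.example", "mfa_method_added", {"ip": "192.0.2.9", "method": "phone"}),
]


def correlate(events: List[Event]) -> List[dict]:
    """Return one finding per suspicious MFA enrolment, in time order.

    State is built as the stream is replayed, so "never used by this account"
    means never seen in a sign-in *before* the enrolment, which is what an
    analyst would have known at that moment.
    """
    resets: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    seen_ips: Dict[str, Set[str]] = defaultdict(set)
    window = timedelta(hours=RESET_WINDOW_HOURS)
    findings = []
    for ts, user, kind, details in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "helpdesk_reset":
            resets[user].append((when, details.get("ticket", "unknown")))
        elif kind == "signin":
            seen_ips[user].add(details["ip"])
        elif kind == "mfa_method_added":
            reasons = []
            recent = [ticket for reset_at, ticket in resets[user]
                      if timedelta(0) <= when - reset_at <= window]
            if recent:
                reasons.append(f"enrolled within {RESET_WINDOW_HOURS}h of help-desk reset {recent[-1]}")
            if details["ip"] not in seen_ips[user]:
                reasons.append(f"enrolment from {details['ip']}, never used by this account")
            if reasons:
                findings.append({"user": user, "time": ts, "method": details["method"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["time"], f["user"], f["method"], "; ".join(f["reasons"]))
```

Two reasons on one enrolment (the jlee case) is the HC3 pattern end to end and should page someone; a single new-location reason (rsmith) is the kind of signal that a travelling employee also produces and belongs in a lower-priority queue. The control that removes the class of incident is procedural rather than technical: the help desk verifies through a channel the caller did not supply, such as a callback to the number already on file, before any MFA method is added.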

  • Jason Rebholz
    I help companies secure AI | CISO, AI Advisor, Speaker, Mentor

    The threat actor behind the MGM Resorts attack had something to say yesterday...and they weren't short on their words. In a 1,100-word statement, the threat actor gave their…unique…perspective on the situation. I parsed through it all to pull out a possible timeline of activity.

    🕜 Friday 9/8 - Saturday 9/9 🕜
    - The threat actor gained initial access to MGM Resorts by socially engineering the IT help desk into resetting a user account.
    - The threat actor gained privileges to access domain controllers and dumped credentials, which they then cracked. They also claim to have intercepted passwords syncing between Okta and presumably Active Directory.
    - The threat actor also obtained Okta super user access and Azure Global Admin access. This would have given near complete control of the environment.
    - The threat actor stole data at some point, though it’s unclear the extent of that data theft.
    - MGM Resorts appears to have taken initial containment steps, though they were not effective.

    🕜 Sunday 9/10 🕜
    - MGM Resorts implemented additional containment measures and attempted to kick the attacker out of the environment. This unfortunately was unsuccessful.

    🕜 Monday 9/11 🕜
    - The threat actor purportedly encrypted over 100 ESXi hypervisors (these run virtual machines, so the impacted number of servers is much higher).
    - The threat actor provided a link to download (presumably) a sample of stolen data.

    🕜 Tuesday 9/12 - Wednesday 9/13 🕜
    - MGM continued their incident response and recovery efforts with the help of outside experts.
    - The threat actor monitored user(s) lurking in their negotiation portal and presumably were upset that no one wanted to chit chat.

    🕜 Thursday 9/14 🕜
    - The threat actor posted a 1,101-word statement to “set the record straight” on the attack.
    - The threat actor claims to still have access to the environment and is threatening to carry out additional attacks if MGM does not make contact with them.

    /end timeline

    Continued #hugops to the MGM team. Navigating an active attacker situation is never a straightforward affair, regardless of what people may say. And given the sophistication of this threat actor compared to your typical ransomware group, their job is that much harder.

    For the rest of us, as we watch and learn more about what happened, it's important to remember why this information is helpful. Understanding the techniques these groups use helps you update your security program to defend against them. A perfect security program only exists in rhetoric. A motivated attacker will find a way regardless of your defenses. Stay knowledgeable, stay kind.

    ------------------------------
    🤓 Hi, I’m Jason, the “TeachMeCyber” guy
    💡 I simplify cyber security to help you learn faster
    🔔 Follow me for daily cyber security posts
    #teachmecyber #cybersecurity #ransomware #mgm

  • Snehal Antani
    CEO @ Horizon3.ai

    The Conti Ransomware group advisory from CISA combined with NodeZero is a great example of how to use the attacker's perspective to verify your security posture...

    From the CISA Advisory on Conti (https://lnkd.in/gpMfxBne):

    Initial Access: "Conti actors often gain initial access to networks through: ... Stolen or weak Remote Desktop Protocol (RDP) credentials"

    Execution Phase: "According to a recently leaked threat actor “playbook,” [6] Conti actors also exploit vulnerabilities in unpatched assets, such as the following, to escalate privileges [TA0004] and move laterally [TA0008] across a victim’s network:
    - 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities;
    - "PrintNightmare" vulnerability (CVE-2021-34527) in Windows Print spooler service; and
    - "Zerologon" vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller systems."

    Here's a real-world example of this attack using NodeZero:
    1. NodeZero compromises Host 1 via CVE-2017-0144 (EternalBlue), dumps SAM, and discovers a local admin credential that is reused as a domain admin cred. Note: sadly EternalBlue is still commonly exploited in the wild despite it being 6 years old. PrintNightmare, ZeroLogon, and the recent Veeam RCE (CVE-2023-27532) are alternatives that achieve a similar outcome.
    2. NodeZero then reuses those compromised credentials to maneuver to Host 2, drops a Remote Access Tool (RAT) on Host 2, successfully dumps SAM on Host 2, and discovers additional local admin credentials that are reused elsewhere.
    3. In parallel, NodeZero harvests NTLM hashes by poisoning LLMNR, successfully using those captured NTLM hashes to gain access to Host 3.
    4. NodeZero then successfully dumps SAM on Host 3, discovering additional credentials, and is able to capture a clear text password by cracking the NTLM hash of an admin credential.
    5. NodeZero discovers that the admin credential and its clear text pair are reused elsewhere, and is successfully able to access a file share on Host 4.
    6. NodeZero gains access to the C drive on Host 4 and has read/write access to 300,000+ files. NodeZero is now in a position to encrypt, exfil, manipulate, or destroy these files.

    Even if EternalBlue was patched, NodeZero would have successfully gained access to those 300k files via the LLMNR path (steps 3-5), so it's not just about patching, it's about understanding how an attacker can chain together multiple issues across multiple machines to achieve their objective.

    #infosec #cybersecurity #ransomware Horizon3.ai
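The closing point of the post (patch EternalBlue and the files are still reachable through the LLMNR path) is a graph reachability question, and a defender can answer it from inventory data without running any exploit. The following is an added example, not NodeZero or Horizon3.ai code: it models the six-step chain as data (entry points that yield a host foothold or a captured credential, credentials recoverable from each host, and which credentials are accepted where), computes the reachable set by fixpoint, and then re-runs the computation with an exposure removed to show what the fix actually buys. Host, credential and entry-point names are constructed.

```python
"""Attack-path reachability over an asset and credential model.

Added example, not NodeZero or Horizon3.ai code. It encodes the chain from the
post as data and answers the question the post ends on: which hosts remain
reachable when one entry point (the EternalBlue exposure) is removed. All
host, credential and entry-point names are constructed.
"""
from typing import Dict, Set, Tuple

# Entry points: name -> ("host", host) for an exposure that yields a foothold,
# or ("credential", cred) for a credential captured without a foothold (the
# post's LLMNR poisoning step).
ENTRY_POINTS: Dict[str, Tuple[str, str]] = {
    "eternalblue_host1": ("host", "host1"),
    "llmnr_capture": ("credential", "hash_svc_admin"),
}

# Credentials recoverable from each host once it is controlled (the SAM dumps)
CREDENTIALS_ON_HOST: Dict[str, Set[str]] = {
    "host1": {"localadmin_a"},
    "host2": {"localadmin_b"},
    "host3": {"admin_c"},
    "host4": set(),
}

# Credentials that grant admin or share access on each host, i.e. where reuse bites
HOST_ACCEPTS: Dict[str, Set[str]] = {
    "host2": {"localadmin_a"},
    "host3": {"hash_svc_admin", "localadmin_b"},
    "host4": {"admin_c"},
}


def reachable(entries: Dict[str, Tuple[str, str]]) -> Set[str]:
    """Hosts an actor holding the given entry points can reach by chaining reuse.

    Alternates two moves until nothing changes: controlled hosts yield their
    stored credentials, and held credentials yield the hosts that accept them.
    """
    hosts: Set[str] = set()
    creds: Set[str] = set()
    for kind, value in entries.values():
        (hosts if kind == "host" else creds).add(value)
    changed = True
    while changed:
        changed = False
        for host in list(hosts):
            gained = CREDENTIALS_ON_HOST.get(host, set()) - creds
            if gained:
                creds |= gained
                changed = True
        for host, accepted in HOST_ACCEPTS.items():
            if host not in hosts and accepted & creds:
                hosts.add(host)
                changed = True
    return hosts


def without(entries: Dict[str, Tuple[str, str]], *removed: str) -> Dict[str, Tuple[str, str]]:
    """The same entry map with some exposures fixed (patched or disabled)."""
    return {name: ep for name, ep in entries.items() if name not in removed}


def entry_points_reaching(entries: Dict[str, Tuple[str, str]], target: str):
    """Which entry points are sufficient on their own to reach the target."""
    return sorted(name for name, ep in entries.items() if target in reachable({name: ep}))


if __name__ == "__main__":
    print("all exposures:", sorted(reachable(ENTRY_POINTS)))
    print("EternalBlue patched:", sorted(reachable(without(ENTRY_POINTS, "eternalblue_host1"))))
    print("paths to host4:", entry_points_reaching(ENTRY_POINTS, "host4"))
```

With both entry points present every host is reachable; patching the SMB exposure alone still leaves host3 and host4 (the file share) reachable through the captured credential, which is the post's point in numbers. The model also makes the higher-value fixes visible: removing the credential reuse edges (distinct local admin passwords per host) cuts the chain regardless of which entry point is used, whereas each patch only removes one starting point.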

  • Nick VanGilder
    Mission Focused Leader | Combat Veteran | Offensive Security Program Builder | Mentor and Coach

    Threat actors aren’t stupid. They know companies have invested heavily in email security solutions, MDM, web proxies, on demand VPNs within MDM to force content through the corporate proxy, etc, etc. The solution? Avoid all of it by sending phishing links via text message. When the target clicks on the link, it’ll open in the phone’s default browser and not the company-managed browser (where all the fancy and expensive security stuff kicks in).

  • Robert Pimentel
    Director, Offensive Security @ Humana | linktr.ee/hackerhermanos

    Scattered Spider just evolved their playbook, and it’s getting scarier. See ⬇️

    Microsoft’s latest research on Octo Tempest (aka Scattered Spider) reveals a disturbing shift in their attack methodology: https://lnkd.in/eXnyABNR

    These financially motivated threat actors are no longer just cloud-first attackers but are mastering hybrid environments with devastating precision.

    What’s changed? Instead of their usual cloud-to-on-premises pivot, they’re flipping the script: compromising on-premises infrastructure first, then escalating to cloud resources. This hybrid approach makes detection exponentially harder.

    Their new arsenal includes:
    - Advanced social engineering targeting helpdesks with impersonation tactics
    - SMS-based phishing using adversary-in-the-middle domains
    - DragonForce ransomware that specifically targets VMware ESX hypervisors

    Recommendations:
    - Test your org’s hybrid defenses. Are your MFA implementations bulletproof against sophisticated social engineering?
    - Do password reset protocols require thorough verification beyond easily OSINTable information like birthdays or addresses? Consider decoupling verification and authentication requests entirely from your helpdesk and routing them to a dedicated security team for thorough vetting.
    - Implement hardened PIM/PAM with just-in-time protocols, segment Authentication Administrator roles across specific administrative units, and place high-risk users in separate administrative units with even more stringent verification requirements.

    This friction can make the difference between a quick win for attackers and a failed intrusion attempt.

    Beyond #OSCP #OffensiveSecurity #InitialAccess #RedTeam Hacker Hermanos

  • Peter Makohon
    Global Head of Cyber Threat Management at AIG

    UNC3944, also known as Scattered Spider, is a sophisticated cyber threat group that has pivoted its tactics to target SaaS (Software as a Service) applications. This adversary employs advanced social engineering techniques and leverages virtual machines (VMs) for persistence in its attacks.

    Sophisticated Social Engineering Tactics
    Scattered Spider excels in social engineering, using carefully crafted phishing emails and other deceptive methods to trick victims into revealing login credentials or installing malware. Their tactics often involve impersonating trusted entities or exploiting current events to increase the perceived legitimacy of their lures.[1]

    Leveraging VMs for Persistence
    Once initial access is gained, the group deploys virtual machines within the compromised environment to maintain a persistent foothold. These VMs act as staging points for further lateral movement and data exfiltration activities, making it challenging to detect and remove the adversary from the network.[1]

    Targeting SaaS Applications
    Scattered Spider has recently shifted its focus to target SaaS applications, which are widely used by organizations for various business functions. By compromising SaaS accounts, the group can gain access to sensitive data, disrupt operations, or use the compromised accounts as entry points into the victim's network.[1]

    This shift highlights the growing importance of securing SaaS applications and implementing robust access controls, multi-factor authentication, and continuous monitoring to detect and respond to potential threats. Organizations must remain vigilant and prioritize security awareness training to educate employees on recognizing and mitigating social engineering attacks, as these tactics are a key component of Scattered Spider's operations.[1]

    Citations:
    [1] https://lnkd.in/g6TcWitU
    [2] https://lnkd.in/g8qiVdhw
    [3] https://lnkd.in/gTSeWs5Y
    [4] https://lnkd.in/gMKs2mZV
    [5] https://lnkd.in/gzkxa9iN
    [6] https://lnkd.in/gDty7uVm
