The intrusion began with the exploitation of an internet-facing instance of ManageEngine SupportCenter Plus via the CVE-2021-44077 vulnerability.
The threat actor successfully exploited the RCE vulnerability in SupportCenter Plus, which allowed them to drop a web shell in an internet accessible directory.
The exploit that was witnessed looks very similar to a publicly available POC exploit on GitHub.
The threat actor then performed some generic enumeration of the system and enabled WDigest authentication on the server using the web shell.
Enumeration on the system included querying network configuration, a list of domain joined computers, user and OS information, and current user sessions on the beachhead.
Periodically over several days, the threat actor returned and checked what users were logged into the beachhead server using the webshell.
Finally, on the seventh day, the threat actors performed an LSASS dump on the system, which captured the credentials of an administrative user that had recently logged into the system.
In this case, the threat actor had access to the user’s plaintext credentials as a result of WDigest authentication being previously enabled.
The following day the threat actor downloaded ekern.exe, which was a renamed version of Plink, and deployed a script to establish a reverse SSH connection to the RDP port of the beachhead server.
An interactive RDP session was successfully established to the beachhead server by the threat actor where they began enumerating other computers on the network.
From the beachhead, lateral movement was conducted to three other servers via RDP, including a domain controller, a file server, and another server.
Confidential files were exfiltrated from the network throughout this intrusion using a mixture of web shell access and hands-on keyboard access via RDP.
These files, were critical to the business and it’s partner.
The documents were selectively chosen as if the attackers were looking for specific material.
When it came time to exfiltrate certain files or folders, one folder of the utmost importance was exfiltrated while passing on other partner folders and files.
Besides the files and folders mentioned, internal machine certs were reviewed and later exfiltrated.
The exfiltrated information has not been found in any public dumps or sales to date.
The threat actors were evicted from the network soon after stealing this information.
Sign Up For Threat Alerts
Mar 21, 2023
Dotrunpex – Demystifying new virtualized .net injector...
DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used...
Mar 21, 2023
GlobeImposter Ransomware With MedusaLocker Spreading Via RDP
A GlobeImposter ransomware campaign was discovered being carried out by the attackers behind MedusaLocker. The...
Mar 20, 2023
Common credential stealers
FortiGuard Threat Research has observed an increasing threat arising from credential stealers. The most common...
Mar 20, 2023
Sirattacker And ALC Ransomware Analysis
The Sirattacker and ALC ransomware families continue to gain traction and compromise Microsoft Windows devices....
Mar 19, 2023
Google Advertising Used To Distribute RedLine Stealer
A malvertising campaign was discovered mimicking websites belonging to well-known software such as Notepad++ and...
Mar 16, 2023
Microsoft Outlook Elevation of Privilege Vulnerability Exploit
Microsoft has posted a security vulnerability CVE-2023-23397, exploiting it allows attackers to gain elevated privileges...
Mar 16, 2023
ImBetter Information Stealer Targets Cryptocurrency Users
Threat actors are targeting cryptocurrency users with the ImBetter information stealer malware. Adversaries are hosting...
Mar 16, 2023
ImBetter Information Stealer Targets Cryptocurrency Users
Threat actors are targeting cryptocurrency users with the ImBetter information stealer malware. Adversaries are hosting...
Mar 15, 2023
US Cert Alert – Threat Actors Exploit...
CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully...
Mar 15, 2023
Threat Actors Use ParallaxRAT For Targeting Cryptocurrency...
Threat actors are targeting organization in the cryptocurrency sector with spam and phishing campaigns that...
Mar 13, 2023
Exposing The Lazarus Arsenal WinorDLL64 Backdoor
In 2021 the researchers discovered and dissected a tool from the Lazarus APTs arsenal named...
Mar 12, 2023
Clasiopa New Group Targets Materials Research
A campaign targeting the materials research sector with custom and commodity utilities and malware is...
Mar 09, 2023
New Emotet campaign
Emotet is a type of malware that is designed to steal sensitive information from infected...
Mar 09, 2023
How sys01 stealer will get your sensitive...
Morphisec has been tracking an advanced info stealer Analysts have named "SYS01 stealer." SYS01 stealer...
Mar 09, 2023
How sys01 stealer will get your sensitive...
Morphisec has been tracking an advanced info stealer Analysts have named "SYS01 stealer." SYS01 stealer...