Full Report
Credential theft was the main goal in 25% of incidents last quarter, and new ransomware variants made their appearance - read more about the top trends, TTPs, and security weaknesses that facilitated adversary actions.
Analysis Summary
# Incident Report: Identity-Based Attacks and Ransomware Trends (Q3 2024)
## Executive Summary
Threat actors are increasingly leveraging identity-based attacks, with credential theft being the goal in 25% of engagements, often facilitated by Living-Off-The-Land Binaries (LoLBins) and common utilities. Ransomware, data theft extortion, and pre-ransomware activities accounted for nearly 40% of incidents investigated this quarter, sometimes involving zero-day or high-profile vulnerability exploitation. Response efforts focused on containing activity stemming from compromised accounts and eradicating ransomware payloads.
## Incident Details
- Discovery Date: Disclosed throughout Quarterly Review (Q3 2024 reporting period)
- Incident Date: Occurred across Q3 2024
- Affected Organization: Multiple organizations across various sectors (Not named)
- Sector: Various (Note mentions Technology as most targeted sector generally)
- Geography: Global (Implied by IR engagement reports)
## Timeline of Events
### Initial Access
- Date/Time: Observed speed in AitM operations saw first adversary login within 20 minutes of initial phishing email delivery.
- Vector: Password spraying/brute force, Adversary-in-the-Middle (AitM) phishing, and exploitation of known vulnerabilities (e.g., ESXi hypervisor vulnerability CVE-2024-37085).
- Details: Attacks used stolen or sprayed credentials to gain a foothold, often followed immediately by MFA approval in AitM scenarios. In one ransomware case, stolen credentials were used on an accidentally exposed RDP account.
### Lateral Movement
- Details: The report mentions techniques like abusing valid accounts via SMB (T1021.002) for lateral movement. Attackers also performed domain credential dumping (using tools like `fgdump` and `pwdump`) post-initial access.
### Data Exfiltration/Impact
- Details: A significant portion (nearly 40%) involved ransomware deployment, data theft extortion, or pre-ransomware activity. Data staged (T1074) prior to exfiltration, which sometimes utilized unencrypted protocols via tools like WinSCP (T1048.003).
### Detection & Response
- Details: Incidents were discovered through ongoing incident response engagements. Response actions focused on containing compromised accounts, eradicating ransomware, and removing custom/staged tools.
## Attack Methodology
- Initial Access: Password Spraying, Brute Force, AitM Phishing (MFA prompt approval), Exploitation of Public-Facing Applications (e.g., ESXi vulnerability CVE-2024-37085).
- Persistence: Not detailed, but implied through account compromise.
- Privilege Escalation: Gaining access to sensitive information upon account compromise, and evidence points to adding accounts to sensitive groups (e.g., "ESX Admin" group).
- Defense Evasion: Disabling or modifying security tools (T1562.001).
- Credential Access: Credential dumping using public tools (`fgdump`, `pwdump`), and credential harvesting during AitM sessions.
- Discovery: Use of open-source tools like Advanced Port Scanner.
- Lateral Movement: Abuse of valid accounts via SMB (T1021.002).
- Collection: Data Staging (T1074).
- Exfiltration: Use of unencrypted non-C2 protocols (T1048.003) via tools like WinSCP.
- Impact: Data Encryption (T1486) via ransomware (RansomHub, RCRU64, DragonForce, BlackByte, Cerber, BlackSuit) or data theft extortion.
## Impact Assessment
- Financial: Costs are implied by the frequency of ransomware and extortion incidents (nearly 40% of engagements).
- Data Breach: High potential for PII, system configuration, and other sensitive data due to credential dumping and data staging prior to exfiltration.
- Operational: Significant disruption due to ransomware encryption and process termination (SQL servers closure observed in one engagement).
- Reputational: Standard risk associated with ransomware attacks and extortion.
## Indicators of Compromise
- Network indicators: (No specific IPs/Domains defanged provided in the text summary)
- File indicators: `saxcvz.exe`, `close.exe`
- Behavioral indicators: Rapid approval of MFA requests post-phishing click, use of non-standard tools like IObit Unlocker.
## Response Actions
- Containment measures: Limiting the scope of compromised valid accounts, halting ongoing data exfiltration.
- Eradication steps: Removal of deployed ransomware payloads (e.g., RCRU64), custom tools, and open-source tools used for compromise (Mimikatz, etc.).
- Recovery actions: Restoring systems encrypted by ransomware, rebuilding or securing exploited hypervisors.
## Lessons Learned
- Identity is the primary attack surface: Credential theft via password spraying and AitM remains highly effective, emphasizing the success of identity-based operations.
- Legacy credential protection is failing: Reliance on passwords is insufficient, as evidenced by the success of spray/brute force attacks.
- Speed of compromise: AitM attacks are very fast, allowing actors to gain initial access within minutes of a user interacting with a malicious link.
- Tool proliferation: Attackers continue to leverage common LoLBins and openly available tools, complicating forensic analysis and detection.
## Recommendations
- Mandate and strictly enforce Multi-Factor Authentication (MFA) across all services, focusing on phishing-resistant MFA methods that block AitM prompt relaying.
- Implement stricter policies on password complexity and block common passwords to mitigate password spraying/brute force success rates.
- Apply timely patches for known, high-risk vulnerabilities exploited by ransomware operators (e.g., ESXi hypervisor vulnerabilities).
- Deploy robust EDR solutions capable of detecting the execution of common credential dumping tools (`fgdump`, `Mimikatz`) and defense evasion techniques.
- Monitor network traffic for anomalous use of tools like WinSCP that might indicate T1048.003 exfiltration patterns.