CIO News Hubb
Advertisement
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
CIO News Hubb
No Result
View All Result
Home Information Security

Active Directory Domain Compromised in Under 24 Hours

admin by admin
January 12, 2023
in Information Security


Jan 12, 2023Ravie LakshmananActive Directory / Malware

A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access.

“Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host,” Cybereason researchers said in a report published this week.

IcedID, also known by the name BokBot, started its life as a banking trojan in 2017 before evolving into a dropper for other malware, joining the likes of Emotet, TrickBot, Qakbot, Bumblebee, and Raspberry Robin.

Attacks involving the delivery of IcedID have leveraged a variety of methods, especially in the wake of Microsoft’s decision to block macros from Office files downloaded from the web.

The intrusion detailed by Cybereason is no different in that the infection chain begins with an ISO image file contained within a ZIP archive that culminates in the execution of the IcedID payload.

The malware then establishes persistence on the host via a scheduled task and communicates with a remote server to download additional payloads, including Cobalt Strike Beacon for follow-on reconnaissance activity.

It also carries out lateral movement across the network and executes the same Cobalt Strike Beacon in all those workstations, and then proceeds to install Atera agent, a legitimate remote administration tool, as a redundant remote access mechanism.

“Utilizing IT tools like this allows attackers to create an additional ‘backdoor’ for themselves in the event their initial persistence mechanisms are discovered and remediated,” the researchers said. “These tools are less likely to be detected by antivirus or EDR and are also more likely to be written off as false positives.”

The Cobalt Strike Beacon is further used as a conduit to download a C# tool dubbed Rubeus for credential theft, ultimately permitting the threat actor to move laterally to a Windows Server with domain admin privileges.

The elevated permissions are then weaponized to stage a DCSync attack, allowing the adversary to simulate the behavior of a domain controller (DC) and retrieve credentials from other domain controllers.

Other tools used as part of the attack include a legitimate utility named netscan.exe to scan the network for lateral movement as well as the rclone file syncing software to exfiltrate directories of interest to the MEGA cloud storage service.

The findings come as researchers from Team Cymru shed more light on the BackConnect (BC) protocol used by IcedID to deliver additional functionality post compromise, including a VNC module that provides a remote-access channel.

“In the case of BC, there appears to be two operators managing the overall process within distinct roles,” the researchers noted last month, adding “much of the activity […] occurs during the typical working week.”

The development also follows a report from Proofpoint in November 2022 that a resurgence in Emotet activity has been linked to the distribution of a new version of IcedID.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
Previous Post

Think twice before making them

Next Post

Initiateleadershipasbridge ~ Future of CIO

Related Posts

Information Security

New Russian-Backed Gamaredon’s Spyware Variants Targeting Ukrainian Authorities

by admin
February 2, 2023
Information Security

AWS achieves ISO 20000-1:2018 certification for 109 services

by admin
February 2, 2023
Information Security

Everything you need to know

by admin
February 2, 2023
Information Security

Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility

by admin
February 1, 2023
Information Security

How to set up ongoing replication from your third-party secrets manager to AWS Secrets Manager

by admin
February 1, 2023
Next Post

Initiateleadershipasbridge ~ Future of CIO

Recommended

Initiatetogoapproach

February 2, 2023

New Russian-Backed Gamaredon’s Spyware Variants Targeting Ukrainian Authorities

February 2, 2023

AWS achieves ISO 20000-1:2018 certification for 109 services

February 2, 2023

Everything you need to know

February 2, 2023

Influentialleadership ~ Future of CIO

February 1, 2023

Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility

February 1, 2023

© 2022 CIO News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

Newsletter Sign Up

No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

© 2022 CIO News Hubb All rights reserved.