A new adversary simulation tool is steadily growing in the ranks of popularity among red teamers and most recently adversaries. Brute Ratel states on its website that it "is the most advanced Red Team & Adversary Simulation Software in the current C2 Market." Many of these products are marketed to assist blue teams in validating detection, prevention, and gaps of coverage.
RedLine is an infostealer malware discovered in 2020. Often sold in underground forums, it is capable of stealing data such as credit card numbers, passwords, VPN and FTP credentials, gaming accounts, and even data from crypto wallets. In May 2022, Netskope Threat Labs analyzed a RedLine stealer campaign that was using YouTube videos to spread, luring victims into downloading a fake bot to automatically buy Binance NFT Mystery Boxes.
National Cybersecurity Awareness Month (NCSAM), held every October, highlights a key theme each year. For 2022, the theme is: “See Yourself in Cyber.” Cybersecurity is more than a set of principles or tools—people are a major component, helping keep businesses safe by complying with multi-factor authentication, using strong passwords, keeping devices updated with the latest software, not installing unapproved software on devices, and reporting phishing.
Mimikatz provides a variety of ways to , but one of the most alarming is the DCSync command. Using this command, an adversary can simulate the behavior of a domain controller and ask other domain controllers to replicate information — including user password data. In fact, attackers can get any account’s NTLM password hash or even its plaintext password, including the password of the KRBTGT account, which enables them to create Golden Tickets.
The CrowdStrike Falcon Complete™ managed detection and response (MDR) team recently uncovered a creative and opportunistic interpretation of a watering hole attack that leverages GitHub to gain access to victim organizations. In the observed cases, there were no phishing emails, no exploitation of public-facing vulnerabilities, no malvertising and no compromised credentials.
Ransomware has traditionally revolved around the encryption of victims’ files. But even if encryption remains ransomware groups’ most common approach, it isn’t really their priority–extortion is. Financially-motivated cybercriminals care more about extracting payment from their victims than they do about the particular methods used to achieve that goal.
Ransomware is the fast-growing category of cybercrime. It’s estimated that over 4,000 ransomware attacks occur daily. Given the sheer volume of these attacks and the deep attack surface connections between organizations and their vendors, there’s a high likelihood that some of your employee credentials have already been compromised in a ransomware attack, which means the keys to your corporate network could currently be published on a ransomware gang’s data leak site.
Security practitioners may know about common command-and-control (C2) frameworks, such as Cobalt Strike and Sliver, but fewer have likely heard of the so-called Chinese sibling framework “Manjusaka” (described by Talos in an excellent writeup). Like other C2 frameworks, we studied the Manjusaka implant/server network communications in our lab environment, and here we document some of the detection methods available. We have also open-sourced the content we describe.
In today’s business environment, the risk of a ransomware attack is high and continues to grow. Threat actors are well financed, motivated, and very organized. While securing your environment and infrastructure is critically important, preparation to respond to an actual ransomware attack is essential. With an incalculable number of potential vulnerabilities and attack vectors, you have to be prepared to effectively respond to and recover from an attack.
