A SentinelOne investigation revealed that threat actors (TA) have been abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.
The cybersecurity researchers detailed their findings in an advisory last week, in which they explained that the TA managed to carry out the attacks after gaining initial access through the Log4Shell vulnerability against an unpatched VMware Horizon Server.
The attackers reportedly modified the Blast Secure Gateway component of the software by installing a web shell using PowerShell code.
“Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools,” the SentinelOne team wrote.
These reportedly included Meterpreter, PowerShell Empire and a new way to side-load Cobalt Strike. According to the security researchers, the threat actors downloaded a malicious DLL, the encrypted payload and the legitimate tool, all from their controlled C2.
“Defenders need to be alert to the fact that LockBit ransomware operators and affiliates are exploring and exploiting novel ‘living off the land’ tools to aid them in loading Cobalt Strike beacons and evading some common EDR and traditional AV detection tools,” SentinelOne wrote.
Consequently, the security researchers warned that companies need to give careful scrutiny to any tools the company or the organization’s security software has made exceptions for.
“Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls,” SentinelOne wrote.
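As an added defensive illustration (not code from the SentinelOne advisory), the check below flags the pattern the article describes: a legitimate tool and a malicious DLL dropped together, so that the Defender command-line tool runs from, or loads a DLL from, a directory outside its install location. The binary name MpCmdRun.exe and the trusted directories are assumptions, since the article does not name them, and the log lines are constructed.

```python
"""Flag side-loading of the Windows Defender command-line tool (added example,
not from the SentinelOne advisory): the Defender CLI should run from its install
directory and load DLLs only from there; anything else matches the
"legitimate tool + malicious DLL dropped together" pattern described above."""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# The article does not name the binary; MpCmdRun.exe is Defender's CLI (assumed).
DEFENDER_CLI = "mpcmdrun.exe"
# Directories where the genuine tool and its DLLs are expected to live (assumed).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Program Files\Windows Defender"),
    PureWindowsPath(r"C:\ProgramData\Microsoft\Windows Defender\Platform"),
)
# Constructed Sysmon-style image-load events; DLL and directory names are illustrative.
SAMPLE_EVENTS = r"""
Image=C:\Program Files\Windows Defender\MpCmdRun.exe|ImageLoaded=C:\Program Files\Windows Defender\mpclient.dll
Image=C:\Users\Public\MpCmdRun.exe|ImageLoaded=C:\Users\Public\mpclient.dll
Image=C:\Program Files\Windows Defender\MpCmdRun.exe|ImageLoaded=C:\Windows\Temp\mpclient.dll
Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Windows\System32\kernel32.dll
"""

def _under_trusted_dir(path: PureWindowsPath) -> bool:
    # PureWindowsPath compares case-insensitively, so C:\PROGRAM FILES matches too.
    return any(trusted in path.parents for trusted in TRUSTED_DIRS)

def parse_event(line: str) -> Dict[str, str]:
    return dict(field.split("=", 1) for field in line.split("|"))

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for a suspicious Defender CLI load, else None."""
    image = PureWindowsPath(event["Image"])
    if image.name.lower() != DEFENDER_CLI:
        return None  # only the Defender CLI is in scope here
    if not _under_trusted_dir(image):
        return "defender-cli-outside-install-dir"  # the tool itself was dropped
    if not _under_trusted_dir(PureWindowsPath(event["ImageLoaded"])):
        return "defender-cli-loaded-foreign-dll"  # DLL came from outside the install dir
    return None

def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Run classify() over newline-separated events; return (label, image, dll)."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        label = classify(ev)
        if label:
            findings.append((label, ev["Image"], ev["ImageLoaded"]))
    return findings
```

In a real deployment the same two conditions map onto Sysmon Event ID 7 (image load) or the equivalent EDR telemetry, with the trusted directory list widened to whatever the environment's Defender platform path actually is.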
For context, LockBit 3.0 is the latest iteration of the prolific LockBit Ransomware-as-a-Service (RaaS) family, which recently ramped up attacks on two public sector entities.
More generally, RaaS has grown significantly since the beginning of the COVID-19 pandemic, largely thanks to the shift to remote work and the consequent lack of security of home networks and misconfigured VPNs.
Some parts of this article are sourced from: