Real Tradecraft, Real Results

Behind every neutralized threat at Huntress is our Security Operations team, combining expertise with relentless dedication. Discover the real stories where their tradecraft protects what matters most—your business.


Recent Response to Incidents

Oh No Cleo! Malichus Implant Malware Analysis

Huntress previously reported on malicious activity from the exploitation of a 0-day vulnerability in Cleo software. Read the story for a technical breakdown of a new family of malware we’ve named Malichus.

Happy holidays! Here’s a (malicious) RMM

‘Tis the season for holiday phishing: threat actors are using Thanksgiving, Black Friday, and Christmas in their phishing attack lures this year. 

On November 2, a user was tricked into executing a malicious process (Thanksgiving-iv.exe) from the directory C:\Users\REDACTED\Downloads\ on the impacted host. Further inspection revealed that this file is a rogue installer for GoTo Resolve RMM. The victim’s Firefox browser artifacts revealed that this installer was downloaded from the URL https[:]//pub-0e9274b4f4a74997bcafd5c5c778bf91[.]r2[.]dev/Thanksgiving-iv.exe. The malicious RMM then deployed a rogue ScreenConnect installer into the directory C:\Program Files (x86)\ScreenConnect Client (3bf4055180e70e5b), which was configured for the domain wilkensealsivc[.]shop.

During a retrospective threat hunt, our tactical response team found an incident on November 5 in which a user executed a malicious MSI file ([REDACTED]_Christmas_Punchbowl_invite.msi) from the directory C:\Users\REDACTED\Downloads\ on the impacted host. This resulted in the deployment of a ScreenConnect RMM, which was configured to the domain vhagov[.]org for command and control.
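Both holiday incidents share the same shape: a user launches an installer from their Downloads folder, and shortly afterwards a ScreenConnect client appears on the host and connects to a relay domain the organisation does not use. The script below is an added example written for this page (it is not Huntress tooling or code from the incidents) showing how a defender can turn that pattern into detection logic over process-creation and network events. The telemetry format, the host names, the instance identifiers and the relay domains are constructed; the allowlist of sanctioned RMM domains is an assumption that each organisation fills in for itself, and the ScreenConnect service binary name is assumed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample endpoint telemetry for this example (not real incident data).
# One event per line: kind|timestamp|host|user|image_path|detail
#   kind=proc : detail is the parent process name
#   kind=net  : detail is the destination domain the image connected to
SAMPLE_EVENTS = r"""
proc|2024-11-02T09:14:03Z|WS-07|jdoe|C:\Users\jdoe\Downloads\Thanksgiving-iv.exe|explorer.exe
proc|2024-11-02T09:14:40Z|WS-07|jdoe|C:\Program Files (x86)\ScreenConnect Client (0123456789abcdef)\ScreenConnect.ClientService.exe|services.exe
net|2024-11-02T09:14:41Z|WS-07|jdoe|C:\Program Files (x86)\ScreenConnect Client (0123456789abcdef)\ScreenConnect.ClientService.exe|holiday-lure-relay.invalid
proc|2024-11-05T08:30:00Z|WS-12|asmith|C:\Program Files (x86)\ScreenConnect Client (fedcba9876543210)\ScreenConnect.ClientService.exe|services.exe
net|2024-11-05T08:30:01Z|WS-12|asmith|C:\Program Files (x86)\ScreenConnect Client (fedcba9876543210)\ScreenConnect.ClientService.exe|rmm.sanctioned-msp.invalid
proc|2024-11-05T08:35:00Z|WS-12|asmith|C:\Windows\System32\notepad.exe|explorer.exe
"""

# Relay domains the organisation's own RMM legitimately talks to (constructed allowlist;
# in practice this comes from the MSP's change records, not from guesswork).
SANCTIONED_RMM_DOMAINS = {"rmm.sanctioned-msp.invalid"}

# An .exe or .msi started directly out of a user's Downloads folder.
DOWNLOADS_INSTALLER = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\downloads\\[^\\]+\.(exe|msi)$", re.I)
# A per-instance ScreenConnect client directory such as "ScreenConnect Client (<16 hex chars>)".
SCREENCONNECT_CLIENT = re.compile(r"\\screenconnect client \([0-9a-f]{16}\)\\", re.I)
# How long after a Downloads launch a new RMM client is treated as part of the same chain.
CHAIN_WINDOW = timedelta(minutes=30)


def parse_event(line):
    kind, ts, host, user, image, detail = line.split("|", 5)
    return {"kind": kind, "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "image": image, "detail": detail}


def analyze(text, sanctioned=SANCTIONED_RMM_DOMAINS):
    """Return a list of findings; severity rises when the weak signals chain together."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    findings = []
    downloads_launch = {}  # host -> time of the most recent installer run from Downloads
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "proc" and DOWNLOADS_INSTALLER.search(ev["image"]):
            downloads_launch[ev["host"]] = ev["ts"]
            findings.append({"host": ev["host"], "severity": "low",
                             "rule": "installer_from_downloads", "image": ev["image"]})
        elif ev["kind"] == "proc" and SCREENCONNECT_CLIENT.search(ev["image"]):
            first = downloads_launch.get(ev["host"])
            chained = first is not None and ev["ts"] - first <= CHAIN_WINDOW
            rule = "screenconnect_client_started"
            if chained:
                rule += "_after_downloads_installer"
            findings.append({"host": ev["host"], "severity": "high" if chained else "info",
                             "rule": rule, "image": ev["image"]})
        elif ev["kind"] == "net" and SCREENCONNECT_CLIENT.search(ev["image"]):
            domain = ev["detail"].lower()
            if domain not in sanctioned:
                findings.append({"host": ev["host"], "severity": "high",
                                 "rule": "screenconnect_unsanctioned_relay", "domain": domain})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the WS-07 chain produces a low finding for the Downloads launch, a high finding when the ScreenConnect client starts within the window, and a second high finding for the unsanctioned relay domain; the WS-12 client, which talks only to the allowlisted relay, produces a single informational finding. The point of the chaining is that a ScreenConnect client on its own is often legitimate, so the rule stays quiet until the surrounding context says otherwise.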

Special thanks to Austin Worline and Jai Minton for flagging the incidents using the Thanksgiving and Christmas lures! 




A threat actor broke into a non-profit, moved laterally and tried to leverage AI for some quick wins. AI slop, however, is no match for the Huntress SOC. Here's what went down:
  • The SOC was alerted to some enumeration occurring from a host - the standard suite of commands: net user, tasklist, quser
  • Upon completing their enumeration, the threat actor began moving laterally using WinRM while attempting to facilitate Remote Desktop access
  • After this, they began deploying PowerShell scripts to steal Veeam credentials - this is where the fun started. :eyes:
Upon review of the PowerShell script, something felt off. The script:
  • Contained strange code snippets
  • Had odd and out of place comments in it
  • Generally did not resemble previously observed Veeam credential theft PowerShell scripts
After running the script through some AI-verification tooling, it was evident that the script was not hand-written by the threat actor, but rather AI generated. Further review of the available telemetry suggested that the script failed to execute on the host :red_circle:
What can we take away from this case?
  • Just because threat actors are leveraging AI, does not mean that they are doing so successfully
  • Basic network hygiene is still the best bang-for-your-buck approach

Huntress SOC, Protecting our Most Vulnerable :crossed_swords:

Here's what happened:
  • Huntress SOC received an alert that indicated a threat actor had infiltrated the network for a children's charity
  • Within 20 minutes of gaining initial access, the Huntress SOC contained the threat and informed the partner of the next steps needed to secure their environment :boom:


Key takeaways:
  • Like we always say, threat actors work fast, Huntress works faster
  • Even without the extra leverage implementing Huntress SIEM would have granted the partner, Huntress EDR was able to detect the threat early on :muscle:
  • Huntress is passionate about protecting all of our partners, big or small :triumph:

:shield: Windows Defender alerts are fantastic, but only if they are actioned appropriately.
At one manufacturing facility, the combination of Defender and the Huntress SOC worked together to stop a ransomware intrusion. Here are the details:
  • A generic Windows Defender alert for ransomware detections triggered
  • Subsequent Defender alerts were more specific, homing in on Akira ransomware
  • Further activity triggered a correlation rule, which serves to amplify the severity of multiple lower-priority alerts
At this point, the Huntress SOC isolated the entire network to deny the threat actor further access to the environment.
In addition, logs were pulled to identify the source of the intrusion as well as additional compromised accounts and hosts. Defender alone is a great tool, but what if no one is around to see its alerts or perform a deeper investigation?
This is the value of the Huntress Managed Platform: the AI-assisted, human-led SOC has your back 24/7. Critical alerts are actioned immediately, networks are isolated to prevent damage, and investigations are performed that contextualize atomic alerts into actionable information!
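Two of the cases above turn on the same idea: individually weak signals become a high-severity incident when they stack up on one host within a short window. In the non-profit case it was the enumeration trio (net user, tasklist, quser) followed by WinRM lateral movement; in the manufacturing case it was a generic Defender ransomware alert, a more specific Akira alert, and a correlation rule that amplified the severity of several lower-priority alerts. The following is an added example, not Huntress detection logic, of a minimal correlation engine that does both: it keeps a sliding window of signals per host, sums constructed weights, and escalates either when a known sequence completes or when the stacked score crosses a threshold. The signal names, weights, window length, threshold and the alert stream are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sliding window per host and the score at which stacked low-priority alerts escalate
# (constructed tuning values; real deployments tune these against their own alert volume).
WINDOW = timedelta(minutes=60)
ESCALATE_AT = 8

# Weight of each atomic signal: quiet on its own, loud when several stack up (constructed).
SIGNAL_WEIGHT = {
    "enum_net_user": 1, "enum_tasklist": 1, "enum_quser": 1,
    "winrm_remote_exec": 3,
    "defender_generic_ransomware": 3,
    "defender_akira": 4,
}
# A sequence rule: all of the enumeration signals followed by a lateral-movement signal.
ENUM_SIGNALS = {"enum_net_user", "enum_tasklist", "enum_quser"}
LATERAL_SIGNALS = {"winrm_remote_exec"}

# Constructed sample alert stream for this example: timestamp|host|signal
SAMPLE_ALERTS = """\
2024-11-10T14:00:00Z|FS-01|enum_net_user
2024-11-10T14:00:05Z|FS-01|enum_tasklist
2024-11-10T14:00:09Z|FS-01|enum_quser
2024-11-10T14:12:00Z|FS-01|winrm_remote_exec
2024-11-10T15:30:00Z|HR-PC|enum_tasklist
2024-11-11T02:10:00Z|PLC-GW|defender_generic_ransomware
2024-11-11T02:11:30Z|PLC-GW|defender_akira
2024-11-11T02:12:00Z|PLC-GW|defender_generic_ransomware
"""


def parse_alerts(text):
    """Parse the pipe-delimited stream into (timestamp, host, signal) tuples in time order."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, signal = line.split("|")
        out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, signal))
    return sorted(out)


def correlate(text):
    """Return one escalated incident per host, with the reason and the contributing signals."""
    incidents = []
    recent = defaultdict(list)  # host -> [(ts, signal)] still inside the window
    escalated = set()
    for ts, host, signal in parse_alerts(text):
        # Drop signals that have aged out of the window, then add the current one.
        window = [(t, s) for t, s in recent[host] if ts - t <= WINDOW]
        window.append((ts, signal))
        recent[host] = window
        if host in escalated:
            continue  # already an incident; further alerts are appended to it elsewhere
        score = sum(SIGNAL_WEIGHT.get(s, 1) for _, s in window)
        seen = {s for _, s in window}
        reason = None
        if ENUM_SIGNALS <= seen and signal in LATERAL_SIGNALS:
            reason = "enumeration_then_lateral_movement"
        elif score >= ESCALATE_AT:
            reason = "stacked_alert_score"
        if reason:
            escalated.add(host)
            incidents.append({"host": host, "reason": reason, "score": score,
                              "first_seen": window[0][0],
                              "signals": [s for _, s in window]})
    return incidents


if __name__ == "__main__":
    for incident in correlate(SAMPLE_ALERTS):
        print(incident)
```

On the constructed stream, FS-01 escalates the moment the WinRM signal lands after the three enumeration commands even though its score (6) is under the threshold, PLC-GW escalates on the third Defender alert once the stacked score reaches 10, and the lone tasklist on HR-PC never leaves the window as a single low-weight signal. The sequence rule and the score rule are deliberately independent, so a host can trip either one.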
Learn more about Huntress Managed Microsoft Defender

Huntress SIEM gives the upper hand... when it's installed

In a recent incident, SIEM was NOT installed; as a result, threat actors were able to run amok in a partner's environment. With SIEM installed, the SOC would have had a 24 hour advantage.


In those 24 hours, the threat actor was able to:
  • Compromise an admin account and move laterally throughout the environment
  • Execute data exfiltration tools on multiple endpoints


In addition, ingesting their VPN logs into SIEM would have saved the partner a whole lot of headaches and prevented their logs from being overwritten before we could get to the bottom of the intrusion.


Bottom line: SIEM can give the SOC a head start and improves the partner experience during a security intrusion.


Learn more about Huntress Managed SIEM


Ready to try Huntress for yourself?

See how the global Huntress SOC can augment your team with 24/7 coverage and unmatched human expertise.

Start a Free Trial Today