Free Trial
|
Login
Free Trial
Login
Platform
Platform
I want to
report
WHITEPAPER Picus Red Report 2025
white paper
DATASHEET Security Validation Platform
Use Cases
Use Cases
Frameworks
Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research
RESEARCH
LEARNING
whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources
RESOURCES
LEARNING
Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company
COMPANY
PARTNERS
webinar
REGISTER NOW: Assessing Your Zero Trust Program with "Assume Breach" Mindset
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO

PICUS LABS MONTHLY #May 2021

PicusLabsMonthly_May2021

MAY'S THREAT: DARKSIDE RANSOMWARE GROUP

A Rising Ransomware Threat Group: DarkSide 

The Darkside ransomware group established several high-profile breaches, including the US-based Colonial Pipeline Company incident in May 2021. They have established the Ransomware as a Service (RaaS) model and expanded their operations with the participation of other threat actors. In addition to encrypting files and demanding ransom, the Darkside threat actors exfiltrate data and threaten the victim by releasing the exfiltrated data, known as the double-extortion tactic.

 

You can test the effectiveness of your security controls against the Darkside ransomware campaigns with the "655212 Darkside Ransomware Attack Scenario" in Picus Threat Library. You can also validate your defenses against Darkside malware samples with threats 312355, 424348, 727882, 551628, 269817, 588030, 507789, 230239, 675517, 247255, 429456, 591155, 304959, 204994, 506926, and 166962 in Picus Threat Library.

 

MAY'S THREAT ACTORS

UNC2447

  • Picus Threat ID: 730014,782601,383259,794709,607648,781917,499270,277155,840145
  • Target Regions: North America, Europe 
  • Malware: Sombrat,Fivehands,Hellokitty,Deathransom,Warprism,Baecon,Foxgrabber

APT29

  • Picus Threat ID: 433911
  • Aliases: Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke
  • Target Regions: North America, Europe, Asia, Middle East
  • Target Industries: Government, Consulting, Technology, Telecommunication Malware: Cobaltstrike, EnvyScout, BoomBox, NativeZone, VaporRage

ATTACK SCENARIOS

APT / Malware Scenarios

DarkSide Ransomware Scenario

Picus Threat ID: 655212

 

ACTIONS:

 

1. Gather System Language via Powershell
ATT&CK Technique: T1082 System Information Discovery
ATT&CK Tactic: Discovery

2. Gather System Language from Register Hive
ATT&CK Technique: T1082 Input Capture
ATT&CK Tactics: Discovery

3.Capture Geoip Location Info using PowerShell
ATT&CK Technique: T1005 Data from Local System
ATT&CK Tactic: Collection
...
15. Gather Information about Target Domain using ADRecon
ATT&CK Technique: T1018 Remote System Discovery
ATT&CK Tactic: Discover

 

PortDoor Backdoor Scenario

Picus Threat ID: 571886

 

ACTIONS:

 

1. Copy a File "winlog.wll" in MS Word Startup Folder for Persistence

ATT&CK Technique: T1547 Boot or Logon Autostart Execution

ATT&CK Tactic: Persistence, Privilege Escalation

 

2. Execute Backdoored WLL using rundll32.exe

ATT&CK Technique: T1218 Signed Binary Proxy Execution

ATT&CK Tactics: Defense Evasion

 

3.Displays the current date and time variables using "net time"

 ATT&CK Technique: T1124 System Time Discovery

 ATT&CK Tactic: Discovery

 ...

 

9. Encrypt a file "253774.csv" using AES

 ATT&CK Technique: T1560 Archive Collected Data

 ATT&CK Tactic: Collection

  

Atomic Attacks

Credential Dumping Stored Credentials with SeTrustedCredmanAccessPrivilege

  • Picus Threat ID: 225673
  • ATT&CK Technique: T1003 OS Credential Dumping
  • ATT&CK Tactics: Credential Access

Credential Dumping from Protected Processes via PPLDump

  • Picus Threat ID: 787684
  • ATT&CK Technique: T1003 OS Credential Dumping
  • ATT&CK Tactics: Credential Access

Process Injection by using DoppelGate Technique

  • Picus Threat ID: 826695
  • ATT&CK Technique: T1055 Process Injection
  • ATT&CK Tactics: Defense Evasion

Our world-class red team analyzed 500.000 TTPs to identify the top 10 most common ATT&CK techniques.

Download Now: The Red Report: Your Handbook to Utilize MITRE ATT&CK Framework

MALICIOUS CODE

 

DarkSide Ransomware

  • Picus Threat ID: 868324,871662,517987,812418,734114,655212,374655,774481,743576,464272,792638,830614,496797,843957,
    401207,639011
  • Signature ATT&CK Technique: T1566,T1190,T1133,T1090.003,T1486 Target Regions: All
  • Target Industries: Government, Medicine, Education

UNC2447 - Sombrat, Fivehands, Hellokitty, Deathransom, Warprism, Beacon, Foxgrabber

  • Picus Threat ID: 456779, 546269, 776580, 573385
  • Signature ATT&CK Techniques: T1547.006, T1012
  • Target Regions: Switzerland, Great Britain, Belgium, United States, The Netherlands, Croatia, Porto Rico, Germany, Turkey, Russia, Denmark, Mexico, Canada, Dominican Republic
  • Target Industries: ALL

APT29 - CobaltStrike Beacon

  • Picus Threat ID: 433911
  • Signature ATT&CK Technique: T1085,T1179,T1055,T1112,T1055,T1497,T1179,T1497,T1043

WEB APPLICATION ATTACKS

 

HTTP Protocol Stack Remote Code Execution Vulnerability Variant-1

  • Picus Threat ID: 804289
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 9.8 Critical
  • CVE: CVE-2021-31166
  • Affected Product: IIS

Microsoft Exchange Server Remote Code Execution Vulnerability

  • Picus Threat ID: 328019
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 8.8 Critical
  • CVE: CVE-2021-28482
  • Affected Product: Microsoft Exchange Server

Apache OfBiz Deserialization to RCE Vulnerability

  • Picus Threat ID: 804289
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 9.8 Critical
  • CVE: CVE-2021-30128
  • Affected Product: Apache OFBiz

VULNERABILITY EXPLOITATIONS

Ubuntu OverlayFS Privilege Escalation .ELF File Download Variant-1

  • Picus Threat ID: 365626
  • CVE: CVE-2021-3493
  • CVSS 3 Base Score: 7.8 High
  • Affected Product: Ubuntu OverlayFS

ExifTool ANT Perl Injection Vulnerability Variant-1

  • Picus Threat ID: 366433
  • CVE: CVE-2021-22204
  • CVSS 3 Base Score: 7.8 High
  • Affected Product: ExifTooly

GitLab Remote Code Execution .RMD File Download Variant-1

  • Picus Threat ID: 313770
  • CVE: CVE-2021-22192
  • CVSS 3 Base Score: 8.8 High
  • Affected Product: GitLab
10 Critical MITRE ATT&CK Techniques

SIGMA RULES

 

Suspicious XSL Script Processing via WMI Execution

  • Picus Sigma ID: 3213
  • Technique: XSL Script Processing
  • Tactic: Defense Evasion 

Computer Information Discovery via WMIC Tool

  • Picus Sigma ID: 4923
  • Technique: System Information Discovery
  • Tactic: Discovery

Sophos Antivirus Service Stop via Taskkill Tool

  • Picus Sigma ID: 8702
  • Technique: Impair Defenses: Disable or Modify Tools
  • Tactic: Defense Evasion
Emerging Threat Palo Alto CVE-2024-0012 and CVE-2024-9474 Vulnerabilities Explained
Learn More
Emerging Threat Understanding and Mitigating Midnight Blizzard's RDP-Based Spear Phishing Campaign
Learn More
fortimanager
Emerging Threat CVE-2024-47575: FortiManager Missing Authentication Zero-Day Vulnerability Explained
Learn More
cisa-alert-aa24-290a
Emerging Threat Iranian Cyber Actors’ Brute Force and Credential Access Attacks: CISA Alert AA24-290A
Learn More
Emerging Threat CISA Alert AA24-249A: Russian GRU Unit 29155 Targeting U.S. and Global Critical Infrastructure
Learn More
emerging-threat
Emerging Threat CVE-2024-38063: Remote Kernel Exploitation via IPv6 in Windows
Learn More
RansomHub-Ransomware
Emerging Threat RansomHub Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA24-242A
Learn More
pioneer-kitten-ransomware
Emerging Threat Pioneer Kitten: Iranian Threat Actors Facilitate Ransomware Attacks Against U.S. Organizations
Learn More
north-korean-APT-group
Emerging Threat Andariel: North Korean APT Group Targets Military and Nuclear Programs
Learn More