
LockBit 3.0 Abuses Windows Defender to Deploy Cobalt Strike Payload



A threat actor associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.



According to a report published by SentinelOne last week, the intrusion began after the attackers obtained initial access by exploiting the Log4Shell vulnerability against an unpatched VMware Horizon server.



"Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire, and a new way to side-load Cobalt Strike," researchers Julio Dantas, James Haughom, and Julien Reisdorffer said.



LockBit 3.0 (aka LockBit Black), which comes with the tagline "Make Ransomware Great Again!," is the next iteration of the prolific LockBit RaaS family that emerged in June 2022 to iron out critical weaknesses discovered in its predecessor.



It is notable for instituting the first-ever bug bounty program run by a RaaS operation. Besides featuring a revamped leak site to name-and-shame non-compliant targets and publish exfiltrated data, it also includes a new search tool that makes it easier to find specific victim data.




The use of living-off-the-land (LotL) techniques by cyber intruders, wherein legitimate software and functions available in the system are used for post-exploitation, is not new and is usually seen as an attempt to evade detection by security software.



In April 2022, a LockBit affiliate was found to have leveraged a VMware command-line utility, VMwareXferlogs.exe, to drop Cobalt Strike. What is different this time is the use of MpCmdRun.exe to achieve the same goal.



MpCmdRun.exe is a command-line tool for carrying out various functions in Microsoft Defender Antivirus, including scanning for malicious software, collecting diagnostic data, and restoring the service to a previous version, among others.



In the incident analyzed by SentinelOne, the initial access was followed by downloading a Cobalt Strike payload from a remote server, which was subsequently decrypted and loaded using the Windows Defender utility.

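The living-off-the-land pattern described above, and the two concrete instances in this article (VMwareXferlogs.exe in April, MpCmdRun.exe here), share one detectable trait: a legitimate, often allow-listed binary is run from a location or by a parent process that its normal use never produces. The genuine MpCmdRun.exe lives under the Windows Defender install directory or the versioned Defender platform directory; a copy executing from a user-writable folder, or a genuine copy spawned by an Internet-facing application server, is the signal to hunt for. The following Python is an added example written for this page, not code from SentinelOne or from the article. The process-creation events are constructed, the expected install directories and parent-process allow-lists are assumptions that must be tuned per environment, and the ws_TomcatService.exe parent path is an illustrative stand-in for an exploited web-facing service.

```python
"""Flag dual-use binaries (MpCmdRun.exe, VMwareXferlogs.exe) that run from an
unexpected path or under an unexpected parent process.

Added example; events, directories and parent lists below are constructed.
"""
import ntpath
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProcessEvent:
    """One process-creation record (fields modelled on Sysmon Event ID 1)."""
    timestamp: str
    image: str          # full path of the executable that started
    parent_image: str   # full path of the process that launched it
    command_line: str


@dataclass
class Finding:
    event: ProcessEvent
    reasons: List[str] = field(default_factory=list)


# ASSUMED baseline: directories the legitimate binaries run from (lowercase,
# no trailing backslash) and parents that normally launch them. Tune per site.
BASELINE = {
    "mpcmdrun.exe": {
        "dirs": (
            r"c:\program files\windows defender",
            r"c:\programdata\microsoft\windows defender\platform",
        ),
        "parents": {"svchost.exe", "cmd.exe", "powershell.exe", "explorer.exe"},
    },
    "vmwarexferlogs.exe": {
        "dirs": (r"c:\program files\vmware",),
        "parents": {"cmd.exe", "powershell.exe", "explorer.exe"},
    },
}


def _norm(path: str) -> str:
    # ntpath works on any host OS: lowercases and converts '/' to '\'
    return ntpath.normcase(path)


def _base(path: str) -> str:
    return ntpath.basename(_norm(path))


def assess(event: ProcessEvent) -> Optional[Finding]:
    """Return a Finding if the event is a profiled binary running abnormally."""
    name = _base(event.image)
    profile = BASELINE.get(name)
    if profile is None:
        return None  # not a binary we profile
    reasons = []
    image = _norm(event.image)
    # Path check: the versioned platform directory is matched by prefix.
    if not any(image.startswith(d + "\\") for d in profile["dirs"]):
        reasons.append(f"{name} executed from unexpected location {event.image}")
    parent = _base(event.parent_image)
    if parent not in profile["parents"]:
        reasons.append(f"{name} launched by unexpected parent {parent}")
    return Finding(event, reasons) if reasons else None


def analyze(events: List[ProcessEvent]) -> List[Finding]:
    return [f for f in (assess(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Routine scheduled scan from the platform directory -> benign
    ProcessEvent("2022-07-20T02:00:01Z",
                 r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe",
                 r"C:\Windows\System32\svchost.exe",
                 '"MpCmdRun.exe" -Scan -ScanType 1'),
    # 2. Admin updating signatures from a shell -> benign
    ProcessEvent("2022-07-20T09:14:33Z",
                 r"C:\Program Files\Windows Defender\MpCmdRun.exe",
                 r"C:\Windows\System32\cmd.exe",
                 '"MpCmdRun.exe" -SignatureUpdate'),
    # 3. Copy staged in a writable directory, run with no arguments -> flag
    ProcessEvent("2022-07-20T11:02:07Z",
                 r"C:\Users\Public\MpCmdRun.exe",
                 r"C:\Windows\System32\cmd.exe",
                 '"MpCmdRun.exe"'),
    # 4. Genuine binary spawned by a web-facing service (illustrative parent) -> flag
    ProcessEvent("2022-07-20T11:05:41Z",
                 r"C:\Program Files\Windows Defender\MpCmdRun.exe",
                 r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
                 '"MpCmdRun.exe"'),
    # 5. VMware utility copied to Temp and run from PowerShell -> flag
    ProcessEvent("2022-07-20T11:09:12Z",
                 r"C:\Windows\Temp\VMwareXferlogs.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 '"VMwareXferlogs.exe"'),
]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding.event.timestamp, "; ".join(finding.reasons))
```

The path check deliberately matches on directory prefix rather than exact path so that the versioned Defender platform folder still counts as expected; the parent check is where site-specific tuning matters most, since scheduled tasks, EDR agents and management tools all launch MpCmdRun.exe legitimately. Both checks are cheap enough to run over every process-creation event from an EDR or Sysmon feed.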


"Tools that should receive careful scrutiny are any that either the organization or the organization's security software have made exceptions for," the researchers said.



"Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls."



The findings come as initial access brokers (IABs) are actively selling access to company networks, including managed service providers (MSPs), to fellow threat actors for profit, in turn offering a way to compromise downstream customers.



In May 2022, cybersecurity authorities from Australia, Canada, New Zealand, the U.K., and the U.S. warned of attacks weaponizing vulnerable managed service providers (MSPs) as an "initial access vector to multiple victim networks, with globally cascading effects."



"MSPs remain an attractive supply chain target for attackers, particularly IABs," Huntress researcher Harlan Carvey said, urging companies to secure their networks and implement multi-factor authentication (MFA).



Know the masculine yet keep to the feminine, and be a ravine to the world; know the white yet keep to the black, and be a pattern to the world; know honor yet keep to disgrace, and be a valley to the world.


(Tao Te Ching, Chapter 28)

This article is a translation of:

https://thehackernews.com/2022/08/lockbit-ransomware-abuses-windows.html

If you repost it, please credit the original source.


My translation ability is limited :(

Where anything is ambiguous, please defer to the original :)