Share this page!

SophosLabs Profile picture
Twitter logo
3 Sep, 14 tweets, 3 min read
NEW: Conti affiliates use ProxyShell Exchange exploit in ransomware attacks ⚠️

In one of the ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute...

1/14
ProxyShell represents an evolution of the ProxyLogon attack method. In recent months, the exploit has become a mainstay of ransomware attacker playbooks, including those deploying the new LockFile ransomware first seen in July. 2/14
As attackers have gained experience with the techniques, their dwell time before launching the final ransomware payload on target networks has decreased from weeks to days to hours. 3/14
1 MINUTE

In the case of one of the group of ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute. 4/14
3 MINUTES

Three minutes later, they installed a second, backup web shell. 5/14
30 MINUTES

Within 30 minutes they had generated a complete list of the network’s computers, domain controllers, and domain administrators. 6/14
FOUR HOURS

Just four hours later, the Conti affiliates had obtained the credentials of domain administrator accounts and began executing commands. 7/14
48 HOURS

Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. 8/14
5 DAYS

After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer. 9/14
Over the course of the intrusion, the Conti affiliates installed no fewer than seven back doors on the network: two web shells, Cobalt Strike, and four commercial remote access tools (AnyDesk, Atera, Splashtop and Remote Utilities). 10/14
The web shells, installed early on, were used mainly for initial access; Cobalt Strike and AnyDesk were the primary tools they used for the remainder of the attack. 11/14
IOCs

The encoded PowerShell commands from this attack are provided in the article linked below for threat researchers and responders. 12/14
See all the technical details from @thepacketrat and @AltShiftPrtScn: news.sophos.com/en-us/2021/09/…

13/14
SophosLabs would like to acknowledge Anand Ajjan, Andrew Ludgate, and Gabor Szappanos of SophosLabs, and Sergio Bestulic and Syed Zaidi from Sophos MTR’s Rapid Response Team for their contributions to this report. 14/14

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with SophosLabs

SophosLabs Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @SophosLabs

SophosLabs Profile picture
1 Sep
NEW: Fake pirated software sites serve up malware droppers as a service 🏴‍☠️

During our recent investigation into an ongoing Raccoon Stealer campaign, we found the malware was being distributed by a network of websites acting as a “dropper as a service,”... 1/00 Image
... serving up a variety of other malware packages—often bundling multiple unrelated malware together in a single dropper. These malware included an assortment of clickfraud bots, other information stealers, and even ransomware. 2/00 Image
While the Raccoon Stealer campaign we tracked on these sites took place between January and April, 2021, we continue to see malware and other malicious content distributed through the same network of sites. 3/00 Image
Read 13 tweets
SophosLabs Profile picture
9 Aug
NEW 👇

BlackMatter ransomware emerges from the shadow of DarkSide

1/12
In late July, a new RaaS appeared on the scene.

Calling itself BlackMatter, the ransomware claims to fill the void left by DarkSide and REvil – adopting the best tools and techniques from each of them, as well as from the still-active LockBit 2.0. 2/12
We decided to take a closer look at the malware and the claims being made by the new adversary to see what’s really going on... 3/12
Read 12 tweets
SophosLabs Profile picture
11 Jun
NEW insights ☠️

Relentless REvil, revealed: RaaS as variable as the criminals who use it

No two criminal groups deploy the ransomware-as-a-service (RaaS), also known as Sodinokibi, in exactly the same way...

(a thread) 1/11
As attacks involving RaaS malware, including REvil, increasingly have generated attention, we wanted to pull together a common body of our knowledge about the ransomware itself, and the variety we observe in attack methods employed by the criminals who lease the software. 2/11
We've also reviewed reports from Sophos Rapid Response about attacks involving Sodinokibi/REvil where the MTR team were hired to provide incident response and cleanup. From these detailed analyses, we were able to develop a picture of a common malware being deployed. 3/11
Read 11 tweets
SophosLabs Profile picture
8 Jun
NEW on Patch Tuesday: Six in-the-wild exploits patched in Microsoft’s June security fix release

Security fixes address five critical vulnerabilities, including scripting and Defender bugs—and one actively exploited flaw in MSHTML...

(a thread) 1/7 Image
The June security update drop has a mere 49 new vulnerability fixes, plus five synchronized fixes delivered by Adobe.

Only five of Microsoft’s bug fixes are rated as critical. But that doesn’t lessen the importance of applying patches as soon as possible. 2/7
All five critical patches are for bugs that are potentially exploitable for remote code execution (RCE). And one of them, a vulnerability in the Windows MSHTML “platform”, is already being exploited. 3/7
Read 7 tweets
SophosLabs Profile picture
2 Jun
NEW: AMSI bypasses remain tricks of the malware trade

Malware developers continue to try to sabotage or evade Microsoft’s Anti-Malware Software Interface in “fileless” and living-off-land attacks...

(a thread) 1/13
As Windows 10 and the latest generation of Windows Server platforms have risen to prominence, malware developers and malicious actors have increasingly aimed to evade detection by taking out those platforms’ anti-malware traffic cop: Microsoft’s Antimalware Scan Interface. 2/13
AMSI, introduced in 2015, provides a way for software to talk to security products, requesting scans of files, memory, or streams for malicious payloads in a vendor-agnostic way. 3/13
Read 13 tweets
SophosLabs Profile picture
1 Jun
A NEW ransomware enters the fray: Epsilon Red

A bare-bones ransomware offloads most of its functionality to a cache of PowerShell scripts...

(a thread) 1/13
Sophos analysts uncovered a new ransomware written in the Go programming language that calls itself Epsilon Red.

The malware was delivered as the final executable payload in a hand-controlled attack in which every other early-stage component was a PowerShell script. 2/13
While the name and tooling were unique to this attacker, the ransom note left behind resembles the note left behind by REvil ransomware, but adds a few minor grammatical corrections.

There were no other obvious similarities between the Epsilon Red ransomware and REvil. 3/13
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @SophosLabs has new unrolls!

Check out other threads from @SophosLabs!

Read all threads by @SophosLabs

:(