Sophos X-Ops
Aug 9 · 17 tweets · 4 min read
NEW: Multiple attackers increase pressure on victims, complicate incident response

Sophos’ latest Active Adversary report explores the issue of organizations being hit multiple times by attackers...

1/17
There’s a well-worn industry phrase about the probability of a cyberattack: “It’s not a matter of if, but when.”

Some of the incidents @Sophos recently investigated may force the industry to consider changing this: The question is not if, or when – but how many times? 2/17
In an issue we highlighted in our Active Adversary Playbook 2022, we’re seeing organizations being hit by multiple attackers. 3/17
Some attacks take place simultaneously; others are separated by a few days, weeks, or months. Some involve different kinds of malware, or double – even triple – infections of the same type. 4/17
Today, Sophos X-Ops is releasing our latest Active Adversary white paper: Multiple Attackers: A Clear and Present Danger. In the paper, we take a deep dive into the problem of multiple attackers, exploring how and why organizations are attacked several times. 5/17
Recent case studies from our Managed Detection and Response (#MDR) and Rapid Response (RR) teams provide insight into the how, and exploring cooperation and competition among threat actors helps explain the why. 6/17
Our key findings are:

🔹The key drivers of multiple exploitations are vulnerabilities and misconfigurations going unaddressed after a first attack. 7/17
🔹Multiple attacks often involve a specific sequence of exploitation, especially after widespread vulnerabilities like ProxyLogon/ProxyShell are disclosed – with cryptominers arriving first, followed by wormable botnet builders, RATs, initial access brokers, and #ransomware. 8/17
🔹While some threat actors are interdependent (e.g., IABs later enabling ransomware), others, such as cryptominers, try to terminate rival #malware, and may even ‘close the door’ by patching vulnerabilities or disabling vulnerable services after gaining access. 9/17
🔹Historically, threat actors have been protective of their infections, to the extent of kicking rivals off compromised systems. 10/17
🔹Ransomware actors, despite occasionally tangling with each other, seem less concerned about competition, and sometimes adopt strategies which directly or indirectly benefit other groups. 11/17
🔹Certain features of the underground economy may enable multiple attacks – for instance, IABs reselling accesses, and ransomware leak sites providing data that other threat actors can later weaponize. 12/17
🔹Some of the case studies we analyze include a ransomware actor installing a backdoor which was later abused by a second ransomware group; and an incident where... 13/17
... one organization was attacked by three ransomware groups in the space of a few weeks, all using the same misconfigured RDP server to gain access. After the dust had settled, Sophos discovered some files which had been encrypted by all three groups. 14/17
At this stage there’s only anecdotal evidence to suggest that multiple attacks are on the rise, but, as Sophos’ Director of Incident Response, @AltShiftPrtScn, notes: 15/17
“This is something we’re seeing affecting more and more organizations, and it’s likely due to an increasingly crowded market for threat actors, as well as ransomware-as-a-service (RaaS) becoming more professionalized and lowering the bar to entry.” 16/17
Read more from @darkartlab and see our latest Active Adversary whitepaper, Multiple Attackers: A Clear and Present Danger...

news.sophos.com/en-us/2022/08/…

17/17
