Indicateurs de compromission (IOCs) identifiés
Rapports de compromission identifiés (regroupement d’IoCs)
HIGHLIGHT OF THE MONTH
This month’s focus is on Brute Ratel a “Command and Control” centre (see August’s definition) that allows the simulation of legitimate attacks by Red Teams.
In concrete terms, the tool is used to deploy a beacon in a target environment and then execute commands there (perform lateral movements, elevation of privileges, reinforce its presence in the infected system, etc.). Brute Ratel was also developed using reverse engineering methods on EDRs and antivirus DLLs.
While acquiring a licence required the verification of a corporate email address, the sharing of a pirated version on illegal forums in September 2022 democratised Brute Ratel. Brute Ratel has since become notorious for its illegal use by cybercriminals who hijack its search functions for malicious purposes, much like Cobalt Strike, the leader in this ‘market’.
Where Cobalt Strike, which is more widespread, is best detected, the relatively recent appearance of Brute Ratel allows attackers to be discovered less easily, especially as it specialises in bypassing detection by security solutions such as EDRs or anti-virus software.
Recently, it was the Black Basta Ransomware Family group that distinguished itself with the combined use of Brute Ratel and Cobalt Strike, whereas it previously used only the latter. The attack first used Qakbot as an infection vector to deploy Brute Ratel to collect data for the BloodHound Active Directory recognition tool and to compress the recovered data and exfiltrate it from the server.
DEFINITION OF THE MONTH
Lateral movement is a post-infection attack stage in the Kill Chain.
After compromising an initial machine on a network, the attacker will seek to move on, and take control of other workstations or servers. This process is done in 3 steps: an elevation of privileges, a search for targets, and then an attack or exploitation.
The objective of the elevation of privilege is twofold. Firstly, if possible, it is necessary to obtain local administrator privileges of the infected machine, which allows to take full control of it. The attacker will then look for identifiers on the machine (TTP T1081: hashes stored in the SAM database or lsass.exe, passwords stored in the browser, in scripts, etc.), which can allow him to obtain accounts on the network.
Then, the target search process is classic: the attacker will scan the network for a vulnerable machine, or for which he has obtained valid authentication information.
Finally the attacker will compromise the machines he has targeted. Often these are T0886 / T0859 techniques: the attacker has obtained a valid account (by finding a password in a script, phishing or brute force), and uses a legitimate service to connect, such as SMB or RDP.
The other most commonly used technique is T0866: a service is exploited. In the Windows environment, Pass the Hash (T1550.002) and Pass the Ticket (T1550.003) attacks often use services such as PsExec to connect to administrative shares (T1021.002) and execute a malicious payload.
Other techniques are more often related to industrial systems: T0812 (default passwords) and T0843 (firmware update).
ABOUT THE CYBER THREATS BAROMETER
Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks…It’s no secret that knowledge of one’s adversary is a key factor for the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by Gatewatcher CTI , our Cyber Threat Intelligence platform.
Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialized sites, dark and deep web. They make threat information available an average of 24 hours in advance of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident treatment times.