Recent findings indicate that a manufacturing sector breach involving phishing led to a substantial data exfiltration, with an alarming breakout time of just 48 minutes. Attackers employed tactics associated with the Black Basta ransomware group, highlighting a pressing need for faster security response capabilities. Recommendations for heightened defense measures against such threats are provided, alongside insights into future attack trends. Affected: manufacturing sector
Keypoints :
- Attackers achieved a breakout time of 48 minutes, significantly faster than previous averages.
- The breach utilized phishing techniques to gain initial access and control over user machines.
- Attackers impersonated IT help-desk staff to exploit social engineering tactics.
- DLL sideloading was employed to evade detection during the attack.
- Data exfiltration was executed using WinSCP, moving sensitive data to a remote server.
- Automated response measures can dramatically reduce response times to threats.
MITRE Techniques :
- TA0001:T1566 – Phishing: Mass email spam campaign targeting users preceded initial access.
- TA0004:T1055.001 – Process Injection: Dynamic-link Library Injection: Attackers injected malicious code into legitimate processes using DLL sideloading.
- TA0002:T1053.005 – Scheduled Task/Job: Scheduled Task: Used for executing injected processes on other internal hosts with scheduled tasks.
- TA0003:T1078.002 – Domain Accounts: Accessed a service account used to manage an SQL database, gaining elevated permissions.
- TA0010:T1567 – Exfiltration Over Web Service: Outbound web requests for data exfiltration from critical hosts.
Indicator of Compromise :
- [Domain] pefidesk[.]com
- [Domain] uptemp[.]icu
- [Hash] c80883615157bd83dfed24683eee343a7b2ac5ab7949b3a260dc10e9f0044bb4
Full Story: https://www.reliaquest.com/blog/blink-and-theyre-in-how-rapid-phishing-attacks-exploit-weaknesses/