Summary:
The article analyses an intrusion attributed to TA4557/FIN6 in which a resume lure delivered a malicious Windows shortcut, the LOLbins ie4uinit.exe and msxsl.exe were abused to load the more_eggs backdoor, and a Veeam vulnerability (CVE-2023-27532) was exploited for lateral movement and privilege escalation. The threat actor used Cobalt Strike and the Python-based Pyramid framework for command and control, and Cloudflared to tunnel RDP traffic. The campaign highlights the ongoing threat posed by this group, which Proofpoint has tracked since 2018, and the evolving nature of its tactics.
#TA4557 #FIN6 #Cloudflared
Keypoints:
Initial access was gained through a resume lure as part of a TA4557/FIN6 campaign.
The LOLbins ie4uinit.exe and msxsl.exe were abused to run the more_eggs backdoor.
Cobalt Strike and a Python-based C2 Pyramid were used for post-exploitation activities.
The threat actor exploited CVE-2023-27532, a credential-disclosure vulnerability in Veeam Backup & Replication, on a Veeam server for lateral movement and privilege escalation.
Cloudflared (Cloudflare's tunnel client) was installed to tunnel RDP traffic out of the environment.
Eight new detection rules were created based on the findings of this report.
The campaign has been ongoing with minimal changes since late 2023.
Proofpoint has been tracking TA4557 since 2018, noting its distinctive tooling and malware.
MITRE Techniques:
Initial Access (T1566): Utilizes phishing techniques through resume lures to gain initial access.
Execution (T1204, T1218): The victim opens a malicious Windows shortcut, which proxies execution of the payload through the LOLbins ie4uinit.exe and msxsl.exe.
Persistence (T1053): Creates scheduled tasks to maintain persistence of the more_eggs malware.
Privilege Escalation (T1068): Exploits CVE-2023-27532 to escalate privileges on a Veeam server.
Lateral Movement (T1021): Uses RDP to move laterally between servers after gaining access.
Command and Control (T1071, T1572): Establishes communication with Cobalt Strike and Pyramid for command and control, and uses Cloudflared to tunnel RDP.
Credential Access (T1003): Accesses LSASS memory to extract credentials during the attack.
Discovery (T1135, T1082): Uses SharpShares to enumerate network shares and Seatbelt for host reconnaissance within the network.
IoC:
[domain] johnshimkus[.]com
[domain] pin.howasit[.]com
[domain] shehasgone[.]com
[ip address] 108.174.197.15
[ip address] 144.208.127.15
[ip address] 172.96.139.82
[file name] John Shimkus.zip
[file hash] SHA256: ffc89a2026fa2b2364dd180ede662fa4ac161323388f3553b6d6e4cb2601cb1f
[file name] VeeamHax.exe
[file hash] SHA256: aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d
[file name] cloudflared-windows-amd64.exe
[file hash] SHA256: 4569c869047a092032f6eac7cf0547591a03a0d750a6b104a606807ea282d608
Mitigation:
Implement email filtering to detect and block phishing attempts, especially those using resume lures.
Monitor for LOLbin abuse (for example ie4uinit.exe copied outside System32, or any msxsl.exe execution) and use application control (AppLocker/WDAC) to block rarely needed signed binaries; note that a plain allowlist of Microsoft-signed code does not stop LOLbins by itself.
Employ network segmentation to limit lateral movement opportunities within the environment.
Regularly update and patch systems to mitigate known vulnerabilities, such as CVE-2023-27532.
Utilize endpoint detection and response (EDR) solutions to monitor for suspicious activities, including scheduled-task persistence, Cloudflared tunnel creation, and command and control communications.
Conduct regular security awareness training for employees to recognize phishing attempts and malicious attachments.
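The following is an added example, not code from The DFIR Report and not its eight published rules: toy detection logic for three of the keypoints above (LOLbin abuse via ie4uinit.exe/msxsl.exe, scheduled-task persistence, and Cloudflared tunnelling), run over constructed Sysmon-style process-creation records. The field names mimic Sysmon Event ID 1; the events, paths, task name and token are made up, and the ie4uinit.exe heuristic assumes the LOLBAS technique in which the binary is copied next to a crafted ieuinit.inf in a user-writable directory.

```python
"""Toy detections for three TTPs in this summary, run over constructed
Sysmon-style process-creation (Event ID 1) records.

Added example: not code from The DFIR Report nor its published rules.
Field names mimic Sysmon; events, paths, task name and token are made up.
The heuristics are deliberately narrow and need tuning before production use."""

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str         # full path of the created process (Sysmon "Image")
    cmdline: str       # its command line (Sysmon "CommandLine")
    parent_image: str  # full path of the parent (Sysmon "ParentImage")


# Directories an unprivileged user can write to; a LOLbin copied here, or a
# scheduled task pointed here, is worth a look.
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata|public)\\", re.IGNORECASE)
# Legitimate homes of ie4uinit.exe.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def lolbin_misuse(ev: ProcEvent) -> bool:
    """ie4uinit.exe outside its system directory (the LOLBAS technique copies it
    next to a crafted ieuinit.inf) or pointed at a user-writable path, and any
    msxsl.exe execution (it is not part of a default Windows install)."""
    name = basename(ev.image)
    if name == "msxsl.exe":
        return True
    if name == "ie4uinit.exe":
        in_system_dir = ev.image.lower().startswith(SYSTEM_DIRS)
        return (not in_system_dir) or bool(USER_WRITABLE.search(ev.cmdline))
    return False


def cloudflared_tunnel(ev: ProcEvent) -> bool:
    """cloudflared by binary name, or by its CLI grammar when the binary is renamed."""
    cmd = ev.cmdline.lower()
    tokens = cmd.split()
    by_name = basename(ev.image).startswith("cloudflared")
    by_grammar = "tunnel" in tokens and any(f in cmd for f in ("--token", "--url", "--config"))
    return by_name or by_grammar


def schtasks_user_writable_target(ev: ProcEvent) -> bool:
    """schtasks /create whose /tr action lives in a user-writable directory."""
    if basename(ev.image) != "schtasks.exe":
        return False
    cmd = ev.cmdline.lower()
    if "/create" not in cmd:
        return False
    action = re.search(r'/tr\s+"?([^"]+)"?', cmd)
    return bool(action and USER_WRITABLE.search(action.group(1)))


RULES = {
    "lolbin_misuse": lolbin_misuse,
    "cloudflared_tunnel": cloudflared_tunnel,
    "schtasks_user_writable_target": schtasks_user_writable_target,
}


def run_detections(events):
    """Return (rule_name, process basename) for every rule that fires on each event."""
    return [(rule, basename(ev.image)) for ev in events for rule, fn in RULES.items() if fn(ev)]


# Constructed sample telemetry (not from the report): two benign and six
# attacker-style events, including a renamed cloudflared binary.
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe resume.txt", EXPLORER),
    ProcEvent(r"C:\Windows\System32\ie4uinit.exe", "ie4uinit.exe -ClearIconCache",
              r"C:\Windows\System32\runonce.exe"),
    ProcEvent(r"C:\Users\jdoe\AppData\Local\Temp\ie4uinit.exe", "ie4uinit.exe -BaseSettings", CMD),
    ProcEvent(r"C:\Users\jdoe\AppData\Local\Temp\msxsl.exe", "msxsl.exe data.xml script.xsl",
              r"C:\Users\jdoe\AppData\Local\Temp\ie4uinit.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc minute /mo 30 /tn "WindowsUpdate" /tr "C:\Users\jdoe\AppData\Roaming\updater.exe" /f',
              CMD),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn "Vendor Agent" /tr "C:\Program Files\Vendor\agent.exe"', CMD),
    ProcEvent(r"C:\Users\Public\cloudflared-windows-amd64.exe",
              "cloudflared-windows-amd64.exe tunnel run --token eyJhIjoiZmFrZSJ9", CMD),
    ProcEvent(r"C:\ProgramData\svc.exe", "svc.exe tunnel run --token eyJhIjoiZmFrZSJ9", CMD),
]

if __name__ == "__main__":
    for rule, proc in run_detections(SAMPLE_EVENTS):
        print(f"[{rule}] {proc}")
```

Running the module prints five hits: the copied ie4uinit.exe, msxsl.exe, the scheduled task pointing into AppData, and both cloudflared invocations (the second caught only by its `tunnel run --token` grammar). The benign ie4uinit.exe run from System32 and the vendor task under Program Files do not fire, which is the point of keying on location rather than on binary name alone.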
Full Research: https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/