LockBit Ransomware: 11-Day Journey from Initial Breach to Deployment

In a complex cybersecurity breach involving advanced tactics, a threat actor leveraged Cobalt Strike beacons to infiltrate an IT system, culminating in the deployment of LockBit ransomware.

This intrusion spanned 11 days, showcasing multi-layered persistence mechanisms, extensive reconnaissance, lateral movement, data exfiltration, and impact delivery via ransomware.

The attack began in late January 2024 with the execution of a malicious executable named setup_wm.exe, masquerading as the Windows Media Configuration Utility.

This executable deployed a Cobalt Strike beacon, enabling the attacker to establish a Command and Control (C2) channel.

Within 30 minutes, the threat actor initiated reconnaissance commands, such as nltest, to identify domain controllers.

Utilizing stolen credentials, the attacker deployed proxy tools like SystemBC and GhostSOCKS on the domain controller, though Windows Defender partially blocked these tools.

Persistence was achieved by scheduling tasks and injecting malicious payloads into legitimate processes like WUAUCLT.exe.

Persistence and Lateral Movement

On gaining a foothold, the threat actor’s tactics included:

  • Scheduled Tasks: Scheduled tasks on compromised systems ensured the SystemBC and GhostSOCKS proxies were re-executed persistently.
  • Registry Modifications: “Run” keys were used to execute payloads automatically at login.
  • Lateral Movement: The attacker used Remote Desktop Protocol (RDP), Windows Management Instrumentation (WMI), and PsExec to reach additional servers, including file and backup servers.
Figure: RDP Lateral Movement Activity

These movements facilitated the deployment of additional beacons and proxies, giving the operation further access points into the environment.

Credential theft was a key component of the attack. Credentials were retrieved from the Local Security Authority Subsystem Service (LSASS) process and a Veeam backup system.

Reconnaissance efforts included tools like Seatbelt and SharpView for system and Active Directory enumeration.

Figure: Registry modification

A binary named check.exe was employed to probe remote hosts, identifying disk usage and installed programs.

The attacker also attempted, but failed, to extract the NTDS.dit file from the domain controller due to restrictions imposed by Windows Defender.

Data Exfiltration via Rclone

According to the DFIR Report, the attacker used the open-source tool Rclone to exfiltrate sensitive data.

Initial attempts to transfer data via FTP failed, leading them to switch to Mega.io, where they successfully offloaded data over a 40-minute period.

Subsequently, they repeated exfiltration using a new FTP configuration, with large volumes of data being transferred continuously for 16 hours.

On the eleventh day, the operation escalated with the deployment of LockBit ransomware.

The attacker prepared batch scripts to automate the distribution of the ransomware binary, ds.exe, across the environment.

Tools like PsExec, WMI, and BITSAdmin were extensively utilized to propagate the payload.

Defense evasion tactics included disabling Windows Defender through registry edits and group policy modifications.
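As an added example, not from the DFIR Report or this article, the following Python routine flags the three behaviours described above (Run-key persistence, scheduled-task creation, and Defender being disabled through policy registry keys) in Sysmon-style events. The field names follow Sysmon EventID 1 and 13; the hostnames, paths and value contents in the sample events are constructed.

```python
import re
from typing import Dict, Iterable, List

# Rules for the persistence and Defender-tampering behaviour described in the article.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
DEFENDER_POLICY = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\(.*\\)?"
    r"(DisableAntiSpyware|DisableRealtimeMonitoring|DisableBehaviorMonitoring)$", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def triage(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event that matches a persistence or Defender-tampering rule."""
    findings = []
    for ev in events:
        host, eid = ev.get("Computer", "?"), ev.get("EventID")
        if eid == "13":  # Sysmon RegistryEvent: a registry value was set
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            if RUN_KEY.search(target):
                # A Run-key payload living in a user-writable directory is more suspicious.
                sev = "high" if USER_WRITABLE.search(details) else "medium"
                findings.append({"host": host, "rule": "run_key_persistence",
                                 "severity": sev, "evidence": f"{target} = {details}"})
            elif DEFENDER_POLICY.search(target) and "0x00000001" in details:
                findings.append({"host": host, "rule": "defender_disabled_via_policy_key",
                                 "severity": "high", "evidence": f"{target} = {details}"})
        elif eid == "1":  # Sysmon ProcessCreate
            cmd = ev.get("CommandLine", "")
            if SCHTASKS_CREATE.search(cmd):
                findings.append({"host": host, "rule": "scheduled_task_created",
                                 "severity": "medium", "evidence": cmd})
    return findings


# Constructed sample events (not taken from the incident), flattened from Sysmon XML.
SAMPLE_EVENTS = [
    {"EventID": "13", "Computer": "DC01",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\socks",
     "Details": "C:\\Users\\svc_backup\\AppData\\Roaming\\socks.exe"},
    {"EventID": "13", "Computer": "FS01",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": "1", "Computer": "DC01",
     "CommandLine": "schtasks /create /sc onlogon /tn Updater /tr C:\\ProgramData\\upd.exe /ru SYSTEM"},
    {"EventID": "1", "Computer": "WS07", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['rule']}: {f['evidence']}")
```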

Within two hours, the ransomware had encrypted systems across the environment, altering desktop backgrounds to display ransom notes.

The entire campaign, from initial access to ransomware deployment, spanned approximately 239 hours.

The operation highlights the sophistication of threat actors, leveraging tools like Cobalt Strike, SystemBC, and GhostSOCKS for persistent access and control. Key indicators from the attack include:

  • Cobalt Strike C2 domains such as compdatasystems[.]com.
  • FTP servers like 93.115.26[.]127.
  • Proxy servers for GhostSOCKS and SystemBC.

This incident underscores the need for robust security monitoring, proactive threat hunting, and rapid incident response to mitigate such high-impact attacks.
