Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
- A recent email campaign delivered Agent Tesla malware by disguising malicious PowerPoint files as shipping documents.
- Agent Tesla is a Remote Access Trojan (RAT) capable of stealing credentials, keystrokes, and clipboard data from infected systems.
- It often targets credentials from web browsers, email clients, and chat applications.
How did we find it?
- Our Machine Learning PowerShell classifier automatically detected malicious code execution resulting from the victim opening a macro-laced PowerPoint document.
- Our 24/7 SOC was alerted and investigated.
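The process chain behind the detection above (an Office application spawning PowerShell) is one of the simplest signals to alert on. The following is an added example written for this post, not eSentire's classifier or any code from the original; it flags Office-to-script-host launches in constructed Sysmon-style process-creation events, and the field names, sample lines and placeholder base64 blob are all assumptions.

```python
import json
import re
from typing import Optional

# Office applications that should not normally spawn script interpreters.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Script hosts that a macro typically launches as the next stage.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell options often seen with macro-launched stagers: hidden window,
# bypassed execution policy, encoded command, download cradle.
SUSPICIOUS_ARGS = [
    re.compile(r"(?i)-(?:w|windowstyle)\s+hidden"),
    re.compile(r"(?i)-(?:ep|executionpolicy)\s+bypass"),
    re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    re.compile(r"(?i)\b(?:downloadstring|downloadfile|invoke-webrequest|iwr|iex|invoke-expression)\b"),
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event: dict) -> Optional[dict]:
    """Return a finding when an Office app spawns a script host, else None.

    `event` is one process-creation record with ParentImage, Image and
    CommandLine keys (Sysmon Event ID 1 style; the field names are an assumption).
    """
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_CHILDREN:
        return None
    hits = [p for p in SUSPICIOUS_ARGS if p.search(event.get("CommandLine", ""))]
    # Any Office -> script host launch deserves review; argument hits raise severity.
    return {"parent": parent, "child": child,
            "severity": "high" if hits else "medium", "indicators": len(hits)}

def scan(lines) -> list:
    """Parse JSON-lines process-creation events and return all findings in order."""
    return [f for f in (score_event(json.loads(l)) for l in lines if l.strip()) if f]

# Constructed sample telemetry (not from a real incident). The base64 blob is a
# placeholder, not a real payload.
SAMPLE_LOG = r"""
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVlc="}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-Process"}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c echo hello"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

A plain parent/child rule like this produces some benign hits (admin scripts launched from Outlook, for example), which is why the severity is only raised when the command line also carries the stager-style arguments.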
What did we do?
- Investigated and confirmed that the activity was malicious.
- Isolated the host to contain this incident in accordance with the business’ policies.
- Provided remediation recommendations and support.
What can you learn from this TRU positive?
- Agent Tesla is considered a “Malware-as-a-Service” (MaaS) offering used by both advanced and less-sophisticated threat actors.
- Threat actors can buy Agent Tesla licenses, with pricing ranging from $15 to $69.
- By outsourcing malware development, threat actors can work on improving other components of their attacks, such as email attacks that can evade security controls.
- Stolen credentials are increasingly valuable for gaining initial access into networks, particularly for extortion attacks.
- A recent variant of Agent Tesla also added the ability to hijack Bitcoin addresses and uses several tricks to evade detection.
Recommendations from our Threat Response Unit (TRU) Team
- Leverage a layered defense to prevent email-borne malware:
  - Employ email filtering and protection measures
  - Implement anti-spoofing measures such as DMARC and SPF
  - Employ a Multi-Factor Authentication (MFA) solution to reduce the impact of compromised credentials
  - Educate users to identify and report suspicious emails by conducting security awareness training on a consistent basis
- Take proactive measures to protect endpoints against malware:
  - Ensure antivirus signatures are up to date
  - Keep all applications patched regularly and prioritize implementing any patches released for vulnerabilities discovered by software vendors
  - Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats
  - Disable the use of macros across the organization, or limit their use to only the employees and/or specific applications that require them. See the UK National Cyber Security Centre's guidance on Macro Security for further detail
- Malware-as-a-Service threats can enter the network in a variety of ways. What level of visibility do you have across your network, endpoints, and overall environment to detect malicious behavior at scale?
- Do you have the ability to respond to malware threats such as Agent Tesla in time to prevent data theft from an endpoint?
- Do you have the necessary visibility into your endpoints and network to identify credentials or any other data stolen by Agent Tesla?
If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.
Want to learn more? Connect with an eSentire Security Specialist.