Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
- We uncovered a recent email campaign delivering IcedID malware to a business services customer
- IcedID has joined the likes of Qakbot, Emotet and other banking malware observed acting as precursor threats to ransomware
- For IcedID, this has recently included the Conti ransomware threat.
- In the past, IcedID has been linked to Egregor, Maze, RansomExx and Sodinokibi (REvil) ransomware campaigns
- IcedID contains instructions to automatically profile the victim’s computer and assist operators in orienting to high-value targets.
List of Discovery commands executed by IcedID:

```
net group "Domain Admins" /domain
net view /all
net view /all /domain
net config workstation
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
nltest /domain_trusts /all_trusts
cmd.exe /c chcp >&2
```
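As an added example (not eSentire's code or detection content), the Python below sketches how the discovery burst above can be picked out of process-creation telemetry: each command line is tagged against the listed commands, and a host is flagged only when several distinct ones run within a short window, so a lone `net view` from an administrator does not fire. The host names, timestamps, 5-minute window and 3-command threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Discovery commands from the TRU write-up, keyed by tag; matched case-insensitively against command lines.
DISCOVERY_PATTERNS = {
    "domain_admins": re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?domain admins"?\s+/domain', re.I),
    "net_view":      re.compile(r'\bnet1?(?:\.exe)?\s+view\s+/all', re.I),
    "net_config":    re.compile(r'\bnet1?(?:\.exe)?\s+config\s+workstation', re.I),
    "av_enum":       re.compile(r'\bwmic\b.*securitycenter2.*antivirusproduct', re.I),
    "domain_trusts": re.compile(r'\bnltest(?:\.exe)?\s+/domain_trusts', re.I),
    "chcp":          re.compile(r'\bchcp\b\s*>&2', re.I),
}
WINDOW = timedelta(minutes=5)  # assumption: hits this close together form one burst
MIN_DISTINCT = 3               # assumption: distinct commands needed before alerting

def classify(cmdline):  # tag of the first matching discovery pattern, or None
    return next((tag for tag, p in DISCOVERY_PATTERNS.items() if p.search(cmdline)), None)

def detect_bursts(events):
    """events: (host, ISO-8601 UTC timestamp, cmdline). One alert per host reaching MIN_DISTINCT tags inside WINDOW."""
    per_host = defaultdict(list)
    for host, ts, cmdline in events:
        if tag := classify(cmdline):  # everything else (whoami, ipconfig, ...) is dropped here
            per_host[host].append((datetime.fromisoformat(ts), tag))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            window = [(t, tag) for t, tag in hits[i:] if t - start <= WINDOW]
            tags = {tag for _, tag in window}
            if len(tags) >= MIN_DISTINCT:
                alerts.append({"host": host, "start": start, "end": window[-1][0], "tags": tags})
                break  # one alert per host is enough for triage
    return alerts

# Constructed sample process-creation telemetry; not real customer data.
SAMPLE_EVENTS = [
    ("WS-FIN-07", "2021-06-14T13:02:11", 'cmd.exe /c chcp >&2'),
    ("WS-FIN-07", "2021-06-14T13:02:12", 'net  group "Domain Admins" /domain'),
    ("WS-FIN-07", "2021-06-14T13:02:14", 'net view /all /domain'),
    ("WS-FIN-07", "2021-06-14T13:02:15", 'net config workstation'),
    ("WS-FIN-07", "2021-06-14T13:02:20", r'WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List'),
    ("WS-FIN-07", "2021-06-14T13:02:22", 'nltest /domain_trusts /all_trusts'),
    ("WS-IT-02",  "2021-06-14T09:15:00", 'net view /all'),          # lone admin check
    ("WS-IT-02",  "2021-06-14T16:40:00", 'nltest /domain_trusts'),  # hours later: no burst
]
if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_EVENTS):
        print(a["host"], sorted(a["tags"]), f"{a['start']:%H:%M:%S}-{a['end']:%H:%M:%S}")
```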
How did we find it?
- Our 24/7 SOC was alerted and investigated
What did we do?
- Investigated and confirmed the activity is malicious
- Isolated the host to contain this incident in accordance with the business’ policies
- Provided remediation recommendations and support
What can you learn from this TRU positive?
- The rise of new ransomware groups over the last twelve months has led to increased demand for victims to extort. Threats such as IcedID have risen to meet this demand, offering footholds into environments obtained through widespread attacks.
- Following a common ransomware attack chain, IcedID has been observed initiating Cobalt Strike, followed by hands-on-keyboard activity and eventual ransomware deployment
- Dwell time from initial foothold to interactive attackers deploying ransomware can take place within hours
- Detection and containment in the early stages of an attack are critical
- Threat actors are constantly finding methods for bypassing initial defenses (such as email filters) and tricking users into executing malicious code
- Preventing email-borne malware requires a layered defense:
  - Employ email filtering and protection measures:
    - Implement anti-spoofing measures such as DMARC and SPF
  - Employ a Multi-Factor Authentication solution to reduce the impact of compromised credentials
  - Train users to identify and report suspicious emails
  - Protect endpoints against malware:
    - Ensure antivirus signatures are up to date
    - Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats
    - Limit or disable macros across the organization. See UK's National Cyber Centre guidance on Macro Security
- Ask yourself…
  - What level of visibility do you have across your network, endpoint and overall environment to detect malicious behavior at scale?
  - What tools are you employing for email filtering, and how is that activity monitored?
  - What level of managed endpoint support do you have in place?
  - Are you monitoring your endpoints 24/7, and what degree of control do you have to initiate a kill switch when required?
If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.
Want to learn more? Connect with an eSentire Security Specialist.