Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Visibility and response across your entire Microsoft security ecosystem.
XDR with Machine Learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert threat hunting, original research, and proactive threat intelligence.
TRU is foundational to our MDR service. No add-ons or additional costs required.
Flexible MDR packages that enhance your cyber resilience and security operations.
Stop ransomware attacks before they disrupt your business.
Detect and respond to zero-day exploits.
Protect against third-party and supply chain risk.
Adopt a risk-based approach to cybersecurity.
Protect your most sensitive data.
Meet cybersecurity regulatory compliance mandates.
Eliminate misconfigurations and policy violations.
Prevent business disruption by outsourcing MDR.
Meet insurability requirements with MDR.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and mediating threats to prevent lateral spread.
Enhance investigation and threat detection across multi-cloud or hybrid environments.
Remediate critical misconfigurations, security vulnerabilities and policy violations across cloud and containerized environments.
Detect malicious insider and identity-based behavior leveraging machine learning models.
THE THREAT eSentire is aware of widespread exploitation attempts targeting the recently disclosed ownCloud vulnerability CVE-2023-49103. CVE-2023-49103 (CVSS: 10) is tracked as a disclosure of… READ NOW
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Waterloo, ON and GITEX GLOBAL 2023, Dubai, UAE – October 18, 2023 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), today announced that Inspira Enterprise Inc, (Inspira), a… READ NOW
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
We believe a multi-signal approach is paramount to protecting your complete attack surface. See why eSentire MDR means multi-signal telemetry and complete response.
See how our 24/7 SOC Cyber Analysts and Elite Threat Hunters stop even the most advanced cyberattacks before they disrupt your business.
Choose the right mix of Managed Detection and Response, Exposure Management, and Incident Response services to strengthen your cyber resilience.
Try our interactive tools including the MITRE ATT&CK Tool, the SOC Pricing Calculator, the Cybersecurity Maturity Assessment, and our MDR ROI Calculator.
Read the latest security advisories, blogs, reports, industry publications and webinars published by eSentire's Threat Response Unit (TRU).
See why 2000+ organizations count on eSentire to build resilience and prevent business disruption.
The eSentire Security Operations Center (SOC) has intercepted several incidents stemming from a recent Qakbot campaign. Qakbot is a malware-as-a-service (MaaS) known to precede ransomware intrusions associated with Maze, Egregor, and Conti ransomware groups. In a parallel analysis, eSentire’s Threat Response Unit (TRU) reports that the latest Qakbot campaigns are leading to Cobalt Strike infrastructure, which TRU tracks as INF5.
INF5-associated Cobalt Strike is also an observed outcome of attacks leveraging Matanbuchus, another MaaS known to be used by Conti. Technical analysis of Qakbot’s delivery and execution methods demonstrate three distinct clusters of activity, which suggests multiple operators may be utilizing the backdoor and infostealer – largely towards ransomware operations.
TRU notes a strong correlation between Qakbot activity and one of Conti’s subsidiary ransomware groups, BlackBasta. Previous campaigns observed by TRU also leveraged SquirrelWaffle and appeared to be aimed largely at email exfiltration. Interestingly, replaying exfiltrated emails is one of the methods that threat actors which utilize Qakbot employ to bypass email security controls. TRU has tracked and deployed detection for the Qakbot malware since it’s integration into the ransomware economy in 2020.
A Qakbot campaign has been observed affecting industries and sectors across the board, including Government, Financial Services, Legal, Manufacturing, and Education. Qakbot campaigns originate from malicious email spam campaigns that are highly opportunistic in nature. At least one of the spam campaigns delivering Qakbot is attributed to TA570, recently observed attempting to exploit the Follina vulnerability via Qakbot.
As is typical of botnet campaigns, once a number of infections have been established, Qakbot operators and affiliates can prioritize infections based on information collected from infected systems. This is facilitated by Qakbot´s initial discovery phase – an important feature of modern botnet malware that allows its operators to get a broader network perspective on the victim organization. Objectives of campaigns leveraging Qakbot vary from incident to incident.
Qakbot has been observed:
The last significant Qakbot campaign observed by TRU was associated with SquirrelWaffle and Cobalt Strike in November 2021. In those campaigns, Qakbot was leveraged to exfiltrate emails, likely to be used in email replay attacks.
In the recent June 2022 campaign, TRU and others have observed Qakbot occasionally dropping Cobalt Strike as before.
eSentire‘s Threat Response Unit (TRU) observed three distinct clusters of activity associated with Qakbot during technical analysis of the delivery and execution methods of Qakbot incidents in June 2022. Given that multiple threat actors have been observed utilizing Qakbot (including TA551, TA577, and TA570) it‘s possible that these clusters represent distinct campaigns and/or threat groups. But they could also simply reflect evolution of the Qakbot malware offering itself.
A report of Qakbot leading to BlackBasta was published in early June by NCC Group. Tracking both Qakbot activity and BlackBasta leak site activity, TRU finds a temporal correlation between the two (Figure 2). However, given that Qakbot is offered as a service, and tends to be associated with multiple malspam campaigns it‘s likely that other groups besides BlackBasta are leveraging the malware.
Cobalt Strike infrastructure associated with Qakbot in the latter half of June tended to be registered to .icu domains. TRU tracks this infrastructure as INF5. Interestingly, the same infrastructure has been observed in Matanbuchus campaigns using a similar html smuggling approach, but with .msi files, rather than .lnk files for User Execution.
Domains for the associated Cobalt Strike are listed in the IOCs section below. It‘s worth noting that these domains were not observed in the BlackBasta-associated attack reported by NCC Group.
The sparse incident in March 2022 operated on malspam campaign that used .ocx file extensions loaded in regsvr32 while the June 2022 campaign relies on User Execution of a windows shortcut (.lnk) file that relies on HTML smuggling.
A map of the attack path shows the common flow of attacks that leverage Qakbot (Figure 3). The June 2022 Qakbot campaigns rely on email for initial access (Mitre Technique T1566), delivering a zipped file (a form of Defense Evasion that helps malware bypass email filters). Qakbot C2 and second-stage payloads are typically delivered from compromised infrastructure (T1584), often making them harder to track than purpose-built infrastructure.
The malicious document contains macros (Figure 4). Reverse engineering of the Qakbot sample by TRU (Figure 5) reveals three injection targets: explorer.exe, msra.exe, and OneDriveSetup.exe.
In one incident observed by TRU, OneDriveSetup.exe was the chosen injection target (Figure 6), while in the lab, reversing the sample led to injection into explorer.exe. The injected process performed several fundamental discovery techniques, including account discovery, domain discovery, and network configuration discovery. Throughout the attack path, Qakbot makes heavy use of trusted windows processes, particularly cmd.exe, regsvr32.exe, net.exe, nslookup.exe, whoami.exe, and ipconfig.exe. See below for a full list of indicators.
In June 2022, a Qakbot campaign emerged leveraging HTML smuggling of .lnk (Windows shortcut) files (Figure 7). HTML smuggling and password-protected .zip files help Qakbot bypass email security, during the social engineering phase of the attack. Once User Execution is achieved, Qakbot installs itself and begins initial Discovery process (Figure 8). In some cases, Qakbot dropped Cobalt Strike, which performed additional Discovery on the infected device – presumably a first step to network-wide compromise towards ransomware deployment.
eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Cybersecurity Specialist.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.