Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
Drive by exploit attack attempting to deploy malware on a victim’s workstation
TRU team linked the attack to Purple Fox Exploit Kit which exploits known vulnerabilities in Internet Explorer to execute malicious code
Additional exploit payloads are retrieved via data hidden in image files (a technique known as steganography). These payloads are customized to the target based on system configuration.
The attacker’s objective is deployment of rootkits on end user devices.
How did we find it?
Our Machine Learning PowerShell classifier detected obfuscated PowerShell executing as a result of a successful Internet Explorer exploit. eSentire MDR for Endpoint prevented the resulting PowerShell code from executing.
Our 24/7 SOC was alerted and investigated
Attempted execution of malicious PowerShell code resulting from a successful Internet Explorer exploit.
What did we do?
Alerted the customer and isolated the host as we investigated
Confirmed the exploit attempt was blocked successfully and the customer’s workstation was not compromised
Provided remediation recommendations and support
TRU analyzed the attack infrastructure and exploit payloads associated to the Purple Fox threat. Information gleaned was fed back into our processes including adding further detection measures across the Atlas XDR platform to better protect our global customer base from attacks such as this.
The investigation we performed confirmed that the PowerShell code was hidden behind several layers of obfuscation to impede analysis. Our analysts observed the code fetching a remote image in this instance. The image uses a technique known as steganography to embed data or tools within the image without changing its appearance. In this case there are three different colors used in the image and one of the color components was altered to embed the malicious tooling, a level of detail often missed without expert level threat hunting and investigation capabilities.
What can you learn from this TRU positive?
Drive-by-exploit attacks remain a viable attack vector
Vulnerable applications exposed to untrusted code (such as web browsers) are most at risk
These attacks require no interaction from the user, simply visiting a malicious page is enough
Purple Fox uses several techniques to evade detection, impede analysis and customizes its behavior based on the victim’s machine.
Preventing drive-by-exploits requires a layered defense:
Audit your environment and endpoints regularly to ensure endpoints are patched with the latest vendor security updates
Protect endpoints against malware using managed endpoint detection and response support
Rapid identification and containment of successful exploits is necessary to limit impact. Unsuccessful attempts still present an opportunity to shore up defenses.
If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.
Want to learn more? Connect with an eSentire Security Specialist.
eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
