One Article Review
| Source |  AlienVault Blog |
|---|---|
| Identifiant | 1627964 |
| Date de publication | 2020-03-30 12:00:00 (vue: 2020-03-30 12:08:30) |
| Titre | Stories from the SOC- RIG Exploit Kit |
| Texte |
Executive summary
AT&T Alien Labs® Open Threat Exchange® (OTX) recently created a pulse for a new threat entitled the RIG Exploit Kit which had been observed distributing ransomware to victim companies across a variety of industry verticals. This exploit was discovered by BroadAnalysis who outlined the exploit’s intricacies in a whitepaper that was released December 2, 2019. BroadAnalysis provided a step-by-step explanation of this exploit’s lifecycle, including all indicators of compromise (IOCs). Using the pulses created in OTX and threat intelligence from Alien Labs, AT&T’s Security Operations Center (SOC) was able to identify the initial behaviors of this threat and work in concert with the customer’s staff to mitigate the ongoing activity.
Investigation
Initial alarm review
Indicators of Compromise (IOCs)
The initial alarm surfaced as the result of a Domain Name System (DNS) request to the OTX IOC usa.lucretius-ada[.]com, an IOC associated with the first stage of the cyber kill chain.
Upon further review, we realized this alarm triggered on the basis of a DNS request. After preliminary analysis, we determined the traffic did not directly correlate to an infection occurring on the endpoint, so we made the conscious decision to expand the Investigation.
Expanded investigation
Events search
Given the fact that we had a positive hit on the domain as an IOC, we then conducted a query for all events that matched this domain. Subsequently, we discovered twelve firewall events egressing to this domain from varying points of origin, other than the initial source found in the alarm. After aggregating the related events, we determined there were six unique sources that had established connections to this domain.
Reviewing these source devices, two appeared to be cell phones based on their hostnames, and the other devices appeared to be either user endpoints or possibly servers. These assets are not registered assets in USM Anywhere; thus, we were unable to derive additional information. Given the limited knowledge of the unregistered assets, at this point we had to rely on interfacing with the customer to verify if these devices were vulnerable and how best to plan our avenue for thwarting this threat.
Event deep dive
Now that we observed successful network traffic to the malicious domain, we turned back to the white paper from BroadAnalysis. The indicator we are matching is a specific URL on this domain. Reviewing the white paper, the indicator is:
usa.lucretius-ada.com GET /zcvisitor/
We observed this URL in every firewall log from these six sources. At this time, we can confidently say that there are six devices who have successfully reached out to the malicious URL and that they are likely infected with this rig exploit.
Reviewing for additional indicators
After discovering these infected endpoints, we began building our notes for the Investigation. Simultaneously we reviewed the BroadAnalysis white paper to look for additional steps of the cyber kill chain being executed by these devices. Thankfully we were unable to discover any additional indicators and it appeared that we were still in the first stages of the exploit.
Response
Building the investigation
Given the urgency of the situation, we created a high severity Investigation for the customer. Utilizing the capabilities of USM Anywhere, we generated a CSV report with the full event activity we were able to observe so they could have visibility on the events and situation.
After attaching our report, we developed our notes to |
| Envoyé | Oui |
| Condensat | /zcvisitor/ 2019 able access across activity ada additional additionally affected after agents aggregating alarm alien alienvault all allow analysis any anywhere anywhere; appeared are assets associated at&t at&t’s attaching attempts avenue back based basis been began behaviors being best blocked broadanalysis building can capabilities cell center chain com companies compromise concert conducted confidently confirmation connection connections conscious correlate could created csv customer customer’s cyber december decision deep deploy derive determined developed devices did directly discover discovered discovering distributing dive dns domain due during egressing either endpoint endpoints entitled established event events every exchange® executed executive expand expanded explanation exploit exploit’s fact feedback firewall first forensic found from full further future gather generated get given had have heavily high hit hostnames how identify imaged including indicator indicators industry infected infection information initial intelligence interaction interfacing internal intricacies investigation ioc iocs is: kill kit knowledge labs labs® lifecycle likely limitations limited log logs look lucretius machines made malicious matched matching material mitigate more name network new not notes now observe observed occurring ongoing only open opened operations opportunities origin other otx out outlined paper phones plan point points positive possibly preliminary prevent provided pulse pulses query quicly ransomware reached realized recently recommendations reference registered related released relied rely report request response result review reviewed reviewing rig say search security servers severity simultaneously situation six soc source sources specific staff stage stages step steps stories subsequently successful successfully summary support surfaced system telemetry than thankfully then these threat thus thwarting ticket time traffic triage triggered turned twelve two unable under unique unregistered upon urgency url usa user using usm utilizing variety varying verified verify verticals victim visibility vulnerable what which white whitepaper that who work working would |
| Tags | Ransomware Threat |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.