One Article Review

Home - The article:
Source RiskIQ
Identifier 8630725
Publication date 2024-12-27 20:35:48 (viewed: 2024-12-27 21:08:25)
Title Inside the LockBit Arsenal - The StealBit Exfiltration Tool
Text

## Snapshot

The Cybereason Global Security Operations Center (GSOC) has analyzed StealBit, a data exfiltration tool developed by the LockBit ransomware group.

## Description

StealBit is provided to affiliates as part of LockBit's ransomware-as-a-service program and is used to exfiltrate data from compromised systems to facilitate double extortion attacks. The tool has evolved over time, incorporating new features aimed at enhancing evasion and efficiency. Notably, while older versions avoided execution on systems in certain countries, including Russia, Ukraine, Belarus, Tajikistan, Armenia, Azerbaijan, Georgia, Kazakhstan, Kyrgyzstan, Turkmenistan, Uzbekistan, and Moldova, newer versions have removed this restriction, broadening their target base.

StealBit employs the I/O completion port threading model to optimize data exfiltration efficiency, allowing for parallel processing of multiple files and reducing the overall time required for exfiltration. It also supports interprocess communication between multiple StealBit processes on a single system, enabling scalable designation of files for exfiltration. Additionally, StealBit offers a drag-and-drop feature for operators with graphical user interface access, enhancing usability. However, some features, such as data compression and hidden operation modes, are not fully implemented, potentially exposing the malware's presence on compromised systems.

## Microsoft Analysis and Additional OSINT Context

StealBit is a data exfiltration tool associated with the LockBit ransomware group, particularly noted for its use in LockBit 2.0 operations. It facilitates the rapid transfer of stolen data to attacker-controlled endpoints, supporting the group's double extortion tactics. StealBit is sometimes employed alongside other tools like Rclone or WinSCP to exfiltrate data before encryption.

## Recommendations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
- Turn on [tamper protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) features to prevent attackers from stopping security services.
- Run [endpoint detection and response (EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn't detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Enable [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Use [device discovery](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery) to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
- Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mdo?ocid=magicti_ta_learndoc) brings together incident and alert management across email, devices, and identities, centralizing investigations for threats in email. Organizations can also leverage web browsers tha
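The following script is an added example for auditing the first three recommendations on a single Windows host; it is not part of the original article and is not Cybereason's or Microsoft's code. It assumes the built-in Microsoft Defender PowerShell module (`Get-MpPreference`, `Get-MpComputerStatus`, `Set-MpPreference`) is present and that it runs from an elevated session; the `Get-DefenderMitigationStatus` function name is the example's own.

```powershell
# Added example (not from the original article): report whether the local
# host has cloud-delivered protection, tamper protection and EDR block mode
# in the state the recommendations above call for.
# Assumes the built-in Defender module; run from an elevated PowerShell.

function Get-DefenderMitigationStatus {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced.
    # Anything above 0 means cloud-delivered protection is on.
    $cloudOn = $pref.MAPSReporting -ge 1

    # AMRunningMode is "Normal" when Defender AV is the primary engine,
    # "Passive Mode" when a non-Microsoft AV is primary and Defender only
    # reports, and "EDR Block Mode" when Defender for Endpoint is allowed to
    # remediate while a non-Microsoft AV is primary. EDR block mode only
    # applies in the passive case; "Normal" already blocks on its own.
    $mode = $status.AMRunningMode
    $edrGapPresent = ($mode -eq 'Passive Mode')

    [PSCustomObject]@{
        CloudDeliveredProtection = $cloudOn
        TamperProtection         = $status.IsTamperProtected
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        AMRunningMode            = $mode
        PassiveWithoutEdrBlock   = $edrGapPresent
    }
}

$result = Get-DefenderMitigationStatus
$result | Format-List

# Cloud-delivered protection is the one setting that can be corrected from
# this session. Tamper protection and EDR block mode are managed centrally
# (Defender portal / Intune), so the script only reports on them.
if (-not $result.CloudDeliveredProtection) {
    Write-Warning 'Cloud-delivered protection is off; enabling Advanced MAPS reporting.'
    Set-MpPreference -MAPSReporting Advanced
}
if (-not $result.TamperProtection) {
    Write-Warning 'Tamper protection is off; enable it from the Defender portal or Intune.'
}
if ($result.PassiveWithoutEdrBlock) {
    Write-Warning 'Defender AV is passive and EDR block mode is not active; enable it in the Defender portal.'
}
```

The script is read-only except for the single `Set-MpPreference` call, which is the one recommendation that can be applied locally; if tamper protection is already on, even that call will be refused, which is the expected behaviour and the reason the second recommendation exists.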
Notes ★★★
Sent Yes
Tags Ransomware Malware Tool Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.