CHECK POINT INCIDENT-RESPONSE TEAM (CPIRT) PERSPECTIVE

Boxed text outlines the details of one case conducted by CPIRT in 2023. Certain details have been modified to preserve client confidentiality

This section is based on the experience and data from a wide array of CPIRT analyses and mitigation cases, not limited to Check Point product users. CPIRT typically steps in after the clear manifestation of malicious activity, such as files encrypted by ransomware, identified email compromises, or the detection of unauthorized malware files or processes. Analysis of initial threat indicators, or ‘triggers’, offers a different perspective of the threat landscape.

Our Incident Response Team was contacted following an EDR security alert in a customer’s environment. Mimikatz, a notorious credential-stealing tool, was caught in the act and blocked by the EDR system. This unusual activity raised immediate concerns, indicating the presence of an adversary and its attempt to unobtrusively navigate the network. The client, realizing the potential gravity of the situation, reached out to CPIRT for assistance.

Understanding Incident Triggers

We define incident triggers as the first indication of a compromise that prompted the client to seek IR services. Ransomware stands out as the predominant factor, accounting for approximately 30% of all incident triggers. Ransomware attacks are often highly visible and severely disruptive, requiring immediate action.

Breakdown of CPIRT cases by Incident trigger in 2023

Twenty percent of CPIRT cases in 2023 were triggered by an alert from a security product in the customer’s environment. These are often alerts of the highest severity, while lower-severity alerts do not usually require the same response. Interestingly, behavioral anomalies, which include any unusual activity that a regular user observes and that deviates from established patterns, prompted 13% of incident response (IR) engagements. This high percentage reflects their significance as a red flag for potentially severe security issues. However, it is important to keep in mind that reports of behavioral anomalies are often less reliable and may turn out to be false positives.

In the graph above, the suspicious email category refers to any suspect inbound or outbound email activity. Suspicious outbound emails are extremely concerning, as they often indicate an email compromise in the organization. If not detected in time, these incidents may lead to an unauthorized money transfer, which is another common IR trigger that comprised 3% of our cases in 2023.

Incident triggers that are less frequent but still critical include CERT alerts, in which the initial indication of compromise is provided by the local CERT, and dark web monitoring, in which the initial alert comes from finding mentions on underground forums of a breach or offers to buy initial access. Despite their lower prevalence, these triggers often indicate sophisticated and severe threats that can have significant ramifications if not addressed promptly.

As we delved deeper into the incident, the plot thickened. We detected signs of data exfiltration, coupled with the discovery of a RAT (Remote Access Tool) and encryption binaries on the Active Directory server. These elements were prepared for a wide-scale deployment across the network – the unmistakable precursors of a ransomware attack, mere minutes from execution.

Top Attack Types

“Top Attack” refers to the category of the attack, not the indicator that triggered the investigation. Analysis of the top attack types shows that ransomware is the most prevalent threat type, accounting for 46% of IR cases. Business Email Compromise (BEC), at 19% of the cases, is detected through indicators such as suspicious email activity or fraudulent money transfers.

In 2023, attacks that aimed to steal specific user identities, such as BEC, browser hijacking, and account takeover, were even more prevalent, with an increase of over 20% over the previous year. Contributing to this increase was the growing reliance on cloud infrastructure as well as the prominence of access brokers, who sell credentials and access to organizations.

Breakdown of CPIRT cases by Attack Type in 2023

[Chart: attack-type categories shown are Ransomware, Business Email Compromise, DDoS, Data Theft, Phishing, APT, and Other; the per-category percentages did not survive extraction, apart from the ransomware (46%) and BEC (19%) figures quoted in the text above.]

Popular Tools Used in Attacks

The CPIRT analysis reveals that tools such as AnyDesk and TeamViewer, which are typically benign remote-desktop applications, are increasingly used by threat actors for Command and Control. In fact, AnyDesk alone was used in 39% of the incidents that we analyzed this year. This tactic underscores a stealthy approach by attackers, who leverage tools that evade traditional malware detection. Because these tools were originally intended for legitimate use, their growing adoption by threat actors makes it harder to distinguish conventional from malicious activity on networks. In contrast, known malicious tools, such as Mimikatz and Cobalt Strike, were involved in 26% and 16% of breaches, respectively.

Further investigation into the incident revealed the use of AnyDesk as the remote command tool of choice by the attackers, providing them with persistent access to the compromised systems. Their initial access did not trigger security alerts, allowing the threat actor to hide in plain sight.

Ransomware: The Principal Threat

Several families emerge as particularly prominent in the 2023 CPIRT ransomware threat landscape. Notably, the ‘Royal’ ransomware has rapidly evolved to become a potent threat, accounting for a significant number of incidents. In most cases, phishing was used as the initial access vector, often deploying malicious PDFs or employing callback phishing tactics to install remote desktop access. In addition, Royal actors repurposed tools like Cobalt Strike, NSudo, and PsExec for the second stages of the attacks.

ALPHV (BlackCat) ransomware demonstrated its versatility as it was used to attack various systems, including Windows, Linux, and VMware instances. As ALPHV operates as a Ransomware-as-a-Service (RaaS) model, deployed by distinct affiliates, we saw a variety of entry vectors and TTPs used before its deployment, making each incident unique and challenging to predict and defend against.

Timothy (Tim) Otis
Head of Global Detection and Response

Not all breaches are leveraged immediately. The initial breach often begins when threat actors use mass scanners to exploit newly discovered vulnerabilities in devices across the internet. However, even after patching, webshells and other persistence mechanisms can remain intact. These footholds are often later sold by Initial Access Brokers (IABs) and may resurface months or years later in subsequent attacks.

These vulnerabilities, particularly ProxyShell and the Citrix RCE (CVE-2023-3519), enable threat actors to install webshells on vulnerable internet-facing devices. The devices affected by those vulnerabilities, such as Exchange servers and NetScaler Gateways, are by design exposed to the internet, which makes them prime targets. Once compromised, these devices continue to function as dormant footholds for the threat actor, even after patching.

While diving deeper into the incident and trying to locate the initial infection vector, we identified CVE-2023-3519, a remote code execution vulnerability in Citrix NetScaler systems, as the initial point of compromise. This vulnerability had been exploited to deploy a webshell on the device, which remained undetected even after the system was patched. This oversight allowed the threat actor to maintain network access. Three months post-exploitation, this webshell was activated by another threat actor who intended to deploy ransomware. Fortunately, due to the customer’s alertness and CPIRT’s prompt response, the ransomware attack was successfully thwarted before it could inflict damage.

This reality creates a false sense of security for administrators who believe that patched devices are secure, when in fact a threat actor’s foothold may have been established much earlier. In our investigations this year, the longest period noted for a dormant threat was 22 months.

Following the patching of vulnerabilities, security procedures must include security scans to remove possible backdoors, webshells and other persistence mechanisms. Organizations must also continue to monitor for any anomalies that may indicate covert threats within network infrastructure.
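One way to implement the post-patch scan recommended above, as an added example that is not CPIRT's or Check Point's tooling: it walks a web-served directory, skips files whose hash matches a known-good vendor baseline, and flags executable scripts introduced after the vulnerability disclosure, request-driven code or command execution primitives, and mtime/ctime skew that can indicate timestomping. The directory layout, file names, file contents and disclosure date are all constructed for the example.

```python
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

# Extensions the web server executes; a dropped webshell is normally one of these.
SCRIPT_EXT = {".php", ".aspx", ".ashx", ".jsp", ".jspx", ".cgi"}
# Code or command execution fed straight from request parameters: the core webshell primitive.
SHELL_RE = re.compile(
    rb"(eval|system|passthru|shell_exec|exec|popen|proc_open)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)"
    rb"|Runtime\.getRuntime\(\)\.exec|Request(\.Form|\.QueryString)?\[.*\].*Process\.Start", re.I | re.S)
DAY = 86400

def scan_webroot(root, disclosure_time, baseline_hashes):
    """Map relative path -> reasons, for files outside the vendor baseline that look like a foothold."""
    findings = {}
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() in baseline_hashes:
            continue  # unchanged file shipped with the product
        st, reasons = p.stat(), []
        if p.suffix.lower() in SCRIPT_EXT:
            reasons.append("executable script not in vendor baseline")
            # POSIX st_ctime is inode change time; unlike mtime it cannot be set through utime()
            if st.st_ctime >= disclosure_time:
                reasons.append("created or changed after vulnerability disclosure")
            if st.st_ctime - st.st_mtime > DAY:
                reasons.append("mtime far older than ctime (possible timestomping)")
        if SHELL_RE.search(data):
            reasons.append("contains request-driven code or command execution")
        if reasons:
            findings[str(p.relative_to(root))] = reasons
    return findings

def build_sample_webroot():
    """Constructed fixture: a baseline vendor page, a one-line PHP shell and a backdated .aspx file."""
    root = Path(tempfile.mkdtemp())
    vendor = b"<?php echo 'logon page'; ?>"
    (root / "index.php").write_bytes(vendor)
    (root / "notes.txt").write_bytes(b"changelog")
    (root / "cmd.php").write_bytes(b"<?php system($_GET['c']); ?>")
    backdated = root / "theme.aspx"
    backdated.write_bytes(b"<%@ Page Language='C#' %><html>ok</html>")
    os.utime(backdated, (0, 0))  # atime/mtime pushed back to 1970, ctime stays 'now'
    disclosure_time = time.time() - 30 * DAY  # pretend the advisory was published a month ago
    return root, disclosure_time, {hashlib.sha256(vendor).hexdigest()}
```

Where the vendor publishes known-good file lists or an integrity checker for the affected product, prefer those over a hand-built hash baseline; the mtime/ctime check is an indicator to triage, not proof on its own.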