A recent breach in the manufacturing sector involved phishing and data exfiltration, with attackers achieving a breakout time of just 48 minutes. This incident underlines the need for faster automated responses as threats evolve swiftly.
Affected: manufacturing sector
Key points:
- Phishing attack leads to rapid data exfiltration in the manufacturing sector.
- Breakout time for the attackers was only 48 minutes.
- Attackers used phishing techniques associated with the Black Basta ransomware group.
- More than 15 users targeted through a flood of spam emails.
- Threat actors impersonated IT staff to gain control via Quick Assist.
- Detection and response automation can significantly reduce threat containment time.
- Dynamic-link library sideloading was used to evade detection.
- Service accounts were exploited, highlighting their vulnerabilities.
- Data exfiltration was performed using WinSCP to an external server.
- Proactive measures included taking data centers offline to prevent further breaches.
MITRE Techniques:
- Phishing (T1566): Initial access achieved through a mass spam email campaign targeting users.
- Process Injection: Dynamic-link Library Injection (T1055.001): Malicious DLL smuggled into legitimate processes to evade detection.
- Scheduled Task/Job: Scheduled Task (T1053.005): Attackers created scheduled tasks for lateral movement.
- Exfiltration Over Web Service (T1567): Data was exfiltrated over web requests to a remote server.
- Interactive Logon with Service Account (T1078.002): Attacker accessed and exploited a service account for elevated permissions.
Indicators of Compromise:
- Two domains used for malicious activity: pefidesk[.]com for data exfiltration and uptemp[.]icu as the Command and Control (C2) server.
- Malicious DLL named winhttp.dll was identified, linked to the OneDrive update process.
- Artifacts indicating phishing attempts through spam email waves and Microsoft Teams messages targeting users were noted.
- A spike in email volume from external sources targeting specific users can be used as an IOC.
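The last indicator (a flood of external email aimed at a handful of users) can be turned into an automated detection. The following is an added example, not code from the ReliaQuest write-up; the log format (`<ISO timestamp> <sender> <recipient>`), the internal domain, the window and the threshold are assumptions chosen for illustration.

```python
# Added example: detect a spam flood by counting external-sender messages per
# recipient inside a sliding time window. Thresholds and log format are assumed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"   # assumed internal mail domain
WINDOW = timedelta(minutes=10)     # assumed detection window
THRESHOLD = 20                     # assumed external messages per window


def build_sample_log():
    """Constructed mail-gateway log: alice gets 25 external mails in ~5 minutes,
    bob gets 3 spread over 40 minutes, plus one internal mail to alice."""
    base = datetime(2025, 1, 15, 9, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=12 * i)).isoformat()
        lines.append(f"{ts} spam{i}@mailer{i % 5}.test alice@corp.example")
    for i in range(3):
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} vendor@partner.test bob@corp.example")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} helpdesk@corp.example alice@corp.example")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically


def parse_line(line):
    ts, sender, recipient = line.split()
    return datetime.fromisoformat(ts), sender.lower(), recipient.lower()


def is_external(address):
    return not address.endswith("@" + INTERNAL_DOMAIN)


def detect_mail_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {recipient: time the external-mail count first reached threshold}."""
    recent = defaultdict(deque)  # recipient -> timestamps of recent external mail
    alerts = {}
    for line in lines:
        ts, sender, recipient = parse_line(line)
        if not is_external(sender):
            continue  # internal mail does not count toward the flood
        q = recent[recipient]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold and recipient not in alerts:
            alerts[recipient] = ts
    return alerts


if __name__ == "__main__":
    for user, when in detect_mail_floods(build_sample_log()).items():
        print(f"ALERT mail flood: {user} crossed {THRESHOLD} external messages at {when}")
```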
Full Story: https://reliaquest.com/blog/blink-and-theyre-in-how-rapid-phishing-attacks-exploit-weaknesses/