This article discusses an intriguing case of a brute force attack that led to the discovery of a broader ransomware ecosystem associated with initial access brokers. The scenario highlights the complexities of intrusion analysis, demonstrating how traditional techniques can reveal unexpected patterns and linkages to larger cybercriminal infrastructure. Affected: network security, ransomware ecosystem, initial access brokers, organizations.
Key points:
- Brute force attack on exposed RDP server initiated the investigation.
- Successful compromise of a user account allowed access to the victim's network.
- Threat actor used multiple IP addresses for a single compromise, suggesting a well-structured operation.
- Unusual method observed as the threat actor retrieved credentials from text files instead of using common tools.
- Link established between compromise and known ransomware, specifically Hive and BlackSuit.
- Discovery of domains associated with threat actors indicates a broader infrastructure of ransomware-as-a-service.
MITRE Techniques:
- Brute Force (T1110) - The attacker attempted to gain access to the RDP server by guessing credentials through multiple login attempts.
- Credential Dumping (T1003) - The threat actor displayed unusual behavior by manually searching for credentials in text files instead of using automated processes.
- Command and Control (T1071) - Use of multiple IP addresses and domains indicates a structured command and control mechanism.
Indicators of Compromise:
- [IP Address] 64.190.113[.]159
- [IP Address] 147.135.36[.]162
- [Domain] specialsseason[.]com
- [Domain] 1vpns[.]com
- [Certificate Fingerprint (SHA256)] 6bc8b8f260f9f9bfea69863ef8d3c525568676ddadc09c14655191cad1acdb5b
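The key points above describe the detectable shape of this intrusion: a burst of failed RDP logons from one source, a success against the same account shortly after, and the same account then used from a second attacker IP. The script below is an added example written for this summary, not code from Huntress or from the original post. It parses a handful of constructed Windows Security events (4625 failed logon, 4624 successful logon, with RDP logon types 10 and 3), flags source IPs whose failures within a time window are followed by a success, lists accounts that logged in over RDP from more than one source, and matches source IPs against the two IP indicators listed above. The event format, thresholds and sample records are assumptions for the example; the IoC values are the ones on this page, refanged so they match raw log data.

```python
"""Detect RDP brute force followed by a successful logon, and match source IPs
against the indicator list from the summary. Added example, not Huntress code.
The log format and sample events below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# IP indicators from the summary above (defanged on the page, refanged here).
IOC_IPS = {"64.190.113.159", "147.135.36.162"}

# RDP logons appear as type 10 (RemoteInteractive); with Network Level
# Authentication the initial credential check is logged as type 3 (Network).
RDP_LOGON_TYPES = {3, 10}

# Constructed records: "<timestamp> <EventID> <account> <source_ip> <logon_type>"
SAMPLE_EVENTS = [
    "2024-01-10T02:00:01 4625 administrator 64.190.113.159 3",
    "2024-01-10T02:00:04 4625 admin 64.190.113.159 3",
    "2024-01-10T02:00:07 4625 jsmith 64.190.113.159 3",
    "2024-01-10T02:00:11 4625 jsmith 64.190.113.159 3",
    "2024-01-10T02:00:14 4625 jsmith 64.190.113.159 3",
    "2024-01-10T02:00:18 4625 jsmith 64.190.113.159 3",
    "2024-01-10T02:00:22 4624 jsmith 64.190.113.159 10",   # guessing succeeds
    "2024-01-10T02:40:00 4624 jsmith 147.135.36.162 10",   # same account, second source IP
    "2024-01-10T03:00:00 4625 svc_backup 203.0.113.7 3",   # two failures, never succeeds
    "2024-01-10T03:00:05 4625 svc_backup 203.0.113.7 3",
    "2024-01-10T09:00:00 4625 abrown 10.0.0.5 3",          # benign: one typo, then success
    "2024-01-10T09:00:20 4624 abrown 10.0.0.5 10",
]


def parse_events(lines):
    """Turn the constructed text records into sorted dicts."""
    events = []
    for line in lines:
        ts, event_id, user, ip, logon_type = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                       "user": user.lower(), "ip": ip, "type": int(logon_type)})
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=15)):
    """Return {source_ip: finding} for sources that accumulated at least
    `threshold` RDP failures inside `window` and then logged in successfully.
    Failures are counted per source IP regardless of account name, so a
    spray across several accounts from one source is caught as well."""
    failures = defaultdict(list)  # source_ip -> timestamps of 4625 events
    findings = {}
    for e in events:
        if e["type"] not in RDP_LOGON_TYPES:
            continue
        if e["id"] == 4625:
            failures[e["ip"]].append(e["ts"])
        elif e["id"] == 4624:
            recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                findings[e["ip"]] = {
                    "failures": len(recent),
                    "account": e["user"],
                    "success_at": e["ts"].isoformat(),
                    "known_ioc": e["ip"] in IOC_IPS,
                }
    return findings


def accounts_from_multiple_ips(events):
    """Accounts with successful RDP logons from more than one source IP;
    the summary notes one compromise was worked from several attacker IPs."""
    sources = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["type"] in RDP_LOGON_TYPES:
            sources[e["user"]].add(e["ip"])
    return {u: ips for u, ips in sources.items() if len(ips) > 1}


def ioc_hits(events):
    """Source IPs in the log that appear on the summary's indicator list."""
    return {e["ip"] for e in events if e["ip"] in IOC_IPS}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("brute force -> success:", detect_rdp_bruteforce(evs))
    print("accounts from multiple IPs:", accounts_from_multiple_ips(evs))
    print("known IoC sources seen:", sorted(ioc_hits(evs)))
```

Counting failures per source rather than per account matters here: the attacker in the summary tried several names before landing on a working one, and a per-account threshold of five would never fire. The window and threshold are starting points to tune against your own baseline of legitimate failed logons.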
Full Story: https://www.huntress.com/blog/brute-force-or-something-more-ransomware-initial-access-brokers-exposed