This post summarizes a Huntress investigation of a brute force attack against an exposed RDP server that led to the discovery of a larger ransomware ecosystem with apparent ties to initial access brokers. Analysts examined where the attacker's procedures deviated from the usual threat actor playbook, and those deviations pointed to a more complex underlying infrastructure. Affected: network security, ransomware ecosystem
Keypoints :
- The investigation began with a brute force attack against an exposed RDP server.
- The attack gave a sophisticated threat actor, operating from several IP addresses, access to the network.
- The actor's behavior was anomalous, most notably in the way they searched the file system for credential files.
- Maltrail flagged some of the offending IP addresses as linked to Hive ransomware.
- Pivoting on those indicators uncovered multiple associated domains and pointed to a broad ransomware infrastructure.
MITRE Techniques :
- Brute Force (T1110) – The threat actor made repeated login attempts against the exposed RDP server.
- Credential access (listed in the source as Credential Dumping, T1003) – Rather than extracting credentials from memory or the registry, the actor searched the file system for stored credential files, behavior that maps more precisely to Unsecured Credentials: Credentials In Files (T1552.001). This deviation from the usual credential extraction methods is what made the activity stand out.
- Remote Services: Remote Desktop Protocol (T1021.001) – The actor used RDP to gain unauthorized access to the network.
Indicators of Compromise :
- [IP Address] 64.190.113[.]159
- [IP Address] 147.135.36[.]162
- [Domain] specialsseason[.]com
- [Domain] 1vpns[.]com
- [Certificate Fingerprint (SHA-256)] 6bc8b8f260f9f9bfea69863ef8d3c525568676ddadc09c14655191cad1acdb5b
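Added example, not part of the Huntress post: detection logic a defender could run over Windows Security log exports to catch the RDP brute force described above (T1110 against RDP, Event ID 4625 failures with LogonType 10) and to match source addresses against the IP indicators listed on this page. The "key=value" line format and the sample events are constructed for illustration; the IP indicators are the page's own, with the defanging brackets removed in code.

```python
"""
Added example (not from the Huntress post): flag RDP brute-force bursts in
Windows Security events and match source IPs against this page's IOC list.
Event lines below are constructed; the export format is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

def refang(ioc):
    """Turn a defanged indicator such as 64.190.113[.]159 into a usable IP string."""
    return ioc.replace("[.]", ".")

# IP indicators taken from the summary above.
IOC_IPS = {refang(ip) for ip in ("64.190.113[.]159", "147.135.36[.]162")}

# Constructed sample events (assumed export format: ISO timestamp then key=value
# fields from Event ID 4625 = failed logon, 4624 = successful logon).
# LogonType 10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = """\
2024-01-10T02:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=64.190.113.159
2024-01-10T02:00:02 EventID=4625 LogonType=10 TargetUser=admin SourceIP=64.190.113.159
2024-01-10T02:00:03 EventID=4625 LogonType=10 TargetUser=backup SourceIP=64.190.113.159
2024-01-10T02:00:04 EventID=4625 LogonType=10 TargetUser=sqlsvc SourceIP=64.190.113.159
2024-01-10T02:00:05 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=64.190.113.159
2024-01-10T02:00:09 EventID=4624 LogonType=10 TargetUser=administrator SourceIP=64.190.113.159
2024-01-10T02:05:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.25
2024-01-10T02:15:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.25
2024-01-10T02:30:00 EventID=4625 LogonType=3 TargetUser=svc_web SourceIP=10.0.0.40
2024-01-10T03:00:00 EventID=4625 LogonType=10 TargetUser=guest SourceIP=147.135.36.162
"""

def parse_event(line):
    """Parse one exported event line into a dict with a datetime timestamp."""
    ts_str, *fields = line.split()
    event = {"timestamp": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def detect_rdp_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """
    Return per-source-IP findings for RDP (LogonType 10) logons:
      brute_force            - at least `threshold` failures within `window`
      success_after_failures - a 4624 from an IP that had recent failures
      ioc_match              - source IP appears in this page's IOC list
      failed_users           - accounts targeted by the failed attempts
    Non-RDP logon types are ignored so that, e.g., SMB noise does not count.
    """
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["timestamp"])
    recent_failures = defaultdict(list)  # ip -> timestamps inside the window
    findings = {}

    for e in events:
        if e.get("LogonType") != "10":
            continue
        ip = e["SourceIP"]
        rec = findings.setdefault(ip, {
            "brute_force": False,
            "success_after_failures": False,
            "ioc_match": ip in IOC_IPS,
            "failed_users": set(),
        })
        if e["EventID"] == "4625":
            cutoff = e["timestamp"] - window
            recent_failures[ip] = [t for t in recent_failures[ip] if t >= cutoff]
            recent_failures[ip].append(e["timestamp"])
            rec["failed_users"].add(e["TargetUser"])
            if len(recent_failures[ip]) >= threshold:
                rec["brute_force"] = True
        elif e["EventID"] == "4624" and recent_failures[ip]:
            # Password spray or brute force that finally landed: highest priority.
            rec["success_after_failures"] = True
    return findings

def alert_ips(findings):
    """IPs worth blocking or investigating: known IOCs or brute-force sources."""
    return sorted(ip for ip, r in findings.items()
                  if r["ioc_match"] or r["brute_force"] or r["success_after_failures"])

if __name__ == "__main__":
    results = detect_rdp_brute_force(SAMPLE_EVENTS)
    for ip in alert_ips(results):
        r = results[ip]
        print(f"{ip}: brute_force={r['brute_force']} "
              f"success_after_failures={r['success_after_failures']} "
              f"ioc_match={r['ioc_match']} users={sorted(r['failed_users'])}")
```

The threshold and window are deliberately conservative defaults; on a real host you would tune them against baseline failure rates and feed the source-IP field from the actual 4625 event (IpAddress in the event XML) rather than the constructed export format used here. The success-after-failures check is the one that matters most for this story, since a successful RDP logon following a burst of failures from an address already tied to Hive ransomware is the point at which the investigation described above should start.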
Full Story: https://huntress.com/blog/brute-force-or-something-more-ransomware-initial-access-brokers-exposed