Cisco Talos shares insights related to recent cyber attack on Cisco

MITRE Techniques

• [T1566] Phishing – “The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker.”
• [T1078] Valid Accounts – “After obtaining the user’s credentials, the attacker enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN.”
• [T1569.002] System Services: Service Execution – “The attacker dropped a variety of tools, including remote access tools like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and added their own backdoor accounts and persistence mechanisms.”
• [T1136.001] Create Account: Local Account – “The attacker created an administrative user called “z” on the system using the built-in Windows ‘net.exe’ commands. This account was then used in some cases to execute additional utilities…”
• [T1098.005] Account Manipulation: Device Registration – “the attacker enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN.”
• [T1546.012] Event Triggered Execution: Image File Execution Options Injection – “This enabled the attacker to leverage the accessibility features present on the Windows logon screen to spawn a SYSTEM level command prompt, granting them complete control of the systems.”
• [T1070] Indicator Removal on Host – “to remove evidence of activities performed on compromised systems by deleting the previously created local Administrator account. They also used the ‘wevtutil.exe’ utility to identify and clear event logs…”
• [T1070.001] Indicator Removal on Host: Clear Windows Event Logs – “wevtutil.exe el” and “wevtutil.exe cl [LOGNAME]”
• [T1021] Remote Services – “To move files between systems within the environment, the threat actor often leveraged Remote Desktop Protocol (RDP) and Citrix.”
• [T1012] Query Registry – “The threat actor began to enumerate the environment, using common built-in Windows utilities to identify the user and group membership configuration of the system, hostname, and identify the context of the user account under which they were operating.”
• [T1071.001] Application Layer Protocol: Web Protocols – “Commands are retrieved by making HTTP GET requests to the C2 server using the following structure: /bot/cmd.php?botid=%.8x” and “The malware also communicates with the C2 server via HTTP GET requests that feature the following structure: /bot/gate.php?botid=%.8x”
• [T1219] Remote Access Software – “remote access tools such as LogMeIn and TeamViewer.”
• [T1090.003] Proxy: Multi-hop Proxy – “initially leveraging traffic anonymization services like Tor”
• [T1573.002] Encrypted Channel: Asymmetric Cryptography – Content related to securing C2 communications (described in context of C2/TTPs in the article mapping)
• [T1048] Exfiltration Over Alternative Protocol – “they exfiltrated the dumped NTDS over SMB (TCP/445) from the domain controller to the VPN system under their control.”