“CosmicBeetle Advances: RansomHub’s Probation Period”

ESET documents CosmicBeetle deploying its custom ScRansom ransomware, impersonating LockBit in its ransom notes and leak-site branding, and most likely operating as a new RansomHub affiliate, which points to an evolving toolset rather than a single fixed payload. The operation targets SMBs worldwide; ScRansom is still under active development and carries encryption flaws that can leave some encrypted files unrecoverable. #CosmicBeetle #ScRansom #LockBit #LockBit3.0 #RansomHub #Spacecolon

Keypoints

  • Active Deployment: CosmicBeetle is actively distributing its custom ransomware, ScRansom, in 2024.
  • Ransomware Analysis: ScRansom has significant flaws, making some encrypted files irrecoverable.
  • LockBit Impersonation: The group has been using the leaked LockBit builder and impersonating LockBit in ransom notes.
  • RansomHub Connection: CosmicBeetle may be a new affiliate of the RansomHub ransomware gang.
  • Exploitation of Vulnerabilities: The threat actor exploits long-standing vulnerabilities to breach SMBs worldwide.

MITRE Techniques

  • [T1595.002] Active Scanning: Vulnerability Scanning – CosmicBeetle scans its targets for a list of vulnerabilities it can exploit.
  • [T1590.005] Gather Victim Network Information: IP Addresses – CosmicBeetle scans the internet for IP addresses vulnerable to the vulnerabilities it can exploit.
  • [T1583.001] Acquire Infrastructure: Domains – CosmicBeetle registered its own leak site domain.
  • [T1587.001] Develop Capabilities: Malware – CosmicBeetle develops its custom toolset, Spacecolon.
  • [T1588.002] Obtain Capabilities: Tool – CosmicBeetle utilizes a large variety of third-party tools and scripts.
  • [T1588.005] Obtain Capabilities: Exploits – CosmicBeetle utilizes publicly available PoCs for known exploits.
  • [T1588.001] Obtain Capabilities: Malware – CosmicBeetle probably obtained ransomware from RansomHub and the leaked LockBit 3.0 builder.
  • [T1190] Exploit Public-Facing Application – CosmicBeetle gains initial access by exploiting vulnerabilities in FortiOS SSL-VPN and other public-facing applications.
  • [T1204] User Execution – CosmicBeetle relies on user execution for some of its tools, though this is usually done by the threat actor via RDP.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – CosmicBeetle executes various BAT scripts and commands.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – CosmicBeetle executes various PowerShell scripts and commands.
  • [T1136.001] Create Account: Local Account – CosmicBeetle often creates an attacker-controlled administrator account.
  • [T1078] Valid Accounts – CosmicBeetle abuses valid accounts whose credentials it successfully obtains.
  • [T1140] Deobfuscate/Decode Files or Information – ScRansom samples protect public RSA keys by encryption.
  • [T1110.001] Brute Force: Password Guessing – CosmicBeetle utilizes RDP and SMB brute-force attacks.
  • [T1212] Exploitation for Credential Access – CosmicBeetle exploits known vulnerabilities to obtain credentials.
  • [T1485] Data Destruction – CosmicBeetle renders some encrypted files unrecoverable.
  • [T1486] Data Encrypted for Impact – CosmicBeetle encrypts sensitive files on compromised machines.
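Two of the techniques above, RDP/SMB password guessing (T1110.001) and creation of an attacker-controlled local administrator (T1136.001), leave a recognisable trail in the Windows Security log. The script below is an added example, not ESET's code or anything from the report: it runs the two detections over a constructed batch of events (event IDs 4625, 4720 and 4732). The field names, thresholds and window sizes are assumptions chosen for the example, not values from the page, and should be tuned to the environment being hunted.

```python
"""Hunt for two CosmicBeetle-style behaviours in Windows Security events.

4625 = an account failed to log on, 4720 = a user account was created,
4732 = a member was added to a security-enabled local group.
S-1-5-32-544 is the well-known SID of the built-in Administrators group.
All events below are constructed for this example; thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"
REMOTE_LOGON_TYPES = {3, 10}           # 3 = network (SMB), 10 = RemoteInteractive (RDP)
BRUTE_FORCE_THRESHOLD = 10             # failed logons per source inside the window
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
ADMIN_ADD_WINDOW = timedelta(hours=1)  # create-then-elevate gap worth flagging


def _ts(iso):
    return datetime.fromisoformat(iso)


def detect_brute_force(events):
    """T1110.001: one finding per source IP that reaches >= threshold remote
    failed logons inside a sliding window (covers both RDP and SMB guessing)."""
    recent = defaultdict(deque)        # source_ip -> (time, target_user) still in window
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev.get("logon_type") not in REMOTE_LOGON_TYPES:
            continue
        src, now = ev["source_ip"], _ts(ev["time"])
        q = recent[src]
        q.append((now, ev["target_user"]))
        while now - q[0][0] > BRUTE_FORCE_WINDOW:   # drop failures that aged out
            q.popleft()
        if len(q) >= BRUTE_FORCE_THRESHOLD and src not in findings:
            findings[src] = {
                "technique": "T1110.001",
                "source_ip": src,
                "failures": len(q),
                "distinct_users": len({user for _, user in q}),
                "first_seen": q[0][0].isoformat(),
            }
    return list(findings.values())


def detect_new_local_admin(events):
    """T1136.001: a freshly created account (4720) that lands in the local
    Administrators group (4732) within ADMIN_ADD_WINDOW."""
    created = {}                       # username -> (creation time, creating subject)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 4720:
            created[ev["target_user"]] = (_ts(ev["time"]), ev.get("subject_user"))
        elif ev["event_id"] == 4732 and ev.get("group_sid") == ADMINISTRATORS_SID:
            member = ev["member"]
            if member in created and _ts(ev["time"]) - created[member][0] <= ADMIN_ADD_WINDOW:
                findings.append({
                    "technique": "T1136.001",
                    "account": member,
                    "created_by": created[member][1],
                    "elevated_at": ev["time"],
                })
    return findings


def build_sample_events():
    """Constructed sample: a 12-attempt RDP guessing burst, a slow benign trickle
    of failures, an attacker-made account elevated to Administrators, and a
    legitimate account added to Remote Desktop Users (S-1-5-32-555) for contrast."""
    base = datetime(2024, 6, 1, 2, 0, 0)
    events = []
    for i in range(12):                                  # ~2 minutes of failures
        events.append({"event_id": 4625, "time": (base + timedelta(seconds=10 * i)).isoformat(),
                       "source_ip": "203.0.113.7", "logon_type": 10, "target_user": f"user{i % 4}"})
    for i in range(3):                                   # 3 failures spread over 3 hours
        events.append({"event_id": 4625, "time": (base + timedelta(hours=i)).isoformat(),
                       "source_ip": "198.51.100.5", "logon_type": 3, "target_user": "jdoe"})
    t = base + timedelta(minutes=9)
    events.append({"event_id": 4720, "time": t.isoformat(),
                   "target_user": "svc_backup", "subject_user": "administrator"})
    events.append({"event_id": 4732, "time": (t + timedelta(minutes=1)).isoformat(),
                   "member": "svc_backup", "group_sid": ADMINISTRATORS_SID})
    events.append({"event_id": 4720, "time": (t + timedelta(hours=5)).isoformat(),
                   "target_user": "jdoe2", "subject_user": "hr_admin"})
    events.append({"event_id": 4732, "time": (t + timedelta(hours=5, minutes=2)).isoformat(),
                   "member": "jdoe2", "group_sid": "S-1-5-32-555"})
    return events


def hunt(events=None):
    """Run both detections; brute-force findings first, then new local admins."""
    events = build_sample_events() if events is None else events
    return detect_brute_force(events) + detect_new_local_admin(events)


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

On the constructed batch the sweep yields exactly two findings: the 203.0.113.7 burst (10 failures against 4 distinct usernames inside the window, the slow 198.51.100.5 trickle never reaches the threshold) and the svc_backup account that is elevated one minute after creation; the jdoe2 account is ignored because Remote Desktop Users is not the Administrators SID. In production the same two rules would be fed from event log exports or a SIEM query rather than the embedded sample.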

Indicators of Compromise

  • [File] 4497406D6EE7E2EF561C, 949AC88BB973BDBD214B – Auto variant of ScRansom (hash values as given, truncated to 20 hex characters)
  • [Filename] auto.exe, New.exe – Auto variant of ScRansom; static variants
  • [Domain] www.lockbitblog.info – Fake LockBit leak site domain
  • [IP] 66.29.141.245 – Fake LockBit leak site IP
  • [Email] [email protected], [email protected] – Ransom note contact emails (addresses redacted in this copy)
  • [Tox ID] 91E3BA8FACDA7D4A0738ADE67846CDB58A7E32575531BCA0348EA73F6191882910B72613F8C4 – qTox contact
  • [Tor link] http://nonamef5njcxkghbjequlibwe5d3t3li5tmyqdyarnrsryopvku76wqd.onion, http://noname2j6zkgnt7ftxsjju5tfd3s45s4i3egq5bqtl72kgum4ldc6qyd.onion – Onion addresses listed in the report's IoCs
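The indicators above are most useful once turned into a sweep over telemetry already being collected. The following is an added example, not code from ESET or from the page: it loads the listed IoCs into one table and matches them against constructed DNS, proxy, gateway and endpoint log lines. The e-mail contacts are left out because they are redacted in this copy, and the two hash values are only 20-hex-character prefixes here, so they are matched by prefix and reported with low confidence. The log lines, the internal addresses and the zero-padded hash in the sample are made up for the example.

```python
"""Sweep log lines for the CosmicBeetle/ScRansom indicators listed on this page.

Indicator values are copied from the page; every log line below is constructed
for the example and is not from a real incident.
"""
import re

IOCS = {
    "domain": {"www.lockbitblog.info"},
    "ip": {"66.29.141.245"},
    "onion": {
        "nonamef5njcxkghbjequlibwe5d3t3li5tmyqdyarnrsryopvku76wqd.onion",
        "noname2j6zkgnt7ftxsjju5tfd3s45s4i3egq5bqtl72kgum4ldc6qyd.onion",
    },
    "filename": {"auto.exe", "new.exe"},          # compared case-insensitively
    "tox_id": {"91E3BA8FACDA7D4A0738ADE67846CDB58A7E32575531BCA0348EA73F6191882910B72613F8C4"},
    # The page gives only 20-hex-character prefixes, so these can match by
    # prefix alone and are reported with low confidence.
    "hash_prefix": {"4497406D6EE7E2EF561C", "949AC88BB973BDBD214B"},
}

# Tokens pulled out of each log line before comparison
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+(?:[a-z]{2,}|onion))\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b[0-9A-Fa-f]{20,128}\b")    # hashes and Tox IDs
FILE_RE = re.compile(r"[\w.-]+\.exe\b", re.I)


def scan_line(line):
    """Return a list of (ioc_type, value, confidence) hits for one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        h = host.lower()
        if h in IOCS["domain"]:
            hits.append(("domain", h, "high"))
        if h in IOCS["onion"]:
            hits.append(("onion", h, "high"))
    for ip in IPV4_RE.findall(line):
        if ip in IOCS["ip"]:
            hits.append(("ip", ip, "high"))
    for hexstr in HEX_RE.findall(line):
        up = hexstr.upper()
        if up in IOCS["tox_id"]:
            hits.append(("tox_id", up, "high"))
        elif any(up.startswith(p) for p in IOCS["hash_prefix"]):
            hits.append(("hash_prefix", up, "low"))
    for fname in FILE_RE.findall(line):
        base = fname.lower()
        if base in IOCS["filename"]:
            hits.append(("filename", base, "medium"))  # generic names: corroborate
    return hits


# Constructed sample telemetry (not captured data). 10.0.0.x is the victim LAN.
SAMPLE_LOGS = [
    "2024-06-01T02:14:03Z dns client=10.0.0.25 query=www.lockbitblog.info type=A",
    "2024-06-01T02:14:05Z proxy src=10.0.0.25 dst=66.29.141.245:443 host=www.lockbitblog.info",
    "2024-06-01T02:20:41Z sysmon EventID=1 Image=C:\\Users\\Public\\auto.exe ParentImage=C:\\Windows\\explorer.exe",
    # hash = page prefix padded with zeros to SHA-1 length, for the example only
    "2024-06-01T02:21:00Z edr file=C:\\Users\\Public\\auto.exe sha1=4497406D6EE7E2EF561C00000000000000000000",
    "2024-06-01T02:25:10Z edr note contains Tox 91E3BA8FACDA7D4A0738ADE67846CDB58A7E32575531BCA0348EA73F6191882910B72613F8C4",
    "2024-06-01T02:26:00Z gw src=10.0.0.25 url=http://nonamef5njcxkghbjequlibwe5d3t3li5tmyqdyarnrsryopvku76wqd.onion/",
    "2024-06-01T02:30:00Z dns client=10.0.0.30 query=update.example.com type=A",
    "2024-06-01T02:31:00Z sysmon EventID=1 Image=C:\\Windows\\System32\\svchost.exe",
]


def sweep(lines):
    """Return only the lines that matched, with 1-based line numbers and hits."""
    results = []
    for i, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results.append({"line_no": i, "line": line, "hits": hits})
    return results


if __name__ == "__main__":
    for r in sweep(SAMPLE_LOGS):
        print(r["line_no"], r["hits"])
```

Of the eight constructed lines, the first six match (the proxy record fires twice, on both the fake leak-site domain and its IP) and the two benign lines stay silent. Filename hits are graded medium because auto.exe and New.exe are generic names that need a second signal, such as the path or a hash, before they mean anything.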

Read more: https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/