Threat Actors’ Systems Vulnerable to Exploitation by Other Threat Actors

MITRE Techniques

• [T1047] Windows Management Instrumentation – Backdoor registered to WMI and operated daily; ‘The backdoor was registered to Windows Management Instrumentation (WMI) and operated daily at 11:00 PM.’
• [T1053] Scheduled Task – The backdoor operated daily at 11:00 PM, implying scheduled task/job usage; ‘operated daily at 11:00 PM.’
• [T1105] Ingress Tool Transfer – Downloaded malicious files including CoinMiner from the C2 server; ‘The backdoor downloaded malicious files including the CoinMiner from the C2 server.’
• [T1059.003] Command and Scripting Interpreter – Used MS-SQL xp_cmdshell to install a backdoor; ‘they then installed a backdoor into the victim system using MS-SQL’s xp_cmdshell procedure.’
• [T1021.001] Remote Desktop Protocol – Configured reverse RDP to access the Miner bot; ‘The CoinMiner threat actor configured a reverse RDP environment using the Fast Reverse Proxy tool to access the Miner bot.’
• [T1090] Proxy – Modified Fast Reverse Proxy to automatically connect to the proxy server for use in attacks; ‘the normal version requires the user to import the information of the target server… The CoinMiner threat actor modified the Fast Reverse Proxy file’s code so that it automatically connects to the proxy server and uses it in their attack.’
• [T1110] Brute Force – RDP brute force attack on exposed systems; ‘The ransomware threat actor launched a RDP brute force attack on the TCP 30 port.’
• [T1021.001] Remote Desktop Protocol – Lateral movement via RDP after gaining initial access; ‘distributed the ransomware to multiple systems… lateral movement into the network.’