Business email compromise (BEC) and ransomware were the top threats observed by Cisco Talos Incident Response (Talos IR) in the second quarter of 2024, together accounting for 60 percent of engagements.  

Although there was a decrease in BEC engagements from last quarter, it was still a major threat for the second quarter in a row. There was a slight increase in ransomware where Talos IR responded to Mallox and Underground Team ransomware for the first time this quarter, as well as the previously seen Black Basta and BlackSuit ransomware operations.  

For the third quarter in a row, the most observed means of gaining initial access was the use of compromised credentials on valid accounts, which accounted for 60 percent of engagements this quarter, a 25 percent increase from the previous quarter.  

Technology was the most targeted vertical this quarter, accounting for 24 percent of engagements, closely followed by healthcare, pharmaceuticals and retail. There was a 30 percent increase in engagements affecting the technology sector from the previous quarter. Organizations in the technology sector may be seen as gateways into other industries and organizations given their significant role in supplying and servicing a wide range of sectors, making them attractive targets for adversaries.  

Technology organizations often have extensive digital assets supporting critical infrastructure, which means they have minimal tolerance for downtime and may, therefore, be more likely to pay extortion demands. 

Talos IR also observed a slight increase in network device targeting this quarter, accounting for 24 percent of engagements. This activity included password-spraying, vulnerability scanning and exploitation.  

 

Surge in BEC continues  

Within BEC attacks, adversaries will compromise legitimate business email accounts and use them to send phishing emails to obtain sensitive information, such as account credentials. Adversaries can also use compromised accounts to send emails with fraudulent financial requests, such as changing bank account information related to payroll or vendor invoices. 

In a few of the observed BEC incidents that involved a method of phishing as an infection vector, adversaries leveraged SMS phishing, or “smishing,” to compromise accounts. This involves adversaries sending fraudulent text messages to trick recipients into sharing personal information or clicking on malicious links.  

Targeting employees’ personal mobile devices can be an effective method for initial access because they may not have the same security controls as their corporate devices. Organizations should ensure SMS phishing scams are included in security awareness training for employees.   

In one engagement, adversaries compromised a user’s account by sending a phishing email to the employee’s personal email address that redirected the user to a fake login page. The user had passwordless authentication through an authenticator application but received a multi-factor authentication (MFA) push notification and accepted it, granting the adversary access.  

In another cluster of activity, adversaries used compromised credentials obtained through unknown means to access a valid email account. The adversary then created Microsoft Outlook mailbox rules to send emails to a folder named “deleted” before using the compromised account to send out over a thousand phishing emails to internal and external recipients. The phishing emails contained a link that led to a fake login page intended to harvest credentials. 

Ransomware accounted for 30 percent of engagements this quarter, a 22 percent increase from the previous quarter. Talos IR observed Mallox and Underground Team ransomware families for the first time this quarter. Talos IR also responded to the previously seen Black Basta and BlackSuit ransomware this quarter, which we recently assessed are two of the top players within the current ransomware landscape. 

Notably, 80 percent of ransomware engagements this quarter lacked proper MFA implementation on critical systems, such as virtual private networks (VPNs), playing a role in allowing adversaries to gain initial access. In addition, command obfuscation, such as Base64 encoding, was observed within 40 percent of ransomware engagements this quarter, likely to evade detection by disguising the true intent of the commands. 

Mallox 

In a Mallox ransomware engagement, adversaries compromised and encrypted a single Microsoft SQL server, consistent with public reporting on Mallox ransomware attacks. There were no signs of data staging, exfiltration or lateral movement. Talos IR could not determine the initial access vector due to a lack of customer telemetry.   

First discovered in 2021, Mallox (also known as TargetCompany and Fargo) is a ransomware-as-a-service (RaaS) operation that leverages double extortion techniques. Mallox has Linux and Windows variants of the encryptor and appends the file extension “.malox” to files after encryption. The operation is known to use brute force techniques to target unsecured Microsoft SQL servers and has been observed using Cobalt Strike beacons during attacks, although Talos IR did not observe Cobalt Strike in this incident. Cobalt Strike is a legitimate penetration testing tool that is commonly leveraged by adversaries for malicious activity. 

Underground Team 

Talos IR responded to an Underground Team ransomware attack in an engagement where the adversary leveraged Secure Shell (SSH) to move laterally in the environment. The adversary also strategically reactivated certain Active Directory user accounts that had been previously disabled, potentially a newly observed technique for Underground Team ransomware operators, based on a lack of public reporting. 

Talos IR’s review of the available Active Directory logs indicated that the adversary reactivated over 100 previously disabled accounts, likely an attempt to escalate privileges. Talos IR reviewed a specific compromised account leveraged by the adversary to establish persistence and move laterally. Using this account, the adversary also deployed the ransomware payload and encrypted multiple critical systems, including domain controllers, virtual machines, backups and server management systems. 

During the engagement, the threat actor also sent harassing messages to employees' personal emails. This technique was likely intended to coerce the victim to respond to the actor’s demands.  

Underground Team is a relatively new ransomware group that emerged in 2023. While not as prominent as other established ransomware actors, they have garnered attention for their tactics, techniques and procedures (TTPs) and how the group claims to offer cybersecurity help within their extortion demands, a common social engineering technique.  

BlackSuit 

Talos IR responded to a BlackSuit ransomware attack where adversaries gained access with valid credentials through a VPN that was not protected by MFA. Persistence was established by deploying the remote management tool AnyDesk in the environment, as well as Cobalt Strike. There is no easy way to effectively block all unauthorized remote management tools, but security can be greatly improved through a combination of policy and technical controls

Talos IR also observed the adversaries deploying several utilities not previously observed being leveraged by BlackSuit. The group used Microsoft PowerToys for lateral movement, SuperGrate, a Windows User Profile backup and migration utility, and Mimikatz DCSync, an old technique commonly leveraged by other ransomware operations to compromise credentials. 

The adversaries also leveraged living-off-the-land binaries (LoLBins) like PsExec and the Windows Management Instrumentation command-line (WMIC) to move laterally across the network. Several legitimate tools were installed to assist with staging and exfiltrating data, such as WinRAR and WinSCP, commonly used by ransomware operations. The files delivering the ransom notes could also not be easily analyzed due to sandbox evasion techniques, a technique not typically observed within BlackSuit attacks.  

BlackSuit is a RaaS group that has been active since at least May 2023, gaining notoriety after the group’s threat to entities in the healthcare sector in November 2023. BlackSuit’s ransomware encryptors, supporting Linux and Windows variants, have been observed to have many similarities with the Royal ransomware group, leading researchers to believe BlackSuit is a rebrand of Royal ransomware operations. Talos and other researchers have compared the Royal and BlackSuit encryptors and confirmed the code was extremely similar.  

Black Basta 

Talos IR responded to a Black Basta engagement this quarter where adversaries gained initial access using compromised credentials on a valid RDP account that was not protected with MFA. Once inside the network, adversaries began acquiring credentials from the Windows Credential Manager through the New Technology LAN Manager (NTLM). Talos IR observed the adversaries using remote PowerShell execution, which is a common technique that uses WinRM to start a shell on remote systems.  

The adversaries leveraged the open-source command line tool Rclone to facilitate data exfiltration, a technique commonly used by ransomware actors. The Rclone configuration file was deleted before the adversary finished their attack. Sometimes, adversaries will forget to delete the configuration file, providing defenders with access tokens for the adversary-controlled server where the data was exfiltrated.  

This can allow defenders to download the stolen files and then delete them from the servers. Remote services, including RDP and SMB, were leveraged for lateral movement. Before the execution of ransomware, the adversaries disabled several tools, such as Windows Defender, to ensure the encryption process would not be interrupted.   

First discovered in April 2022, Black Basta is a RaaS operation that is a likely rebrand of the former Conti ransomware group that was shut down in Spring 2022. Black Basta ransomware is written in C++ and targets Windows and Linux systems. Black Basta affiliates have been observed using a wide range of initial access techniques, such as phishing, drive-by compromise, password spraying and exploiting known vulnerabilities. The targeting appears to be opportunistic and/or indiscriminate in nature. 

Network device targeting 

Talos IR observed a slight increase in network device targeting this quarter, accounting for 24 percent of engagements. This activity included password spraying, vulnerability scanning and exploitation. Network devices should be regularly patched and actively monitored because they provide a critical path for data entering and leaving the network. If compromised, an adversary could immediately pivot into an organization, divert or change network traffic, and monitor network communications.  

In one engagement, adversaries exploited a denial-of-service (DoS) vulnerability, tracked as CVE-2018-0296, affecting a Cisco Adaptive Security Appliance (ASA). The vulnerability in the web interface could allow an unauthenticated, remote attacker to cause a targeted device to reload unexpectedly, resulting in denial–of service.  

Adversaries also exploited a separate vulnerability within the Cisco ASA, tracked as CVE-2020-3259, that allowed them to remotely retrieve memory contents on the ASA, resulting in the unauthorized disclosure of sensitive information. Both the hardware and software used by the organization were past end-of-life (EOL) support. Talos IR recommends using supported hardware and software to prevent unwanted downtime and cyberattacks. 

In another cluster of activity, adversaries carried out a series of password-spraying attacks against the clientless VPN functionality of the organization’s ASA firewalls. The clientless functionality allows users to have a secure, remote access VPN tunnel to an ASA using a web browser without requiring a software or hardware client.  

The attack was ultimately unsuccessful because the organization enforced certificate-based authentication, which uses digital certificates stored in the user’s browser. If a user attempted to authenticate without a certificate, they would not be granted access. 

Initial vectors 

When known, the most observed means of gaining initial access was the use of compromised credentials on valid accounts, which accounted for 60 percent of engagements There was a 25 percent increase from the previous quarter where valid accounts were also a top attack vector. 

In one engagement this quarter, adversaries compromised an organization’s trusted partner and abused the one-way trust network relationship to gain access. Organizations regularly set up one-way trust network relationships with partners or customers to facilitate controlled access to resources or services, which allows organizations to grant specific permissions or access controls to external entities without reciprocating access.  

Although it is intended to enhance security by limiting the potential exposure of critical assets, adversaries commonly abuse this relationship to gain access. As more organizations seek to expand their networks to include more partners and external services, adversaries will likely continue to exploit vulnerabilities within these relationships. Strengthening security controls and continuously monitoring access points will be crucial to mitigating these threats and safeguarding against potential breaches.    

Security weaknesses 

Vulnerable or misconfigured systems and a lack of proper MFA implementation were tied for the top observed security weaknesses this quarter, accounting for nearly all of the engagements. Talos IR observed a 46 percent increase in each of these security weaknesses from the previous quarter. 

Systems that are not up to date with the latest patches are potentially susceptible to vulnerabilities. Misconfigured systems are not configured with industry best practices for security in mind leaving the organization exposed, such as a public-facing server that is only supposed to be accessed internally. 

In one cluster of activity, a network switch was compromised that was past the device’s EOL support. Using a network switch that is past its EOL support is risky because it no longer receives security updates, bug fixes, or technical support from the manufacturer. Relying on outdated hardware increases the likelihood of unexpected failures and cyberattacks, which can disrupt business operations and result in costly downtime.  

In another engagement, the adversaries dumped credentials from the Security Account Manager (SAM) database through the Windows Registry, which enabled the adversary to move laterally throughout the environment because MFA was not properly implemented. There was not enough visibility in the engagement to identify the initial access vector, but organizations must understand MFA can prevent both initial access and lateral movement should an adversary compromise an account or system. 

Talos IR recommends implementing MFA on all critical services including all remote access and identity access management (IAM) services. MFA will be the most effective method for the prevention of remote-based compromises. MFA can also help prevent lateral movement by requiring all administrative users to provide a second form of authentication. Organizations can set up alerting for single-factor authentication to quickly identify potential gaps.  

This quarter, Talos IR continued to observe users accepting MFA push notifications within engagements, but there was a notable decrease from the large surge in activity seen last quarter. In one cluster of BEC activity, several employees received phishing emails from a trusted partner’s email that had been compromised by the adversary.  

The emails contained links to fake login pages meant to harvest credentials. At least one employee provided credentials, which resulted in an MFA push notification being sent to the employee’s phone which they accepted granting the adversary access. Talos IR recommends organizations educate their employees about the specific channels and points of contact for reporting these incidents. Additionally, the employee’s account did not have alerting in place to prevent impossible travel scenarios. Impossible travel refers to the scenario in which a user authenticates from two locations within an unrealistically brief period to have traveled between the locations.  

Talos IR recommends reviewing the configurations on identity access management (IAM) platforms for identifying risky login attempts, such as impossible travel to prevent unauthorized access. In addition, organizations should set up monitoring for device registrations and the generation of bypass codes. 

Top observed MITRE ATT&CK techniques 

The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements and includes relevant examples. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic based on the way they were leveraged. Please note, this is not an exhaustive list.  

Key findings from the MITRE ATT&CK framework include: 

  • PowerShell was the top execution technique observed this quarter, accounting for 41 percent of engagements this quarter, a 33 percent increase from the previous quarter. 
  • Adversaries created new accounts more than any other persistence technique this quarter, accounting for 18 percent of engagements, more than double what was observed the previous quarter.  
  • The abuse of remote services, such as RDP, SSH, SMB and WinRM, were observed within 53 percent of engagements this quarter, a slight decrease from the previous quarter. 
  • The abuse of the LoLBin rundll32 was one of the top defense evasion techniques, accounting for 18 percent of engagements this quarter.  
  • Talos IR observed a 40 percent increase in remote access software usage this quarter, with AnyDesk being the most observed software, accounting for almost 30 percent of engagements.  

Reconnaissance

Example

T1589.001 Gather Victim Identity Information: Credentials

Adversaries may gather credentials that can be used during their attack.

T1598.003 Phishing for Information: Spearphishing Link

Adversaries may send a spearphishing email with a link to a credential harvesting page to collect credentials for their attack.

T1589.003 Gather Victim Identity Information: Employee Names

Adversaries may perform reconnaissance online to try to identify the names of employees to potentially target an organization.

T1595.002 Active Scanning: Vulnerability Scanning

Adversaries may run vulnerability scans against an organization’s public-facing infrastructure to identify potential vulnerabilities to exploit.

Resource Development

Example

T1588.006 Obtain Capabilities: Vulnerabilities

Adversaries may research information about specific vulnerabilities so they can be used within their attacks.

T1588.005 Obtain Capabilities: Exploits

Adversaries may obtain exploits to vulnerabilities so they can be leveraged within attacks.

T1584.001 Compromise Infrastructure: Domains

Adversaries may compromise domains so they can use them for malicious activities.

Initial Access

Example

T1078 Valid Accounts

Adversaries may use compromised credentials to access valid accounts during their attack.

T1566 Exploit in Public-Facing Application

Adversaries may exploit a vulnerability to gain access to a target system.

Execution

Example

T1059.001 Command and Scripting Interpreter: PowerShell

Adversaries may abuse PowerShell to execute commands or scripts throughout their attack.

T1059.003 Command and Scripting Interpreter: Windows Command Shell

Adversaries may abuse Windows Command Shell to execute commands or scripts throughout their attack.

T1047 Windows Management Instrumentation

Adversaries may use Windows Management Instrumentation (WMI) to execute malicious commands during the attack.

Persistence

Example

T1136 Create Account

Adversaries may create a new account to maintain persistence in a target environment.

T1078 Valid Accounts

Adversaries may abuse their access to valid accounts to maintain persistence in a target environment.

Privilege Escalation

Example

T1078.002 Valid Accounts: Domain Accounts

Adversaries may abuse their access to valid accounts to maintain persistence in a target environment.

Defense Evasion

Example

T1562.001 Impair Defenses: Disable or Modify Tools

Adversaries may disable or uninstall security tools to evade detection.

T1218.011 System Signed Binary Proxy Execution: Rundll32

Adversaries may abuse the Windows utility rundll32.exe to execute malware.

T1027.010 Obfuscated Files or Information: Command Obfuscation

Adversaries may obfuscate commands to evade detection during their attack.

T1564.008 Hide Artifacts: Email Hiding Rules

Adversaries may create inbox rules to forward certain incoming emails to a folder to hide them from the inbox owner.

Credential Access

Example

T1110.003 Brute Force: Password Spraying

Adversaries use a list of usernames and passwords to try and gain access to user accounts.

T1003.003 OS Credential Dumping: NTDS

Adversaries may dump the contents of the NTDS.dit file to access credentials that can be used for lateral movement.

T1003 OS Credential Dumping

Adversaries may dump credentials from various sources to enable lateral movement.

T1110 Brute Force

Adversaries may use brute force account passwords to compromise accounts.

T1621 Multi-Factor Authentication Request Generation

Adversaries may generate MFA push notifications causing an MFA exhaustion attack.

Discovery

Example

T1018 Remote System Discovery

Adversaries may attempt to discover information about remote systems with commands, such as “net view”.

T1016.001 System Network Configuration Discovery: Internet Connection Discovery

Adversaries may ping a domain to check if the infected device is connected to the Internet.

T1033 System Owner / User Discovery

Adversaries may attempt to discover information about the logged in user of a compromised account with commands, such as “whoami”.

Lateral Movement

Example

T1021.001 Remote Services: Remote Desktop Protocol

Adversaries may abuse valid accounts using RDP to move laterally in a target environment.

T1021.002 Remote Services: SMB / Windows Admin Shares

Adversaries may abuse valid accounts using SMB to move laterally in a target environment.

T1021.004 Remote Services: SSH

Adversaries may abuse valid accounts using SSH to move laterally in a target environment.

T1021.006 Remote Services: WinRM

Adversaries may abuse valid accounts using WinRM to move laterally in a target environment.

T1534 Internal Spearphishing

Adversaries may abuse a compromised email account to send internal spearphishing emails to move laterally.

Collection

Example

T1005 Data from Local System

Adversaries may collect information from an infected system

T1560 Archive Collected Data

Adversaries may archive staged data using tools, such as WinRAR.

Command and Control

Example

T1219 Remote Access Software

Adversaries may abuse remote access software, such as AnyDesk, to establish an interactive C2 channel during their attack.

T1105 Ingress Tool Transfer

Adversaries may transfer tools from an external system to a compromised system.

T1071.001 Application Layer Protocol: Web Protocols

Adversaries abuse web protocols, such as HTTPS, for C2 communication.

Exfiltration

Example

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Adversaries may exfiltrate data over an unencrypted network protocol.

Impact

Example

T1486 Data Encrypted for Impact

Adversaries may use ransomware to encrypt data on a target system.

T1490 Inhibit System Recovery

Adversaries may disable system recovery features, such as volume shadow copies.