Between August 28-31 and September 1-4, 2024, Blackpoint’s Active Security Operations Center (SOC) responded to 381 total incidents and partner saves across on-premises, Microsoft 365, and Google Workspace protected environments, with confirmed or likely threat actor use of:
- The Greenshot screenshot tool and the AnyDesk and TeamViewer remote management tools for collection and persistence, following RDP abuse for initial access;
- Classroom Spy Pro likely for collection; and
- ProcDump and Mimikatz for credential access.
In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.
Editor’s note: As part of a stronger internal technical review cycle, moving forward, please expect these incident analyses to be released on Tuesdays instead of Fridays, and summarized as part of the weekly Threat Digest email newsletter released every Wednesday.
Greenshot, AnyDesk, and TeamViewer Incident with Healthcare Partner on August 30, 2024
Topline Takeaways
- Industry target: Healthcare
- Attacker information:
- Greenshot
- AnyDesk & TeamViewer
- RDP and SSL-VPN abuse
- Antivirus (AV) and / or EDR present in environment? No
- Threat assessment for partners:
- The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use RDP for initial access to exploit other Healthcare organizations over the next 12 months.
- Recommended remediations and mitigations:
- Employee security training
- Dedicated software center
- Heuristics-based activity monitoring and remediation
- Regularly audit both environment and endpoints
Greenshot, AnyDesk, and TeamViewer Incident Timeline for 2024-08-30
- Blackpoint’s MDR+R technology identified an RDP connection from a public IP address (1) from a user account of a Healthcare partner.
- Initial investigation by the Active SOC found that the account accessed Dropbox and ran Greenshot; together these indicate a roughly even chance that the threat actor's goals included data exfiltration.
- Additional analysis discovered that the threat actor ran AnyDesk and TeamViewer on the host, and netstat output showed additional suspicious network connections to Russian IP addresses.
- Active SOC analysts isolated the affected device to prevent further malicious activity before reaching out to the Healthcare partner with additional details and remediation advice.
More About Greenshot, AnyDesk, and TeamViewer
Greenshot
Greenshot is a lightweight screenshot software tool for Windows (2). The tool is capable of:
- Capture screenshots of a selected region, a window, or the full screen
- Annotate, highlight, or obfuscate portions of the captured screenshot
- Export the screenshot to a file, a printer, the clipboard, email, and more
AnyDesk
AnyDesk is a remote desktop application that allows users to remotely access systems and transmit data between devices (3). AnyDesk is a legitimate tool that can run in the cloud or on-premises, making it a versatile tool for IT administrators. The tool is used by many Managed Service Providers (MSPs) to provide remote assistance, system management, and monitoring to their end clients.
TeamViewer
TeamViewer is a remote access and control software that allows users to connect to and control other computers and devices (4). TeamViewer is a legitimate tool used by organizations, as it is capable of assisting with:
- Asset management
- Mobile device management
- Device monitoring
- Endpoint protection
Threat Actor Abuse of Greenshot
Threat actors use the Greenshot tool to collect information from the compromised system — especially screenshotting credentials, sensitive dashboards, databases, and more.
Greenshot is likely attractive to threat actors because it is a legitimate, commonly installed utility, so its presence and execution are less likely to be flagged than a custom screenshot capability.
Threat Actor Abuse of AnyDesk
AnyDesk is an attractive tool for threat actors to maintain persistent access to compromised devices and to evade detection.
Specifically, Blackpoint’s APG has tracked 20 ransomware operations purportedly using AnyDesk, including:
- Akira
- Black Basta
- BlackSuit
Threat Actor Abuse of TeamViewer
Threat actors often favor TeamViewer and similar tools during intrusions (5) because of:
- The access these types of tools provide
- The ability to remain undetected and blend into normal traffic
- The potential for persistent access to compromised networks
APG Threat Analysis of RDP for Initial Access and Remote Management Tool Abuse for 2024
Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will very likely continue to use RDP for initial access and abuse remote management tools such as TeamViewer, AnyDesk, and Greenshot over the next 12 months.
This assessment is based on internal Blackpoint observed attacks, such as incidents on:
- March 14, 2024, involving a Consumer Cyclicals partner (6); and
- June 09, 2024, involving an Industrials partner (7)
The APG’s assessment is further supported by external reports from other research teams recording threat actor abuse of legitimate tools, including AnyDesk and TeamViewer. For example:
- In February 2023, Proofpoint security researchers reported that a threat group, TA866, targeted organizations in the U.S. and Germany with a custom screenshot-capture tool, Screenshotter, functionally similar to the legitimate Greenshot, to perform reconnaissance and data theft (8).
- TA866 reportedly exfiltrated screenshots of the victims’ systems and analyzed them to determine if the target was valuable enough for further compromise.
- In June 2024, TeamViewer reported that they had been the victim of a cyberattack attributed to the Russia-linked APT29 threat group (9).
- While the company reported that the incident was contained to their internal corporate IT environment and did not affect customer data or their product environment, the incident highlights how threat actors both use legitimate tooling and target the tooling organization specifically, likely in an attempt to target customers via supply chain attack.
- In August 2024, Silent Push security researchers reported an ongoing campaign targeting banks in the U.K. via social engineering attacks to deploy AnyDesk software (10).
- Threat actors reportedly used social engineering, spoofed websites, and phishing attacks to lure victims into downloading AnyDesk software via a generic online help link.
Recommended RDP and Remote Management Tool Abuse Mitigations and Remediations
Blackpoint’s APG recommends the following remediations and mitigations for threat actor use of RDP for initial access and remote management tool abuse in your environment.
- Run employee security training as a strong “insurance policy” of sorts for your most exposed security liabilities: your end users. They must repeatedly be exposed to what basic phishing and malvertising lures look like, and be more cautious about opening email attachments or clicking on sponsored ads in search results. Employee training should also include how and when to report incidents to an incident response authority.
- Previous incidents involving the use of legitimate remote management software have been initiated via social engineering attacks. Exposing employees to frequently observed social engineering tactics can aid in providing them with the awareness and knowledge to identify such tactics.
- Provide a dedicated software center to guarantee employees can easily access the applications and updates required for their jobs from a safe and monitored location, so they don’t “go rogue” and accidentally download malware from a malvertising or SEO-poisoned instance.
- Dedicated software centers can also help IT administrators and security professionals identify when unusual or rogue software is downloaded, as there is a “known good” list of software to compare with suspicious applications or files.
- Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols, ensuring your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
- Threat actors have often abused legitimate tools in an attempt to blend in with normal traffic, as they did in this incident with Greenshot, TeamViewer, and AnyDesk. Behavior-based detection can identify when unusual software has been installed or launched and stop threat actors before they complete their objectives.
- Regularly audit both the environment and endpoints for what “normal” user activity looks like, identify old and unused credentials or authorizations, and account for possible “shadow IT.” Such audits should also ensure the application and enforcement of all technical and administrative controls throughout your organization.
- This incident involved the use of a screenshot tool, Greenshot, which has not been commonly observed in widely reported cyberattacks. Regularly auditing the environment can help quickly identify unusual but legitimate software installed on endpoints and remove them before successful execution.
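The heuristic described above, correlating an RDP logon from a public address with follow-on execution of remote-access or screenshot tools on the same host, can be expressed as a small detection. The following is an added example, not Blackpoint's code or a description of its MDR+R logic; the event schema, the sample records, and the tool-name list are constructed assumptions, and it goes slightly beyond the text by also escalating tools launched from user-writable paths (Temp, AppData, Downloads), since IT-installed RMM agents normally live under Program Files.

```python
"""Correlate public-IP RDP logons with follow-on execution of remote-access or
screenshot tools on the same host.

Added example, not Blackpoint's code. Event field names and the sample data are
constructed; a real deployment would feed normalized Windows Security 4624
(logon type 10 = RemoteInteractive) and process-creation records into it.
"""
import ipaddress
from datetime import datetime, timedelta

# Process names for the tools named on the page. Assumption: in practice this
# would come from a curated RMM/collection-tool list, not be hard-coded.
WATCHED_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
    "greenshot.exe": "Greenshot",
}

# Address ranges that are never a legitimate external RDP source. Listed
# explicitly rather than using ipaddress.is_global so that the RFC 5737
# documentation address used in the sample counts as public.
_NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]

# Constructed sample events (not taken from the incident).
SAMPLE_EVENTS = [
    {"ts": "2024-08-30T02:11:05", "host": "WS-HC-17", "type": "logon",
     "logon_type": 10, "user": "jdoe", "src_ip": "203.0.113.45"},
    {"ts": "2024-08-30T02:13:40", "host": "WS-HC-17", "type": "process",
     "user": "jdoe", "image": r"C:\Program Files\Greenshot\Greenshot.exe"},
    {"ts": "2024-08-30T02:20:12", "host": "WS-HC-17", "type": "process",
     "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
    {"ts": "2024-08-30T09:00:00", "host": "WS-HC-03", "type": "logon",
     "logon_type": 10, "user": "helpdesk", "src_ip": "10.20.0.5"},
    {"ts": "2024-08-30T09:02:00", "host": "WS-HC-03", "type": "process",
     "user": "helpdesk", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
]


def is_public_ip(addr):
    """True if `addr` is outside the internal/reserved IPv4 ranges above, or is
    a globally routable IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return ip.is_global
    return not any(ip in net for net in _NON_PUBLIC_V4)


def is_user_writable_path(image):
    """Tools launched from a profile or temp directory were dropped by the user
    (or the attacker), not installed by IT; treat that as an escalating signal."""
    p = image.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or "\\downloads\\" in p


def correlate(events, window_minutes=60):
    """Return one alert per public-IP RDP logon that is followed, within
    `window_minutes` on the same host, by execution of a watched tool."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for lg in events:
        if lg["type"] != "logon" or lg.get("logon_type") != 10:
            continue
        if not is_public_ip(lg["src_ip"]):
            continue
        t0 = datetime.fromisoformat(lg["ts"])
        t1 = t0 + timedelta(minutes=window_minutes)
        tools = []
        for e in events:
            if e["type"] != "process" or e["host"] != lg["host"]:
                continue
            if not t0 <= datetime.fromisoformat(e["ts"]) <= t1:
                continue
            name = e["image"].rsplit("\\", 1)[-1].lower()
            if name in WATCHED_TOOLS:
                tools.append({"tool": WATCHED_TOOLS[name], "image": e["image"],
                              "user_writable": is_user_writable_path(e["image"])})
        if tools:
            severity = "high" if any(t["user_writable"] for t in tools) else "medium"
            alerts.append({"host": lg["host"], "user": lg["user"], "src_ip": lg["src_ip"],
                           "logon_ts": lg["ts"], "severity": severity, "tools": tools})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']} {a['user']} RDP from {a['src_ip']} at {a['logon_ts']}")
        for t in a["tools"]:
            flag = "  (user-writable path)" if t["user_writable"] else ""
            print(f"    {t['tool']:<11} {t['image']}{flag}")
```

On the sample data only the WS-HC-17 chain alerts: the helpdesk session on WS-HC-03 came from an internal address, so a TeamViewer launch there is ordinary support activity. The window is deliberately short; in a real environment tune it to how long legitimate remote sessions run, and treat an allowlisted RMM appearing on a host where it was never deployed as a separate finding.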
Classroom Spy Pro Incident with Institutions & Organizations Partner on September 01, 2024
Topline Takeaways
- Industry target: Institutions & Organizations
- Attacker information:
- RDP
- Classroom Spy Pro
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
- The Adversary Pursuit Group (APG) assesses a roughly even chance that threat actors will continue to abuse classroom remote monitoring software such as Classroom Spy Pro against other Institutions & Organizations over the next 12 months.
- Recommended remediations and mitigations:
- Multifactor authentication (MFA)
- Regularly audit both environment and endpoints
- Heuristics-based activity monitoring and remediation
- Application allowlisting and blocklisting
Classroom Spy Pro Incident Timeline for 2024-09-01
- Blackpoint’s MDR+R technology detected multiple RDP connections and remote executions from a gateway of an Institutions & Organizations partner.
- Initial investigation by the Active SOC found Classroom Spy Pro, a classroom monitoring program with remote screen-viewing and control capabilities, running on a machine.
- Additional analysis discovered an SSL-VPN connection made by a user account, as well as additional machines that had the spy software pushed to them remotely.
- Active SOC analysts isolated all affected machines and disconnected the VPN connection before reaching out to the Institutions & Organizations partner with additional details and remediation advice.
- Post-incident threat intelligence from the APG has correlated this incident with a rising trend of threat actors abusing SSL-VPN.
- On Friday, September 06, five days after this incident occurred on September 01, SonicWall updated its security bulletin for CVE-2024-40766 with news of threat actors exploiting the vulnerability via SSL-VPN on impacted SonicWall devices for initial access, a tactical move similar to the threat actor's use of SSL-VPN in this incident.
- Note that as of this incident update on September 09, 2024, the APG and Blackpoint Active SOC have seen no evidence of explicit threat actor abuse of CVE-2024-40766 in Blackpoint managed environments.
More About Classroom Spy Pro
Classroom Spy Pro is a classroom management software that allows users to monitor and control students’ computers (18). The software has the capability to conduct a variety of actions, including:
- Share a screen with the school remotely,
- Control computers,
- Limit the internet usage; and
- Block applications.
Classroom Spy Pro is specifically designed to monitor student computer activity within an educational setting. These monitoring and screen recording capabilities put this software alongside other legitimate tools frequently abused by threat actors to watch victim activity, such as ConnectWise ScreenConnect (19).
There is a roughly even chance that threat actors are testing or experimenting with abusing classroom software such as Classroom Spy Pro to monitor the activities of victims, deploy malware, and steal sensitive information.
APG Threat Analysis of Classroom Spy Pro for 2024
Blackpoint's Adversary Pursuit Group (APG) assesses a roughly even chance that threat actors will actively use Classroom Spy Pro for information theft over the next 12 months.
The APG’s assessment is based primarily on external reports from other research teams. For example:
- In July 2024, Microsoft security researchers released a report detailing the activities of a threat group, Onyx Sleet, which included the use of malware and tooling that would allow the group to monitor and record victims’ screens and activities (20).
To reiterate, it is the APG’s assessment that there is a roughly even chance that threat actors are testing, experimenting with, and outright abusing classroom software such as Classroom Spy Pro to monitor the activities of victims, deploy malware, and steal sensitive information as a normal part of their threat campaigns.
We will continue to monitor the abuse of all remote monitoring and management tools, regardless of industry vertical or specific software package, to help our partners continue to protect their environments.
Recommended Classroom Spy Pro Mitigations and Remediations
Blackpoint’s APG recommends the following remediations and mitigations of threat actor abuse of Classroom Spy Pro for information theft in your environment.
- Enforce multi-factor authentication (MFA) on all user accounts – especially those with privileged access! – to help decrease the chances of undetected credential compromise.
- The threat actor in this incident utilized a VPN connection to access the victim environment. Requiring the use of MFA can aid in providing an additional layer of authentication and make it more difficult for threat actors to gain initial access to the environment.
- Regularly audit both environment and endpoints for what “normal” user activity looks like, any old and unused credentials or authorizations, and possible “shadow IT” that was previously unaccounted for. Such audits should also ensure the application and enforcement of all technical and administrative controls throughout your organization.
- During this incident, the threat actor deployed software designed for education institutions to monitor students’ computers. Regularly auditing the environment and endpoints can help identify unusual software or applications that would not normally be used for legitimate actions or that are unapproved.
- Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
- The threat actor in this incident utilized RDP to move laterally within the network. This type of detection can help quickly identify abnormal use of RDP and lateral movement activity before the threat actor can successfully complete an attack.
- Implement application controls, including blocklists and allowlists, to help manage and control software installation by end users to only approved and vetted applications.
- This incident included the deployment of classroom spy software, which may or may not have been previously deployed or “made sense” to be deployed in this monitored environment. Implementing application controls can aid in preventing unapproved software from being deployed and executed.
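The endpoint audit recommended here and in the first incident's "known good list" mitigation comes down to stacking a few independent signals over a software inventory: is the program on the allowlist, how many hosts have it, when was it installed, and does it belong to a remote-control or monitoring family. The following is an added example, not Blackpoint's code; the inventory records, the allowlist, the watchlist keywords and the incident window are constructed assumptions, and a real run would export installed-program data from each endpoint (for example through the RMM agent) rather than hard-code it.

```python
"""Flag rare, recently installed, unapproved, or remote-control software
across a small fleet inventory.

Added example, not Blackpoint's code. The inventory, allowlist, watchlist and
incident window below are constructed assumptions.
"""
from collections import defaultdict
from datetime import date

# Assumed organizational allowlist (the "known good" list a software center provides).
APPROVED = {"Microsoft 365 Apps", "Google Chrome", "Zoom", "Adobe Acrobat Reader"}

# Legitimate product families frequently abused for remote control or monitoring
# (the tools named on the page plus CISA's RMM advisory). Assumption: extend as needed.
WATCHLIST = ("classroom spy", "anydesk", "teamviewer", "screenconnect", "connectwise")

# Assumed incident window: the week leading up to and including the 2024-09-01 detection.
INCIDENT_WINDOW = (date(2024, 8, 25), date(2024, 9, 2))

# Constructed inventory: one record per (host, program).
_HOSTS = ("LAB-PC-01", "LAB-PC-02", "LAB-PC-03", "LAB-PC-07", "ADMIN-01")
INVENTORY = [
    {"host": h, "program": p, "installed": d}
    for h in _HOSTS
    for p, d in (("Microsoft 365 Apps", date(2024, 1, 15)), ("Google Chrome", date(2024, 6, 3)))
] + [
    {"host": "LAB-PC-01", "program": "Zoom", "installed": date(2024, 2, 2)},
    {"host": "LAB-PC-02", "program": "Zoom", "installed": date(2024, 2, 2)},
    {"host": "LAB-PC-03", "program": "Zoom", "installed": date(2024, 2, 2)},
    {"host": "ADMIN-01", "program": "Zoom", "installed": date(2024, 2, 2)},
    {"host": "LAB-PC-07", "program": "Adobe Acrobat Reader", "installed": date(2023, 11, 9)},
    {"host": "LAB-PC-07", "program": "Classroom Spy Pro", "installed": date(2024, 9, 1)},
    {"host": "ADMIN-01", "program": "TeamViewer", "installed": date(2022, 3, 18)},
]


def audit(inventory, window=INCIDENT_WINDOW, rare_threshold=0.25):
    """Score every installed program on four independent signals and return the
    findings ordered by how many signals fired (most suspicious first)."""
    hosts = {r["host"] for r in inventory}
    hosts_per_program = defaultdict(set)
    for r in inventory:
        hosts_per_program[r["program"]].add(r["host"])

    findings = []
    for r in inventory:
        prevalence = len(hosts_per_program[r["program"]]) / len(hosts)
        reasons = []
        if r["program"] not in APPROVED:
            reasons.append("not on allowlist")
        if prevalence < rare_threshold:
            reasons.append(f"rare: on {prevalence:.0%} of hosts")
        if window[0] <= r["installed"] <= window[1]:
            reasons.append("installed during incident window")
        if any(k in r["program"].lower() for k in WATCHLIST):
            reasons.append("remote control/monitoring family")
        if reasons:
            findings.append({**r, "reasons": reasons})
    # Most signals first; stable host order for ties.
    return sorted(findings, key=lambda f: (-len(f["reasons"]), f["host"]))


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['host']:<10} {f['program']:<22} installed {f['installed']}  "
              + "; ".join(f["reasons"]))
```

The ordering is the point: Classroom Spy Pro on a single lab PC, installed inside the window, fires all four signals and belongs at the top of the queue, TeamViewer on the admin workstation fires three and needs a human to decide whether it was ever sanctioned, and an approved reader that happens to be rare fires one and is noise. Prevalence alone would rank the last two the same.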
ProcDump and Mimikatz Incident with Industrials Partner on August 30, 2024
Topline Takeaways
- Industry target: Industrials
- Attacker information:
- RDP
- ProcDump
- Mimikatz
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
- The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use ProcDump and Mimikatz for credential access to exploit other Industrials organizations over the next 12 months.
- Recommended remediations and mitigations:
- Multifactor authentication (MFA)
- Least-privilege access controls
- Heuristics-based activity monitoring and remediation
- Password managers
ProcDump and Mimikatz Incident Timeline for 2024-08-30
- Blackpoint's MDR+R technology detected an Industrials partner's local administrator account mounting the ADMIN$ share and executing services.exe, a pattern consistent with remote service execution over SMB (as PsExec-style tooling does).
- Initial investigation by the Active SOC found that the same account used a Living-off-the-Land Binaries and Scripts (LOLBAS) technique on the RDP server: invoking the MiniDump export of comsvcs.dll (typically via rundll32.exe) to dump LSASS process memory, from which credentials can then be extracted offline.
- The threat actor also used ProcDump and Mimikatz to dump and extract credentials for domain accounts.
- After dumping credentials, the threat actor pivoted to another user account to begin spreading throughout the network.
- The threat actor further used a compromised user account to grab a binary, MENU63.DBR, which spawned a command prompt and executed a batch script, UPDDOTNET.BAT.
- The binary in question was hosted at an internal IP address.
- Additional analysis discovered that the threat actor was able to authenticate on the host from the partner’s SSL VPN.
- After successfully connecting to the customer’s SSL VPN IP range, the threat actor was able to escalate privileges to the local administrator account.
- Active SOC analysts isolated all impacted devices before reaching out to the Industrials partner with additional details and to begin the remediation process of disabling user accounts and closing open ports from the SSL VPN.
- Post-incident threat intelligence from the APG has correlated this incident with a rising trend of threat actors abusing SSL-VPN.
- On Friday, September 06, seven days after this incident occurred on August 30, 2024, SonicWall updated its security bulletin for CVE-2024-40766 with news of threat actors exploiting the vulnerability via SSL-VPN on impacted SonicWall devices for initial access, a tactical move similar to the threat actor's use of SSL-VPN in this incident.
- Note that as of this incident update on September 09, 2024, the APG and Blackpoint Active SOC have seen no evidence of explicit threat actor abuse of CVE-2024-40766 in Blackpoint managed environments.
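The three credential-access techniques in this timeline leave distinctive command lines: rundll32 loading comsvcs.dll and calling MiniDump, ProcDump writing a full (-ma) dump of lsass.exe, and Mimikatz module syntax such as sekurlsa::logonpasswords. The following is an added example, not Blackpoint's code or its detection content; the process-creation records and the PID-to-process table are constructed, the field names are assumptions (Sysmon Event ID 1 or Security 4688 records would be normalized into this shape), and it goes a little beyond the text by handling the ordinal form of the comsvcs export (#24), a renamed ProcDump binary, and a renamed Mimikatz binary.

```python
"""Detect the credential-dumping patterns from the timeline in process-creation
telemetry: rundll32 comsvcs.dll MiniDump, ProcDump full dumps of lsass.exe, and
Mimikatz modules on a command line.

Added example, not Blackpoint's code. Events and the PID table are constructed.
"""
import re

LSASS = "lsass.exe"

# comsvcs.dll!MiniDump is invoked as "MiniDump <pid> <dump path> full"; the
# export can also be referenced by ordinal (#24), which hides the name.
MINIDUMP_ARGS = re.compile(r"(?:minidump|#24)[\s,]+(\d+)\s+(\S+)", re.I)

# Mimikatz module syntax is recognizable even when the binary is renamed.
MIMIKATZ_MODULE = re.compile(
    r"\b(sekurlsa|lsadump|kerberos|privilege|token|vault|dpapi)::([a-z_]+)", re.I)

# Constructed PID snapshot for the host. MiniDump takes a PID, not a name, so
# the detector must resolve it to know whether LSASS was the target.
PROCESS_TABLE = {688: LSASS, 4120: "notepad.exe"}

# Constructed sample process-creation events.
SAMPLE_PROCESS_EVENTS = [
    {"host": "RDP-SRV-01", "user": "Administrator",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 688 C:\Windows\Temp\d.dmp full"},
    {"host": "RDP-SRV-01", "user": "Administrator",
     "image": r"C:\Users\Administrator\Downloads\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"host": "RDP-SRV-01", "user": "Administrator",
     "image": r"C:\Users\Administrator\Downloads\mk.exe",
     "cmdline": 'mk.exe "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit'},
    {"host": "RDP-SRV-01", "user": "svc_backup",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, #24 4120 C:\Windows\Temp\np.dmp full"},
    {"host": "WS-IND-22", "user": "jsmith",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]


def classify(image, cmdline, process_table):
    """Return a finding dict for a credential-dumping command line, else None."""
    name = image.rsplit("\\", 1)[-1].lower()
    cl = cmdline.lower()

    # 1. LOLBAS: rundll32 comsvcs.dll MiniDump (by export name or ordinal #24).
    if name == "rundll32.exe" and "comsvcs" in cl and ("minidump" in cl or "#24" in cl):
        m = MINIDUMP_ARGS.search(cmdline)
        pid = int(m.group(1)) if m else None
        target = process_table.get(pid, "unknown")
        return {"technique": "comsvcs_minidump", "target": target,
                "dump_path": m.group(2) if m else None,
                # Dumping any process via comsvcs is odd; dumping LSASS is credential theft.
                "severity": "high" if target == LSASS else "medium"}

    # 2. ProcDump full memory dump (-ma). The -accepteula/-ma flag pair also
    #    catches a renamed ProcDump binary.
    if name.startswith("procdump") or ("-accepteula" in cl and "-ma" in cl):
        if re.search(r"\blsass(\.exe)?\b", cl):
            target = LSASS
        else:
            m = re.search(r"-ma\s+(\d+)", cl)
            target = process_table.get(int(m.group(1)), "unknown") if m else "unknown"
        return {"technique": "procdump_dump", "target": target,
                "severity": "high" if target == LSASS else "low"}

    # 3. Mimikatz module syntax, whatever the executable is called.
    mods = MIMIKATZ_MODULE.findall(cmdline)
    if mods:
        modules = sorted({f"{a.lower()}::{b.lower()}" for a, b in mods})
        return {"technique": "mimikatz_module", "modules": modules,
                "target": LSASS if any(m.startswith("sekurlsa::") for m in modules) else "n/a",
                "severity": "high"}
    return None


def detect_credential_dumping(events, process_table):
    """Run classify() over process-creation events, attaching host/user context."""
    findings = []
    for e in events:
        f = classify(e["image"], e["cmdline"], process_table)
        if f:
            findings.append({"host": e["host"], "user": e["user"], "image": e["image"], **f})
    return findings


if __name__ == "__main__":
    for f in detect_credential_dumping(SAMPLE_PROCESS_EVENTS, PROCESS_TABLE):
        print(f"[{f['severity']:<6}] {f['host']} {f['user']:<14} {f['technique']:<17} target={f['target']}")
```

Two points worth carrying into real detection content: the comsvcs MiniDump rule is only as good as the PID enrichment behind it, because the command line never names lsass, and ProcDump is a legitimate Sysinternals tool, so the target process rather than the binary should drive severity. Mimikatz, by contrast, is identified by its module syntax, which survives renaming the executable.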
More About ProcDump and Mimikatz for Credential Access
ProcDump
ProcDump is a command-line utility designed to monitor applications for CPU spikes and generate crash dumps during a spike that an administrator can use to determine the cause (11).
Additionally, ProcDump can serve as a general-purpose process dump utility and can be embedded in scripts.
Mimikatz
Mimikatz is an open-source tool created in 2007 used to extract sensitive information, such as credentials, from a system’s memory (12). Mimikatz can extract passwords from memory or on-disk password stores, including:
- Plaintext passwords,
- Kerberos tickets, and
- NTLM password hashes.
Threat Actor Abuse of ProcDump
ProcDump is an attractive tool for threat actors due to its command-line capabilities and its legitimacy, which likely aids in evading detection (13).
Blackpoint’s APG has tracked at least 6 ransomware operations and 9 threat groups that have been observed utilizing the ProcDump tool in publicly reported incidents.
Threat Actor Abuse of Mimikatz
Mimikatz is an attractive option for threat actors due to its powerful capabilities, and its open-source nature makes it easy to modify and recompile to evade signature-based detection (14).
Blackpoint’s APG has tracked at least 22 ransomware operations that have used Mimikatz in publicly reported attacks.
APG Threat Analysis of ProcDump and Mimikatz for 2024
Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will very likely abuse ProcDump and Mimikatz for credential theft over the next 12 months.
We base this assessment on internal Blackpoint observed attacks, such as this June 03, 2024, incident involving a Consumer Non-Cyclicals partner (13).
The APG’s assessment is augmented by external reports from other research teams related to the malicious use of ProcDump and Mimikatz. For example:
- In May 2024, Microsoft security researchers released a report detailing the TTPs of a North Korea-linked threat actor, Moonstone Sleet (14).
- Moonstone Sleet had reportedly used legitimate tools, including both ProcDump and Mimikatz, alongside its ransomware deployments as part of their campaign’s tool sets.
- In August 2024, Securonix security researchers reported an ongoing campaign targeting Chinese-speaking users with Cobalt Strike payloads delivered via social engineering attacks (15).
- The threat actor reportedly used social engineering to gain initial access, deployed Cobalt Strike, and later used Mimikatz to gain control over the environment.
Recommended ProcDump and Mimikatz Mitigations and Remediations
Blackpoint’s APG recommends the following remediations for mitigating threat actor use of ProcDump and Mimikatz for credential access in your environment.
- Enforce multi-factor authentication (MFA) on all user accounts – especially those with privileged access – to help decrease the chances of undetected credential compromise.
- Mimikatz and ProcDump are often abused to dump credentials; with MFA enforced, a dumped password or NTLM hash is not on its own enough to authenticate as that account to MFA-protected services.
- Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions, making it harder for threat actors to move laterally within the infected environment to more desirable targets.
- The threat actor in this incident gained access to an administrator account to execute credential dumping tools. Implementing least privilege can help ensure that basic user accounts are not able to access processes that would allow threat actors to dump credentials. Additionally, providing separate administrator and user accounts, when possible, helps ensure that employees are not always logged into or accessing administrator-level permissions when not needed.
- Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
- This type of monitoring can help detect abnormal downloads of legitimate software, like ProcDump and Mimikatz, as well as anomalous logins.
- Require the use of secure password managers, disabling plaintext password storage and local password caching to make accessing passwords by threat actors from compromised accounts more difficult.
- ProcDump and Mimikatz harvest credentials from memory and local stores; a password manager keeps passwords out of documents, browsers, and scripts on the endpoint, leaving the attacker less to find. Note that it does not protect logon credentials the operating system already holds in memory for an active session, so it complements rather than replaces the controls above.
References and Resources
A quick note on incident details:
As these analyses concern recent incidents in actively monitored environments, certain details may be occasionally omitted and/or obfuscated to better secure our partners and protect any still-ongoing investigations.
However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.
Please feel free to reach out to the APG directly if you have any questions about a specific incident!
- VirusTotal’s Repository: “205.220.129.21” by VirusTotal on 2024-02-05
- Greenshot's Website: "Greenshot" by Greenshot (undated)
- AnyDesk's Website: "AnyDesk Homepage" by AnyDesk (undated)
- TeamViewer’s Website: “TeamViewer Homepage” by TeamViewer on 2024-04-25
- Blackpoint Cyber’s Blog: “Vulnerable RMM Tools and Vulnerable Industries: Why Vigilance is Key” by Blackpoint Cyber on 2024-03-28
- Blackpoint Cyber’s Blog: “This Week in Review: AnyDesk, TeamViewer, QuickBooks, and IsErIk malware” by Blackpoint Cyber on 2024-03-22
- Blackpoint Cyber’s Blog: “Potential BianLian Ransomware, TeamViewer, and BitLocker” by Blackpoint Cyber on 2024-06-14
- Proofpoint’s Blog: “Screentime: Sometimes It Feels Like Somebody’s Watching Me” by Axel F. on 2023-02-08
- TeamViewer’s Bulletin: “TeamViewer IT security incident” by TeamViewer on 2024-07-04
- Silent Push’s Blog: “Silent Push tracks threat actor targeting UK banks in ongoing AnyDesk social engineering campaign” by Silent Push on 2024-08-08
- Microsoft’s Repository: “ProcDump v11.0” by Microsoft on 2022-12-12
- Deep Instinct’s Blog: “LSASS Memory Dumps are Stealthier than Ever Before” by Asaf Gilboa on 2021-01-24
- StationX’s Blog: “How to use Mimikatz for Hacking in 2024: The Definitive Guide” by Adam Goss on 2024-05-13
- Microsoft’s Repository: “HackTool:Win32/Mimikatz” by Microsoft on 2023-11-22
- Microsoft’s Blog: “Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks” by Microsoft Threat Intelligence on 2024-05-28
- Securonix’s Blog: “From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users” by Den Iuzvyk and Tim Peck on 2024-08-29
- Classroom Spy's Website: "Classroom Spy Pro Homepage" by Classroom Spy (undated)
- CISA’s Advisory: “Protecting Against Malicious Use of Remote Monitoring and Management Software” by CISA on 2023-01-26
- Microsoft’s Blog: “Onyx Sleet uses array of malware to gather intelligence for North Korea” by Microsoft Threat Intelligence on 2024-07-25