Netscan.exe, Mimikatz, Angry IP Scanner, and RMM Tool Abuse

The Blackpoint Active SOC’s Week in Review for June 07, 2024

Between May 29-31 and June 01-05, 2024, Blackpoint’s Active Security Operations Center (SOC) responded to 70 total incidents. These incidents included 19 on-premises MDR incidents, no Cloud Response for Google Workspace, and 51 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:

In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.

Return to Top

Netscan.exe Incident with Financials Partner on 2024-05-29

Topline Takeaways

  • Industry target: Financials
  • Attacker information:
    • netscan
    • FileZilla
    • Labtech RMM tool
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use netscan for discovery to exploit other Financials organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Heuristics-based activity monitoring and remediation
    • Application allowlisting and blocklisting
    • Least-privilege access controls
    • Regularly audit both environment and endpoints

Repeated Netscan.exe Incidents Timeline for 2024 May 29 and 2024 May 31 through June 1

  • Last Wednesday (2024-05-29), Blackpoint’s MDR+R technology alerted to a Financials user account, $useraccount1, downloading and running netscan on a machine at an unusual time. The user started to mount admin shares on a second machine. Another user account was observed conducting remote execution on the first affected machine and added a user account to the domain. The Blackpoint Active SOC team isolated the affected machine to prevent further malicious activity and reached out to the Financials partner.
  • Last Friday (2024-05-31), Blackpoint’s MDR+R technology alerted to another Financial user account downloading and running netscan on a machine and began to mount shares. Again, the Active SOC isolated the affected machine and alerted the Financials partner.
  • Last Saturday (2024-06-01), Blackpoint’s MDR+R alerted to another user account downloading and running netscan on the partner’s device; the user then began to mount shares on multiple machines. The same user downloaded netscan and FileZilla on the affected machine. Blackpoint’s MDR+R technology then alerted to the user account installing FileZilla on another end client host machine. Again, the Active SOC team isolated the affected devices to prevent further malicious activity and reached out to the partner.
  • The Active SOC team conducted a threat hunt on the environment, during which analysts:
    • Identified FTP and FileZilla connections from seven different devices calling out to two public IPs. One of the IP addresses was known malicious and traced back to Russia; the other traced back to the United States.
    • Determined that initial access stemmed from a user authenticating from one of the IP addresses to an end client host 31 minutes prior to the initial observed netscan activity. Thirteen minutes after the user account authenticated to the host, the user account was observed pinging “temp.sh”, using nslookup.exe to find the domain controller, then pinged the IP address traced to Russia. Then, netscan activity started and the user account was observed mounting 216 shares through the IP address range.
    • Identified the remote monitoring and management (RMM) tool LabTech installed on an affected host machine. LabTech was observed using ps1 scripts that were querying several users through the network, specifically looking for domain users.

More About Netscan.exe, FileZilla, and RMM Tool Abuse

Click for details

Netscan.exe

Netscan.exe is a configurable IPv4/IPv6 scanner that can pin computers, scan ports, discover shared folders, and retrieve any information about network devices via WMI, SNMP, HTTP, SSH and PowerShell (1). Blackpoint’s APG has tracked at least 17 ransomware operations that use the netscan.exe tool during reported incidents to identify targets within a compromised network.

FileZilla

FileZilla is a cross-platform FTP, FTPS, and SFTP client (2). Blackpoint’s APG has tracked at least six ransomware groups that have used the FileZilla tool to exfiltrate sensitive information from victims’ environment.

RMM Tool Abuse

RMM tools are tools used for managing a computer or a network from a remote location (3). The tool offers admins and IT companies a way to work more efficiently, allowing monitoring, installing software, and managing activities on the network. LabTech RMM (currently ConnectWise Automate) is a RMM that allows users to automate IT services, and provide proactive IT service delivery.

RMM tools are useful for organizations but also present a tremendous amount of risk to organizations as their inherent integration into environments also presents an attract target for threat actors (4), due to threat actor’s ability to abuse RMM tools to:

  • Blend in with legitimate traffic,
  • Bypass detection, as the tools use legitimate certificates and processes; and
  • Use a fully functional tool without having to spend the time and resources to develop the tool themselves.

APG Threat Analysis of Threat Actor Abuse of Legitimate Tools for 2024

Click for details

The APG predicts that threat actors will likely continue to abuse legitimate software and services for discovery, exfiltration, and lateral movement over the next 12 months.

This assessment is based on internal Blackpoint observed attacks and external incident reports that include the use of RMM tools.

  • In March 2024, the U.S. CISA released a #StopRansomware report detailing the Black Basta operation. The report included details of the operations’ use of netscan.exe for the discovery phase of an attack (5). Black Basta has been observed using the tool to conduct network scanning, likely in an attempt to identify other machines that can be accessed and encrypted.
  • In April 2024, the U.S. CISA released a #StopRansomware report detailing the Akira ransomware operation. The report included details of the operations’ use of FileZilla to exfiltrate data that can be used to extort victims in their double extortion operations (6).

RMM tools specifically are frequently abused during cyberattacks. Security researchers with ReliaQuest reported that between 2022 and 2024, more than one third of the intrusions the company responded to involved RMM tools (7).

Recommended Mitigations and Remediations for Threat Actor Abuse of Legitimate Tools and Processes

Click for details

Blackpoint’s APG recommends the following actions to help mitigate the malicious use of legitimate tools.

  • Monitor system activity through heuristics-based triggers and alerts, which can help identify legitimate software being installed or used at unusual times and by users that would not install these tools as part of their normal operations.
  • Implement application controls to help manage and control the installation of software, including file transfer and RMM software.
  • Implement the practice of least privilege, which will help ensure regular user accounts are unable to install certain tools and conducting certain activities.
  • Regularly audit and both environment and endpoints that can aid in identifying rogue software installed that can be abused for malicious actions.

Return to Top

Mimikatz Incident with Consumer Non-Cyclicals Partner on 2024-06-03

Topline Takeaways

  • Industry target: Consumer Non-Cyclicals
  • Attacker information:
    • Storm-0335
    • Mimikatz
    • malicious .exe file
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use Mimikatz to exploit other Consumer Non-Cyclicals organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Multifactor authentication (MFA)
    • Improve endpoint, asset, and overall environment visibility
    • Heuristics-based activity monitoring and remediation
    • Password managers

Mimikatz Incident Timeline for 2024-06-03

  • Blackpoint’s MDR+R alerted to a ransomware-linked emerging threat group, Storm-0335, detected on a Consumer Non-Cyclicals partner endpoint.
  • Shortly after the malicious file was detected, Blackpoint’s MDR+R technology alerted to potential Mimikatz LSASS dumping on a host machine.
  • The Active SOC team isolated all affected devices to prevent further malicious activities, and reached out to the Consumer Non-Cyclicals partner with additional information and remediation advice.

More About Mimikatz

Click for details

Mimikatz is a tool that is used to extract sensitive information, such as passwords and credentials, from a system’s memory (8). The tool was developed in 2007 and is still an effective tool for gathering credentials, which can then be used to move laterally, elevate privileges, and bypass detection methods.

The tool is capable of performing multiple credential gathering techniques, including pass-the-hash attacks, pass-the-ticket attacks, pass-the-key attacks, kerberoasting, and pass-the-cache attacks. Blackpoint’s APG has tracked at least 19 ransomware operations and 43 threat groups that have been reported using Mimikatz.

APG Threat Analysis of Mimikatz for 2024

Click for details

The APG predicts that threat actors will very likely continue to use Mimikatz over the next 12 months.

This assessment is based on internal Blackpoint observed attacks and external reporting related to the use of Mimikatz during a cyberattack.

  • In March 2023, security researchers with Palo Alto Unit 42 released a report detailing the Trigona ransomware operation, which included the use of Mimikatz during a reported incident (9). The group, similar to many other ransomware operations, used Mimikatz to gather credentials and manipulate the credentials that can be used to move laterally and access other areas of the compromised network where data can be exfiltrated and encrypted.
  • In June 2024, security researchers with Mandiant reported that Mimikatz was used in numerous incidents to obtain valid credentials (10). The researchers detailed the use of Mimikatz by both LockBit and Play ransomware operations that were then used for lateral movement and privilege escalation.

Recommended Mimikatz Mitigations and Remediations

Click for details

Blackpoint’s APG recommends the following actions to help mitigate the abuse Mimikatz for credential access.

  • Enable multi-factor authentication (MFA), which can help identify malicious or anomalous logins and require an additional step for securing user accounts.
  • Improve endpoint, assets, and overall environment, which can aid in identifying anomalous behavior related to credential dumping.
  • Monitor system activity through heuristics-based triggers and alerts, which can aid in identifying the malicious install, use, and presence of unapproved tools and malicious activities on devices.
  • Require the use of secure password managers and disable the storage of plaintext passwords and local password caching to make accessing passwords more difficult.

Return to Top

Angry IP Scanner and AnyDesk Incident with Energy Partner on 2024-06-04

Topline Takeaways

  • Industry target: Energy
  • Attacker information:
    • Angry IP Scanner
    • AnyDesk
    • r.exe
    • ipscan.exe
  • Antivirus (AV) and / or EDR present in environment? No
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use Angry IP Scanner and AnyDesk to exploit other Energy organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Improve endpoint, asset, and overall environment visibility
    • Dedicated software center
    • Zero trust network architecture
    • Block inbound and outbound connections on common ports

Angry IP Scanner Incident Timeline for 2024-06-04

  • Blackpoint’s MDR+R technology alerted to Angry IP Scanner on an Energy partner’s machine. Blackpoint’s MDR+R technology then alerted to a silent installation of AnyDesk on a second machine in a suspicious location.
  • Blackpoint’s Active SOC team isolated the devices due to suspicious behavior to prevent any additional malicious activity, before conducting further investigation to identify a user account that created a domain admin user account. This discovery resulted in another device being isolated for potential compromise.
  • The Active SOC team then identified that there was a brute force attack against multiple M365 accounts, as well. One of the isolated devices was found to be exposed to the internet with multiple open ports, with an even chance that the threat actor exploited any service exposed to the internet from the compromised device.
  • The Active SOC team reached out to the Energy partner for further incident assistance and remediation advice.

More About AnyDesk Abuse and Angry IP Scanner

Click for details

AnyDesk

AnyDesk is a RMM tool that is used to remotely access and manage devices within a network; it is a legitimate tool that is often exploited by threat actors during cyberattacks. Blackpoint’s APG has tracked at least 18 ransomware operations that have used AnyDesk during reported incidents. Not only do threat actors abuse software, like AnyDesk, to conduct malicious activities but also target the software in cyberattacks as well.

In January 2024, AnyDesk’s parent company was targeted in a cyberattack, which highlights the dual-sided attractiveness of RMM tools by threat actors (11).

Angry IP Scanner

Angry IP Scanner is a network scanner that efficiently scans IP addresses and ports, with the ability to resolve hostnames, determine MAC addresses, and scan ports (12). Threat actors have often been observed using legitimate network scanners, like Angry IP Scanner, to identify remote systems within a compromised network.

In February 2024, the U.S. CISA released a #StopRansomware report detailing the Phobos ransomware operation, which included information about the group’s use of Angry IP Scanner (13). The group had been observed using the tool during the reconnaissance phase of their attacks to search for vulnerable RDP ports.

APG Threat Analysis of Angry IP Scanner and AnyDesk for 2024

Click for details

The APG predicts that threat actors will likely continue to use Angry IP Scanner and abuse AnyDesk for reconnaissance, discovery, and persistence over the next 12 months.

We base this assessment on internal Blackpoint observed attacks, as well as external reporting related to the use of the abuse of two legitimate tools.

The U.S. CISA detailed Akira ransomware operators’ use of AnyDesk to establish command and control channels and use of the tool for remote file transfer. The group has also been observed using the tool to obtain remote access to victim systems (5).

Additionally, in January 2023, the U.S. CISA released an advisory warning of threat actors’ use of legitimate RMM tools, including AnyDesk. This included the identification of a malicious campaign involving the use of legitimate RMM software; specifically sending phishing emails that led to the download of the legitimate software, which the actors used in a refund scam to steal money from victims’ bank accounts (14).

In 2020, the U.S. CISA reported that Iranian-linked threat groups had been observed using the Angry IP Scanner to detect remote system connected to compromised networks (15). Threat actors can then move laterally to the discovered remote devices to collect sensitive information.

Similar to RMM software abuse, other legitimate tools like Angry IP Scanner can be abuse for malicious purposes. Security researchers with Zscaler reported a Google malvertising campaign that used multiple look-alike domains and leveraged Google Ads to push the domains to the top of the search engine results (16). The group registered 45 domains with sites impersonating legitimate software, including Angry IP Scanner.

This incident highlights the way threat actors abuse legitimate tools for conducting reconnaissance and discovery techniques, as well as lures for initial access.

Recommended Angry IP Scanner and AnyDesk Abuse Mitigations and Remediations

Click for details

Blackpoint’s APG recommends the following actions to help mitigate the malicious use of legitimate tools for persistence, discovery, and reconnaissance.

  • Improve security visibility of networks, endpoints, and other managed assets to aid in detecting and alerting to suspicious installs and actions conducted by threat groups using unauthorized but legitimate tools and software.
  • Provide a dedicated software center, which allows employees to download approved software from a safe and monitored location. Dedicated and approved software can aid in detecting software, such as AnyDesk, that is installed from a third-party location outside of a dedicated center.
  • Operate from a zero-trust mentality, which assumes that all requests to each resource is malicious and embodies aggressive and continuous monitoring and management.
  • Block inbound and outbound connections on common ports, which can aid in blocking illegitimate activities conducted by threat actors.

References and Resources

A quick note on incident details:

As these analyses concern recent incidents in actively monitored environment, certain details may be occasionally omitted and / or obfuscated, to better secure our partners and protect any still-ongoing investigations.

However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.

Please feel free to reach out to the APG directly if you have any questions about a specific incident!

Click for full reference list

  1. SoftPerfect’s Blog: “SoftPerfect Network Scanner” by SoftPerfect on N/A

  2. FileZilla’s Blog: “FileZilla Features” by FileZilla on N/A

  3. Tarian’s Blog: “What is a RMM Software Tool?” by Tarian on 2024-02-15

  4. Blackpoint Cyber’s Blog: “Vulnerable RMM Tools and Vulnerable Industries: Why Vigilance is Key” by Blackpoint Cyber on 2024-03-28

  5. CISA’s “#StopRansomware: Black Basta”: Advisory by CISA on 2024-05-10

  6. CISA’s Advisory: “#StopRansomware: Akira Ransomware” by CISA on 2024-04-18

  7. ReliaQuest’s Blog: “RMM Tool Abuse” by ReliaQuest Threat Research Team on 2024-02-20

  8. SentinelOne’s Blog: “What is Mimikatz?” by SentinelOne on 2024-04-03

  9. Palo Alto’s Blog: “Bee-Ware of Trigona, An Emerging Ransomware Strain’ by Frank Lee; Scott Roland on 2023-03-16

  10. Mandiant’s Blog: “Ransomware Rebounds: Extortion Threat Surges in 2023, Attackers Rely on Publicly Available and Legitimate Tools” by Bavi Sadayappan; Zach Riddle; Jordan Nuce; et. al. on 2024-06-03

  11. Blackpoint Cyber’s Blog: “AnyDesk Attack Response Stirs Threat Analyst Criticism and Doubts” by Blackpoint Cyber on 2024-02-07

  12. Airbus’s Blog: “Uncovering Cyber Intruders: A Forensic Deep Dive into NetScan, Angry IP Scanner, and Advanced Port Scanner” by Julien Houry on 2024-03-14

  13. CISA’s Advisory: “#StopRansomware: Phobos Ransomware” by CISA on 2024-02-29

  14. CISA’s Advisory: “Protecting Against Malicious Use of Remote Monitoring and Management Software” by CISA on 2023-01-26
  15. CISA’s Advisory: “Iran-Based Threat Actor Exploits VPN Vulnerabilities” by CISA on 2020-09-15
  16. Zscaler’s Blog: “Malvertising campaign targeting IT teams with MadMxShell” by Roy Tay and Sudeep Singh on 2024-04-17
DATE PUBLISHEDJune 7, 2024
AUTHORBlackpoint Cyber

Subscribe to the Blackpoint Blog

Don’t let a lack of awareness leave the organizations you protect vulnerable to sophisticated and elusive attacks. Subscribe now for a weekly roundup of Blackpoint’s empowering articles.

Subscribe now!