Illusive Networks Uncovers New Nation-State Cyberattack Tools

The Israeli cyber security company said it was able to quickly contain an assault by an advanced persistent threat actor due to its platform's ability to accurately identify attacks in progress and provide real-time forensics  

 

Photo: Bigstock

Leading deception-based cyber defense solution company Illusive Networks revealed on May 6 that it detected and thwarted a nation-state attack linked to a COVID-19 related phishing scam. That led to the discovery of new tools used by cyber criminals, and researchers are investigating the potential involvement of two or more groups.
 
Illusive Networks' researchers suspect that the objective of this advanced persistent threat (APT) was a large-scale ransomware attack. The initial infection vector was a sophisticated phishing email related to COVID-19 which was opened by an end user. Attack characteristics appear almost identical to the BazarBackdoor attack developed by TrickBot, a well-known cybercrime group. Following the initial breach, attackers worked quickly to gain a broad presence across the network, Illusive Networks said. 
 
The initial breach occurred before Illusive technology was installed, but the Illusive platform was deployed immediately and within 24 hours, it identified suspicious interaction with a distributed deception on a protected print server. An unauthorized user with strong credentials had established a base of operations on the print server and had moved laterally from it to infiltrate other systems across several domains. Illusive back tracked the user's lateral movement and found dozens of compromised machines the attackers had reached by moving laterally using RDP, WMI and other means, according to the company. 
 
Illusive identified several tools including a PowerShell script that had an embedded secondary tool (shell code) - a Cobalt Strike beacon that is indicative of the attack being associated with the TrickBot group. The Cobalt Strike beacon allowed the attackers to communicate back to a command and control center. More than one communication link to command and control was apparent, leading researchers to suspect two or more groups worked separately, yet in collusion, to progress the attack. Additional tools discovered include Metasploit, mimikatz and SharpHound/Bloodhound. No other security solution was able to provide real-time detection with the necessary forensics information to prove that an APT was occurring, Illusive Networks said. 
 
Matan Kubovsky, the company's vice president of research and development, said "Security solutions may not always be able to protect an enterprise from a breach, so more focus should be allocated to threat detection once an attacker has entered the system, regardless of the tools they are using."
 
"In this case, Illusive was able to deploy in a matter of hours and detected a breach almost immediately, as the technology focuses on the lateral movement of the attack and not the tool itself.  The Illusive platform's ability to accurately identify attacks in progress and provide rich, real-time forensics meant we could quickly contain the attack," he said. 
 

You might be interested also

Photo: Bigstock

Russia’s Geopolitics and Strategy in the Future

Commentary:  The last complete Russian military doctrine was conceived during a very different phase of the East-West confrontation, before Russia's participation in the war in Syria and hence even before the new projection of Russian power onto the Mediterranean. In any case, 2020 is an end point for Russian military planners. Many things will be decided in the relations between East and West based on the military doctrine developed this year