Leading deception-based cyber defense solution company Illusive Networks revealed on May 6 that it detected and thwarted a nation-state attack linked to a COVID-19 related phishing scam. That led to the discovery of new tools used by cyber criminals, and researchers are investigating the potential involvement of two or more groups.
Illusive Networks' researchers suspect that the objective of this advanced persistent threat (APT) was a large-scale ransomware attack. The initial infection vector was a sophisticated phishing email related to COVID-19 which was opened by an end user. Attack characteristics appear almost identical to the BazarBackdoor attack developed by TrickBot, a well-known cybercrime group. Following the initial breach, attackers worked quickly to gain a broad presence across the network, Illusive Networks said.
The initial breach occurred before Illusive technology was installed, but the Illusive platform was deployed immediately and, within 24 hours, it identified suspicious interaction with a distributed deception on a protected print server. An unauthorized user with strong credentials had established a base of operations on the print server and had moved laterally from it to infiltrate other systems across several domains. Illusive backtracked the user's lateral movement and found dozens of compromised machines the attackers had reached by moving laterally using RDP, WMI and other means, according to the company.
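The backtracking described above can be illustrated with a small graph walk. The following is an added example written for this page, not Illusive Networks' code: it assumes a simplified session record (timestamp, account, source host, destination host, method) derived from logon and remote-execution logs, a list of known decoy hosts, and constructed hostnames such as PRINT-SRV-DECOY and WS-042 that are hypothetical. Any session touching a decoy raises an alert; from the alerting host the script walks the same account's sessions backwards to find the origin, then forwards to enumerate everything that account reached and the host it used as its base of operations.

```python
"""Decoy-triggered backtracking of lateral movement (added example).

Assumptions (not from the original article): a simplified Session record,
a set of decoy hostnames, and constructed sample sessions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    ts: int        # constructed monotonic timestamp
    user: str      # account that authenticated
    src: str       # host the session came from
    dst: str       # host the session went to
    method: str    # e.g. "RDP", "WMI", "SMB"


# Hypothetical decoy host names; a deception platform would own this list.
DECOYS = {"PRINT-SRV-DECOY"}

# Constructed sample: one service account pivots through a print server;
# an unrelated user touches a file server and must not be swept in.
SAMPLE = [
    Session(1, "CORP\\svc_backup", "WS-042", "PRINT-SRV-01", "RDP"),
    Session(2, "CORP\\svc_backup", "PRINT-SRV-01", "FILE-SRV-07", "WMI"),
    Session(3, "CORP\\svc_backup", "PRINT-SRV-01", "DC-02", "RDP"),
    Session(4, "CORP\\svc_backup", "FILE-SRV-07", "PRINT-SRV-DECOY", "SMB"),
    Session(5, "CORP\\jdoe", "WS-101", "FILE-SRV-07", "SMB"),
]


def decoy_alerts(sessions):
    """Every session whose destination is a decoy is a high-confidence alert:
    no legitimate workflow has a reason to reach a host that does not exist."""
    return [s for s in sessions if s.dst in DECOYS]


def build_graph(sessions, user):
    """Forward and reverse adjacency for one account's sessions only."""
    fwd, rev = defaultdict(list), defaultdict(list)
    for s in sessions:
        if s.user == user:
            fwd[s.src].append(s)
            rev[s.dst].append(s)
    return fwd, rev


def reach(adj, start, pick):
    """Breadth-first walk; `pick` selects the neighbour host from an edge."""
    seen, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for s in adj[host]:
            nxt = pick(s)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def investigate(sessions, alert):
    """From a decoy alert, recover origin, pivot host and all reached hosts."""
    fwd, rev = build_graph(sessions, alert.user)
    # Walk inbound edges from the alerting host back to the start of the chain.
    upstream = reach(rev, alert.src, lambda s: s.src)
    origins = sorted(h for h in upstream if not rev[h])  # no inbound session
    # Walk outbound edges from each origin to list every host the account reached.
    compromised = set()
    for origin in origins:
        compromised |= reach(fwd, origin, lambda s: s.dst)
    compromised -= DECOYS
    # The base of operations is the host with the most outbound sessions.
    pivot = max(compromised, key=lambda h: len(fwd[h]))
    methods = sorted({s.method for s in sessions if s.user == alert.user})
    return {
        "user": alert.user,
        "origins": origins,
        "pivot": pivot,
        "compromised": sorted(compromised),
        "methods": methods,
    }


if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE):
        print(f"decoy hit: {alert.user} {alert.src} -> {alert.dst} via {alert.method}")
        print(investigate(SAMPLE, alert))
```

On the constructed sample the decoy hit on FILE-SRV-07 is traced back to WS-042 (the phished workstation), PRINT-SRV-01 is identified as the pivot, and the unrelated user jdoe is excluded because the graph is built per account. Real logs carry far more noise, so in practice the per-account filter would be combined with a time window around the alert.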
Illusive identified several tools, including a PowerShell script that had an embedded secondary tool (shellcode) - a Cobalt Strike beacon that is indicative of the attack being associated with the TrickBot group. The Cobalt Strike beacon allowed the attackers to communicate back to a command and control center. More than one communication link to command and control was apparent, leading researchers to suspect two or more groups worked separately, yet in collusion, to progress the attack. Additional tools discovered include Metasploit, mimikatz and SharpHound/BloodHound. No other security solution was able to provide real-time detection with the necessary forensics information to prove that an APT was occurring, Illusive Networks said.
Matan Kubovsky, the company's vice president of research and development, said, "Security solutions may not always be able to protect an enterprise from a breach, so more focus should be allocated to threat detection once an attacker has entered the system, regardless of the tools they are using."
"In this case, Illusive was able to deploy in a matter of hours and detected a breach almost immediately, as the technology focuses on the lateral movement of the attack and not the tool itself. The Illusive platform's ability to accurately identify attacks in progress and provide rich, real-time forensics meant we could quickly contain the attack," he said.