Blog | Scenario

BumbleBee malware loader

ByDetecteam 2023-06-292023-06-29

TLP

TLP CLEAR

Author

David Deflache

Summary

This case involves a sophisticated intrusion that occurred over an 11-day period. The threat actors initiated the attack by sending an email with a link to download a password-protected zip file containing an ISO file. Upon extraction, the ISO file mounted as a CD and executed a hidden DLL file, introducing the Bumblebee malware loader. The loader established communication with the Bumblebee command-and-control servers and dropped a Cobalt Strike beacon on the compromised system. The threat actors then conducted reconnaissance using various Windows utilities and gained RDP access to a server using the local Administrator account. They deployed AnyDesk for persistence and performed Active Directory and privilege escalation discovery. The intrusion culminated with preparations for a domain-wide ransomware deployment, but the threat actors were evicted before executing their final actions.

DATA

windows_security.xml_Download

TIMELINE

references

MITRE ATT&CK

Blog | Scenario

TrueBot
ByDetecteam 2023-08-172023-08-17

TLP TLP TLP CLEAR Author Jordi M. Lobo Summary In May 2023, a campaign using the “404 TDS” Traffic Distribution System delivered Truebot via email. Recipients clicking the email link were redirected through multiple URLs, ending in a fake Adobe Acrobat document download that was a Truebot executable. After execution, Truebot copied and renamed, then…

Read More TrueBot
Blog | Company

Launching Detecteam
BySebastien Tricaud 2022-09-162023-02-08

Detecteam is a continuous Breach and Attack Simulation platform to enable you discover attacks you cannot detect. Have you noticed when an attack is found and described, the vendor’s security research team writes a fairly accurate document, update it over time with new discovers and provide a list of Indicator of Compromises (IoC) in the…

Read More Launching Detecteam
Blog | Scenario

F5 Server Audit
ByDetecteam 2023-11-092023-11-09

TLP TLP TLP CLEAR Author Sebastien Tricaud Summary This week, we share data from an actively exploited attack from the CISA Known Exploited Vulnerabilities Catalog. This is the /var/log/audit.log file from the F5 boxes which were compromised. A critical security advisory, CVE-2023-46747, reveals an unauthenticated remote code execution vulnerability in the BIG-IP Configuration utility. This…

Read More F5 Server Audit
Blog | Scenario

oneday SSH bruteforce
ByDetecteam 2023-07-112023-07-11

TLP TLP TLP CLEAR Author David Deflache Summary In this attack scenario, an individual with the IP address 192.168.0.42 and a valid username is engaging in an authentication brute force attack through SSH. Their target is a system with the IP address 192.168.0.111, using the default SSH port 22. The attacker executes a loop of…

Read More oneday SSH bruteforce
Blog | Scenario

Adobe Coldfusion Exploitation (CVE-2023-29298) data
ByDetecteam 2023-07-182023-07-18

TLP TLP TLP CLEAR Authors Sebastien Tricaud Summary Active Exploitation of Adobe Coldfusion CVE-2023-29298. We are providing data to help teams quickly detect and react to this ongoing threat. DATA TIMELINE CATEGORY Exploit references https://www.rapid7.com/blog/post/2023/07/17/etr-active-exploitation-of-multiple-adobe-coldfusion-vulnerabilities/

Read More Adobe Coldfusion Exploitation (CVE-2023-29298) data
Blog | Scenario

ESXiArgs VMware Ransomware
ByDetecteam 2023-06-132023-06-13

TLP TLP TLP CLEAR Author Jordi Lobo Summary ESXiArgs VMware Ransomware: Massive VMware: Ransomware attack targeting the VMware ESXi hypervisor. Exploits CVE-2021-21974 vulnerability: This vulnerability affects the Service Location Protocol (SLP) service and allows attackers to exploit arbitrary code remotely. The systems currently targeted are ESXi hypervisors in version 6.x, prior to 6.7, CERT-FR stated….

Read More ESXiArgs VMware Ransomware

TLP