BY eSentire Threat Response Unit (TRU)
February 28, 2023 | 7 MINS READ
eSentire, a leading global provider of cybersecurity solutions, shut down 10 cyberattacks hitting six different law firms throughout January and February of 2023. The attacks emanated from two separate threat campaigns. One campaign attempted to infect law firm employees with the GootLoader malware. The other campaign hit law firm employees and other victims with the SocGholish malware.
These campaigns present a heightened threat given how quickly they can transition to the intrusion phase of a cyberattack. Since 2022, eSentire’s Threat Response Unit (TRU) has observed SocGholish dropping the Cobalt Strike intrusion framework within 10 minutes, while GootLoader has been observed dropping IcedID (a banking-trojan-turned-loader) and escalating to hands-on intrusions by the threat actors.
GootLoader is a popular malware that gives threat actors initial access to the victim’s IT environment. Once on the victim’s computer, GootLoader has been known to download the GootKit Remote Access Trojan (RAT), the REvil ransomware, or Cobalt Strike, a popular tool used to gain a foothold in the target’s environment and expand throughout the target’s network.
Throughout 2022, while GootLoader infections have continued to escalate to hands-on intrusions, no ransomware has been observed even when intruders are allowed nearly free rein. In those cases, only Collection was observed. Given GootLoader’s primary target is law firms, TRU acknowledges the possibility that GootLoader has shifted to espionage and exfiltration operations. To achieve initial access, as in previous GootLoader campaigns, the threat actors used Search Engine Optimization (SEO) poisoning to lure and infect the victims with the GootLoader malware.
In this campaign, the cybercriminals compromised legitimate (but vulnerable) WordPress websites and, unbeknownst to the website owners, added new blog posts to the sites. Titles which were effective at tricking legal firm employees included “a verbal agreement between a buyer and seller of real estate is considered” (Figure 1) and “professional firefighters association collective agreement.”
While the term “agreement” is the commonly observed keyword in titles, GootLoader catches legal employees with other legal language too, such as “contract salary calculator.” GootLoader uses legal titles in such a way that when a business professional searches on the Internet for specific contracts or agreements, there is little SEO competition for the collection of words used together, so GootLoader-infected blogs often rise to the top five search results. Once the legal employee clicks on the link, they’re presented with a fake forum page providing an alleged agreement template or contract template (Figure 2).
When the employee downloads and executes the document, they are actually downloading and executing the GootLoader malware. TRU responded to multiple incidents involving several law firm customers and, in all cases, the victims searched for document templates. Interestingly, law firm employees were also the target of two previous GootLoader campaigns detected by TRU, one in January 2022 and a second in June 2022.
A second attack campaign in January attempted to infect law firm employees and other business professionals with the SocGholish malware. SocGholish is a loader-type malware that can perform reconnaissance activity and deploy secondary payloads including Cobalt Strike. Threat actors using SocGholish typically function as initial access brokers, and other threat actors can leverage this service to gain entry into victim organizations. Recently, the Lockbit ransomware operation has been observed using SocGholish.
In August 2022, TRU saw a significant increase in attacks using SocGholish, and it is now seeing another round of attacks using the malware. In this campaign, the threat actors are poisoning websites en masse and using them as watering holes to attract their victims. TRU discovered that the threat actors hijacked the website of a business that provides Notary Public services in the metropolitan area of Miami, Florida. Notary Public services are used for general financial transactions, estates, deeds, powers-of-attorney, and foreign and international business.
The threat actors compromised the Notary Public’s website so that when visitors came to the site, an official-looking message popped up telling them to update their Chrome browser (see Figure 3). However, when the visitor went to update their browser, they were actually downloading the SocGholish malware. The threat actors most likely took control of the website, possibly via a WordPress vulnerability, and added a page with the fake Chrome browser alert so that when one visited the home page of the Notary Public business, they were redirected to the Chrome browser update page.
By infecting a large number of lower traffic sites, SocGholish operators capture the occasional high-value victim website from their infections. For example, the Notary Public website was frequented by legal firms. These visitors are considered high value, as opposed to those on the web looking for a recipe for barbecue, for example.
"Prior to 2021, email was the primary infection vector used by opportunistic threat actors. From 2021 to 2023, browser-based attacks, like the ones we are currently seeing, have steadily been growing to compete with email as the primary infection vector. This has been largely thanks to GootLoader, SocGholish, Solarmarker, and recent campaigns leveraging Google Ads to float top search results."
"TRU observed that the GootLoader attacks in 2022 and those in January and February are not leading to Ransomware malware, which is curious. The increased absence of Ransomware being deployed in these attacks, while maintaining success in infecting legal firms, and a willingness to engage in hands-on intrusions, suggests the possibility that the GootLoader operations have shifted to not only supporting financially-motivated attacks but also supporting politically-motivated and cyber espionage operations."
"GootLoader used to be exclusively associated with the GootKit banking trojan. When we first observed it diversifying its payloads in 2021, it was still using typical Internet lures like ‘download’ – a keyword that ensnares private and business users alike. However, throughout 2022 and 2023, GootLoader has nearly exclusively leveraged legal language in their lures."
Protecting against browser-based threats means intercepting User Execution – when employees unknowingly download and execute malware from the internet.
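The following is an added example, not eSentire's code or detection content, of what "intercepting User Execution" looks like as detection logic: it scans constructed, simplified process-creation events for the two patterns behind both campaigns above, a browser directly spawning a non-browser child and a script host running a file out of a user's Downloads or Temp folder. The event fields, file names and rule thresholds are assumptions for illustration.

```python
import re

# Constructed sample events (not real telemetry); fields mirror the parent/child/
# command-line triple that most EDR or Sysmon process-creation logs provide.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\agreement_template.js"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\Chrome_Update.js"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" "C:\Users\jdoe\Documents\brief.docx"'},
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --type=renderer"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe",
                "mshta.exe", "rundll32.exe", "cmd.exe"}
# Locations where a browser-downloaded lure typically lands before the user runs it.
USER_DOWNLOAD_DIR = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of User Execution reasons that match one event."""
    parent, image = basename(event["parent"]), basename(event["image"])
    reasons = []
    if parent in BROWSERS and image not in BROWSERS:
        reasons.append("non-browser child spawned directly by browser")
    if image in SCRIPT_HOSTS and USER_DOWNLOAD_DIR.search(event["cmdline"]):
        reasons.append("script host executing file from Downloads/Temp")
    return reasons


def user_execution_alerts(events):
    """Return (command line, reasons) for every event that trips a rule."""
    return [(e["cmdline"], classify(e)) for e in events if classify(e)]
```

Run against the sample set, the two script-host launches are flagged while the Word document and the browser's own renderer process are not; in production, the Downloads/Temp rule is the one to tune against legitimate installers.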
If you’re not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more? Connect with an eSentire Security Specialist.