Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
After eight long hours attempting to siege an online education institution – including initial access, lateral movement, and ransomware deployment - an unidentified threat actor withdraws. Through the combined effort of proactive and reactive security measures, the learning institution and eSentire’s defense teams worked together to deflect hands-on attack paths through a synthesis of automatic and manual defense actions. Eight hours of siege telemetry gives interesting insights into threat actor choices and behaviors, key among them: what brings both the SunCrypt and Netwalker ransomware families together in one attack? After a look at the timeline of interesting behaviors in this eight-hour attempt at Double Extortion, we briefly cover candidate hypotheses.
Public events through August report observations of the SunCrypt ransomware group infiltrating educational institutions [1], while the FBI reported similar targeting of educational institution for Netwalker in July [2]. Like the Maze ransomware group, both groups follow the recent underground market business model in ransomware tactics: Double Extortion. Double Extortion occurs when threat actors successfully a) exfiltrate sensitive data from the targeted organization and b) encrypt critical files within the organization. Both actions can give threat actors considerable leverage for extorting ransom funds from their victims. SunCrypt recently claimed they were part of the Maze Cartel – a social contract between various ransomware groups working together to optimize the many phases of a ransomware deployment attack – but the Maze ransomware group has denied their claim [1]. Observations of SunCrypt and Netwalker ransomwares in the same session does raise the question of whether the Maze Cartel, another ransomware group, or an independent threat actor are behind the attack. The threat actor’s tactics – from initial access to deployment – appear to fall in line with NetWalker’s observed playbook [3]. However, given the public knowledge of such tactics and availability of tools involved, we cannot completely rule out an independent actor. We will briefly explore each hypothesis after disclosing the timeline of the attack, reflecting on winning factors in the resulting battle of attrition.
Minutes past the zeroth hour (labeled 12PM), the VPN pool of the organization and one of their workstation endpoints (labeled system zero) received successful connections via an unknown IP address. An hour later (1 PM), a member of the VPN pool successfully logged in to workstation zero via RDP using organization account A (initial access: valid account [4]). Using a service account (B) that had recently been created (+), they re-established RDP with the new account on machine zero (privilege escalation: valid account [4]) and executed mimikatz [5] via PowerShell (credential theft: credentials from password stores [6]). This activity was detected at eSentire’s Security Operations Center and the host was put into isolation. A broader investigation was opened to assess initial access and active response actions. Once the VPN was identified as a vector, the organization shut down the compromised VPN tunnel. Minutes later, the threat actor switched to another tunnel and, once again, the second tunnel was shut down. At this point, no active traces of intrusion were present. Four hours later, (approx. 7:30 PM) likely using the valid credentials they had retrieved through credential theft, the intruder quietly logged into a second machine (two) with account B and dropped SunCrypt ransomware to disk, followed by an attempt to deploy it to other hosts (two->many) on the network (deployment: lateral tool transfer [7]) via psexec [8]. This raised an alert and activated standby defense teams. In the moments before host two was isolated, the intruder attempted to enable psexec via services. Experiencing interference from endpoint defense, they downloaded and used an AV uninstaller program – often used to resolve conflicts between AV software and attempted to execute it. The also used account D to get on the domain controllers (DC) and perform more domain recon before, finally, attempting to execute (execution [9]) an instance of Netwalker Ransomware on the lone endpoint – which also failed. The host was isolated, and the defense teams remained on alert, actively investigating for artifacts and return attempts. After execution, the intruder attempted to delete ransomware samples but wasn‘t able to empty the recycle bin before host isolation, leaving samples for analysis.
Fig 1. Timeline of events. Timeline has been shifted to obscure details. Each system has its own row in the graph, while each account is represented by a distinct marker type. Action performed by adversaries is colored red, Defensive actions are colored blue, and actions that occurred independent of the incident are colored green.
Hypotheses are presented in order of apparent evidence, but keep in mind that strong circumstantial evidence can sometimes be a result of deception. Social engineering and reputation attacks are, after all, a common tactic in organized crime and conflict. eSentire Threat Intelligence draws no final conclusions about attribution given the limited ground truth available about adversaries involved.
Looking at Microsoft’s Q2 Ransomware report [3], the attack path is reminiscent of NetWalker Ransomware group:
A multi-layered defense went a long way to deflecting the intruder’s numerous access, lateral movement, and execution attempts. When threat actors find organizations with poor perimeter controls or have driven motives to compromise a particular target, they can make several attempts at compromise. If they have collected credentials and performed domain reconnaissance in any of their attempts, they can return through different accounts and systems in future attempts with valid credentials which require no exploits or malspam-based execution abuses and do not, therefore, raise alerts. However, a multi-layered security posture can provide organizational resilience against the final goal of these attacks by interrupting malicious actions as they are performed by the threat actor. Such threat actors may theoretically achieve their objectives given enough time and resources. The job of the defense team is to make it more trouble than it's worth. In the meantime, eSentire advises keeping an eye on the latest remote vulnerabilities – often targeted by ransomware groups [11].
In this case, pro-defensive attrition actions include:
Detection, investigation, and response tools used:
[2] https://healthitsecurity.com/news/fbi-alerts-to-rise-in-targeted-netwalker-ransomware-attacks
[4] https://attack.mitre.org/techniques/T1078/003/
[5] https://attack.mitre.org/software/S0002/
[6] https://attack.mitre.org/techniques/T1555/
[7] https://attack.mitre.org/techniques/T1570/
[8] https://attack.mitre.org/software/S0029/
[9] https://attack.mitre.org/tactics/TA0002/
[11] https://www.esentire.com/security-advisories/ransomware-groups-exploit-remote-access-services
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.