BY eSentire Threat Response Unit (TRU)
August 30, 2022 | 10 MINS READ
eSentire's security research team, the Threat Response Unit (TRU), has discovered that the IT infrastructure used to attack Cisco in May 2022 was also used in an attempted compromise of one of eSentire's clients in April 2022. In that case, eSentire prevented the deployment of ransomware into the company's environment. The client is a large workforce management solutions holding company made up of numerous subsidiaries that provide employee staffing, recruiting, contract staffing and services around identifying and placing direct hires. TRU believes that a hacker who uses the alias mx1r is the cybercriminal behind the attack. Security company Mandiant recently reported on this actor in association with UNC2165, but did not name them.
During the initial investigation of the attack against the workforce management company, TRU researchers were especially interested in the criminal(s)' use of a crypter product called CryptOne. Essentially, a crypter is a piece of software used to encrypt a malware payload so it will sneak past anti-virus software. Following this thread, TRU found a security report from Secureworks which detailed the use of CryptOne by a hacker group they call Gold Drake but which is more commonly known as Evil Corp.
This thread led to a security report by Mandiant which details various cyberattacks that were carried out by an affiliate group of Evil Corp, which they call UNC2165. Interestingly, it is in this report that TRU discovered that the Evil Corp affiliate (UNC2165) was known to use compromised VPN credentials in their attacks. Within their reporting, Mandiant also described the activities of one of the Evil Corp members which were very similar to the Tactics, Techniques and Procedures (TTPs) of the attack TRU detected and shut down. However, Mandiant did not name the threat actor.
TRU began scouring underground hacker forums for posts from this threat actor and discovered a member of exploit.in, an underground Russian forum, whose posts were eerily similar to the modus operandi (MO) of the hacker who attacked eSentire’s client and the hacker described by Mandiant. The threat actor uses the alias mx1r.
For those who are not familiar, Evil Corp is one of the most infamous Russian hacking groups on the underground. Evil Corp was sanctioned in 2019 by the U.S. Treasury's Office of Foreign Assets Control (OFAC) for developing the Dridex banking malware and using it to steal over $100 million USD from hundreds of banks and financial institutions. Because of the sanctions, it is believed that the cybercriminals behind Evil Corp switched their MO and began running a ransomware-as-a-service operation instead of attacking victims with their Dridex banking malware. As such, they have recruited an array of criminal affiliates to carry out their online crimes.
The cybercriminals were able to break into the workforce management corporation's IT network using stolen Virtual Private Network (VPN) credentials. TRU caught them trying to move laterally through the network using an arsenal of red team tools. Red team tools are typically used by security penetration testers who are testing the security of an organization's IT infrastructure. However, in this case, they were used by the threat actors to gain a deeper foothold into the victim's environment. The red team tools they used included Cobalt Strike, network scanners and Active Domain crawlers. Using Cobalt Strike, the attackers were able to gain an initial foothold, and hands-on actions were immediate and swift from the time of initial access to when the attacker was able to register their own Virtual Machine on the victim's VPN network.
As stated, the hackers first gained access to the workforce management corporation in April 2022 via compromised VPN credentials. Interestingly, TRU spotted several underground forum posts, dating from April 2022, where a hacker going by the alias mx1r was looking for VPN credentials for companies with billion-dollar revenues (Figure 1). TRU then discovered posts on a Dark Web access broker auction site where a threat actor was purchasing VPN credentials for large U.S. companies. Access broker auctions are run by cybercriminals who have broken into a company's IT environment and are selling their illegal access.
Figure 1: mx1r placing a bid for access to a $2 billion company
As previously mentioned, the threat actors who attacked the workforce management corporation attempted to move laterally through the company’s IT network using an arsenal of red team tools which included Cobalt Strike. A GitHub account, under the mx1r alias, shows a handful of code repositories containing red team tools (Figure 2). As noted by Mandiant, these repositories are consistent with the Evil Corp affiliate’s (UNC2165) tactics.
Figure 2: A GitHub account using the mx1r alias
Additionally, Joe Sandbox identified the Command and Control (C2) server used in the attack as also serving as the C2 for the CryptOne Metasploit package. Metasploit is a library of tools designed for penetration testing. The CryptOne Metasploit package is wrapped in the CryptOne crypter. The CryptOne crypter has been used by the Hades Ransomware Group and ISFB (the Gozi Banking Trojan Group), both of which have associations with Evil Corp.
Coincidentally, mx1r had a handful of other underground posts in addition to the VPN posts. One of them, from July 2019, shows the cybercriminal recruiting a coder to "cleanup Metasploit and modules from similar frameworks". Later, in December 2019, mx1r showed an interest in purchasing version 4.1 of Cobalt Strike (Figure 3).
Figure 3: mx1r asks to buy a copy of Cobalt Strike version 4.1 on the Russian-speaking forum, exploit.in
In June 2021, Secureworks reported that CryptOne Metasploit was deploying Cobalt Strike during a Hades ransomware campaign. In October 2021, mx1r also showed an interest in hiring a “crypting expert” (Figure 4).
Figure 4: mx1r looking to hire a crypter for 'the team'
eSentire’s TRU also saw the threat actors continue to try and move laterally within the workforce management corporation’s network via Remote Desktop Protocol (RDP) access, which Mandiant also observed as a tactic used by Evil Corp affiliate/UNC2165.
Another tactic observed by TRU was the threat actor’s attempt to launch a Kerberoasting attack. This is an attack where the cybercriminal attempts to crack passwords within Windows Active Directory through the Kerberos authentication protocol. This tactic is also consistent with the TTPs of the Evil Corp affiliate/UNC2165, according to Mandiant.
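Kerberoasting leaves a distinctive trace in Windows Security logs: a single user account requesting many service tickets (Event ID 4769) in a short burst, typically with the RC4-HMAC encryption type (0x17) because those tickets are cheapest to crack offline. The following detection is an added example written for this article; it is not eSentire's or TRU's code and does not reflect how their SOC implements the detection. The event records are constructed (the field layout mirrors the 4769 fields a detection needs), and the five-minute window and five-SPN threshold are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4769 (Kerberos service ticket requested)
# records: (timestamp, requesting account, service name / SPN,
# ticket encryption type, status code). Values are made up for illustration.
SAMPLE_4769 = [
    ("2022-04-12T10:01:05", "jdoe", "MSSQLSvc/sql01.corp.local", "0x17", "0x0"),
    ("2022-04-12T10:01:06", "jdoe", "http/web01.corp.local", "0x17", "0x0"),
    ("2022-04-12T10:01:06", "jdoe", "CIFS/fs01.corp.local", "0x17", "0x0"),
    ("2022-04-12T10:01:07", "jdoe", "exchangeMDB/mail01.corp.local", "0x17", "0x0"),
    ("2022-04-12T10:01:08", "jdoe", "ldap/dc01.corp.local", "0x17", "0x0"),
    ("2022-04-12T10:01:09", "jdoe", "MSSQLSvc/sql02.corp.local", "0x17", "0x0"),
    # Normal AES-encrypted ticket requests spread over the day: not suspicious.
    ("2022-04-12T10:03:00", "asmith", "CIFS/fs01.corp.local", "0x12", "0x0"),
    ("2022-04-12T11:30:00", "asmith", "http/web01.corp.local", "0x12", "0x0"),
    # One RC4 ticket on its own (legacy service) should not trip the rule.
    ("2022-04-12T09:00:00", "svc_backup", "CIFS/fs01.corp.local", "0x17", "0x0"),
    # Machine accounts request many tickets legitimately and are excluded.
    ("2022-04-12T10:01:05", "WKS-17$", "ldap/dc01.corp.local", "0x17", "0x0"),
]

RC4_HMAC = "0x17"          # TicketEncryptionType value for RC4-HMAC
SUCCESS = "0x0"            # Status code for a ticket that was actually issued
WINDOW = timedelta(minutes=5)   # assumption: tune per environment
THRESHOLD = 5                   # distinct SPNs per account inside one window


def detect_kerberoasting(events, threshold=THRESHOLD, window=WINDOW):
    """Return {account: sorted distinct SPNs} for every non-machine account that
    obtained at least `threshold` RC4-encrypted service tickets for distinct
    SPNs within any `window`-sized span. The largest qualifying window wins."""
    by_account = defaultdict(list)
    for ts, account, spn, etype, status in events:
        if etype != RC4_HMAC or status != SUCCESS:
            continue
        if account.endswith("$"):  # skip computer accounts
            continue
        by_account[account].append((datetime.fromisoformat(ts), spn))

    hits = {}
    for account, reqs in by_account.items():
        reqs.sort()
        best = set()
        start = 0
        for end in range(len(reqs)):
            # Slide the window start forward until the span fits in `window`.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {spn for _, spn in reqs[start:end + 1]}
            if len(spns) >= threshold and len(spns) > len(best):
                best = spns
        if best:
            hits[account] = sorted(best)
    return hits


if __name__ == "__main__":
    for account, spns in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {len(spns)} SPNs -> {spns}")
```

The RC4 filter is what keeps this rule quiet on a domain that has moved service accounts to AES; in an environment where RC4 is still common, the SPN-count threshold does most of the work and should be raised. Mitigation on the Active Directory side is the usual pairing: long, random passwords (or group Managed Service Accounts) for anything with an SPN, and AES-only encryption types on those accounts.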
While TRU successfully shut down the attackers before they could fully penetrate the client’s network, TRU suspects that the threat actors intended to infect the workforce corporation and its subsidiaries with ransomware.
While the TTPs of the attack against the workforce management corporation match those of Evil Corp, the infrastructure used matches that of a Conti ransomware affiliate, who has been seen deploying Hive and Yanluowang ransomware. Looking at various technical details of the malicious infrastructure leveraged, TRU discovered a handful of additional instances of Cobalt Strike infrastructure. TRU tracks this infrastructure cluster as HiveStrike. The Hive group first appeared on the ransomware scene in June 2021 and quickly gained a reputation for attacking critical targets including hospitals, energy companies and IT companies.
Interestingly, Cisco attributed their breach to a threat actor who has ties to three hacker groups: the Lapsus$ threat group, the Yanluowang ransomware operators, and a group that the security firm Mandiant calls UNC2447. They have been known to drop the FiveHands/Hello Kitty ransomware into their victims' environments.
UNC2447 was previously observed deploying FiveHands ransomware at the same time TRU observed the infrastructure cluster it tracks as ShadowStrike being leveraged for FiveHands and Conti ransomware attacks. Note: several security organizations assert that both the Hive Ransomware Group and the FiveHands gang are connected to former members of the Conti Ransomware Group.
Microsoft tracks the infrastructure used by the Conti ransomware group and its affiliates as DEV-0365, and HiveStrike bears some interesting similarities to the ShadowStrike infrastructure reported by TRU earlier this year with affiliations to Conti. It seems unlikely – but not impossible – that Conti would lend its infrastructure to Evil Corp. Given that Mandiant has interpreted UNC2165's pivot to LockBit as an intention to distance itself from the core Evil Corp group, it is more plausible that the Evil Corp affiliate/UNC2165 may be working with one of Conti's new subsidiaries. Conti's subsidiaries provide a similar outcome – avoiding sanctions by diffusing their resources into other established brands as they retire the Conti brand. It's also possible that initial access was brokered by an Evil Corp affiliate but ultimately sold off to Hive operators and its affiliates.
Tactical – This incident was escalated to active incident handling, in which hands-on defenders were engaged to intercept the attackers and kick them out before they could disrupt the corporation's business. In cases where exfiltration or other high-impact actions are suspected, eSentire's Incident Response team is engaged.
Operational – The threat group's infrastructure, TTPs and other artifacts, tracked by TRU, were swept through indicator hunts and defense rule deployment. eSentire's Security Operations Center (SOC) actively monitors threat signals 24/7 for potential attacks.
Strategic – TRU continues to enhance its threat actor tracking capabilities as the attack landscape evolves. New detection models are built regularly based on original research and curated threat intelligence to enhance automated blocking, SOC investigation and response capabilities.
Below are a few basic security steps that every company should be employing to defend against ransomware attacks, as well as cyberattacks in general.
If an organization gets hit by a ransomware attack and finds that it does NOT have reliable backups of its key IT systems and data, it is important to have in place remediation measures such as the following:
The initial investigation was kicked off by eSentire’s Security Operations Center (SOC) when they received an alert for the detection of malicious PowerShell abuse. The event was immediately identified as Cobalt Strike, as hands-on actions began to take place.
As is typical during the initial stage of a ransomware attack, the hands-on intruder performs some cursory discovery of the network they’ve landed in to help determine potential privilege escalation paths and opportunities for lateral movement.
net group "Domain Admins" /domain
nltest /domain_trusts /all_trusts
Trusted Windows process: c:\windows\system32\findstr.exe
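The two commands above (and the findstr.exe used to filter their output) are individually unremarkable, which is why a detection should score them as a burst per host and user rather than alert on any single one. The script below is an added example for this article, not eSentire's or TRU's detection content. It runs a small rule set over constructed process-creation records in a pipe-delimited layout (timestamp, host, user, parent image, image, command line); the layout, the rule weights, the ten-minute window and the threshold of 5 are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style),
# one per line: ts|host|user|parent_image|image|command_line. Made up for this example.
SAMPLE_PROCESS_EVENTS = r"""
2022-04-12T10:05:01|WKS-17|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net group "Domain Admins" /domain
2022-04-12T10:05:02|WKS-17|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\findstr.exe|findstr /i admin
2022-04-12T10:05:04|WKS-17|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\nltest.exe|nltest /domain_trusts /all_trusts
2022-04-12T10:05:09|WKS-17|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\whoami.exe|whoami /groups
2022-04-12T14:20:00|SRV-ADM01|CORP\it.ops|C:\Windows\System32\cmd.exe|C:\Windows\System32\nltest.exe|nltest /dclist:corp.local
2022-04-12T15:00:00|WKS-03|CORP\asmith|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|C:\Windows\System32\notepad.exe|notepad.exe
"""

# Rule set: (name, regex over the command line, weight). Weights are assumptions:
# commands that enumerate privileged groups or trusts count more than whoami.
DISCOVERY_RULES = [
    ("domain_admins_enum", re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?domain admins"?', re.I), 3),
    ("domain_trust_enum", re.compile(r'\bnltest(?:\.exe)?\s+/domain_trusts\b', re.I), 3),
    ("domain_controller_enum", re.compile(r'\bnltest(?:\.exe)?\s+/dclist', re.I), 2),
    ("whoami", re.compile(r'\bwhoami(?:\.exe)?\b', re.I), 1),
]


def parse_events(text):
    """Turn the pipe-delimited sample into a list of dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, parent, image, cmdline = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "parent": parent, "image": image, "cmdline": cmdline})
    return events


def match_rules(cmdline):
    """Return [(rule name, weight)] for every rule whose regex hits the command line."""
    return [(name, weight) for name, rx, weight in DISCOVERY_RULES if rx.search(cmdline)]


def detect_discovery_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Group matched discovery commands by (host, user) and alert when the summed
    rule weights inside any `window` reach `threshold`. Returns
    {(host, user): {"score", "rules", "first", "last"}} for the best window."""
    per_actor = defaultdict(list)
    for ev in events:
        for name, weight in match_rules(ev["cmdline"]):
            per_actor[(ev["host"], ev["user"])].append((ev["ts"], name, weight))

    alerts = {}
    for key, hits in per_actor.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            chunk = hits[start:end + 1]
            score = sum(w for _, _, w in chunk)
            if score >= threshold and score > alerts.get(key, {}).get("score", 0):
                alerts[key] = {"score": score,
                               "rules": sorted({n for _, n, _ in chunk}),
                               "first": chunk[0][0].isoformat(),
                               "last": chunk[-1][0].isoformat()}
    return alerts


if __name__ == "__main__":
    for (host, user), info in detect_discovery_bursts(parse_events(SAMPLE_PROCESS_EVENTS)).items():
        print(f"{host} {user}: score {info['score']} rules {info['rules']} "
              f"between {info['first']} and {info['last']}")
```

The lone nltest /dclist from the admin jump host scores below the threshold and is left alone, while the four-command sequence on WKS-17 inside eight seconds is flagged. Matching on the command line rather than the image name is deliberate: net1.exe, renamed binaries and PowerShell wrappers all still have to say "Domain Admins" somewhere.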
BloodHound and Netscan were used to attempt lateral movement within the network.
Bring Your Own Virtual Machine (BYOVM)
The attackers registered their own virtual machine with the VPN pool.
Further research on the attacker IP shows that the IP was observed by GreyNoise scanning the internet for targets. TRU reached out to GreyNoise for more telemetry and learned that the scans were quiet and minimal, and the attacker avoided revealing telemetry. This may represent the initial access broker gaining access to organizations before selling it to ransomware affiliates.