TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Using Backup Utilities for Data Exfiltration | Huntress

2024-03-13

ATT&CK techniques detected

15 predictions
T1021.001 Remote Desktop Protocol
97%
“…The threat actor then pinged both s3.us-central-1.wasabisys[.]com and s3.us-east-005.backblazeb2[.]com, after which they downloaded an archive from which they extracted the restic backup application, which they renamed to dns.exe, executing via the following …”
T1021.001 Remote Desktop Protocol
89%
“…Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 1>\windows\temp\ygecix 2>&1. Even though RDP access was apparently enabled, there were no indications that the threat actor attempted to log into the second endpoint via RDP before both endpoints were isolated and…”
T1078 Valid Accounts
82%
“…using previously compromised credentials, from an endpoint named “debian.” The first instance of the compromised account name appearing in the investigative timeline was on the day that the alerts were generated and reported on via the SOC, and there were no observed failed log…”
T1078 Valid Accounts
81%
“…S_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables. Per the investigative timeline, these attempts went on for about 17 minutes. The threat actor was then observed initializing the backup application to the other S3 bucket, via the following command: r…”
T1560.001 Archive via Utility
73%
“…5beb843c06835fd8c1edbc35cac. MITRE ATT&CK mapping: Initial Access - T1078.002, Valid Accounts; Initial Access - T1133, External Remote Services; Execution - T1059.003, Windows Command Shell; Persistence - T1078.002, Valid Accounts; Defense Evasion - T1027, Obfuscated Files or In…”
T1048 Exfiltration Over Alternative Protocol
69%
“Using Backup Utilities for Data Exfiltration | Huntress. Background: As an MDR provider supporting over 2.7 million endpoints across an extremely diverse customer base, Huntress sees a great deal of both legitimate and malicious activities. In a number of instances, Huntress analy…”
T1048 Exfiltration Over Alternative Protocol
65%
“…actor had some a priori knowledge of the infrastructure, including compromised credentials and locations of data suitable for exfiltration. Indicators: Threat actor endpoint NetBIOS name: debian. Exfiltration sites: s3.us-central-1.wasabisys[.]com, s3.us-east-005.b…”
T1486 Data Encrypted for Impact
60%
“Using Backup Utilities for Data Exfiltration | Huntress. Background: As an MDR provider supporting over 2.7 million endpoints across an extremely diverse customer base, Huntress sees a great deal of both legitimate and malicious activities. In a number of instances, Huntress analy…”
T1078 Valid Accounts
60%
“…Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 1>\windows\temp\ygecix 2>&1. Even though RDP access was apparently enabled, there were no indications that the threat actor attempted to log into the second endpoint via RDP before both endpoints were isolated and…”
T1048 Exfiltration Over Alternative Protocol
50%
“…5beb843c06835fd8c1edbc35cac. MITRE ATT&CK mapping: Initial Access - T1078.002, Valid Accounts; Initial Access - T1133, External Remote Services; Execution - T1059.003, Windows Command Shell; Persistence - T1078.002, Valid Accounts; Defense Evasion - T1027, Obfuscated Files or In…”
T1078 Valid Accounts
40%
“…attempts to the first endpoint, none of them were for the compromised account (a different account name was being attempted), and the attempts continued well after the threat actor successfully logged into the first endpoint. As further indicated via the investigative timeline,…”
T1003 OS Credential Dumping
38%
“Using Backup Utilities for Data Exfiltration | Huntress. Background: As an MDR provider supporting over 2.7 million endpoints across an extremely diverse customer base, Huntress sees a great deal of both legitimate and malicious activities. In a number of instances, Huntress analy…”
T1563.002 RDP Hijacking
37%
“…The threat actor then pinged both s3.us-central-1.wasabisys[.]com and s3.us-east-005.backblazeb2[.]com, after which they downloaded an archive from which they extracted the restic backup application, which they renamed to dns.exe, executing via the following …”
T1204.002 Malicious File
36%
“…using previously compromised credentials, from an endpoint named “debian.” The first instance of the compromised account name appearing in the investigative timeline was on the day that the alerts were generated and reported on via the SOC, and there were no observed failed log…”
T1537 Transfer Data to Cloud Account
33%
“Using Backup Utilities for Data Exfiltration | Huntress. Background: As an MDR provider supporting over 2.7 million endpoints across an extremely diverse customer base, Huntress sees a great deal of both legitimate and malicious activities. In a number of instances, Huntress analy…”

Summary

“Double extortion” attacks, often perpetrated by ransomware threat actors, include data exfiltration prior to file encryption. Huntress analysts have observed various means of data exfiltration, but recently observed the use of a legitimate backup application seen by others to be associated with a Noberus/ALPHV ransomware affiliate.