DFIR News

March 2021
This month we will discuss…


HAFNIUM targeting Exchange Servers with 0-day exploits
This publication deals with the intelligence report on the attack campaign of the threat actor HAFNIUM, which consisted mainly of exploiting 0-day vulnerabilities in on-premises versions of Microsoft Exchange Server. The actor exploited these vulnerabilities to deploy several webshells that allowed them to act on the victim's systems and network.

What can you get?

From this article we can extract information of several types. First, it tells us which systems and vulnerabilities allowed these attacks to be carried out, which feeds our risk analysis process with scenarios in which a service from a trusted vendor is vulnerable and provides an entry point for attackers. Secondly, it informs us about the threat actor HAFNIUM: its main targets and victims, the countries affected, and the actor's tools and modus operandi. And finally, it gives the technical details that help our analysts and detection systems recognise this type of attack and identify it before it causes a major impact.

What do we recommend?

This type of report is well worth including in our knowledge bases: through the Threat Hunting (TH) and Cyber Threat Intelligence (CTI) processes we can manage this possible threat, include it in our threat landscape, and get to know our adversaries, in addition to becoming familiar with this kind of valuable intelligence report.

By RTF, Senior Forensic Analyst at ONE



Ransomware attacks more than doubled last year as cyber-crime operations scale up during coronavirus pandemic
This publication summarizes the ransomware marketplace and its impact in 2020. It highlights that 64% of attacks are attributed to the Ransomware-as-a-Service (RaaS) business model and how lucrative this is for cyber criminals, as well as the most common entry vectors and how much an attack can cost enterprises. Ransomware presence doubled in 2020 and is expected to keep growing.

What can you get?

There are some good takeaways in this article. It provides intelligence about ransomware families and the most common entry vectors. We have to stress how important it is to reduce dwell time: as the publication explains, on average a threat actor spends 13 days in an environment before deploying the malware. In the meantime the actor attempts lateral movement, credential dumping, data exfiltration and destruction of backups. It is encouraging, after all, to see that three entry vectors account for 98% of cases (RDP, phishing and known vulnerabilities in public-facing applications), so we can narrow down where to focus in order to reduce the threat.

What do we recommend?

In our experience, with Cyber Threat Intelligence (CTI) providing knowledge of the adversary's capabilities and the Tactics, Techniques and Procedures (TTPs) associated with them, we can reduce dwell time through Threat Hunting (TH), a proactive activity to detect threats. TH will allow you to detect possible ongoing threats, but it will also help to improve your visibility and detection capabilities. We recommend, in addition to a traditional reactive approach, starting to apply proactive hunts carried out by experienced investigators and incident responders. We also recommend security awareness training to prepare people against social engineering, applying security updates, and backing up systems regularly.

By IGS, Senior Forensic Analyst at ONE

