A ransom note, UNLOCK_, appeared on computers throughout a company and, when triaging what happened, encrypted files were observed. A typical ransomware response was initiated, and forensic analysis was completed. The ransom note (shown below) gave specific instructions as to what was happening, details on how to resolve the problem and a link for contacting the attackers.

An unpatched FortiGate appliance, which controlled Remote Desktop Protocol (RDP) access for users, was found to be the likely entry point into the environment. This vulnerability allows any user to connect without having to authenticate, giving access and granting administrator privileges.

This access was leveraged and a user account was created with a name similar to that of a legitimate administrator account. PSEXESVC was executed, which lets users execute processes on remote systems without needing any client software present on the remote computers. Cobalt Strike was executed, which has the ability to create connections (using Cobalt Strike servers) to compromised networks and create persistent channels between the target and the attackers. The threat actors used RDP to find the domain controller, which became the hub of their activity.
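Two of the artifacts in this write-up, the PSEXESVC service being installed and a new account whose name mimics an existing administrator, are easy to surface from Windows event logs. The following is an added detection example, not code from the original report; the event field names and the admin-account inventory are assumptions, and the sample events are constructed.

```python
# Added example: triage constructed Windows event records for
#  - System event 7045 (service installed) with ServiceName PSEXESVC
#  - Security event 4720 (user created) where the new name is a
#    near-duplicate of a known administrator account.
# Field names are assumptions about the log pipeline, not a fixed schema.
from difflib import SequenceMatcher

ADMIN_ACCOUNTS = {"svc_backupadmin", "itadmin"}   # constructed inventory

# Constructed sample events (not from the incident described above)
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "Host": "DC01"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "Host": "WS12"},
    {"EventID": 4720, "TargetUserName": "itadmln",   # 'i' swapped for 'l'
     "SubjectUserName": "itadmin", "Host": "DC01"},
    {"EventID": 4720, "TargetUserName": "jsmith",
     "SubjectUserName": "itadmin", "Host": "DC01"},
]


def looks_like(name: str, reference: str, threshold: float = 0.85) -> bool:
    """True when name closely resembles reference but is not identical."""
    a, b = name.lower(), reference.lower()
    if a == b:
        return False
    return SequenceMatcher(None, a, b).ratio() >= threshold


def triage(events, admins=ADMIN_ACCOUNTS):
    """Return (finding, host, detail) tuples for the two artifacts above."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
            findings.append(("psexec_service_install", ev["Host"], ev["ImagePath"]))
        elif ev.get("EventID") == 4720:
            new_user = ev.get("TargetUserName", "")
            for admin in sorted(admins):
                if looks_like(new_user, admin):
                    findings.append(("lookalike_admin_account", ev["Host"],
                                     f"{new_user} resembles {admin}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The similarity threshold is a starting point; tune it against your own account naming conventions to keep false positives down.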