adulau/misp-circl-feed
1
0
Fork 0
Code Issues Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/5ac29be4-309c-436f-84ff-49dd4f98e940.json

335 lines
No EOL
28 KiB
JSON
Raw Permalink Blame History

{
"Event": {
"analysis": "2",
"date": "2024-12-10",
"extends_uuid": "",
"info": "OSINT - Threat Advisory: Oh No Cleo! Cleo Software Actively Being Exploited in the Wild",
"publish_timestamp": "1733842710",
"published": true,
"threat_level_id": "3",
"timestamp": "1733842681",
"uuid": "5ac29be4-309c-436f-84ff-49dd4f98e940",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": true,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": true,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": true,
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": true,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": true,
"name": "tlp:clear",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"relationship_type": ""
},
{
"colour": "#3c4200",
"local": false,
"name": "vulnerability:exploitability=\"industrialised\"",
"relationship_type": ""
},
{
"colour": "#b5c500",
"local": false,
"name": "vulnerability:sighting=\"exploited\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1733840961",
"to_ids": false,
"type": "vulnerability",
"uuid": "e390ffc1-4643-4cb1-9879-81e690345f2d",
"value": "CVE-2024-50623"
}
],
"Object": [
{
"comment": "CVE-2024-50623: Enriched via the cve_advanced module",
"deleted": false,
"description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.",
"meta-category": "vulnerability",
"name": "vulnerability",
"template_uuid": "81650945-f186-437b-8945-9f31715d32da",
"template_version": "8",
"timestamp": "1733840975",
"uuid": "82d226c3-f026-457f-bc31-2681363f32c9",
"ObjectReference": [
{
"comment": "",
"object_uuid": "82d226c3-f026-457f-bc31-2681363f32c9",
"referenced_uuid": "e390ffc1-4643-4cb1-9879-81e690345f2d",
"relationship_type": "related-to",
"timestamp": "1733840976",
"uuid": "81fb7f40-7657-4274-a27c-68e51a903585"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "id",
"timestamp": "1733840975",
"to_ids": false,
"type": "vulnerability",
"uuid": "1e7fdf31-4876-402b-8b35-5b1d446b34d8",
"value": "CVE-2024-50623"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1733840975",
"to_ids": false,
"type": "text",
"uuid": "a667afa1-48f7-48e4-a761-b19d6afba7eb",
"value": "In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability: unrestricted file upload and download could lead to remote code execution."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "modified",
"timestamp": "1733840976",
"to_ids": false,
"type": "datetime",
"uuid": "e041830a-2c1c-45a7-9266-00e47ed20ee3",
"value": "2024-10-30T21:35:00+00:00"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "published",
"timestamp": "1733840976",
"to_ids": false,
"type": "datetime",
"uuid": "e7e851c9-66cd-4c04-9f90-e4060416291f",
"value": "2024-10-28T00:15:00+00:00"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1733840976",
"to_ids": false,
"type": "text",
"uuid": "3b2b27d0-ed3c-40e8-a67c-99a39147fbbf",
"value": "Published"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "references",
"timestamp": "1733840976",
"to_ids": false,
"type": "link",
"uuid": "59656e76-433e-47bb-a91f-ff0dcb94850d",
"value": "https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory"
}
]
},
{
"comment": "Observed IP addresses for callbacks",
"deleted": false,
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"name": "ip-port",
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
"template_version": "9",
"timestamp": "1733841010",
"uuid": "76f0ea51-6353-4d87-bc75-5361e67461ac",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1733841010",
"to_ids": true,
"type": "ip-dst",
"uuid": "473ca882-9594-458e-9b41-6d0f41287282",
"value": "176.123.5.126"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1733841010",
"to_ids": true,
"type": "ip-dst",
"uuid": "c155289b-5044-4e72-a709-bda5364ce11f",
"value": "5.149.249.226"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1733841010",
"to_ids": true,
"type": "ip-dst",
"uuid": "ea52cc9c-2c86-4db3-8d88-0af90dd1c199",
"value": "185.181.230.103"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1733841010",
"to_ids": true,
"type": "ip-dst",
"uuid": "ffc2df49-597c-4674-83ef-7ed27870e852",
"value": "209.127.12.38"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1733841010",
"to_ids": true,
"type": "ip-dst",
"uuid": "671fc60a-50dd-4a15-91ba-9f6e1e303315",
"value": "181.214.147.164"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1733841010",
"to_ids": true,
"type": "ip-dst",
"uuid": "05aff488-86cc-4c73-be2c-2257da0dc920",
"value": "192.119.99.42"
}
]
},
{
"comment": "Detects Powershell spawned from Cleo software. Evidence of unknown threat actor exploiting the CLEO tooling using this pattern observed in Dec 2024",
"deleted": false,
"description": "An object describing a Sigma rule (or a Sigma rule name).",
"meta-category": "misc",
"name": "sigma",
"template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
"template_version": "1",
"timestamp": "1733841191",
"uuid": "b813daad-c8b3-4b84-86af-1d22cdce6dce",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1733841191",
"to_ids": false,
"type": "text",
"uuid": "ce63a48d-a1aa-4e96-a7bd-c35059bf3ee5",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma",
"timestamp": "1733841191",
"to_ids": true,
"type": "sigma",
"uuid": "9f5ef5aa-66a0-4738-bfe1-110723569a5e",
"value": "title: Possible Cleo MFT Exploitation 2024\r\nid: f007b877-02e3-45b7-8501-1b78c2864029\r\nstatus: experimental\r\ndescription: Detects Powershell spawned from Cleo software. Evidence of unknown threat actor exploiting the CLEO tooling using this pattern observed in Dec 2024.\r\nauthor: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson\r\nreferences: []\r\ndate: 2024/12/09\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n ParentImage|endswith: '\\javaw.exe'\r\n Image|endswith: '\\cmd.exe'\r\n CommandLine|contains:\r\n - 'powershell'\r\n - ' -NonInteractive'\r\n - ' -noni '\r\n - ' -enc '\r\n - ' -EncodedCommand'\r\n ParentCommandLine|contains:\r\n - 'VLTrader'\r\n - 'lexicom'\r\n - 'Harmony'\r\n - 'VersaLex'\r\n\r\n condition: selection\r\nfalsepositives:\r\n - Unknown\r\nlevel: high"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a Sigma rule (or a Sigma rule name).",
"meta-category": "misc",
"name": "sigma",
"template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
"template_version": "1",
"timestamp": "1733841235",
"uuid": "557b06ae-948d-4af8-9a10-99202f8a8b41",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma",
"timestamp": "1733841235",
"to_ids": true,
"type": "sigma",
"uuid": "949851d7-4aae-410d-b0cc-03491f4dcff1",
"value": "title: Javaw Spawning Suspicious Powershell Commands\r\nid: a0ec945f-2328-40e9-96f6-27dadf72861b\r\nstatus: experimental\r\ndescription: Detects Javaw spawning suspicious powershell commands. This has been observed as possible post-exploitation activity of Cleo software.\r\nauthor: Chad Hudson, Matt Anderson\r\nreferences: []\r\ndate: 2024/12/09\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n ParentImage|endswith:\r\n - '\\javaw.exe'\r\n Image|endswith:\r\n - '\\cmd.exe'\r\n cmdline:\r\n CommandLine|contains:\r\n - ' -nop'\r\n - ' -noni'\r\n - ' -NonInteractive'\r\n - ' -w hidden '\r\n - ' -windowstyle hidden*'\r\n - '(New-Object Net.WebClient).Download*'\r\n - ' -enc '\r\n - ' -EncodedCommand '\r\n powershell:\r\n CommandLine|contains: powershell\r\n condition: selection and cmdline and powershell\r\nfalsepositives:\r\n - Unknown\r\nDetects Javaw spawning suspicious powershell commands. This has been observed as possible post-exploitation activity of Cleo software."
}
]
}
],
"EventReport": [
{
"name": "Report from - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild (1733841037)",
"content": "# Threat Advisory: Oh No Cleo! Cleo Software Actively Being Exploited in the WildDecember 9, 2024# Threat Advisory: Oh No Cleo! Cleo Software Actively Being Exploited in the Wild\r\n\r\nBy: Team Huntress\\|Contributors:John Hammond## Summary\r\n\r\nOn December 3, Huntress identified an emerging threat involving Cleo\u00e2\u0080\u0099s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. We\u00e2\u0080\u0099ve directly observed evidence of threat actors exploiting this software en masse and performing post\\-exploitation activity. Although Cleo published an update and advisory for CVE\\-2024\\-50623\u00e2\u0080\u0094which allows unauthenticated remote code execution\u00e2\u0080\u0094Huntress security researchers have recreated the proof of concept and learned the patch does not mitigate the software flaw.\r\n\r\n**TL;DR \\- This vulnerability is being actively exploited in the wild and fully patched systems running 5\\.8\\.0\\.21 are still exploitable. We strongly recommend you move any internet\\-exposed Cleo systems behind a firewall until a new patch is released.**\r\n\r\nBased on our analysis, all versions prior to and including 5\\.8\\.0\\.21 are vulnerable:\r\n\r\n* Cleo Harmony\u00c2\u00ae (5\\.8\\.0\\.21\\)\r\n* Cleo VLTrader\u00c2\u00ae (5\\.8\\.0\\.21\\)\r\n* Cleo LexiCom\u00c2\u00ae (5\\.8\\.0\\.21\\)\r\n\r\nOur team is working to reach the Cleo team to report our findings and develop a new patch to fully mitigate exploitation. This blog will be frequently updated as more details emerge.\r\n\r\n## Tradecraft We Observed\r\n\r\nThe three software solutions Harmony, VLTrader, and LexiCom are often installed in the root of the filesystem, as the suggested default in their installation process:\r\n\r\n````\r\nC:\\LexiCom \r\n\r\nC:\\VLTrader \r\n\r\nC:\\Harmony\r\n\r\n````We have also observed installation folders in the typical **\\[.highlight]C:\\\\Program Files (x86\\)\\[.highlight]** directory. Inside of the installation folder are numerous subdirectories, with some more pertinent to the tradecraft than others:\r\n\r\n**\\[.highlight]logs\\\\\\[.highlight]** \r\n\r\n**\\[.highlight]host\\\\\\[.highlight]** \r\n\r\n**\\[.highlight]autorun\\\\\\[.highlight]** \r\n\r\n(etc.)\r\n\r\nAs an example, we would find logs in a full path: **\\[.highlight]C:\\\\LexiCom\\\\logs\\\\LexiCom.xml\\[.highlight]**. Below is a record of the logs following threat actor exploitation:\r\n\r\nThere are multiple things to note in this log snippet:\r\n\r\n1. The first artifact of the attack chain is **\\[.highlight]autorun\\\\healthchecktemplate.txt\\[.highlight]**. \r\n \r\nAutorun files are immediately read, interpreted, and evaluated by LexiCom, Harmony, and VLTrader. **We believe this is one of multiple files dropped onto the filesystem via the arbitrary file\\-write vulnerability.** Files placed in the **\\[.highlight]autorun\\[.highlight]** folder are immediately deleted following their processing.\u00c2\u00a0 ***Note:*** *We have also seen* **\\[.highlight]autorun\\\\healthcheck.txt\\[.highlight]** *used as well.*\r\n2. A \u00e2\u0080\u009cWarning\u00e2\u0080\u009d on the second entry indicates this instance is running version **5\\.8\\.0\\.0**, which is the *unpatched* version. **Our proof\\-of\\-concept, which we will discuss below, successfully exploits version 5\\.8\\.0\\.21\\.**\r\n3. The **\\[.highlight]healthchecktemplate.txt\\[.highlight]** autorun looks to invoke \u00e2\u0080\u009cImport\u00e2\u0080\u009d functionality, which is native and natural functionality of the Cleo software. \r\n \r\nThe Import process reads in from a local file on disk. In this case, it loads **\\[.highlight]temp\\\\LexiCom6836057879780436035\\.tmp,\\[.highlight]** **which we believe to be a *second* file dropped via the arbitrary file\\-write vulnerability.** This .tmp file is actually a .ZIP file, containing a subdirectory **\\[.highlight]hosts\\[.highlight]** with an inner **\\[.highlight]mail.xml\\[.highlight]** file, as you see imported. \r\n \r\nThe **\\[.highlight]main.xml\\[.highlight]** file observed from in\\-the\\-wild exploitation contains:\r\n\r\nNote the specific (and mischievous) date and timestamps: **2020/10/10 00:00:00** \u00f0\u009f\u0098\u0089\r\n\r\nThis **\\[.highlight]main.xml\\[.highlight]** file stages a *new* autorun with an action (presumably built out to be **\\[.highlight]healthcheck.txt\\[.highlight]**) to invoke a PowerShell command and gain code execution. Unfortunately, the **\\[.highlight]healthchecktemplate.txt\\[.highlight]** and **\\[.highlight]healthcheck.txt\\[.highlight]** files placed in the autoruns subdirectory were automatically deleted and we do not yet know their contents.\r\n\r\n\u00e2\u0080\u008d\r\n\r\n\r\n\r\n*Figure 1: Exploitation as displayed within one of the Cleo software solutions*\r\n\r\n\u00e2\u0080\u008d\r\n\r\nThe decoded PowerShell command has been observed with this structure:\r\n\r\nThis process reaches out to an external IP address to retrieve new JAR files for continued post\\-exploitation. These JAR files contain webshell\\-like functionality for persistence on the endpoint.\u00c2\u00a0\r\n\r\nWe observed attackers later deleting these JAR files post execution in order to prolong their attacks and stay relatively stealthy.\r\n\r\nAlso within the same logs folder, there may be a LexiCom.dbg log file. It will also contain information about any malicious autoruns files that have been processed, like so:**\u00e2\u0080\u008d**\r\n\r\n````\r\n[timestamp] LexiCom.syncer [redacted] Request In <<< Multipart: \r\n VLSync:SentReceipt;service=AS2;path=\"autorun/healthchecktemplate.txt\"\r\n\r\n````For further post\\-exploitation, the threat actors were observed enumerating potential Active Directory assets with domain reconnaissance tools like **nltest.exe**.\r\n\r\nHuntress EDR depicts this child\\-parent process relationship like so:\r\n\r\n\u00e2\u0080\u008d\r\n\r\n\r\n\r\n*Figure 2: Parent\\-child process relationship between nltest.exe*\r\n\r\n\u00e2\u0080\u008d\r\n\r\n## **Observed IP addresses for callbacks**\r\n\r\n \r\n**\\[.highlight]176\\.123\\.5\\.126\\[.highlight]** \\- AS 200019 (AlexHost SRL) \\- Moldova\u00c2\u00a0\r\n\r\n**\\[.highlight]5\\.149\\.249\\.226\\[.highlight]** \\- AS 59711 (HZ Hosting Ltd) \\- Netherlands\u00c2\u00a0\r\n\r\n**\\[.highlight]185\\.181\\.230\\.103\\[.highlight]** \\- AS 60602 (Inovare\\-Prim SRL) \\- Moldova\r\n\r\n**\\[.highlight]209\\.127\\.12\\.38\\[.highlight]** \\- AS 55286 (SERVER\\-MANIA / B2 Net Solutions Inc) \\- Canada\r\n\r\n**\\[.highlight]181\\.214\\.147\\.164\\[.highlight]** \\- AS 15440 (UAB Baltnetos komunikacijos) \\- Lithuania**\u00e2\u0080\u008d**\r\n\r\n**\\[.highlight]192\\.119\\.99\\.42\\[.highlight]**\u00c2\u00a0 \\- AS 54290 (HOSTWINDS LLC) \\- United States\r\n\r\n\u00e2\u0080\u008d\r\n\r\n# Targets Exploited\r\n\r\nFrom our telemetry, we\u00e2\u0080\u0099ve discovered at least 10 businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC.\u00c2\u00a0 After some initial analysis, however, we have found evidence of exploitation as early as December 3\\.\u00c2\u00a0\r\n\r\nThe majority of customers that we saw compromised deal with consumer products, food industry, trucking, and shipping industries.\u00c2\u00a0There are still several other companies outside of our immediate view who are potentially compromised as well.\r\n\r\n\u00e2\u0080\u008d\r\n\r\n\r\n\r\n*Figure 3: View of vulnerable Cleo server as seen on Shodan* \r\n\r\n\u00e2\u0080\u008d\r\n\r\n# The Huntress Proof\\-of\\-Concept\r\n\r\nHuntress communicated with Cleo on December 9 after creating our proof\\-of\\-concept. Over a Zoom call, they confirmed our understanding and the recreation of the attack chain.\u00c2\u00a0\r\n\r\nPrincipal Security Researcher Caleb Stewart crafted a Python script that leverages the arbitrary file\\-write primitive to place files inside the **\\[.highlight]autoruns\\[.highlight]** subdirectory and prove its execution. This was tested successfully against LexiCom as well as VLTrader with both versions 5\\.8\\.0\\.0 **and patched version 5\\.8\\.0\\.21**.\r\n\r\n At the time of writing, Cleo is preparing a new CVE designation and expects a new patch to be released mid\\-week.\u00c2\u00a0\r\n\r\n\u00e2\u0080\u008d\r\n\r\n# How to Stay Protected\r\n\r\nAt the time of writing, the 5\\.8\\.0\\.21 patched versions are insufficient against the exploit we are seeing in the wild. Speaking over a Zoom call, Cleo expressed that they will have a new patch available as soon as possible.\r\n\r\nIn the interim, we have suggested mitigations in an attempt to limit the attack surface. Knowing that the latter half of this attack path relies on code execution via the **\\[.highlight]autoruns\\[.highlight]** directory, it is possible to reconfigure Cleo software to disable this feature. **However, this will not prevent the arbitrary file\\-write vulnerability until a patch is released.**\r\n\r\n1. Got to the \u00e2\u0080\u009cConfigure\u00e2\u0080\u009d menu of LexiCom, Harmony, or VLTrader\r\n2. Select \u00e2\u0080\u009cOptions\u00e2\u0080\u009d\u00c2\r\n3. Navigate to the \u00e2\u0080\u009cOther\u00e2\u0080\u009d pane\r\n4. Delete the contents of the \u00e2\u0080\u009cAutorun Directory\u00e2\u0080\u009d field\r\n\r\n*This will remove the ability to process Autorun files. Please apply your own risk and threat model here \\-\\- your mileage may vary if you know that you use this feature in production.*\r\n\r\n\r\n\r\n*Figure 4: Cleo Harmony System Options showing the Autorun Directory option* \r\n\r\n\u00e2\u0080\u008d\r\n\r\nIf you are not a Huntress partner, review the **\\[.highlight]hosts\\[.highlight]** subdirectory in your software installation directory to determine if you have been affected. The presence of a **\\[.highlight]main.xml\\[.highlight]** or a **\\[.highlight]60282967\\-dc91\\-40ef\\-a34c\\-38e992509c2c.xml\\[.highlight]** file (a name that looks to be reused across infections) with an embedded PowerShell\\-encoded command is a definitive indicator of compromise.\u00c2\u00a0\r\n\r\n\u00e2\u0080\u008d\r\n\r\n# How Huntress Has Responded\u00c2\r\n\r\nWe are actively detecting and neutralizing activity related to the exploit. To do so, we have taken a three\\-pronged approach to effectively detect, investigate, and respond to the threat.\u00c2\u00a0\u00c2\u00a0\r\n\r\nHuntress SOC analysts Austin Worline, Chad Hudson, Jai Minton, Tanner Filip created **detections** specifically conjured to hone in on and detect the activity triggered by the range of compromised Cleo products.\u00c2\u00a0\u00c2\u00a0\r\n\r\n\u00e2\u0080\u008d\r\n\r\n\r\n\r\n*Figure 5: Cleo Detection in Huntress EDR*\r\n\r\n\u00e2\u0080\u008d\r\n\r\nIn tandem, Huntress analyst Amelia Casley generated an internal **investigation guide** to ensure that the global Huntress SOC team could triage this emerging threat in a scalable and consistent way to keep our community secure. This guide included a re\\-usable CyberChef recipe to analyze the encoded PowerShell adversaries were deploying.\u00c2\u00a0\r\n\r\n\u00e2\u0080\u008d\r\n\r\n\r\n\r\n*Figure 6: Extract of Huntress SOC Investigation Guide*\r\n\r\n\u00e2\u0080\u008d\r\n\r\n\r\n\r\n*Figure 7: CyberChef recipe* \r\n\r\n\u00e2\u0080\u008d\r\n\r\nFurthermore, Huntress neutralized this threat where it appeared on endpoints by leveraging the **IP Blocking** feature in Huntress Managed EDR. IP blocking adds a degree of cost to a threat actor, requiring them to rotate their infrastructure in order to reattempt a compromise. Once completed, we shared a detailed report with any impacted partners and customers.\u00c2\u00a0\r\n\r\n\u00e2\u0080\u008d\r\n\r\n\r\n\r\n*Figure 8: Blocking Threat actor IPv4s on hosts subject to attempted compromised*\r\n\r\n\u00e2\u0080\u008d\r\n\r\n## Appendix A:\u00c2\r\n\r\n### Sigma rules\r\n\r\n* \u00e2\u0080\u008dPossible Cleo MFT Exploitation 2024\u00e2\u0080\u008d\r\n* Javaw Spawning Suspicious PowerShell\u00c2\r\n\r\n\u00e2\u0080\u008d\r\n\r\n## Appendix B:\r\n\r\n### Indicators of Compromise (IOCs)\r\n\r\n\r\n\r\n| Item | Details |\r\n| --- | --- |\r\n| **176\\.123\\.5\\.126** | Attacker IP embedded in encoded PowerShell |\r\n| **5\\.149\\.249\\.226** | Attacker IP embedded in encoded PowerShell |\r\n| **185\\.181\\.230\\.103** | Attacker IP embedded in encoded PowerShell |\r\n| **209\\.127\\.12\\.38** | Attacker IP embedded in encoded PowerShell |\r\n| **181\\.214\\.147\\.164** | Attacker IP embedded in encoded PowerShell |\r\n| **192\\.119\\.99\\.42** | Attacker IP embedded in encoded PowerShell |\r\n| **60282967\\-dc91\\-40ef\\-a34c\\-38e992509c2c.xml** | Standard XML file to prepare post\\-exploitation |\r\n| **healthchecktemplate.txt** or **healthcheck.txt** | Malicious autoruns files |\r\n\r\n\u00e2\u0080\u008d\r\n\r\n## Acknowledgments\r\n\r\n\u00e2\u0080\u008d*Special thanks to Jai Minton, Tanner Filip, Dray Agha, Austin Worline, Chad Hudson, Amelia Casley, Jamie Levy, John Hammond, Caleb Stewart, Matt Kiely, Matt Anderson, and others for their tireless efforts and contributions to this investigation and writeup.*\r\n\r\n\u00e2\u0080\u008d\r\n\r\n## \r\n\r\nCall to ActionCategories \r\nResponse to Incidents#### \r\n\r\n#### See Huntress in action\r\n\r\nOur platform combines a suite of powerful managed detection and response tools for endpoints and Microsoft 365 identities, science\\-backed security awareness training, and the expertise of our 24/7 Security Operations Center (SOC).Book a DemoShare## You Might Also Like\r\n\r\n#### Qakbot Malware Takedown and Defending Forward\r\n\r\nLearn More#### Incident Response: A Choose Your Own Adventure Exercise\r\n\r\nLearn More#### Cracks in the Foundation: Intrusions of FOUNDATION Accounting Software\r\n\r\nLearn More#### Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders\r\n\r\nLearn More#### 2024 Wrapped: Huntress Managed SAT Edition\r\n\r\nLearn More#### It\u00e2\u0080\u0099s Not Safe to Pay SafePay\r\n\r\nLearn More#### Managed SIEM and the Art of Perfecting Cyber Defense\r\n\r\nLearn More#### A Parent's Guide to Securing Children's Tech Gifts\r\n\r\nLearn More#### You Can Run, but You Can\u00e2\u0080\u0099t Hide: Defender Exclusions\r\n\r\nLearn More## Sign Up for Blog Updates\r\n\r\nSubscribe today and you\u00e2\u0080\u0099ll be the first to know when new content hits the blog.\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\nWork Email\\*\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n By submitting this form, you accept our **Privacy Policy**\r\n\r\n\r\n\r\n\r\n\r\nThank you! Your submission has been received!\r\n\r\nOops! Something went wrong while submitting the form.\r\n\r\n\r\n\r\nThis form requires javaScript to be enabled.\r\n\r\nResponse to IncidentsResponse to Incidents",
"id": "829",
"event_id": "269946",
"timestamp": "1733841123",
"uuid": "8519fecc-c4ec-4b31-9fb6-ff3dfa37c293",
"deleted": false
}
]
}
}
Reference in a new issue View git blame Copy permalink