In a sophisticated cyberattack, hackers have effectively disabled critical security systems to steal sensitive credentials. This new method of attack highlights the lengths cybercriminals will go to in order to remain undetected while harvesting valuable information.
Attackers Overwhelm Security Defenses
Recently, a threat actor successfully bypassed various security measures, including Microsoft Defender and Sysmon, before deploying Mimikatz to extract credentials. The incident underscores a meticulous strategy to erase digital footprints and avoid detection by security teams.
The breach began on June 7 when attackers compromised a web server, executing reconnaissance commands that initially seemed routine. However, this quickly escalated into a sophisticated operation employing multiple techniques to evade defenses.
Intrusion Techniques and Evading Detection
According to a report from Huntress, shared with Cyber Security News, investigators identified the breach following suspicious activity detected by their Security Operations Center (SOC). This discovery led to the identification of a steganographic webshell hidden within an image file, marking the attack’s commencement.
The concealed webshell, named UA4fp7R.aspx, was traced back to an image directory. Despite remediation efforts, the attackers repeatedly returned, eventually escalating to full credential theft.
Credential Theft and Defensive Sabotage
This case is notable not only for the credential theft but also for the premeditated sabotage of security systems. The attackers executed a batch script, i.bat, to disable IIS HTTP logging and weaken Microsoft Defender, using PowerShell commands to remove various security monitoring capabilities.
Further, they used taskkill and Windows service controls to terminate Sysmon, Filebeat, and other security tools, effectively blinding the environment to their activities. By using Image File Execution Options, they froze critical security processes, ensuring their actions went undetected.
With defenses neutralized, the attackers focused on stealing credentials. They modified registry settings to store passwords in plaintext and used tools to extract sensitive data, writing it to files like pass.txt and hash.txt. The Mimikatz tool was employed to directly access memory-stored credentials.
Preventive Measures and Future Outlook
Fortunately, the intrusion was contained before any data exfiltration occurred, thanks to the timely detection by the SOC. However, this incident serves as a stark reminder of the importance of comprehensive security measures.
Organizations are urged to maintain robust security practices, such as keeping software updated, ensuring thorough logging, and protecting internet-facing servers with firewalls or VPNs. Effective incident response is also crucial to prevent attackers from regaining access to compromised systems.
As cyber threats continue to evolve, strengthening security operations centers and accelerating threat detection will be vital in defending against similar sophisticated attacks in the future.
