{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ransomware/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Trigona"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","AnyDesk","Mimikatz","PowerRun"],"_cs_severities":["high"],"_cs_tags":["trigona","ransomware","data exfiltration","custom tool"],"_cs_type":"threat","_cs_vendors":["Microsoft","Nirsoft","AnyDesk"],"content_html":"\u003cp\u003eTrigona ransomware, initially launched in October 2022, has been observed using a custom command-line tool named \u0026ldquo;uploader_client.exe\u0026rdquo; to exfiltrate data from compromised environments. This shift, observed in March 2026, suggests an effort to avoid detection by security solutions that commonly flag publicly available tools like Rclone and MegaSync. Symantec researchers believe this indicates a strategic investment in proprietary malware to maintain a lower profile during critical phases of attacks. The custom tool supports five simultaneous connections per file for faster data exfiltration via parallel uploads, rotates TCP connections after 2GB of traffic to evade monitoring, offers options for selective file type exfiltration, and utilizes an authentication key to restrict access to stolen data. 
Despite disruptions in October 2023, Trigona has resumed operations, incorporating additional techniques like installing the Huorong Network Security Suite tool HRSword and disabling security products.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eInstallation of the Huorong Network Security Suite tool HRSword as a kernel driver service.\u003c/li\u003e\n\u003cli\u003eDeployment of tools such as PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd to disable security-related products by leveraging vulnerable kernel drivers to terminate endpoint protection processes.\u003c/li\u003e\n\u003cli\u003eExecution of utilities with PowerRun to launch apps, executables, and scripts with elevated privileges, bypassing user-mode protections.\u003c/li\u003e\n\u003cli\u003eDeployment of AnyDesk for direct remote access to the breached systems.\u003c/li\u003e\n\u003cli\u003eExecution of Mimikatz and Nirsoft utilities for credential theft and password recovery operations.\u003c/li\u003e\n\u003cli\u003eUse of the custom \u0026ldquo;uploader_client.exe\u0026rdquo; to exfiltrate valuable documents such as invoices and PDFs from network drives via parallel uploads, rotating TCP connections to evade monitoring, and using an authentication key to restrict data access.\u003c/li\u003e\n\u003cli\u003eFinal stage involving the deployment of Trigona ransomware, demanding ransom payment in Monero cryptocurrency.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Trigona ransomware attacks result in significant data theft and encryption, disrupting business operations and causing financial losses. The group has demonstrated the capability to resume operations even after suffering disruptions, indicating a persistent threat. 
Observed data exfiltration has included high-value documents such as invoices and PDFs, demonstrating a targeted approach to data theft. Victims face potential regulatory penalties, reputational damage, and recovery costs associated with restoring systems and data. The number of victims and specific financial impact varies per campaign, but the potential for severe disruption and financial strain is consistent.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u0026ldquo;uploader_client.exe\u0026rdquo; with command-line arguments indicative of data exfiltration (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect connections to unusual or hardcoded server addresses used by the \u0026ldquo;uploader_client.exe\u0026rdquo; exfiltration tool (see IOC table).\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection rules to identify the installation of Huorong Network Security Suite (HRSword) as a kernel driver service and tools like PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd.\u003c/li\u003e\n\u003cli\u003eMonitor for processes launched via PowerRun, especially if followed by credential dumping or remote access tool execution.\u003c/li\u003e\n\u003cli\u003eReview AnyDesk usage for unusual connections or after-hours access, as this tool is used for remote access.\u003c/li\u003e\n\u003cli\u003eEnable robust logging for credential access attempts and password recovery activity associated with Mimikatz and Nirsoft tools.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T19:02:17Z","date_published":"2026-04-23T19:02:17Z","id":"/briefs/2026-05-trigona-custom-exfil/","summary":"Trigona ransomware is using a custom data exfiltration tool named 'uploader_client.exe' to steal data from compromised environments, enhancing speed and evasion.","title":"Trigona Ransomware Employing Custom 
Data Exfiltration Tool","url":"https://feed.craftedsignal.io/briefs/2026-05-trigona-custom-exfil/"},{"_cs_actors":["GOLD ENCOUNTER"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-26399"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["payouts-king","ransomware","qemu","vm","defense-evasion"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe Payouts King ransomware, associated with the GOLD ENCOUNTER threat group, is utilizing QEMU, an open-source CPU emulator, to run hidden Alpine Linux virtual machines (VMs) on compromised Windows systems, effectively bypassing endpoint security solutions. This technique allows attackers to execute malicious payloads, store sensitive data, and create covert remote access tunnels over SSH without being detected by host-based security tools. Observed since November 2025 (tracked as STAC4713), this campaign initially exploited exposed SonicWall VPNs and the SolarWinds Web Help Desk vulnerability (CVE-2025-26399). More recent attacks have leveraged exposed Cisco SSL VPNs and Microsoft Teams phishing campaigns to deliver payloads. The attackers are likely tied to former BlackBasta affiliates based on similar initial access methods. This tactic enables persistence, elevated privileges, and data exfiltration while evading detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Attackers gain initial access through exposed SonicWall VPNs, Cisco SSL VPNs, or by exploiting the SolarWinds Web Help Desk vulnerability (CVE-2025-26399). 
Alternatively, they use Microsoft Teams phishing, tricking employees into downloading and executing malicious files via QuickAssist.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Delivery:\u003c/strong\u003e In some instances, a legitimate ADNotificationManager.exe binary is used to sideload a Havoc C2 payload (vcruntime140_1.dll).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eQEMU Deployment:\u003c/strong\u003e A scheduled task named ‘TPMProfiler’ is created to launch a hidden QEMU VM as SYSTEM, utilizing virtual disk files disguised as databases and DLL files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVM Configuration:\u003c/strong\u003e The QEMU VM runs Alpine Linux (version 3.22.0), containing attacker tools such as AdaptixC2, Chisel, BusyBox, and Rclone.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReverse SSH Tunnel:\u003c/strong\u003e Port forwarding is set up to establish a reverse SSH tunnel, providing covert access to the infected host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e Attackers use VSS (vssuirun.exe) to create a shadow copy, then use the print command over SMB to copy NTDS.dit, SAM, and SYSTEM hives to temp directories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Rclone is leveraged to exfiltrate data to a remote SFTP location, or other exfiltration methods such as FTP are used.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEncryption and Extortion:\u003c/strong\u003e The Payouts King ransomware encrypts systems using AES-256 (CTR) together with RSA-4096, applying intermittent encryption to larger files. Ransom notes are dropped, directing victims to leak sites on the dark web.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Payouts King ransomware attacks can result in significant data loss, system downtime, and financial repercussions for victim organizations. 
The use of QEMU VMs provides an additional layer of stealth, making detection and remediation more challenging. Targeted sectors are not specified in this report, but the use of exposed VPNs and phishing suggests a broad targeting scope. The ransom demands and potential data leaks on the dark web further compound the damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unauthorized QEMU installations and suspicious scheduled tasks running with SYSTEM privileges, as these are key indicators of compromise (see Overview).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual SSH port forwarding and outbound SSH tunnels on non-standard ports, which could indicate a reverse SSH tunnel (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect ADNotificationManager Sideloading Havoc C2\u0026rdquo; to identify instances where ADNotificationManager.exe is used to sideload the Havoc C2 payload (vcruntime140_1.dll) (see Rules).\u003c/li\u003e\n\u003cli\u003eReview and patch CVE-2025-26399 in SolarWinds Web Help Desk and apply necessary security measures for exposed SonicWall and Cisco SSL VPNs to prevent initial access (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor for processes creating shadow copies (vssuirun.exe) followed by unusual file access patterns (NTDS.dit, SAM, SYSTEM hives) via SMB, indicative of credential theft (see Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-payouts-king-qemu/","summary":"The Payouts King ransomware is leveraging QEMU VMs as a reverse SSH backdoor to execute payloads, store malicious files, and establish covert remote access tunnels, bypassing endpoint security measures.","title":"Payouts King Ransomware Abusing QEMU VMs for Defense 
Evasion","url":"https://feed.craftedsignal.io/briefs/2026-04-payouts-king-qemu/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-1731"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["saas","phishing","ransomware","medusa"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief highlights two significant attack vectors observed by Cisco Talos. First, threat actors are exploiting legitimate SaaS notification pipelines (e.g., GitHub, Jira) to deliver phishing and spam, bypassing traditional email security measures by using a \u0026ldquo;Platform-as-a-Proxy\u0026rdquo; (PaaP) technique. This abuses the implicit trust placed in system-generated notifications from trusted enterprise tools, primarily targeting credential harvesting. Second, the Storm-1175 group is actively deploying Medusa ransomware, rapidly exploiting n-day vulnerabilities, including CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and older versions of BeyondTrust Privileged Remote Access. 
Defenders must adapt to these evolving tactics, as they bypass standard perimeter defenses and require more nuanced detection strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a legitimate SaaS account (e.g., GitHub, Jira) or creates a malicious project.\u003c/li\u003e\n\u003cli\u003eAttacker configures the SaaS platform to send notifications (e.g., project updates, issue assignments).\u003c/li\u003e\n\u003cli\u003eThe SaaS platform generates an email notification, appearing to originate from a trusted source.\u003c/li\u003e\n\u003cli\u003eThe email bypasses traditional email security checks (SPF, DKIM, DMARC) due to its legitimate source.\u003c/li\u003e\n\u003cli\u003eThe email contains a malicious link or attachment designed to harvest credentials or deliver malware.\u003c/li\u003e\n\u003cli\u003eThe user clicks the link, leading to a phishing page or malware download.\u003c/li\u003e\n\u003cli\u003eIf the user enters credentials, the attacker gains access to their account.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised account for further malicious activities or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of SaaS notification pipelines can lead to widespread credential compromise, potentially affecting numerous users within an organization. The \u0026ldquo;automation fatigue\u0026rdquo; associated with these notifications increases the likelihood of users falling victim to phishing attacks. Regarding Medusa ransomware, organizations face data encryption, system downtime, and potential financial losses from ransom demands, as Storm-1175 rapidly exploits vulnerabilities like CVE-2026-1731. 
The impact includes significant disruption to business operations and potential data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIngest SaaS API logs into your SIEM to detect anomalous activities, such as suspicious project creation or mass invitations (see Overview).\u003c/li\u003e\n\u003cli\u003eImplement instance-level verification and cross-reference notifications against internal SaaS directories to detect PaaP attacks (see Overview).\u003c/li\u003e\n\u003cli\u003eApply semantic intent analysis to identify notifications that deviate from a platform\u0026rsquo;s established functional baseline (see Overview).\u003c/li\u003e\n\u003cli\u003ePatch CVE-2026-1731 on all BeyondTrust Remote Support instances immediately to prevent Medusa ransomware deployment (see Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect Coinminer malware via SHA256 hash (see Rules).\u003c/li\u003e\n\u003cli\u003eMonitor network connections for VID001.exe to identify potential Coinminer infections (see IOCs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T18:00:20Z","date_published":"2026-04-09T18:00:20Z","id":"/briefs/2026-04-saas-phishing/","summary":"Threat actors are weaponizing legitimate SaaS notification pipelines to deliver phishing and spam emails, bypassing traditional email authentication protocols, and Storm-1175 is exploiting CVE-2026-1731 to deploy Medusa ransomware.","title":"SaaS Notification Pipeline Phishing and Medusa Ransomware Exploitation","url":"https://feed.craftedsignal.io/briefs/2026-04-saas-phishing/"},{"_cs_actors":["Qilin Ransomware"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["qilin","edr-killer","ransomware","defense-evasion","windows"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe Qilin ransomware group is actively deploying a sophisticated EDR killer as part of their 
attack chain. The initial stage involves a malicious \u0026ldquo;msimg32.dll\u0026rdquo; that is likely side-loaded by a legitimate application. This DLL version triggers its malicious logic from within its DllMain function, leading to immediate execution upon loading. The EDR killer employs advanced evasion techniques, including neutralizing user-mode hooks, suppressing Event Tracing for Windows (ETW) event generation, and utilizing structured exception handling (SEH) and vectored exception handling (VEH) to obfuscate control flow. Once active, the EDR killer component loads helper drivers to access physical memory and terminate EDR processes. This allows the malware to disable over 300 different EDR drivers across a wide range of vendors, hindering incident response and enabling further malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA legitimate application loads the malicious \u0026ldquo;msimg32.dll\u0026rdquo;, likely through DLL side-loading, triggering execution from within the DllMain function.\u003c/li\u003e\n\u003cli\u003eThe DLL allocates a heap buffer in process memory acting as a slot-policy table based on ntdll.dll\u0026rsquo;s OptionalHeader.SizeOfCode, dividing the code region into 16-byte slots.\u003c/li\u003e\n\u003cli\u003eThe malware iterates over the export table of \u0026ldquo;ntdll.dll\u0026rdquo; to resolve virtual addresses of syscall stubs, specifically targeting those starting with \u0026ldquo;Nt\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eBased on resolved addresses, the malware marks corresponding entries in the slot-policy table with default or special policies, specifically targeting NtTraceEvent, NtTraceControl, and NtAlpcSendWaitReceivePort.\u003c/li\u003e\n\u003cli\u003eThe malware dynamically resolves ntdll!LdrProtectMrdata and invokes it to change the protection of the .mrdata section to writable.\u003c/li\u003e\n\u003cli\u003eThe loader overwrites the 
dispatcher slot within the .mrdata section with its own custom exception handler to intercept and modify exception handling.\u003c/li\u003e\n\u003cli\u003eThe custom exception handler manages breakpoint exceptions (0xCC), potentially as an anti-emulation technique.\u003c/li\u003e\n\u003cli\u003eThe EDR killer component loads helper drivers, \u0026ldquo;rwdrv.sys\u0026rdquo; for physical memory access and \u0026ldquo;hlpdrv.sys\u0026rdquo; to terminate EDR processes, after unregistering monitoring callbacks to prevent interference.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of the Qilin EDR killer can disable over 300 different EDR drivers, severely impairing the ability of security teams to detect and respond to threats. This can lead to increased dwell time for ransomware and other malicious activities, resulting in significant data breaches, financial losses, and reputational damage. With telemetry collection disabled, defenders lose visibility into process, memory, and network activity, making it difficult to investigate and contain the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for DLLs loaded from non-standard locations, specifically \u0026ldquo;msimg32.dll,\u0026rdquo; using process creation logs to detect potential DLL side-loading attempts (rules in this brief).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rules provided in this brief to detect the modification of exception handler dispatchers, which is a key component of the EDR killer\u0026rsquo;s evasion techniques.\u003c/li\u003e\n\u003cli\u003eMonitor for the loading of unsigned or untrusted drivers like \u0026ldquo;rwdrv.sys\u0026rdquo; and \u0026ldquo;hlpdrv.sys\u0026rdquo; using driver load events, as these are used to gain system privileges and terminate EDR processes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging 
to capture detailed information about process execution, including command-line arguments and parent processes, to aid in the detection of malicious DLL loading.\u003c/li\u003e\n\u003cli\u003eAnalyze process memory for evidence of user-mode hooks being neutralized or ETW event generation being suppressed. This requires more advanced memory forensics capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T10:00:56Z","date_published":"2026-04-02T10:00:56Z","id":"/briefs/2026-04-qilin-edr-killer/","summary":"Qilin ransomware employs a malicious msimg32.dll in a multi-stage infection chain to disable endpoint detection and response (EDR) solutions by evading detection and terminating EDR processes.","title":"Qilin Ransomware EDR Killer Infection Chain","url":"https://feed.craftedsignal.io/briefs/2026-04-qilin-edr-killer/"},{"_cs_actors":["Scattered Spider","UNC3944","Octo Tempest","Roasted 0ktapus","Muddled Libra","Star Fraud","UNC6201","Salt Typhoon","GhostEmperor","FamousSparrow","UNC5807"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["threat-report","ransomware","phishing","saas"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe Mandiant M-Trends 2026 report analyzes over 500,000 hours of incident investigations, revealing significant shifts in the cyber threat landscape. Cybercriminal groups are optimizing for immediate impact and recovery denial, while cyber espionage groups and insider threats prioritize extreme persistence, leveraging unmonitored edge devices and native network functionalities to evade detection. Voice phishing has surged, replacing email as a primary initial access vector, particularly targeting SaaS environments. The time between initial access and the hand-off to secondary actors deploying ransomware has collapsed dramatically. Targeted industries include the high-tech sector (17%) and the financial sector (14.6%). 
Ransomware groups are now actively targeting backup infrastructure, identity services, and virtualization management planes to ensure recovery is impossible without paying a ransom. Espionage groups are exploiting zero-day vulnerabilities in edge devices for long-term persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Attackers use voice phishing (vishing) to target IT help desks, bypassing MFA and gaining initial access to SaaS environments. Malicious advertisements or the ClickFix social engineering technique are also used to gain a foothold.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Exploitation of misconfigured Active Directory Certificate Services templates to create admin accounts that bypass password rotation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e Harvesting long-lived OAuth tokens and session cookies to bypass standard defenses. Stealing hard-coded keys and personal access tokens from compromised third-party SaaS vendors. Leveraging native packet-capturing functionality on network appliances to intercept sensitive data and plaintext credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using stolen credentials and tokens to pivot into downstream customer environments. Exploiting the \u0026ldquo;Tier-0\u0026rdquo; nature of hypervisors to bypass guest-level defenses.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e Deploying custom, in-memory malware like BRICKSTORM directly onto network appliances to establish deep persistence that survives standard remediation efforts. 
Targeting edge and core network devices lacking EDR telemetry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e Encrypting hypervisor datastores to render all associated virtual machines inoperable simultaneously. Deleting backup objects from cloud storage.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e Large-scale data theft from SaaS environments.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eM-Trends 2026 highlights that ransomware groups are actively destroying the ability to recover data, impacting organizations across more than 16 industry verticals. The high-tech and financial sectors are particularly targeted. The collapse of the hand-off window from hours to seconds means organizations have less time to respond to initial intrusions before ransomware is deployed. The increasing dwell time of threats like BRICKSTORM, reaching nearly 400 days, leaves organizations blind to the full scope of the intrusion due to standard log retention policies.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule for detecting PowerShell commands from uncommon locations to identify potential malicious activity related to post-compromise actions (reference: Sigma rule \u0026ldquo;Detect PowerShell from Uncommon Location\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring on edge devices and VPNs to detect unauthorized packet capturing and credential interception attempts (reference: overview section about edge devices).\u003c/li\u003e\n\u003cli\u003eReview and harden Active Directory Certificate Services configurations to prevent the exploitation of misconfigured templates (reference: attack chain step 2).\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to cloud storage backup objects, especially deletion attempts, to detect ransomware groups attempting to 
destroy recovery capabilities (reference: attack chain step 6).\u003c/li\u003e\n\u003cli\u003eIncrease log retention policies beyond 90 days to improve visibility into long-term persistent threats like BRICKSTORM (reference: Overview section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T10:45:30Z","date_published":"2026-03-25T10:45:30Z","id":"/briefs/2026-06-mtrends-2026/","summary":"The M-Trends 2026 report highlights the increasing sophistication of threat actors, including voice phishing attacks targeting SaaS environments, ransomware groups actively destroying recovery capabilities, and espionage groups exploiting edge devices for persistent access, revealing a shift towards faster hand-offs between initial access brokers and ransomware deployers.","title":"M-Trends 2026: Evolving Threat Landscape","url":"https://feed.craftedsignal.io/briefs/2026-06-mtrends-2026/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ransomware","firewall","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Interlock ransomware campaign specifically targets enterprise firewalls. The campaign\u0026rsquo;s objective is to encrypt sensitive data residing on or accessible through these firewalls, rendering systems inoperable and creating significant business disruption. While specific details about the initial discovery and scope of the campaign remain limited, its focus on firewalls suggests a targeted approach aimed at organizations heavily reliant on these devices for network security and perimeter defense. 
The lack of specific details about delivery mechanisms and exploited vulnerabilities underscores the need for proactive threat hunting and vulnerability management to detect and mitigate potential Interlock ransomware infections.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the targeted network, potentially through exploiting vulnerabilities in the firewall\u0026rsquo;s management interface or VPN services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFirewall Compromise:\u003c/strong\u003e The attacker exploits the initial access to compromise the firewall device. This may involve exploiting known vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised firewall as a pivot point to move laterally within the internal network. Tools like \u003ccode\u003essh\u003c/code\u003e or \u003ccode\u003ePsExec\u003c/code\u003e may be used.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker performs reconnaissance to identify valuable data stores accessible through the firewall. This may involve scanning network shares or querying databases.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to escalate privileges to gain administrative access to critical systems. 
This could involve exploiting vulnerabilities or using credential harvesting techniques.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Encryption:\u003c/strong\u003e The attacker deploys the Interlock ransomware payload to encrypt sensitive data on systems accessible via the firewall.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRansom Demand:\u003c/strong\u003e After encryption, the attacker delivers a ransom note demanding payment for decryption keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration (Possible):\u003c/strong\u003e Depending on the attacker\u0026rsquo;s goals, data exfiltration may occur prior to encryption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Interlock ransomware attack can lead to significant data loss, business disruption, and financial damage. Organizations can suffer reputational damage and legal repercussions due to data breaches. The targeted nature of the attack suggests a focus on organizations where firewall compromise would have a widespread impact, potentially affecting hundreds or thousands of users or customers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable enhanced logging on all enterprise firewalls to capture detailed activity, including login attempts, configuration changes, and network traffic. 
This enhances the effectiveness of the detection rules below.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all firewall administrative access to mitigate the risk of credential theft.\u003c/li\u003e\n\u003cli\u003eRegularly patch and update firewall firmware to address known vulnerabilities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T05:33:30Z","date_published":"2026-03-19T05:33:30Z","id":"/briefs/2024-01-interlock-firewall-ransomware/","summary":"The Interlock ransomware campaign is targeting enterprise firewalls to encrypt sensitive data and demand ransom payment.","title":"Interlock Ransomware Campaign Targeting Enterprise Firewalls","url":"https://feed.craftedsignal.io/briefs/2024-01-interlock-firewall-ransomware/"},{"_cs_actors":["Warlock"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["webshell","ransomware","tunneling"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief describes a Warlock attack, as detailed in a Trend Micro analysis, involving the use of web shells, tunneling, and ransomware deployment. The Warlock group compromises systems by leveraging web shells for initial access and establishing tunnels for persistent access and command and control. This access is then used to deploy ransomware, encrypting critical data and demanding ransom payments from victims. The specific ransomware family and web shell variants employed are not detailed in the provided context, but the overall attack flow is consistent with financially motivated cybercrime operations. 
Defenders should prioritize detection of web shell activity, unauthorized tunneling, and ransomware execution to mitigate the risk of compromise by the Warlock group.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to the target system by exploiting vulnerabilities to deploy a web shell (details of the vulnerability are not provided).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWeb Shell Execution:\u003c/strong\u003e The attacker executes commands through the web shell to perform reconnaissance and identify valuable targets within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTunnel Establishment:\u003c/strong\u003e A tunnel is established to maintain persistent access and bypass security controls (specific tunneling technology not provided).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker leverages the established tunnel to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to harvest credentials to gain elevated privileges and access to critical resources (specific tools/techniques not provided).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRansomware Deployment:\u003c/strong\u003e The attacker deploys ransomware across the network, encrypting files and rendering systems unusable.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRansom Demand:\u003c/strong\u003e A ransom note is left on the compromised systems, demanding payment for decryption keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Possible):\u003c/strong\u003e Prior to encryption, the attacker may exfiltrate sensitive data to further pressure victims into paying the ransom (not explicitly stated, but a common 
practice).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Warlock attack results in significant disruption to victim organizations through ransomware deployment. Systems are rendered unusable due to encryption, potentially leading to operational downtime and financial losses. If data exfiltration occurs, the confidentiality of sensitive information is also compromised, increasing the potential for reputational damage and legal liabilities. The lack of specific victim counts and sector targeting data in the provided context limits a comprehensive impact assessment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy a web shell detection rule (see below) to identify suspicious web shell activity on web servers based on process creation.\u003c/li\u003e\n\u003cli\u003eImplement a network monitoring rule (see below) to detect unusual tunneling activity based on network connections from web servers.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring to detect unauthorized modifications to web server files that could indicate web shell installation (reference file_event log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T05:26:28Z","date_published":"2026-03-19T05:26:28Z","id":"/briefs/2024-05-warlock-webshell-ransomware/","summary":"The Warlock group utilizes web shells and tunneling to deploy ransomware within compromised environments, impacting victim data confidentiality and availability.","title":"Warlock Group Deploys Web Shells, Tunnels, and Ransomware","url":"https://feed.craftedsignal.io/briefs/2024-05-warlock-webshell-ransomware/"},{"_cs_actors":["LockBit","BITWISE SPIDER","HelloKitty"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["activemq","rce","cve-2023-46604","ransomware"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2023-46604 
is a critical remote code execution (RCE) vulnerability affecting Apache ActiveMQ message brokers. This vulnerability allows a remote attacker with network access to the ActiveMQ broker to execute arbitrary shell commands by manipulating serialized class types within the OpenWire protocol. The vulnerability affects Apache ActiveMQ versions 5.16.0 before 5.16.7, 5.17.0 before 5.17.6, 5.18.0 before 5.18.3, and before 5.15.16, as well as corresponding versions of the Legacy OpenWire…\u003c/p\u003e\n","date_modified":"2026-02-25T09:22:01Z","date_published":"2026-02-25T09:22:01Z","id":"/briefs/2026-02-activemq-rce/","summary":"CVE-2023-46604 is a remote code execution vulnerability affecting Apache ActiveMQ that is actively exploited in the wild by ransomware operators, allowing remote attackers to execute arbitrary shell commands.","title":"Active Exploitation of Apache ActiveMQ RCE Vulnerability (CVE-2023-46604)","url":"https://feed.craftedsignal.io/briefs/2026-02-activemq-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Veeam Backup"],"_cs_severities":["medium"],"_cs_tags":["veeam","credential-access","mssql","windows","ransomware"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Veeam"],"content_html":"\u003cp\u003eAttackers are increasingly targeting backup infrastructure to maximize the impact of ransomware and data exfiltration attacks. Veeam, a popular backup and disaster recovery solution, stores credentials for backup operations in MSSQL databases. An attacker who gains access to these databases may attempt to use tools like \u003ccode\u003esqlcmd.exe\u003c/code\u003e or PowerShell commands (e.g., \u003ccode\u003eInvoke-Sqlcmd\u003c/code\u003e) to extract and decrypt these credentials. This tactic allows the attacker to compromise the backups themselves, preventing recovery and increasing pressure on the victim. 
This activity has been observed in real-world incidents, such as those involving the Diavol ransomware. Defenders should monitor for suspicious command-line activity targeting Veeam credentials within MSSQL environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the target environment is gained through methods such as phishing or exploiting a vulnerability in a public-facing application.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify the location of the Veeam MSSQL database server.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains valid credentials or exploits a vulnerability to gain access to the Veeam MSSQL database server.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003esqlcmd.exe\u003c/code\u003e or uses PowerShell commands (e.g., \u003ccode\u003eInvoke-Sqlcmd\u003c/code\u003e) to query the \u003ccode\u003e[VeeamBackup].[dbo].[Credentials]\u003c/code\u003e table.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the encrypted Veeam credentials from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker decrypts the Veeam credentials using custom scripts or tools, potentially leveraging the Veeam backup server itself.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised Veeam credentials to access and delete or encrypt backup data.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware on the remaining systems, knowing that recovery from backups is now impossible.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful compromise of Veeam credentials can have devastating consequences. Attackers can encrypt or delete backup data, making recovery impossible and significantly increasing the impact of ransomware attacks. This can lead to prolonged downtime, data loss, financial losses, and reputational damage. 
Organizations relying on Veeam for backup and recovery should prioritize monitoring and securing their Veeam infrastructure to prevent credential access and backup compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command-line activity, specifically \u003ccode\u003esqlcmd.exe\u003c/code\u003e and PowerShell.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Veeam Credential Access Command\u0026rdquo; to detect suspicious command executions targeting Veeam credentials in MSSQL databases.\u003c/li\u003e\n\u003cli\u003eReview and restrict access controls to the Veeam MSSQL database, ensuring only authorized personnel and services have access.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual login activity and failed login attempts to the Veeam MSSQL database server.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all accounts with access to Veeam infrastructure.\u003c/li\u003e\n\u003cli\u003eRegularly audit Veeam backup configurations and logs to identify any unauthorized modifications or access attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-veeam-credential-access/","summary":"Attackers can leverage sqlcmd.exe or PowerShell commands like Invoke-Sqlcmd to access Veeam credentials stored in MSSQL databases, potentially targeting backups for destructive operations such as ransomware attacks.","title":"Potential Veeam Credential Access via SQL 
Commands","url":"https://feed.craftedsignal.io/briefs/2024-07-veeam-credential-access/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2024-27199"}],"_cs_exploited":true,"_cs_products":["TeamCity"],"_cs_severities":["critical"],"_cs_tags":["cve-2024-27199","path-traversal","ransomware","jetbrains"],"_cs_type":"threat","_cs_vendors":["JetBrains"],"content_html":"\u003cp\u003eCVE-2024-27199 is a relative path traversal vulnerability affecting JetBrains TeamCity, a continuous integration and deployment server. This vulnerability allows attackers to perform limited administrative actions by manipulating file paths. JetBrains released a patch for this vulnerability in version 2023.11.4. CISA has added CVE-2024-27199 to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild, including its use in ransomware attacks. The vulnerability poses a significant risk to organizations using TeamCity, potentially leading to unauthorized access, data breaches, and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable TeamCity server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing a relative path traversal sequence (e.g., \u003ccode\u003e../../\u003c/code\u003e) within a URL parameter related to administrative functions.\u003c/li\u003e\n\u003cli\u003eThe TeamCity server processes the crafted request without proper sanitization of the file path.\u003c/li\u003e\n\u003cli\u003eThe relative path traversal allows the attacker to access or modify restricted files or directories outside the intended scope.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the ability to perform limited admin actions, potentially modifying user permissions or injecting malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges, gaining full control over the TeamCity 
server.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware to connected systems, encrypting data and demanding a ransom for its release.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-27199 can lead to complete compromise of the TeamCity server and connected build agents. Due to TeamCity\u0026rsquo;s central role in software development and deployment pipelines, this can lead to significant disruption, data loss, and potential supply chain attacks. The vulnerability has been linked to ransomware attacks, causing financial losses, reputational damage, and operational downtime for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch by upgrading to TeamCity version 2023.11.4 or later to remediate CVE-2024-27199 (\u003ca href=\"https://www.jetbrains.com/privacy-security/issues-fixed/\"\u003ehttps://www.jetbrains.com/privacy-security/issues-fixed/\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect exploitation attempts against TeamCity servers.\u003c/li\u003e\n\u003cli\u003eFollow CISA\u0026rsquo;s BOD 22-01 guidance for cloud services to ensure proper security configurations and monitoring are in place.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-teamcity-path-traversal/","summary":"A relative path traversal vulnerability in JetBrains TeamCity (CVE-2024-27199) could allow limited administrative actions and has been linked to ransomware attacks.","title":"JetBrains TeamCity Relative Path Traversal Vulnerability (CVE-2024-27199)","url":"https://feed.craftedsignal.io/briefs/2024-04-teamcity-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Defend"],"_cs_severities":["medium"],"_cs_tags":["ransomware","impact","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies potential ransomware activity through the rapid creation of ransom notes via SMB shares. The rule focuses on file creation events originating from the SYSTEM account (PID 4), targeting common ransom note file extensions like .txt, .html, .pdf, and image files. This activity suggests an attacker has achieved lateral movement and is deploying ransom notes across multiple systems. The rule aggregates events within a 60-second window to reduce false positives and focus on high-frequency creation patterns indicative of automated ransomware deployment. Successful detection can help defenders quickly identify and contain ransomware outbreaks before widespread encryption occurs. The original Elastic detection rule was published on 2024-05-03 and updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network using valid accounts or exploits. (T1021.002 - SMB/Windows Admin Shares)\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool to remotely create files over SMB. 
(T1021.002 - SMB/Windows Admin Shares)\u003c/li\u003e\n\u003cli\u003eThe SYSTEM account (PID 4) on a compromised host is used to create multiple files with the same name but different paths (C:*) over SMB.\u003c/li\u003e\n\u003cli\u003eThe created files have file extensions commonly associated with ransom notes: .txt, .htm, .html, .hta, .pdf, .jpg, .bmp, .png.\u003c/li\u003e\n\u003cli\u003eThe files are dropped into at least 3 unique paths within a short time frame (60 seconds).\u003c/li\u003e\n\u003cli\u003eThe attacker encrypts data and leaves the ransom notes to instruct victims on how to pay the ransom. (T1486 - Data Encrypted for Impact)\u003c/li\u003e\n\u003cli\u003eThe organization experiences data loss, financial damage, and reputational harm.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful ransomware attacks can lead to significant data loss, financial costs associated with ransom payments, recovery efforts, and reputational damage. Organizations may experience business disruption, regulatory fines, and legal liabilities. The Akira ransomware group, referenced in the original rule\u0026rsquo;s documentation, has been known to target various sectors, demanding substantial ransoms from victims. 
The widespread distribution of ransom notes indicates an advanced stage of the ransomware attack, necessitating immediate containment to prevent further data encryption and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Ransomware Note File Dropped via SMB\u003c/code\u003e to your SIEM to detect suspicious file creation activity indicative of ransomware deployment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend for enhanced endpoint detection and response capabilities, as recommended in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eMonitor incoming network connections to port 445 (SMB) on critical assets, as suggested in the rule\u0026rsquo;s triage analysis.\u003c/li\u003e\n\u003cli\u003eInvestigate file names with unusual extensions to identify potential ransom notes, as mentioned in the triage analysis.\u003c/li\u003e\n\u003cli\u003eIsolate any hosts identified as creating multiple note files over SMB to prevent further lateral movement and data encryption, as described in the rule\u0026rsquo;s response and remediation steps.\u003c/li\u003e\n\u003cli\u003eReview and enforce network segmentation policies to limit lateral movement and reduce the impact of potential ransomware attacks (TA0008).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-22-potential-ransomware-smb/","summary":"This rule detects potential ransomware behavior by identifying the creation of multiple files with the same name over SMB by the SYSTEM account, potentially indicating remote execution of ransomware dropping note files.","title":"Potential Ransomware Behavior - Note Files Dropped via 
SMB","url":"https://feed.craftedsignal.io/briefs/2024-01-22-potential-ransomware-smb/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["discovery","powershell","share-enumeration","lateral-movement","ransomware"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts utilizing ShareFinder functions (Invoke-ShareFinder/Invoke-ShareFinderThreaded) or native Windows API calls for share enumeration. These techniques are commonly used by attackers to map accessible network shares within an environment. This reconnaissance is often a precursor to data collection, lateral movement, or the deployment of ransomware. The activity is detected via script block logging; the rule focuses on identifying specific function calls and API usage within the PowerShell script content. Defenders should be aware of this activity, particularly when performed by unexpected users or on unusual systems, as it may indicate malicious reconnaissance within the network. 
The references indicate that this activity can lead to corporate insurance policy exfiltration or Conti ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or through a fileless execution method.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script utilizes ShareFinder functions (Invoke-ShareFinder, Invoke-ShareFinderThreaded) or Windows share enumeration APIs (NetShareEnum, NetApiBufferFree) to discover network shares.\u003c/li\u003e\n\u003cli\u003eThe script identifies accessible network shares by leveraging API calls and parsing the results for share names (shi1_netname) and remarks (shi1_remark).\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the identified shares to determine those that are accessible and contain valuable data.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to access these shares using compromised credentials or exploiting existing vulnerabilities.\u003c/li\u003e\n\u003cli\u003eOnce access is gained, the attacker may collect sensitive data from the shares, move laterally to other systems, or deploy ransomware.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is data exfiltration, system compromise, or financial gain through ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this reconnaissance technique can lead to significant data breaches, lateral movement within the network, and potential ransomware deployment. Organizations that fail to detect and prevent share enumeration may suffer financial losses, reputational damage, and operational disruption. 
The referenced \u0026ldquo;Stolen Images\u0026rdquo; campaign led to Conti ransomware deployment, and the \u0026ldquo;Hunting for corporate insurance policies\u0026rdquo; post highlights data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging to capture the necessary events for detection (as referenced in the rule setup).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Share Enumeration Script via Invoke-ShareFinder\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Share Enumeration via NetShareEnum API\u0026rdquo; to detect share enumeration using native Windows APIs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the PowerShell launch context and the scope of the share discovery (see triage steps in the original rule).\u003c/li\u003e\n\u003cli\u003eReview and restrict PowerShell execution policies to prevent unauthorized script execution, especially from user-writable locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-09-powershell-share-enumeration/","summary":"Detection of PowerShell scripts employing ShareFinder functions or Windows share enumeration APIs to discover accessible network shares for reconnaissance, lateral movement, or ransomware deployment.","title":"PowerShell Share Enumeration via ShareFinder or Native APIs","url":"https://feed.craftedsignal.io/briefs/2024-01-09-powershell-share-enumeration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","ransomware","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eAttackers, 
particularly ransomware groups, often disable or manipulate event logs to cover their tracks and hinder forensic investigations. This activity typically occurs post-compromise as part of an attacker\u0026rsquo;s defense evasion strategy. The use of \u003ccode\u003ewevtutil.exe\u003c/code\u003e, a legitimate Windows command-line utility, makes this technique challenging to detect without specific monitoring. Ransomware actors disable logging to operate undetected, making it difficult for security teams to trace malicious activities and respond effectively. This can prolong the dwell time of the attacker within the environment and increase the potential for widespread damage, data exfiltration, or system encryption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through typical methods like phishing or exploiting public-facing vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the compromised system, achieving an initial foothold.\u003c/li\u003e\n\u003cli\u003ePrivilege escalation techniques are employed to gain elevated permissions (e.g., using exploits, token manipulation).\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ewevtutil.exe\u003c/code\u003e with specific commands to disable or clear event logs. 
Example commands include \u003ccode\u003ewevtutil.exe sl \u0026lt;logname\u0026gt; false\u003c/code\u003e or \u003ccode\u003ewevtutil.exe set-log \u0026lt;logname\u0026gt; /enabled:false\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker disables specific event channels to remove evidence of their activity.\u003c/li\u003e\n\u003cli\u003ePersistence mechanisms are established to maintain access across reboots (e.g., creating scheduled tasks, modifying registry keys).\u003c/li\u003e\n\u003cli\u003eLateral movement is initiated to compromise additional systems within the network using tools like PsExec or SMB shares.\u003c/li\u003e\n\u003cli\u003eThe final objective, such as ransomware deployment or data exfiltration, is executed, with logging disabled to minimize the chances of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of event logs allows attackers to operate undetected, hindering forensic investigations and incident response efforts. This can lead to delayed detection of breaches, prolonged dwell time for attackers, and increased damage to affected organizations. 
Ransomware groups frequently use this technique to maximize the impact of their attacks, resulting in data encryption, exfiltration, and significant financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to detect the execution of \u003ccode\u003ewevtutil.exe\u003c/code\u003e with suspicious parameters.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect specific command-line arguments used to disable event logs.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Event Log Security (4688) for process creation events of \u003ccode\u003ewevtutil.exe\u003c/code\u003e with arguments related to disabling or clearing logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003ewevtutil.exe\u003c/code\u003e is executed with parameters like \u003ccode\u003esl\u003c/code\u003e or \u003ccode\u003eset-log\u003c/code\u003e and \u003ccode\u003e/e:false\u003c/code\u003e or \u003ccode\u003e/enabled:false\u003c/code\u003e in the command line, as highlighted in the provided Sigma rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T16:30:00Z","date_published":"2024-01-04T16:30:00Z","id":"/briefs/2024-01-disable-logs-wevtutil/","summary":"The execution of `wevtutil.exe` with parameters to disable event logs is a tactic commonly employed by ransomware to evade detection and hinder forensic investigations, leading to a significant reduction in visibility for defenders.","title":"Detection of Wevtutil.exe Used to Disable Event Logs","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-logs-wevtutil/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Backup Exec","Veeam","Microsoft Power BI Enterprise Gateway","Trend Micro"],"_cs_severities":["medium"],"_cs_tags":["impact","backup 
deletion","ransomware"],"_cs_type":"advisory","_cs_vendors":["Elastic","Veritas","Veeam","Trend Micro","Microsoft"],"content_html":"\u003cp\u003eThis rule identifies the deletion of backup files, specifically those created by Veeam and Veritas Backup Exec, through unexpected processes on Windows systems. The rule aims to detect potential attempts to inhibit system recovery by adversaries, particularly in the context of ransomware attacks. Attackers often target backup files to eliminate recovery options for victims. This detection focuses on identifying file deletion events where the process responsible for the deletion does not belong to the trusted backup software suite. The rule excludes known legitimate processes and directories like Trend Micro\u0026rsquo;s, Microsoft Exchange Mailbox Assistants, and the Recycle Bin to minimize false positives. The original Elastic detection rule was created in October 2021 and last updated May 4, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to the target Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify backup file locations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a non-backup related process (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) to delete backup files.\u003c/li\u003e\n\u003cli\u003eThe attacker targets Veeam backup files with extensions \u003ccode\u003eVBK\u003c/code\u003e, \u003ccode\u003eVIB\u003c/code\u003e, and \u003ccode\u003eVBM\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker targets Veritas Backup Exec files with the \u003ccode\u003eBKF\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe deletion events are logged by the endpoint detection system.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers, identifying the anomalous deletion activity based on file extension and process 
context.\u003c/li\u003e\n\u003cli\u003eSuccessful deletion of backups impairs the victim\u0026rsquo;s ability to recover from ransomware or other destructive attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of backup files can severely impact an organization\u0026rsquo;s ability to recover from a ransomware attack or other data loss events. Without viable backups, the victim organization may be forced to pay a ransom or face significant data loss and business disruption. This tactic directly increases the attacker\u0026rsquo;s leverage and potential financial gain. The rule\u0026rsquo;s documentation cites a report from AdvIntel detailing backup removal solutions seen with Conti ransomware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnexpected Veeam Backup File Deletion\u003c/code\u003e to your SIEM and tune for your environment to detect unexpected deletion of Veeam backup files.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnexpected Veritas Backup File Deletion\u003c/code\u003e to your SIEM and tune for your environment to detect unexpected deletion of Veritas Backup Exec files.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the source of the deletion and assess potential impact.\u003c/li\u003e\n\u003cli\u003eEnable endpoint file event logging to capture file deletion events, which are crucial for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eReview process execution chains (parent process tree) for unknown processes to identify the root cause of unexpected file deletions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:12:00Z","date_published":"2024-01-03T18:12:00Z","id":"/briefs/2024-01-03-backup-deletion/","summary":"This detection identifies the deletion of backup files by processes outside of 
the backup suite, specifically targeting Veritas and Veeam backups, which may indicate an attempt to prevent recovery from ransomware.","title":"Third-party Backup Files Deleted via Unexpected Process","url":"https://feed.craftedsignal.io/briefs/2024-01-03-backup-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2023-27351"}],"_cs_exploited":true,"_cs_products":["NG/MF"],"_cs_severities":["critical"],"_cs_tags":["papercut","authentication-bypass","ransomware","cve-2023-27351"],"_cs_type":"threat","_cs_vendors":["PaperCut"],"content_html":"\u003cp\u003eCVE-2023-27351 is a critical improper authentication vulnerability affecting PaperCut NG/MF. The vulnerability exists within the SecurityRequestFilter class, enabling remote attackers to bypass authentication mechanisms. This bypass can lead to unauthorized access to sensitive functionalities within the PaperCut NG/MF application. Publicly available reports indicate that this vulnerability is being actively exploited, including instances of ransomware deployment following successful exploitation. 
Due to the ease of exploitation and the potentially severe consequences, organizations using affected versions of PaperCut NG/MF are urged to apply mitigations immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable PaperCut NG/MF instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the SecurityRequestFilter class.\u003c/li\u003e\n\u003cli\u003eThe crafted request exploits the improper authentication vulnerability (CVE-2023-27351), bypassing normal authentication checks.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication bypass, the attacker gains unauthorized access to the PaperCut NG/MF application with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained access to upload malicious scripts or binaries to the PaperCut server.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the uploaded payload, initiating the ransomware encryption process or other malicious activities.\u003c/li\u003e\n\u003cli\u003eRansomware encrypts sensitive data on the PaperCut server and potentially spreads to other connected systems.\u003c/li\u003e\n\u003cli\u003eThe attacker demands a ransom payment for the decryption key.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-27351 allows attackers to bypass authentication, gain unauthorized access, and potentially deploy ransomware. This can result in significant data loss, disruption of print services, and financial losses due to ransom demands and recovery efforts. 
The vulnerability is known to be actively exploited, increasing the risk to organizations using affected PaperCut NG/MF installations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply mitigations provided by PaperCut, referencing their knowledge base articles PO-1216 and PO-1219.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts against the SecurityRequestFilter class.\u003c/li\u003e\n\u003cli\u003eFollow applicable BOD 22-01 guidance for cloud services if the PaperCut instance is cloud-hosted.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-papercut-auth-bypass/","summary":"CVE-2023-27351 is an improper authentication vulnerability in PaperCut NG/MF that allows remote attackers to bypass authentication via the SecurityRequestFilter class, leading to potential ransomware deployment.","title":"PaperCut NG/MF Improper Authentication Vulnerability (CVE-2023-27351)","url":"https://feed.craftedsignal.io/briefs/2024-01-03-papercut-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Ransomware","version":"https://jsonfeed.org/version/1.1"}