Ransomware — CraftedSignal Threat Feed

Trigona Ransomware Employing Custom Data Exfiltration Tool

hello@craftedsignal.io — Thu, 23 Apr 2026 19:02:17 +0000

Trigona ransomware, initially launched in October 2022, has been observed using a custom command-line tool named “uploader_client.exe” to exfiltrate data from compromised environments. This shift, observed in March 2026, suggests an effort to avoid detection by security solutions that commonly flag publicly available tools like Rclone and MegaSync. Symantec researchers believe this indicates a strategic investment in proprietary malware to maintain a lower profile during critical phases of attacks. The custom tool supports five simultaneous connections per file for faster data exfiltration via parallel uploads, rotates TCP connections after 2GB of traffic to evade monitoring, offers options for selective file type exfiltration, and utilizes an authentication key to restrict access to stolen data. Despite disruptions in October 2023, Trigona has resumed operations, incorporating additional techniques like installing the Huorong Network Security Suite tool HRSword and disabling security products.

Attack Chain

Initial compromise of the target system through unspecified means.
Installation of the Huorong Network Security Suite tool HRSword as a kernel driver service.
Deployment of tools such as PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd to disable security-related products by leveraging vulnerable kernel drivers to terminate endpoint protection processes.
Execution of utilities with PowerRun to launch apps, executables, and scripts with elevated privileges, bypassing user-mode protections.
Deployment of AnyDesk for direct remote access to the breached systems.
Execution of Mimikatz and Nirsoft utilities for credential theft and password recovery operations.
Use of the custom “uploader_client.exe” to exfiltrate valuable documents such as invoices and PDFs from network drives via parallel uploads, rotating TCP connections to evade monitoring, and using an authentication key to restrict data access.
Final stage involving the deployment of Trigona ransomware, demanding ransom payment in Monero cryptocurrency.

Impact

Successful Trigona ransomware attacks result in significant data theft and encryption, disrupting business operations and causing financial losses. The group has demonstrated the capability to resume operations even after suffering disruptions, indicating a persistent threat. Observed data exfiltration has included high-value documents such as invoices and PDFs, demonstrating a targeted approach to data theft. Victims face potential regulatory penalties, reputational damage, and recovery costs associated with restoring systems and data. The number of victims and specific financial impact varies per campaign, but the potential for severe disruption and financial strain is consistent.

Recommendation

Monitor process creation events for the execution of “uploader_client.exe” with command-line arguments indicative of data exfiltration (see Sigma rule below).
Implement network monitoring to detect connections to unusual or hardcoded server addresses used by the “uploader_client.exe” exfiltration tool (see IOC table).
Deploy endpoint detection rules to identify the installation of Huorong Network Security Suite (HRSword) as a kernel driver service and tools like PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd.
Monitor for processes launched via PowerRun, especially if followed by credential dumping or remote access tool execution.
Review AnyDesk usage for unusual connections or after-hours access, as this tool is used for remote access.
Enable robust logging for credential access attempts and password recovery activity associated with Mimikatz and Nirsoft tools.

Payouts King Ransomware Abusing QEMU VMs for Defense Evasion

hello@craftedsignal.io — Sat, 18 Apr 2026 12:00:00 +0000

The Payouts King ransomware, associated with the GOLD ENCOUNTER threat group, is utilizing QEMU, an open-source CPU emulator, to run hidden Alpine Linux virtual machines (VMs) on compromised Windows systems, effectively bypassing endpoint security solutions. This technique allows attackers to execute malicious payloads, store sensitive data, and create covert remote access tunnels over SSH without being detected by host-based security tools. Observed since November 2025 (tracked as STAC4713), this campaign initially exploited exposed SonicWall VPNs and the SolarWinds Web Help Desk vulnerability (CVE-2025-26399). More recent attacks have leveraged exposed Cisco SSL VPNs and Microsoft Teams phishing campaigns to deliver payloads. The attackers are likely tied to former BlackBasta affiliates based on similar initial access methods. This tactic enables persistence, elevated privileges, and data exfiltration while evading detection.

Attack Chain

Initial Access: Attackers gain initial access through exposed SonicWall VPNs, Cisco SSL VPNs, or by exploiting the SolarWinds Web Help Desk vulnerability (CVE-2025-26399). Alternatively, they use Microsoft Teams phishing, tricking employees into downloading and executing malicious files via QuickAssist.
Payload Delivery: In some instances, a legitimate ADNotificationManager.exe binary is used to sideload a Havoc C2 payload (vcruntime140_1.dll).
QEMU Deployment: A scheduled task named ‘TPMProfiler’ is created to launch a hidden QEMU VM as SYSTEM, utilizing virtual disk files disguised as databases and DLL files.
VM Configuration: The QEMU VM runs Alpine Linux (version 3.22.0), containing attacker tools such as AdaptixC2, Chisel, BusyBox, and Rclone.
Reverse SSH Tunnel: Port forwarding is set up to establish a reverse SSH tunnel, providing covert access to the infected host.
Credential Access: Attackers use VSS (vssuirun.exe) to create a shadow copy, then use the print command over SMB to copy NTDS.dit, SAM, and SYSTEM hives to temp directories.
Data Exfiltration: Rclone is leveraged to exfiltrate data to a remote SFTP location or other exfiltration methods, such as FTP, are used.
Encryption and Extortion: The Payouts King ransomware encrypts systems using AES-256 (CTR) with RSA-4096 with intermittent encryption for larger files. Ransom notes are dropped, directing victims to leak sites on the dark web.

Impact

Successful Payouts King ransomware attacks can result in significant data loss, system downtime, and financial repercussions for victim organizations. The use of QEMU VMs provides an additional layer of stealth, making detection and remediation more challenging. Targeted sectors are not specified in this report, but the use of exposed VPNs and phishing suggests a broad targeting scope. The ransom demands and potential data leaks on the dark web further compound the damage.

Recommendation

Monitor for unauthorized QEMU installations and suspicious scheduled tasks running with SYSTEM privileges, as these are key indicators of compromise (see Overview).
Implement network monitoring to detect unusual SSH port forwarding and outbound SSH tunnels on non-standard ports, which could indicate a reverse SSH tunnel (see Attack Chain).
Deploy the Sigma rule “Detect ADNotificationManager Sideloading Havoc C2” to identify instances where ADNotificationManager.exe is used to sideload the Havoc C2 payload (vcruntime140_1.dll) (see Rules).
Review and patch CVE-2025-26399 in SolarWinds Web Help Desk and apply necessary security measures for exposed SonicWall and Cisco SSL VPNs to prevent initial access (see Attack Chain).
Monitor for processes creating shadow copies (vssuirun.exe) followed by unusual file access patterns (NTDS.dit, SAM, SYSTEM hives) via SMB, indicative of credential theft (see Attack Chain).

SaaS Notification Pipeline Phishing and Medusa Ransomware Exploitation

hello@craftedsignal.io — Thu, 09 Apr 2026 18:00:20 +0000

This threat brief highlights two significant attack vectors observed by Cisco Talos. First, threat actors are exploiting legitimate SaaS notification pipelines (e.g., GitHub, Jira) to deliver phishing and spam, bypassing traditional email security measures by using a “Platform-as-a-Proxy” (PaaP) technique. This abuses the implicit trust placed in system-generated notifications from trusted enterprise tools, primarily targeting credential harvesting. Second, the Storm-1175 group is actively deploying Medusa ransomware, rapidly exploiting n-day vulnerabilities, including CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and older versions of BeyondTrust Privileged Remote Access. Defenders must adapt to these evolving tactics, as they bypass standard perimeter defenses and require more nuanced detection strategies.

Attack Chain

Attacker compromises a legitimate SaaS account (e.g., GitHub, Jira) or creates a malicious project.
Attacker configures the SaaS platform to send notifications (e.g., project updates, issue assignments).
The SaaS platform generates an email notification, appearing to originate from a trusted source.
The email bypasses traditional email security checks (SPF, DKIM, DMARC) due to its legitimate source.
The email contains a malicious link or attachment designed to harvest credentials or deliver malware.
The user clicks the link, leading to a phishing page or malware download.
If the user enters credentials, the attacker gains access to their account.
The attacker uses the compromised account for further malicious activities or lateral movement.

Impact

Successful exploitation of SaaS notification pipelines can lead to widespread credential compromise, potentially affecting numerous users within an organization. The “automation fatigue” associated with these notifications increases the likelihood of users falling victim to phishing attacks. Regarding Medusa ransomware, organizations face data encryption, system downtime, and potential financial losses from ransom demands, as Storm-1175 rapidly exploits vulnerabilities like CVE-2026-1731. The impact includes significant disruption to business operations and potential data breaches.

Recommendation

Ingest SaaS API logs into your SIEM to detect anomalous activities, such as suspicious project creation or mass invitations (see Overview).
Implement instance-level verification and cross-reference notifications against internal SaaS directories to detect PaaP attacks (see Overview).
Apply semantic intent analysis to identify notifications that deviate from a platform’s established functional baseline (see Overview).
Patch CVE-2026-1731 on all BeyondTrust Remote Support instances immediately to prevent Medusa ransomware deployment (see Overview).
Deploy the Sigma rule to detect Coinminer malware via SHA256 hash (see Rules).
Monitor network connections for VID001.exe to identify potential Coinminer infections (see IOCs).

Qilin Ransomware EDR Killer Infection Chain

hello@craftedsignal.io — Thu, 02 Apr 2026 10:00:56 +0000

The Qilin ransomware group is actively deploying a sophisticated EDR killer as part of their attack chain. The initial stage involves a malicious “msimg32.dll” that is likely side-loaded by a legitimate application. This DLL version triggers its malicious logic from within its DllMain function, leading to immediate execution upon loading. The EDR killer employs advanced evasion techniques, including neutralizing user-mode hooks, suppressing Event Tracing for Windows (ETW) event generation, and utilizing structured exception handling (SEH) and vectored exception handling (VEH) to obfuscate control flow. Once active, the EDR killer component loads helper drivers to access physical memory and terminate EDR processes. This allows the malware to disable over 300 different EDR drivers across a wide range of vendors, hindering incident response and enabling further malicious activity.

Attack Chain

A legitimate application loads the malicious “msimg32.dll”, likely through DLL side-loading, triggering execution from within the DllMain function.
The DLL allocates a heap buffer in process memory acting as a slot-policy table based on ntdll.dll’s OptionalHeader.SizeOfCode, dividing the code region into 16-byte slots.
The malware iterates over the export table of “ntdll.dll” to resolve virtual addresses of syscall stubs, specifically targeting those starting with “Nt”.
Based on resolved addresses, the malware marks corresponding entries in the slot-policy table with default or special policies, specifically targeting NtTraceEvent, NtTraceControl, and NtAlpcSendWaitReceivePort.
The malware dynamically resolves ntdll!LdrProtectMrdata and invokes it to change the protection of the .mrdata section to writable.
The loader overwrites the dispatcher slot within the .mrdata section with its own custom exception handler to intercept and modify exception handling.
The custom exception handler manages breakpoint exceptions (0xCC), potentially as an anti-emulation technique.
The EDR killer component loads helper drivers, “rwdrv.sys” for physical memory access and “hlpdrv.sys” to terminate EDR processes, after unregistering monitoring callbacks to prevent interference.

Impact

Successful execution of the Qilin EDR killer can disable over 300 different EDR drivers, severely impairing the ability of security teams to detect and respond to threats. This can lead to increased dwell time for ransomware and other malicious activities, resulting in significant data breaches, financial losses, and reputational damage. With telemetry collection disabled, defenders lose visibility into process, memory, and network activity, making it difficult to investigate and contain the attack.

Recommendation

Monitor for DLLs loaded from non-standard locations, specifically “msimg32.dll,” using process creation logs to detect potential DLL side-loading attempts (rules in this brief).
Implement the Sigma rules provided in this brief to detect the modification of exception handler dispatchers, which is a key component of the EDR killer’s evasion techniques.
Monitor for the loading of unsigned or untrusted drivers like “rwdrv.sys” and “hlpdrv.sys” using driver load events, as these are used to gain system privileges and terminate EDR processes.
Enable Sysmon process creation logging to capture detailed information about process execution, including command-line arguments and parent processes, to aid in the detection of malicious DLL loading.
Analyze process memory for evidence of user-mode hooks being neutralized or ETW event generation being suppressed. This requires more advanced memory forensics capabilities.

M-Trends 2026: Evolving Threat Landscape

hello@craftedsignal.io — Wed, 25 Mar 2026 10:45:30 +0000

The Mandiant M-Trends 2026 report analyzes over 500,000 hours of incident investigations, revealing significant shifts in the cyber threat landscape. Cybercriminal groups are optimizing for immediate impact and recovery denial, while cyber espionage groups and insider threats prioritize extreme persistence, leveraging unmonitored edge devices and native network functionalities to evade detection. Voice phishing has surged, replacing email as a primary initial access vector, particularly targeting SaaS environments. The time between initial access and the hand-off to secondary actors deploying ransomware has collapsed dramatically. Targeted industries include the high-tech sector (17%) and the financial sector (14.6%). Ransomware groups are now actively targeting backup infrastructure, identity services, and virtualization management planes to ensure recovery is impossible without paying a ransom. Espionage groups are exploiting zero-day vulnerabilities in edge devices for long-term persistence.

Attack Chain

Initial Access: Attackers use voice phishing (vishing) to target IT help desks, bypassing MFA and gaining initial access to SaaS environments. Malicious advertisements or the ClickFix social engineering technique are also used to gain a foothold.
Privilege Escalation: Exploitation of misconfigured Active Directory Certificate Services templates to create admin accounts that bypass password rotation.
Credential Access: Harvesting long-lived OAuth tokens and session cookies to bypass standard defenses. Stealing hard-coded keys and personal access tokens from compromised third-party SaaS vendors. Leveraging native packet-capturing functionality on network appliances to intercept sensitive data and plaintext credentials.
Lateral Movement: Using stolen credentials and tokens to pivot into downstream customer environments. Exploiting the “Tier-0” nature of hypervisors to bypass guest-level defenses.
Defense Evasion: Deploying custom, in-memory malware like BRICKSTORM directly onto network appliances to establish deep persistence that survives standard remediation efforts. Targeting edge and core network devices lacking EDR telemetry.
Impact: Encrypting hypervisor datastores to render all associated virtual machines inoperable simultaneously. Deleting backup objects from cloud storage.
Exfiltration: Large-scale data theft from SaaS environments.

Impact

M-Trends 2026 highlights that ransomware groups are actively destroying the ability to recover data, impacting organizations across more than 16 industry verticals. The high-tech and financial sectors are particularly targeted. The collapse of the hand-off window from hours to seconds means organizations have less time to respond to initial intrusions before ransomware is deployed. The increasing dwell time of threats like BRICKSTORM, reaching nearly 400 days, leaves organizations blind to the full scope of the intrusion due to standard log retention policies.

Recommendation

Deploy the Sigma rule for detecting PowerShell commands from uncommon locations to identify potential malicious activity related to post-compromise actions (reference: Sigma rule “Detect PowerShell from Uncommon Location”).
Implement network monitoring on edge devices and VPNs to detect unauthorized packet capturing and credential interception attempts (reference: overview section about edge devices).
Review and harden Active Directory Certificate Services configurations to prevent the exploitation of misconfigured templates (reference: attack chain step 2).
Monitor for modifications to cloud storage backup objects, especially deletion attempts, to detect ransomware groups attempting to destroy recovery capabilities (reference: attack chain step 6).
Increase log retention policies beyond 90 days to improve visibility into long-term persistent threats like BRICKSTORM (reference: Overview section).

Interlock Ransomware Campaign Targeting Enterprise Firewalls

hello@craftedsignal.io — Thu, 19 Mar 2026 05:33:30 +0000

The Interlock ransomware campaign specifically targets enterprise firewalls. The campaign’s objective is to encrypt sensitive data residing on or accessible through these firewalls, rendering systems inoperable and creating significant business disruption. While specific details about the initial discovery and scope of the campaign remain limited, its focus on firewalls suggests a targeted approach aimed at organizations heavily reliant on these devices for network security and perimeter defense. The lack of specific details about delivery mechanisms and exploited vulnerabilities underscores the need for proactive threat hunting and vulnerability management to detect and mitigate potential Interlock ransomware infections.

Attack Chain

Initial Access: The attacker gains initial access to the targeted network, potentially through exploiting vulnerabilities in the firewall’s management interface or VPN services.
Firewall Compromise: The attacker exploits the initial access to compromise the firewall device. This may involve exploiting known vulnerabilities or using stolen credentials.
Lateral Movement: The attacker uses the compromised firewall as a pivot point to move laterally within the internal network. Tools like ssh or PsExec may be used.
Discovery: The attacker performs reconnaissance to identify valuable data stores accessible through the firewall. This may involve scanning network shares or querying databases.
Privilege Escalation: The attacker attempts to escalate privileges to gain administrative access to critical systems. This could involve exploiting vulnerabilities or using credential harvesting techniques.
Data Encryption: The attacker deploys the Interlock ransomware payload to encrypt sensitive data on systems accessible via the firewall.
Ransom Demand: After encryption, the attacker delivers a ransom note demanding payment for decryption keys.
Exfiltration (Possible): Depending on the attacker’s goals, data exfiltration may occur prior to encryption.

Impact

A successful Interlock ransomware attack can lead to significant data loss, business disruption, and financial damage. Organizations can suffer reputational damage and legal repercussions due to data breaches. The targeted nature of the attack suggests a focus on organizations where firewall compromise would have a widespread impact, potentially affecting hundreds or thousands of users or customers.

Recommendation

Enable enhanced logging on all enterprise firewalls to capture detailed activity, including login attempts, configuration changes, and network traffic. This enhances the effectiveness of the detection rules below.
Implement multi-factor authentication (MFA) for all firewall administrative access to mitigate the risk of credential theft.
Regularly patch and update firewall firmware to address known vulnerabilities.
Deploy the Sigma rules provided in this brief to your SIEM and tune for your environment.

Warlock Group Deploys Web Shells, Tunnels, and Ransomware

hello@craftedsignal.io — Thu, 19 Mar 2026 05:26:28 +0000

This brief describes a Warlock attack, as detailed in a Trend Micro analysis, involving the use of web shells, tunneling, and ransomware deployment. The Warlock group compromises systems by leveraging web shells for initial access and establishing tunnels for persistent access and command and control. This access is then used to deploy ransomware, encrypting critical data and demanding ransom payments from victims. The specific ransomware family and web shell variants employed are not detailed in the provided context, but the overall attack flow is consistent with financially motivated cybercrime operations. Defenders should prioritize detection of web shell activity, unauthorized tunneling, and ransomware execution to mitigate the risk of compromise by the Warlock group.

Attack Chain

Initial Access: The attacker gains access to the target system by exploiting vulnerabilities to deploy a web shell (details of the vulnerability are not provided).
Web Shell Execution: The attacker executes commands through the web shell to perform reconnaissance and identify valuable targets within the network.
Tunnel Establishment: A tunnel is established to maintain persistent access and bypass security controls (specific tunneling technology not provided).
Lateral Movement: The attacker leverages the established tunnel to move laterally within the network, compromising additional systems.
Credential Access: The attacker attempts to harvest credentials to gain elevated privileges and access to critical resources (specific tools/techniques not provided).
Ransomware Deployment: The attacker deploys ransomware across the network, encrypting files and rendering systems unusable.
Ransom Demand: A ransom note is left on the compromised systems, demanding payment for decryption keys.
Data Exfiltration (Possible): Prior to encryption, the attacker may exfiltrate sensitive data to further pressure victims into paying the ransom (not explicitly stated, but a common practice).

Impact

The Warlock attack results in significant disruption to victim organizations through ransomware deployment. Systems are rendered unusable due to encryption, potentially leading to operational downtime and financial losses. If data exfiltration occurs, the confidentiality of sensitive information is also compromised, increasing the potential for reputational damage and legal liabilities. The lack of specific victim counts and sector targeting data in the provided context limits a comprehensive impact assessment.

Recommendation

Deploy a web shell detection rule (see below) to identify suspicious web shell activity on web servers based on process creation.
Implement a network monitoring rule (see below) to detect unusual tunneling activity based on network connections from web servers.
Enable file integrity monitoring to detect unauthorized modifications to web server files that could indicate web shell installation (reference file_event log source).

Active Exploitation of Apache ActiveMQ RCE Vulnerability (CVE-2023-46604)

hello@craftedsignal.io — Wed, 25 Feb 2026 09:22:01 +0000

CVE-2023-46604 is a critical remote code execution (RCE) vulnerability affecting Apache ActiveMQ message brokers. This vulnerability allows a remote attacker with network access to the ActiveMQ broker to execute arbitrary shell commands by manipulating serialized class types within the OpenWire protocol. The vulnerability affects Apache ActiveMQ versions 5.16.0 before 5.16.7, 5.17.0 before 5.17.6, 5.18.0 before 5.18.3, and before 5.15.16, as well as corresponding versions of the Legacy OpenWire…

Potential Veeam Credential Access via SQL Commands

hello@craftedsignal.io — Wed, 03 Jul 2024 12:00:00 +0000

Attackers are increasingly targeting backup infrastructure to maximize the impact of ransomware and data exfiltration attacks. Veeam, a popular backup and disaster recovery solution, stores credentials for backup operations in MSSQL databases. An attacker who gains access to these databases may attempt to use tools like sqlcmd.exe or PowerShell commands (e.g., Invoke-Sqlcmd) to extract and decrypt these credentials. This tactic allows the attacker to compromise the backups themselves, preventing recovery and increasing pressure on the victim. This activity has been observed in real-world incidents, such as those involving the Diavol ransomware. Defenders should monitor for suspicious command-line activity targeting Veeam credentials within MSSQL environments.

Attack Chain

Initial access to the target environment is gained through methods such as phishing or exploiting a vulnerability in a public-facing application.
The attacker performs reconnaissance to identify the location of the Veeam MSSQL database server.
The attacker obtains valid credentials or exploits a vulnerability to gain access to the Veeam MSSQL database server.
The attacker executes sqlcmd.exe or uses PowerShell commands (e.g., Invoke-Sqlcmd) to query the [VeeamBackup].[dbo].[Credentials] table.
The attacker retrieves the encrypted Veeam credentials from the database.
The attacker decrypts the Veeam credentials using custom scripts or tools, potentially leveraging the Veeam backup server itself.
The attacker uses the compromised Veeam credentials to access and delete or encrypt backup data.
The attacker deploys ransomware on the remaining systems, knowing that recovery from backups is now impossible.

Impact

Successful compromise of Veeam credentials can have devastating consequences. Attackers can encrypt or delete backup data, making recovery impossible and significantly increasing the impact of ransomware attacks. This can lead to prolonged downtime, data loss, financial losses, and reputational damage. Organizations relying on Veeam for backup and recovery should prioritize monitoring and securing their Veeam infrastructure to prevent credential access and backup compromise.

Recommendation

Enable Sysmon process creation logging to capture command-line activity, specifically sqlcmd.exe and PowerShell.
Deploy the Sigma rule “Potential Veeam Credential Access Command” to detect suspicious command executions targeting Veeam credentials in MSSQL databases.
Review and restrict access controls to the Veeam MSSQL database, ensuring only authorized personnel and services have access.
Monitor for unusual login activity and failed login attempts to the Veeam MSSQL database server.
Implement multi-factor authentication for all accounts with access to Veeam infrastructure.
Regularly audit Veeam backup configurations and logs to identify any unauthorized modifications or access attempts.

JetBrains TeamCity Relative Path Traversal Vulnerability (CVE-2024-27199)

hello@craftedsignal.io — Mon, 29 Apr 2024 12:00:00 +0000

CVE-2024-27199 is a relative path traversal vulnerability affecting JetBrains TeamCity, a continuous integration and deployment server. This vulnerability allows attackers to perform limited administrative actions by manipulating file paths. JetBrains released a patch for this vulnerability in version 2023.11.4. CISA has added CVE-2024-27199 to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild, including its use in ransomware attacks. The vulnerability poses a significant risk to organizations using TeamCity, potentially leading to unauthorized access, data breaches, and system compromise.

Attack Chain

The attacker identifies a vulnerable TeamCity server exposed to the internet.
The attacker crafts a malicious HTTP request containing a relative path traversal sequence (e.g., ../../) within a URL parameter related to administrative functions.
The TeamCity server processes the crafted request without proper sanitization of the file path.
The relative path traversal allows the attacker to access or modify restricted files or directories outside the intended scope.
The attacker leverages the ability to perform limited admin actions, potentially modifying user permissions or injecting malicious code.
The attacker escalates privileges, gaining full control over the TeamCity server.
The attacker deploys ransomware to connected systems, encrypting data and demanding a ransom for its release.

Impact

Successful exploitation of CVE-2024-27199 can lead to complete compromise of the TeamCity server and connected build agents. Due to TeamCity’s central role in software development and deployment pipelines, this can lead to significant disruption, data loss, and potential supply chain attacks. The vulnerability has been linked to ransomware attacks, causing financial losses, reputational damage, and operational downtime for affected organizations.

Recommendation

Apply the vendor-supplied patch by upgrading to TeamCity version 2023.11.4 or later to remediate CVE-2024-27199 (https://www.jetbrains.com/privacy-security/issues-fixed/).
Deploy the Sigma rules provided in this brief to detect exploitation attempts against TeamCity servers.
Follow CISA’s BOD 22-01 guidance for cloud services to ensure proper security configurations and monitoring are in place.

Potential Ransomware Behavior - Note Files Dropped via SMB

hello@craftedsignal.io — Mon, 22 Jan 2024 12:00:00 +0000

This detection identifies potential ransomware activity through the rapid creation of ransom notes via SMB shares. The rule focuses on file creation events originating from the SYSTEM account (PID 4), targeting common ransom note file extensions like .txt, .html, .pdf, and image files. This activity suggests an attacker has achieved lateral movement and is deploying ransom notes across multiple systems. The rule aggregates events within a 60-second window to reduce false positives and focus on high-frequency creation patterns indicative of automated ransomware deployment. Successful detection can help defenders quickly identify and contain ransomware outbreaks before widespread encryption occurs. The original Elastic detection rule was published on 2024-05-03 and updated on 2026-05-04.

Attack Chain

The attacker gains initial access to a system through an exploit or compromised credentials.
The attacker moves laterally to other systems on the network using valid accounts or exploits. (T1021.002 - SMB/Windows Admin Shares)
The attacker uses a tool to remotely create files over SMB. (T1021.002 - SMB/Windows Admin Shares)
The SYSTEM account (PID 4) on a compromised host is used to create multiple files with the same name but different paths (C:*) over SMB.
The created files have file extensions commonly associated with ransom notes: .txt, .htm, .html, .hta, .pdf, .jpg, .bmp, .png.
The files are dropped into at least 3 unique paths within a short time frame (60 seconds).
The attacker encrypts data and leaves the ransom notes to instruct victims on how to pay the ransom. (T1486 - Data Encrypted for Impact)
The organization experiences data loss, financial damage, and reputational harm.

Impact

Successful ransomware attacks can lead to significant data loss, financial costs associated with ransom payments, recovery efforts, and reputational damage. Organizations may experience business disruption, regulatory fines, and legal liabilities. The Akira ransomware group, referenced in the original rule’s documentation, has been known to target various sectors, demanding substantial ransoms from victims. The widespread distribution of ransom notes indicates an advanced stage of the ransomware attack, necessitating immediate containment to prevent further data encryption and system compromise.

Recommendation

Deploy the Sigma rule Potential Ransomware Note File Dropped via SMB to your SIEM to detect suspicious file creation activity indicative of ransomware deployment.
Enable Elastic Defend for enhanced endpoint detection and response capabilities, as recommended in the rule’s setup instructions.
Monitor incoming network connections to port 445 (SMB) on critical assets, as suggested in the rule’s triage analysis.
Investigate file names with unusual extensions to identify potential ransom notes, as mentioned in the triage analysis.
Isolate any hosts identified as creating multiple note files over SMB to prevent further lateral movement and data encryption, as described in the rule’s response and remediation steps.
Review and enforce network segmentation policies to limit lateral movement and reduce the impact of potential ransomware attacks (TA0008).

PowerShell Share Enumeration via ShareFinder or Native APIs

hello@craftedsignal.io — Tue, 09 Jan 2024 15:00:00 +0000

This detection identifies PowerShell scripts utilizing ShareFinder functions (Invoke-ShareFinder/Invoke-ShareFinderThreaded) or native Windows API calls for share enumeration. These techniques are commonly used by attackers to map accessible network shares within an environment. This reconnaissance is often a precursor to data collection, lateral movement, or the deployment of ransomware. The activity is detected via script block logging, and focuses on identifying specific function calls and API usage within the PowerShell script content. Defenders should be aware of this activity, particularly when performed by unexpected users or on unusual systems, as it may indicate malicious reconnaissance within the network. The references indicate that this activity can lead to corporate insurance policy exfiltration or Conti ransomware deployment.

Attack Chain

An attacker gains initial access to a Windows system, potentially through phishing or compromised credentials.
The attacker executes a PowerShell script, either directly or through a fileless execution method.
The PowerShell script utilizes ShareFinder functions (Invoke-ShareFinder, Invoke-ShareFinderThreaded) or Windows share enumeration APIs (NetShareEnum, NetApiBufferFree) to discover network shares.
The script identifies accessible network shares by leveraging API calls and parsing the results for share names (shi1_netname) and remarks (shi1_remark).
The attacker analyzes the identified shares to determine those that are accessible and contain valuable data.
The attacker may then attempt to access these shares using compromised credentials or exploiting existing vulnerabilities.
Once access is gained, the attacker may collect sensitive data from the shares, move laterally to other systems, or deploy ransomware.
The ultimate goal is data exfiltration, system compromise, or financial gain through ransomware.

Impact

Successful exploitation of this reconnaissance technique can lead to significant data breaches, lateral movement within the network, and potential ransomware deployment. Organizations that fail to detect and prevent share enumeration may suffer financial losses, reputational damage, and operational disruption. The referenced “Stolen Images” campaign led to Conti ransomware deployment, and the “Hunting for corporate insurance policies” post highlights data exfiltration.

Recommendation

Enable PowerShell script block logging to capture the necessary events for detection (as referenced in the rule setup).
Deploy the Sigma rule “PowerShell Share Enumeration Script via Invoke-ShareFinder” to your SIEM and tune for your environment.
Deploy the Sigma rule “PowerShell Share Enumeration via NetShareEnum API” to detect share enumeration using native Windows APIs.
Investigate any alerts generated by these rules, focusing on the PowerShell launch context and the scope of the share discovery (see triage steps in the original rule).
Review and restrict PowerShell execution policies to prevent unauthorized script execution, especially from user-writable locations.

Detection of Wevtutil.exe Used to Disable Event Logs

hello@craftedsignal.io — Thu, 04 Jan 2024 16:30:00 +0000

Attackers, particularly ransomware groups, often disable or manipulate event logs to cover their tracks and hinder forensic investigations. This activity typically occurs post-compromise as part of an attacker’s defense evasion strategy. The use of wevtutil.exe, a legitimate Windows command-line utility, makes this technique challenging to detect without specific monitoring. Ransomware actors disable logging to operate undetected, making it difficult for security teams to trace malicious activities and respond effectively. This can prolong the dwell time of the attacker within the environment and increase the potential for widespread damage, data exfiltration, or system encryption.

Attack Chain

Initial access is gained through typical methods like phishing or exploiting public-facing vulnerabilities.
The attacker executes code on the compromised system, achieving initial foothold.
Privilege escalation techniques are employed to gain elevated permissions (e.g., using exploits, token manipulation).
The attacker uses wevtutil.exe with specific commands to disable or clear event logs. Example commands include wevtutil.exe sl false or wevtutil.exe set-log /enabled:false.
The attacker disables specific event channels to remove evidence of their activity.
Persistence mechanisms are established to maintain access across reboots (e.g., creating scheduled tasks, modifying registry keys).
Lateral movement is initiated to compromise additional systems within the network using tools like PsExec or SMB shares.
The final objective, such as ransomware deployment or data exfiltration, is executed, with logging disabled to minimize the chances of detection.

Impact

Successful disabling of event logs allows attackers to operate undetected, hindering forensic investigations and incident response efforts. This can lead to delayed detection of breaches, prolonged dwell time for attackers, and increased damage to affected organizations. Ransomware groups frequently use this technique to maximize the impact of their attacks, resulting in data encryption, exfiltration, and significant financial losses.

Recommendation

Enable Sysmon process creation logging (Event ID 1) to detect the execution of wevtutil.exe with suspicious parameters.
Deploy the Sigma rules provided below to your SIEM to detect specific command-line arguments used to disable event logs.
Monitor Windows Event Log Security (4688) for process creation events of wevtutil.exe with arguments related to disabling or clearing logs.
Investigate any instances where wevtutil.exe is executed with parameters like sl or set-log and /e:false or /enabled:false in the command line, as highlighted in the provided Sigma rules.

Third-party Backup Files Deleted via Unexpected Process

hello@craftedsignal.io — Wed, 03 Jan 2024 18:12:00 +0000

This rule identifies the deletion of backup files, specifically those created by Veeam and Veritas Backup Exec, through unexpected processes on Windows systems. The rule aims to detect potential attempts to inhibit system recovery by adversaries, particularly in the context of ransomware attacks. Attackers often target backup files to eliminate recovery options for victims. This detection focuses on identifying file deletion events where the process responsible for the deletion does not belong to the trusted backup software suite. The rule excludes known legitimate processes and directories like Trend Micro’s, Microsoft Exchange Mailbox Assistants, and the Recycle Bin to minimize false positives. The original Elastic detection rule was created in October 2021 and last updated May 4, 2026.

Attack Chain

Adversary gains initial access to the target Windows system.
The attacker performs reconnaissance to identify backup file locations.
The attacker uses a non-backup related process (e.g., cmd.exe, powershell.exe) to delete backup files.
The attacker targets Veeam backup files with extensions VBK, VIB, and VBM.
The attacker targets Veritas Backup Exec files with the BKF extension.
The deletion events are logged by the endpoint detection system.
The detection rule triggers, identifying the anomalous deletion activity based on file extension and process context.
Successful deletion of backups impairs the victim’s ability to recover from ransomware or other destructive attacks.

Impact

Successful deletion of backup files can severely impact an organization’s ability to recover from a ransomware attack or other data loss events. Without viable backups, the victim organization may be forced to pay a ransom or face significant data loss and business disruption. This tactic directly increases the attacker’s leverage and potential financial gain. The rule’s documentation cites a report from AdvIntel detailing backup removal solutions seen with Conti ransomware.

Recommendation

Deploy the Sigma rule Unexpected Veeam Backup File Deletion to your SIEM and tune for your environment to detect unexpected deletion of Veeam backup files.
Deploy the Sigma rule Unexpected Veritas Backup File Deletion to your SIEM and tune for your environment to detect unexpected deletion of Veritas Backup Exec files.
Investigate any alerts generated by these rules to determine the source of the deletion and assess potential impact.
Enable endpoint file event logging to capture file deletion events, which are crucial for the Sigma rules.
Review process execution chains (parent process tree) for unknown processes to identify the root cause of unexpected file deletions.

PaperCut NG/MF Improper Authentication Vulnerability (CVE-2023-27351)

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

CVE-2023-27351 is a critical improper authentication vulnerability affecting PaperCut NG/MF. The vulnerability exists within the SecurityRequestFilter class, enabling remote attackers to bypass authentication mechanisms. This bypass can lead to unauthorized access to sensitive functionalities within the PaperCut NG/MF application. Publicly available reports indicate that this vulnerability is being actively exploited, including instances of ransomware deployment following successful exploitation. Due to the ease of exploitation and the potentially severe consequences, organizations using affected versions of PaperCut NG/MF are urged to apply mitigations immediately.

Attack Chain

Attacker identifies a vulnerable PaperCut NG/MF instance accessible over the network.
The attacker crafts a malicious HTTP request targeting the SecurityRequestFilter class.
The crafted request exploits the improper authentication vulnerability (CVE-2023-27351), bypassing normal authentication checks.
Upon successful authentication bypass, the attacker gains unauthorized access to the PaperCut NG/MF application with elevated privileges.
The attacker leverages the gained access to upload malicious scripts or binaries to the PaperCut server.
The attacker executes the uploaded payload, initiating the ransomware encryption process or other malicious activities.
Ransomware encrypts sensitive data on the PaperCut server and potentially spreads to other connected systems.
The attacker demands a ransom payment for the decryption key.

Impact

Successful exploitation of CVE-2023-27351 allows attackers to bypass authentication, gain unauthorized access, and potentially deploy ransomware. This can result in significant data loss, disruption of print services, and financial losses due to ransom demands and recovery efforts. The vulnerability is known to be actively exploited, increasing the risk to organizations using affected PaperCut NG/MF installations.

Recommendation

Apply mitigations provided by PaperCut, referencing their knowledge base articles PO-1216 and PO-1219.
Deploy the Sigma rules provided below to detect potential exploitation attempts against the SecurityRequestFilter class.
Follow applicable BOD 22-01 guidance for cloud services if the PaperCut instance is cloud-hosted.