Incident Score: Analysis & Impact (KRI1768390561)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with high confidence (90%), supported by evidence indicating exploitation of vulnerabilities in SimpleHelp RMM software (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726) and Phishing: Spearphishing Attachment (T1566.001) with lower confidence (30%), supported by evidence indicating victims contacted via unique email addresses for extortion. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: Windows Command Shell (T1059.003) with moderate to high confidence (80%), supported by evidence indicating eSXi variant includes command-line flags for targeted encryption and Exploitation for Client Execution (T1203) with high confidence (90%), supported by evidence indicating exploitation of SimpleHelp RMM flaws to execute arbitrary code. Under the Privilege Escalation tactic, the analysis identified Exploitation for Privilege Escalation (T1068) with high confidence (90%), supported by evidence indicating cVE-2024-57727/28/26 chained to gain administrator privileges. Under the Defense Evasion tactic, the analysis identified Obfuscated Files or Information: Software Packing (T1027.002) with moderate to high confidence (80%), supported by evidence indicating ransomware recompiled for each attack to evade detection and Indicator Removal: File Deletion (T1070.004) with moderate to high confidence (70%), supported by evidence indicating eSXi variant shuts down VMs and encrypts files. Under the Credential Access tactic, the analysis identified Brute Force: Password Guessing (T1110.001) with moderate confidence (50%), supported by evidence indicating initial access brokers may use brute force for RMM access. Under the Discovery tactic, the analysis identified File and Directory Discovery (T1083) with moderate to high confidence (70%), supported by evidence indicating eSXi variant targets VM-related files for encryption. Under the Lateral Movement tactic, the analysis identified Exploitation of Remote Services (T1210) with moderate to high confidence (80%), supported by evidence indicating exploitation of SimpleHelp RMM for lateral movement. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating data exfiltration as part of double-extortion tactics. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (70%), supported by evidence indicating likely use of C2 channels for ransomware deployment. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating sensitive data exfiltrated for extortion (900 victims). Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (100%), supported by evidence indicating encryption of Windows/ESXi systems and VMs (double-extortion) and Inhibit System Recovery (T1490) with moderate to high confidence (80%), supported by evidence indicating eSXi variant shuts down VMs before encryption. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.