SITE Intelligence Group Breach Incident Score: Analysis & Impact (SIT4562145111925)

In this Rankiteo incident briefing, we review the SITE Intelligence Group breach identified under incident ID SIT4562145111925.

The analysis begins with a detailed overview of SITE Intelligence Group's information like the linkedin page: https://www.linkedin.com/company/site-intelligence-group, the number of followers: 9982, the industry type: Security and Investigations and the number of employees: 2 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 693 and after the incident was 582 with a difference of -111 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on SITE Intelligence Group and their customers.

A newly reported cybersecurity incident, "Kraken Ransomware Campaign with Benchmark-Driven Encryption", has drawn attention.

The Kraken ransomware campaign introduces a benchmark step that measures system performance to determine the scale of encryption.

The disruption is felt across the environment, affecting Windows systems, Linux systems and ESXi systems, and exposing True.

In response, and began remediation that includes log clearing, binary deletion and evidence elimination (by attackers).

The case underscores how Ongoing (public IoCs documented by Cisco Talos), teams are taking away lessons such as Limit exposure of internet-facing services (e.g., SMB), Enforce strong authentication and access controls and Maintain updated backups and test restoration processes, and recommending next steps like Deploy strong ransomware protection (e.g., behavioral detection, endpoint security), Ensure backups are immutable and offline and Implement network segmentation to isolate critical systems.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with high confidence (95%), with evidence including exploiting vulnerable SMB services, and exposed SMB services in attack_vector/vulnerability_exploited, Valid Accounts: Domain Accounts (T1078.002) with high confidence (90%), with evidence including harvesting administrator credentials, and stolen or weak credentials in vulnerability_exploited, and Valid Accounts: Default Accounts (T1078.001) with moderate to high confidence (80%), supported by evidence indicating weak credentials implied by exposed SMB services. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: PowerShell (T1059.001) with moderate to high confidence (70%), supported by evidence indicating benchmarking system performance (commonly done via PowerShell scripts) and Command and Scripting Interpreter: Unix Shell (T1059.004) with moderate to high confidence (70%), supported by evidence indicating cleared shell history on Linux/ESXi systems. Under the Persistence tactic, the analysis identified Protocol Tunneling (T1572) with high confidence (95%), supported by evidence indicating persistence via Cloudflare tunnels, Remote Services: SSH (T1021.004) with high confidence (90%), supported by evidence indicating sSHFS for lateral movement/persistence, and Valid Accounts: Local Accounts (T1078.003) with moderate to high confidence (85%), supported by evidence indicating harvested admin credentials reused for RDP/SSH access. Under the Privilege Escalation tactic, the analysis identified Valid Accounts (T1078) with high confidence (90%), supported by evidence indicating harvested administrator credentials used for lateral movement and Exploitation for Privilege Escalation (T1068) with moderate to high confidence (70%), supported by evidence indicating exploiting vulnerable SMB services may include privilege escalation. Under the Defense Evasion tactic, the analysis identified Indicator Removal: File Deletion (T1070.004) with high confidence (100%), with evidence including wiped logs, shell history, and the binary itself, and deletion of shadow copies/Recycle Bin, Data Destruction (T1485) with high confidence (95%), supported by evidence indicating deleted shadow copies, cleared Recycle Bin, disabled backup services, Impair Defenses: Disable or Modify Tools (T1562.001) with high confidence (90%), supported by evidence indicating disabled backup services, and Indicator Removal: Clear Windows Event Logs (T1070.001) with high confidence (90%), supported by evidence indicating wiped logs. Under the Credential Access tactic, the analysis identified OS Credential Dumping: LSASS Memory (T1003.001) with moderate to high confidence (85%), supported by evidence indicating harvested admin credentials (commonly via LSASS dumping) and Credentials from Password Stores (T1555) with moderate to high confidence (70%), supported by evidence indicating weak or stolen credentials exploited. Under the Discovery tactic, the analysis identified System Information Discovery (T1082) with high confidence (95%), supported by evidence indicating benchmarking system performance to optimize encryption and System Network Configuration Discovery (T1016) with moderate to high confidence (80%), supported by evidence indicating targeting network shares, SQL databases, virtual machines implies network mapping. Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with high confidence (95%), supported by evidence indicating re-entered using Remote Desktop, Remote Services: SSH (T1021.004) with high confidence (90%), supported by evidence indicating sSHFS for lateral movement, and Valid Accounts: Local Accounts (T1078.003) with moderate to high confidence (85%), supported by evidence indicating use of stolen admin credentials for movement. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating targeted SQL databases, network shares, local drives for exfiltration/encryption. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (85%), with evidence including sSHFS for lateral movement (often used for exfiltration), and data exfiltration such as true in incident_details and Exfiltration Over C2 Channel (T1041) with moderate to high confidence (80%), supported by evidence indicating cloudflare tunnels for persistence (could double as exfiltration channel). Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (100%), with evidence including file encryption (.zpsc extension), and ransom note demanding $1M in Bitcoin, Data Destruction (T1485) with high confidence (95%), with evidence including deletion of shadow copies/backups, and termination of virtual machines, Inhibit System Recovery (T1490) with high confidence (95%), with evidence including disabled backup services, and deleted shadow copies/Recycle Bin, and Service Stop (T1489) with high confidence (90%), supported by evidence indicating halted active VMs to unlock disks for encryption. Under the Command and Control tactic, the analysis identified Protocol Tunneling (T1572) with high confidence (95%), supported by evidence indicating cloudflare tunnels for persistence (likely C2) and Proxy: Domain Fronting (T1090.004) with moderate to high confidence (80%), supported by evidence indicating cloudflare tunnels (often used for domain fronting). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.