
Incident Score: Analysis & Impact (US-1765249605)

The details of each company's incidents and reports give you a full view from every side.

Rankiteo Score Impact Analysis

Rankiteo Incident Impact: -17
Company Score Before Incident: 754 / 1000
Company Score After Incident: 737 / 1000
Incident Number: US-1765249605
Type of Cyber Incident: Cyber Attack
Attack Vector: Password spraying, Spear-phishing, Exploiting Microsoft Exchange vulnerabilities, Exploiting Outlook NTLM vulnerability (CVE-2023-23397), Exploiting Roundcube webmail vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026), Exploiting WinRAR vulnerability (CVE-2023-38831), Exploiting internet-facing infrastructure and corporate VPNs via public vulnerabilities and SQL injection, Credential guessing/brute force
Data Exposed: Email accounts, Office 365 user...
Incident Date: 31/12/2021
Status: Ongoing
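The Outlook NTLM vulnerability listed in the attack vector above (CVE-2023-23397) is triggered by a calendar or task item whose custom reminder sound points at a host the attacker controls: when the reminder fires, Outlook opens that path and authenticates to the host with NTLM. The check below is an added example, not code from the Rankiteo page or from the joint advisory. It assumes the two MAPI properties involved have already been extracted from the message by whatever .msg/MAPI parser you use; the sample items, the documentation-range hosts in them and the list of remote path forms it recognises are constructed assumptions.

```python
# Added example (not code from the Rankiteo page or from the advisory it summarizes).
# CVE-2023-23397 is triggered by an appointment or task whose custom reminder sound,
# the extended MAPI property PidLidReminderFileParameter, points at a host the
# attacker controls; when the reminder fires Outlook opens that path and sends an
# NTLM authentication to it. This check takes already-extracted property values
# (reading them from .msg/MAPI is assumed to be handled elsewhere) and reports
# the items that would make Outlook contact a remote host.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A path Windows resolves off-host: classic UNC (\\host\share), the \\?\UNC\host form
# (also starts with two backslashes) or forward-slash UNC. Assumed list of forms.
REMOTE_PATH = re.compile(r"^(\\\\|//)")


@dataclass
class ReminderProps:
    """Constructed sample of the two properties involved (names per [MS-OXOCAL])."""
    subject: str
    reminder_override: bool          # PidLidReminderOverride: use the custom sound
    reminder_file: Optional[str]     # PidLidReminderFileParameter: path to that sound


def reminder_file_host(path: Optional[str]) -> Optional[str]:
    """Return the host a reminder-sound path would make Outlook connect to, or None
    for empty/local paths such as C:\\Windows\\Media\\chimes.wav."""
    if not path or not REMOTE_PATH.match(path):
        return None
    p = path.replace("\\", "/").lstrip("/")
    if p.lower().startswith("?/unc/"):       # \\?\UNC\host\share\file
        p = p[len("?/unc/"):]
    host = p.split("/", 1)[0]
    # \\host@80\share and \\host@SSL@443\share are the WebDAV port forms; the
    # host name is everything before the first '@'.
    host = host.split("@", 1)[0]
    return host or None


def is_cve_2023_23397_trigger(props: ReminderProps) -> bool:
    """True when the custom sound is enabled and its path points off-host."""
    return props.reminder_override and reminder_file_host(props.reminder_file) is not None


def scan(items: List[ReminderProps]) -> List[Tuple[str, str]]:
    """(subject, host) for every item that would trigger the outbound authentication."""
    return [(i.subject, reminder_file_host(i.reminder_file))
            for i in items if is_cve_2023_23397_trigger(i)]


# Constructed sample items; the hosts are documentation addresses, not real IOCs.
SAMPLE_ITEMS = [
    ReminderProps("Weekly sync", False, None),
    ReminderProps("Budget review", True, r"C:\Windows\Media\chimes.wav"),
    ReminderProps("Urgent: shipment manifest", True, r"\\203.0.113.9\share\r.wav"),
    ReminderProps("Reminder", True, r"\\?\UNC\relay.example.net@80\x\y.wav"),
    ReminderProps("Note", False, r"\\203.0.113.9\share\r.wav"),   # override unset: no trigger
]

if __name__ == "__main__":
    for subject, host in scan(SAMPLE_ITEMS):
        print(f"{subject!r} would authenticate to {host}")
```

The last sample item shows the caveat worth keeping in mind when hunting: a remote path in PidLidReminderFileParameter with PidLidReminderOverride unset is not a working trigger, but it is still an odd thing to find in a mailbox and deserves a look. The check complements patching rather than replacing it; it only tells you which items would have caused the outbound authentication, not whether one already happened.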

Key Highlights From The Incident Analysis

  • Timeline of US Transportation Command's cyber attack and lateral movement inside the company's environment.
  • Overview of the affected data sets and why they materially increase incident severity.
  • How Rankiteo's incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts US Transportation Command's Rankiteo cyber score and cyber rating.
  • Rankiteo's MITRE ATT&CK correlation analysis for this incident, with the associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the US Transportation Command breach identified under incident ID US-1765249605.

The analysis begins with an overview of US Transportation Command: its LinkedIn page (https://www.linkedin.com/company/us-transportation-command), 19318 followers, industry type Armed Forces, and 534 employees.

Next, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The company score was 754 before the incident and 737 after it, a difference of -17, which indicates the severity and impact of the incident.

In the next step of the video, we analyze the incident in more detail, together with the impact it had on US Transportation Command and its customers.

A newly reported cybersecurity incident, "Russian State-Sponsored Cyberespionage Campaign by APT28 (Fancy Bear/Forest Blizzard)", has drawn attention.

A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.

The intrusion affects corporate networks, email systems, internet-connected cameras, VPNs and Microsoft Exchange servers, and exposes email accounts, Office 365 user lists, sensitive information on aid shipments (sender/recipient, cargo content, travel routes, container registration numbers, destination) and Active Directory information.

Formal response steps have not been shared publicly yet.

The case is still ongoing. The recommended next steps are the general security mitigations, detections and indicators of compromise provided in the joint advisory. Organizations involved in sending material aid to Ukraine should consider themselves targeted and take precautionary measures.

Finally, we map the incident to the MITRE ATT&CK framework to identify the tactics and techniques that correlate with the observed activity.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

MITRE ATT&CK® Correlation Analysis

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with a confidence level based on the available evidence.

Initial Access
  • Exploit Public-Facing Application (T1190), high confidence (95%): exploitation of Roundcube webmail flaws (CVE-2020-12641, CVE-2020-35730) and of internet-facing infrastructure and VPNs via SQL injection.
  • External Remote Services (T1133), high confidence (90%): exploiting corporate VPNs via public vulnerabilities.
  • Phishing: Spearphishing Link (T1566.002), high confidence (90%): spear-phishing for credential theft and malware delivery.
  • Brute Force: Password Spraying (T1110.003), high confidence (90%): password spraying and brute-force attacks.
  • Valid Accounts: Cloud Accounts (T1078.004), moderate to high confidence (85%): compromising accounts with access to aid shipment details.

Execution
  • User Execution: Malicious File (T1204.002), moderate to high confidence (80%): exploitation of the WinRAR vulnerability (CVE-2023-38831).
  • Command and Scripting Interpreter (T1059), moderate to high confidence (75%): use of native tools (PsExec, Impacket) for lateral movement.

Persistence
  • Account Manipulation (T1098), high confidence (90%): hijacked accounts enrolled in MFA to maintain persistent access.
  • Create Account: Cloud Account (T1136.003), moderate to high confidence (70%): compromised accounts with access to sensitive data.

Privilege Escalation
  • Exploitation for Privilege Escalation (T1068), moderate to high confidence (85%): exploitation of the Outlook NTLM relay vulnerability (CVE-2023-23397).
  • Valid Accounts: Cloud Accounts (T1078.004), moderate to high confidence (80%): use of compromised accounts for lateral movement.

Defense Evasion
  • Masquerading (T1036), moderate to high confidence (85%): use of open-source utilities (Certipy, ADExplorer) for stealth.
  • Valid Accounts: Cloud Accounts (T1078.004), moderate to high confidence (80%): use of hijacked accounts to blend in with normal activity.
  • Hide Artifacts: Hidden Files and Directories (T1564.001), moderate to high confidence (75%): living-off-the-land (LotL) techniques to avoid detection.
  • Proxy: External Proxy (T1090.002), high confidence (90%): communications routed through compromised SOHO devices near targets.

Credential Access
  • Brute Force: Password Spraying (T1110.003), high confidence (95%): password spraying and brute-force attacks.
  • Credentials from Password Stores (T1555), moderate to high confidence (80%): exploitation of the Outlook NTLM relay vulnerability (CVE-2023-23397).
  • Adversary-in-the-Middle (T1557), moderate to high confidence (75%): exploitation of NTLM relay vulnerabilities.

Discovery
  • Account Discovery: Domain Account (T1087.002), moderate to high confidence (85%): compromised Office 365 user lists and Active Directory information.
  • Network Service Discovery (T1046), moderate to high confidence (80%): use of ADExplorer for network reconnaissance.

Lateral Movement
  • Remote Services: Remote Desktop Protocol (T1021.001), high confidence (90%): use of RDP for lateral movement.
  • Lateral Tool Transfer (T1570), moderate to high confidence (85%): use of PsExec and Impacket for lateral movement.

Collection
  • Email Collection: Remote Email Collection (T1114.002), high confidence (90%): compromised email accounts and Office 365 user lists.
  • Data from Local System (T1005), moderate to high confidence (85%): theft of sender/recipient information, cargo contents and travel routes.
  • Archive Collected Data: Archive via Utility (T1560.001), moderate to high confidence (75%): data exfiltration methods tailored to victim environments.

Command and Control
  • Proxy: External Proxy (T1090.002), high confidence (90%): communications routed through compromised SOHO devices.
  • Ingress Tool Transfer (T1105), moderate to high confidence (80%): use of the Headlace and Masepie backdoors.

Exfiltration
  • Exfiltration Over C2 Channel (T1041), high confidence (95%): data exfiltration leveraging LotL techniques.
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002), moderate to high confidence (70%): data exfiltration methods tailored to victim environments.

Impact
  • Defacement: Internal Defacement (T1491.001), moderate to high confidence (70%): potential disruption of aid efforts through cyber means.
  • Data Manipulation: Stored Data Manipulation (T1565.001), moderate confidence (65%): the aim of disrupting aid efforts to Ukraine.

These correlations help security teams understand the attack chain and develop defensive measures based on the observed tactics and techniques.
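Two of the techniques mapped above, Brute Force: Password Spraying (T1110.003) and Account Manipulation (T1098, hijacked accounts enrolled in MFA), leave a detectable sequence in authentication logs: one source address fails against many accounts, then succeeds against one, and that account registers a new MFA method shortly afterwards. The detector below is an added example, not part of Rankiteo's analysis or of the joint advisory. Its event fields, the audit action name UserRegisteredSecurityInfo, the thresholds and every sample event are assumptions loosely modelled on Entra ID sign-in and audit logs.

```python
# Added example, not part of the Rankiteo analysis: a detector that chains two of the
# behaviours mapped above, password spraying (T1110.003) followed by MFA enrolment
# on the account the spray got into (T1098, "enrolled hijacked accounts in MFA").
# The event shape (ts, user, ip, result / action) is an assumption loosely modelled
# on Entra ID sign-in and audit logs; the events themselves are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

SPRAY_WINDOW = timedelta(minutes=10)   # sliding window per source IP
SPRAY_MIN_ACCOUNTS = 5                 # distinct accounts failing inside the window
MFA_FOLLOWUP = timedelta(hours=2)      # registration this soon after the login is suspect
MFA_REGISTRATION_ACTION = "UserRegisteredSecurityInfo"   # assumed audit action name

# Constructed sign-in events. 203.0.113.7 tries six accounts once each in five minutes
# (a spray) and then logs in as erin; 198.51.100.4 is bob mistyping his own password.
SIGNINS = [
    {"ts": "2024-03-01T08:00:01", "user": "alice@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-01T08:00:45", "user": "bob@example.org",   "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-01T08:01:30", "user": "carol@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-01T08:02:10", "user": "dave@example.org",  "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-01T08:03:05", "user": "erin@example.org",  "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-01T08:03:50", "user": "frank@example.org", "ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-01T08:20:00", "user": "erin@example.org",  "ip": "203.0.113.7", "result": "success"},
    {"ts": "2024-03-01T08:30:00", "user": "alice@example.org", "ip": "192.0.2.50",   "result": "success"},
    {"ts": "2024-03-01T08:50:00", "user": "bob@example.org",   "ip": "198.51.100.4", "result": "failure"},
    {"ts": "2024-03-01T08:50:30", "user": "bob@example.org",   "ip": "198.51.100.4", "result": "failure"},
    {"ts": "2024-03-01T08:51:00", "user": "bob@example.org",   "ip": "198.51.100.4", "result": "failure"},
    {"ts": "2024-03-01T09:00:00", "user": "bob@example.org",   "ip": "198.51.100.4", "result": "success"},
]
# Constructed audit events: erin's registration follows the spray login, bob's is benign.
AUDIT = [
    {"ts": "2024-03-01T08:35:00", "user": "erin@example.org", "action": MFA_REGISTRATION_ACTION},
    {"ts": "2024-03-01T09:10:00", "user": "bob@example.org",  "action": MFA_REGISTRATION_ACTION},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect_password_spray(signins: List[dict], window=SPRAY_WINDOW,
                          min_accounts=SPRAY_MIN_ACCOUNTS) -> Dict[str, dict]:
    """Source IPs whose failures hit >= min_accounts distinct accounts within any
    window-long span. Keyed on distinct accounts per IP, not failures per account,
    which is what separates a spray from a user mistyping a password."""
    failures = defaultdict(list)
    for e in signins:
        if e["result"] == "failure":
            failures[e["ip"]].append((_ts(e["ts"]), e["user"]))
    hits: Dict[str, dict] = {}
    for ip, events in failures.items():
        events.sort()
        win: deque = deque()
        for ts, user in events:
            win.append((ts, user))
            while ts - win[0][0] > window:        # drop events older than the window
                win.popleft()
            users = {u for _, u in win}
            if len(users) >= min_accounts:
                hit = hits.setdefault(ip, {"first_seen": win[0][0], "accounts": set()})
                hit["accounts"].update(users)
    return hits


def detect_spray_then_mfa_enrolment(signins, audit, sprays, followup=MFA_FOLLOWUP) -> List[dict]:
    """Accounts that authenticated successfully from a spraying IP after the spray began
    and registered new MFA security info within `followup` of that login."""
    enrolments = [(_ts(e["ts"]), e["user"]) for e in audit if e["action"] == MFA_REGISTRATION_ACTION]
    findings = []
    for e in signins:
        if e["result"] != "success" or e["ip"] not in sprays:
            continue
        login = _ts(e["ts"])
        if login < sprays[e["ip"]]["first_seen"]:
            continue
        for reg_ts, reg_user in enrolments:
            if reg_user == e["user"] and login <= reg_ts <= login + followup:
                findings.append({"user": e["user"], "ip": e["ip"],
                                 "login": login, "mfa_registered": reg_ts})
    return findings


def run(signins=SIGNINS, audit=AUDIT):
    sprays = detect_password_spray(signins)
    return sprays, detect_spray_then_mfa_enrolment(signins, audit, sprays)


if __name__ == "__main__":
    sprays, findings = run()
    for ip, s in sprays.items():
        print(f"spray from {ip} starting {s['first_seen']}: {len(s['accounts'])} accounts")
    for f in findings:
        print(f"{f['user']} logged in from {f['ip']} at {f['login']} and registered MFA at {f['mfa_registered']}")
```

On the sample data the spray is attributed to 203.0.113.7 and only erin's login-plus-registration is reported; bob's three failures against his own account and his later MFA registration are left alone, because the first rule keys on distinct accounts per source rather than failures per account. In production the source-IP key is the weak point: the advisory notes the actor routes traffic through compromised SOHO devices near its targets, so a spray spread across many residential addresses will stay under the per-IP threshold and needs a tenant-wide distinct-account count as well.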
