Incident Score: Analysis & Impact (UNIVYN1780316844)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (80%), supported by evidence indicating proxied RDP connections used by attackers and Exploit Public-Facing Application (T1190) with moderate confidence (60%), supported by evidence indicating flask-based file receiver exfiltrated data via victims’ public websites. Under the Execution tactic, the analysis identified Command and Scripting Interpreter (T1059) with high confidence (90%), supported by evidence indicating custom Python script (main.py) dropped 58 SQL Server databases and Command and Scripting Interpreter: Windows Command Shell (T1059.003) with moderate to high confidence (70%), supported by evidence indicating hands-on keyboard techniques used for destruction. Under the Persistence tactic, the analysis identified Create Account (T1136) with moderate confidence (50%), supported by evidence indicating state-backed campaign with likely persistence mechanisms. Under the Privilege Escalation tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (80%), supported by evidence indicating proxied RDP connections imply privileged access. Under the Defense Evasion tactic, the analysis identified Indicator Removal: File Deletion (T1070.004) with high confidence (90%), supported by evidence indicating secure deletion tools (WipeFile) overwrote web hosting directories, Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (80%), supported by evidence indicating wiped IT systems, backups, and recovery infrastructure, and Masquerading (T1036) with moderate to high confidence (70%), supported by evidence indicating renamed storage partitions to Minab as a calling card. Under the Credential Access tactic, the analysis identified OS Credential Dumping (T1003) with moderate confidence (60%), supported by evidence indicating proxied RDP connections suggest credential harvesting. Under the Discovery tactic, the analysis identified File and Directory Discovery (T1083) with high confidence (90%), supported by evidence indicating fileFiend tool scanned drives and network shares for files. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating fileFiend scanned drives/network shares for exfiltration. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating flask-based file receiver used victims’ public websites for exfil and Protocol Tunneling (T1572) with moderate to high confidence (70%), supported by evidence indicating go-based tunnelers used in attackers’ toolkit. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating fileFiend sent files to hardcoded C2 servers and Exfiltration Over Alternative Protocol (T1048) with moderate to high confidence (80%), supported by evidence indicating flask-based file receiver exfiltrated via public websites. Under the Impact tactic, the analysis identified Data Destruction (T1485) with high confidence (100%), supported by evidence indicating wiped IT systems, backups, and recovery infrastructure, Data Encrypted for Impact (T1486) with moderate to high confidence (70%), supported by evidence indicating destructive encryption implied by permanent data loss, and Data Manipulation: Stored Data Manipulation (T1565.001) with moderate to high confidence (80%), supported by evidence indicating renamed storage partitions to Minab. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.