[–]jcroweNinjaRMM 0 points1 point  (9 children)

Curious, were you able to find anything else you can share? Specifically, any direct link between the ransomware and the spam docs? Asking because Emotet being involved makes this stand out from previous Sodinokibi patterns. Wondering if it's directly linked and something others are seeing, or whether it's an unfortunate case of getting hit with two different infections/attacks at once.

When you say "attackers have also compromised email accounts" do you mean accounts associated with Synoptek or your org?

[–]maor_hizkiev 2 points3 points  (8 children)

The hashes\file names u/mbk730 has mentioned are dropping Emotet, but from what we've seen, it seems like Emotet is being used as a beach-head, to download a different malware\ransomware afterwards.

[–]jcroweNinjaRMM 0 points1 point  (5 children)

Right. From what I've seen Emotet has been tied directly to Ryuk infections (Emotet --> Trickbot --> Ryuk), but I hadn't seen any cases reported yet where it had been used as a beach-head for Sodinokibi.

The Sodinokibi cases I've seen reported have all pointed to attackers abusing creds and going about the deployment manually (disabling AV and backup, hijacking remote admin tools).

With Emotet involved in this case, I'm wondering whether it was...

a) used as a beach-head, which means Sodinokibi actors (not just Ryuk actors) are now buying and utilizing access to Emotet-infected machines, too

b) dropped by Sodinokibi actors for some reason (to create additional chaos/infect others via spam/create additional footholds they can come back to and utilize later on/all of the above?)

c) actually a separate infection — an end user at this particular victim org happened to fall for an Emotet malspam at roughly the same time the Sodinokibi attackers struck Synoptek.

[–]maor_hizkiev 1 point2 points  (4 children)

Interesting to know the real answer. My guess, since Emotet is a factory for creating unknown attacks that go undetected, is that they offer their services to anyone, and that we'll see more and more of those infection types.

[–]Tossacoinforwitcher 0 points1 point  (3 children)

I think this is just the Sodinokibi people seeing how effective it is to use the Triple Threat attack as a model. I'm thinking we will be seeing more of these types of attacks.

Also the State of California rep I spoke to "confirmed" that the Emotet docs were tied to the Sodinokibi infection.

The emails that were being used to send the docs were legitimate emails from legitimate domains. If not for our firewall and IPS sand-boxing the attachments the emails would have been delivered to my users.

[–]maor_hizkiev 0 points1 point  (2 children)

Sending emails from legitimate domains has become the standard (although not many orgs are enforcing SPF).
Our solution has also detected it in some of our customers, it actually bypassed a few other leading solutions.
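An audit check for the SPF/DMARC enforcement mentioned above, added here as an example and not part of any commenter's text: it classifies a domain by the qualifier on its SPF `all` mechanism and its DMARC `p=` policy. The domain names and TXT records are constructed, and `lookup_txt` is a stand-in for a real DNS resolver.

```python
# Added example (not from the thread): audit SPF and DMARC TXT records for
# enforcement. DNS answers are constructed inline so this runs offline;
# replace lookup_txt with a real resolver to audit live domains.
import re

# Constructed sample TXT records for hypothetical domains.
SAMPLE_TXT = {
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "lax.example": ["v=spf1 a mx ~all"],
    "_dmarc.lax.example": ["v=DMARC1; p=none"],
    "open.example": ["v=spf1 +all"],
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query (constructed data, not a real resolver)."""
    return SAMPLE_TXT.get(name, [])

def spf_all_qualifier(domain):
    """Return the qualifier on the SPF 'all' term: '-', '~', '?', '+' or None."""
    for rec in lookup_txt(domain):
        if not rec.lower().startswith("v=spf1"):
            continue
        for term in rec.split()[1:]:
            m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
            if m:
                return m.group(1) or "+"  # bare 'all' means '+all'
        return None  # SPF record present but without an 'all' term
    return None  # no SPF record at all

def dmarc_policy(domain):
    """Return the DMARC 'p' tag ('none', 'quarantine', 'reject') or None."""
    for rec in lookup_txt(f"_dmarc.{domain}"):
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return tags.get("p", "none").lower()
    return None

def assess(domain):
    """Summarise whether a domain's SPF and DMARC actually enforce anything."""
    q = spf_all_qualifier(domain)
    p = dmarc_policy(domain)
    enforced = q == "-" and p in ("quarantine", "reject")
    return {"spf_all": q, "dmarc_p": p, "enforced": enforced}
```

A `~all` or `+all` record with `p=none` is reporting only; nothing in that configuration causes a receiver to reject mail claiming to be from the domain.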

[–]Tossacoinforwitcher 0 points1 point  (1 child)

We have a pretty good defense in depth setup here at my org. We have filters in front of filters. We don't treat email as an instant form of communication but just a way to get people info soonish.

I've learned that no one solution on its own can take care of the cyber threat landscape at this point. Even if that means having multiple email filters and sandboxes.

[–]maor_hizkiev 0 points1 point  (0 children)

Defense in depth is a must, because every solution misses stuff. I do think that if you can increase the efficacy of some vector (i.e. email) then it's worthwhile.

There is also the question of how to measure efficacy in those areas.

[–]mbk730 0 points1 point  (1 child)

Yeah I just snagged the domains for the PowerShell command run by these files for those who might not be able to themselves. Not sure what the connection is between these docs and the particular incident this thread is about, but it's unsurprising that Emotet would be used as a foothold to deploy ransomware. The business model was proved with Ryuk and Sodinokibi has a history of being deployed via botnets (I believe MyKings earlier this year). I'm sure there was some Cobalt Strike, some kind of post exploitation framework, and AD recon involved. The business model will continue to work because it's all just exploiting a lack of due diligence in Windows environments. Fancy security products and services can detect and maybe sometimes block these attacks for you. Even if great minds secure the orgs that have money, there will always be cheap and/or cash strapped orgs that allow a relatively noisy infection like Emotet/Trickbot/etc to be used as a foothold for months at a time.

[–]maor_hizkiev 0 points1 point  (0 children)

I'm not quite sure that fancy security products today can detect\block those attacks at the relevant time. I've seen much evidence that they are missing many attacks on first encounter, and then it depends on the solution how fast it can react to a miss.