
Word from our Sponsor

This edition of the SOC case files showcases how an incident was detected, contained, and mitigated in about a minute. The SOC is part of Barracuda Managed XDR, an extended visibility, detection, and response (XDR) service. It provides customers with round-the-clock human and AI-led threat detection, analysis, incident response, and mitigation services to protect against complex threats.

Incident summary

  • A U.S.-based managed services provider (MSP) was targeted by a well-equipped threat actor shortly before the Thanksgiving holiday.
  • The attackers connected a malicious external drive loaded with advanced hacking tools to a single workstation.
  • In just over a minute the threat was mitigated. The SOC identified the unauthorized tools, quarantined them, and isolated the endpoint.

How the attack unfolded

The attack took place the day before Thanksgiving, a major U.S. holiday.

  • On the morning of November 27, the SOC’s automated systems spotted an array of advanced hacking tools appearing one after another in quick succession on a single workstation in a monitored MSP’s network.
  • The tools were all being loaded into the same Windows folder from an unauthorized external drive connected to the workstation.

The main attack attempt

  • The core of the attempted attack involved four known hacking tools.
  • The first of these was an executable called SharpUp, a tool attackers use to try to escalate their privileges in a compromised account.
  • The second was a malicious file called LaZagne. This password-stealing tool was included by attackers in case they couldn’t escalate privileges using SharpUp. They could then use LaZagne to try to obtain credentials for existing accounts with higher privileges.
  • Threat intelligence reports indicate that LaZagne has been leveraged in recent attacks by sophisticated threat actors, including China-based advanced persistent threats (APTs).
  • The third threat was Mimikatz, a very common tool used by threat actors for numerous tasks including extracting sensitive information and lateral movement.
  • The fourth tool found by the SOC analysts was the THOR APT Scanner. This tool is used by security professionals to detect malicious activity but can also be exploited by attackers for tasks like bulk theft of usernames and passwords.

Threat response and mitigation

  • XDR Endpoint Security’s SentinelOne agent successfully detected the four hacking tools, marked them as threats, and mitigated them accordingly.
  • The Storyline Active Response (STAR) custom rules developed by Barracuda’s SOC engineers effectively detected the presence of Mimikatz and took automated response action to isolate the compromised endpoint.
  • Isolating the endpoint and terminating its network connectivity contained the threat and prevented any malicious processes from executing or spreading further.
  • The SOC team analyzed the events, issued an alert, and contacted the MSP directly. They included a detailed summary of the detections and corresponding response actions.
  • The SOC provided critical security recommendations to help the MSP strengthen the protection of their environment, including restricting access for external drives.

Key learnings

  • Threat actors are notorious for carrying out attacks around major holidays — times when traditional security teams may be understaffed, and organizations may be less vigilant overall.
  • Managed services providers are a growing target for threat actors who understand that if they can successfully breach an MSP, they can expand the scope of the attack to the organizations whose IT infrastructure is managed by the MSP.
  • Having a SOC that operates 24/7/365, such as the Barracuda Managed XDR SOC team, to provide continuous, ongoing threat detection and response capabilities is crucial.

The main tools and techniques used in the attack

Known indicators of compromise (IOCs) observed in this attack

  • SharpUp SHA1: 4791564cfaecd815ffb2f15fd8c85a473c239e31
  • LaZagne SHA1: 0e62d10ff194e84ed8c6bd71620f56ef9e557072
  • Mimikatz SHA1: d1f7832035c3e8a73cc78afd28cfd7f4cece6d20
  • THOR APT SHA1: 5c154853c6c31e3bbee2876fe4ed018cebaca86f
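As an added illustration (not code from the article or from Barracuda), here is a small Python correlation rule for the pattern described above: several of the listed tool hashes landing in the same folder from removable media within a short window. The telemetry format, hostnames and paths are constructed; the SHA1 values are the ones listed in the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# SHA1 IOCs taken from the article's indicator list above
KNOWN_TOOLS = {
    "4791564cfaecd815ffb2f15fd8c85a473c239e31": "SharpUp",
    "0e62d10ff194e84ed8c6bd71620f56ef9e557072": "LaZagne",
    "d1f7832035c3e8a73cc78afd28cfd7f4cece6d20": "Mimikatz",
    "5c154853c6c31e3bbee2876fe4ed018cebaca86f": "THOR APT Scanner",
}

# Constructed file-creation telemetry in a hypothetical pipe-separated format
# (not real SentinelOne output): time|host|destination path|sha1|source volume
SAMPLE_EVENTS = """\
2024-11-27T08:14:02|WS-017|C:\\Users\\jdoe\\Tools\\SharpUp.exe|4791564cfaecd815ffb2f15fd8c85a473c239e31|removable
2024-11-27T08:14:09|WS-017|C:\\Users\\jdoe\\Tools\\laZagne.exe|0e62d10ff194e84ed8c6bd71620f56ef9e557072|removable
2024-11-27T08:14:15|WS-017|C:\\Users\\jdoe\\Tools\\mimikatz.exe|d1f7832035c3e8a73cc78afd28cfd7f4cece6d20|removable
2024-11-27T08:14:21|WS-017|C:\\Users\\jdoe\\Tools\\thor64.exe|5c154853c6c31e3bbee2876fe4ed018cebaca86f|removable
2024-11-27T08:30:00|WS-022|C:\\Users\\asmith\\Downloads\\report.pdf|0123456789abcdef0123456789abcdef01234567|fixed
2024-11-27T09:02:44|WS-031|C:\\Temp\\mimikatz.exe|d1f7832035c3e8a73cc78afd28cfd7f4cece6d20|fixed
"""

def parse_events(text):
    """Parse telemetry into (time, host, folder, tool name or None, from_removable)."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, host, path, sha1, volume = line.split("|")
        folder = str(PureWindowsPath(path).parent).lower()
        events.append((datetime.fromisoformat(ts), host, folder,
                       KNOWN_TOOLS.get(sha1.lower()), volume == "removable"))
    return events

def find_tool_drops(events, window=timedelta(minutes=2), min_tools=2):
    """Flag (host, folder) pairs that received >= min_tools distinct known tools from
    removable media within `window`; single hash hits are left to the endpoint agent."""
    by_target = defaultdict(list)
    for when, host, folder, tool, removable in events:
        if tool and removable:
            by_target[(host, folder)].append((when, tool))
    alerts = []
    for (host, folder), hits in by_target.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            burst = [t for when, t in hits[i:] if when - start <= window]
            if len(set(burst)) >= min_tools:
                alerts.append({"host": host, "folder": folder,
                               "tools": sorted(set(burst)), "start": start})
                break  # one alert per host/folder is enough to escalate
    return alerts
```

On the constructed sample only WS-017 is flagged: the lone Mimikatz hash on WS-031 came from a fixed disk and is a single hit, which the per-file hash match on the agent already covers.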

Barracuda Managed XDR features like threat intelligence, automated threat response, and the integration of wider solutions such as XDR Server Security, XDR Network Security, and XDR Cloud Security provide comprehensive protection and can drastically reduce dwell time.

For further information: Barracuda Managed XDR and SOC.

This article was originally published at Barracuda Blog.

Photo: Andrii Yalanskyi / Shutterstock

Posted by Eric Russo

Eric Russo is Director of SOC Defensive Security at Barracuda.