The Incident Response engagements carried out by our team in the last period confirm the growing trend in the number of cyber attacks against Italian companies. What should make us reflect (beyond the numbers and the damage caused) is the technical evolution and growing complexity of these attacks.

In fact, we notice greater interaction by the attacker during the stages of compromising company systems. Ransomware and the resulting data encryption represent only the last step taken by criminals inside the affected company. Today we talk about “Human-operated ransomware” and “Big Game Hunting”.

This type of cyber attack often begins with the compromise of an employee’s workstation (via email) and the use of Trojans and Spyware.

In other cases, the first system to be affected is a perimeter server, through the exploitation of vulnerabilities (often in RDP and SMB).

From a Workstation to Servers

The compromise of an employee’s workstation should not be underestimated. Threat actors are increasingly moving from the employee’s desk to the rest of the infrastructure and systems. The criminals’ objective is the compromise of the internal servers of the company network (typically the Domain Controllers, Web Servers and Mail Servers), an objective achieved through Lateral Movement and Privilege Escalation activities.

Lateral movement consists of the series of steps performed by the attacker to access other systems in the same computer network.

Would you be able to identify behaviors and tools of this kind?

Some offensive tools often used by criminals (and penetration testers):

Initial Compromise and Post-Exploitation Tools:

  • Meterpreter
  • PowerShell Empire
  • Covenant

Lateral Movement (ID: TA0008):

  • WMI
  • PowerShell
  • PsExec
  • SMB tunnels

Credential Dumping (ID: T1003):

  • Mimikatz
  • Lazagne
  • Dump lsass

Escalation and compromise of infrastructure servers
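As an added illustration of what identifying these behaviors looks like in practice (example code written for this post, not a tool of the team or of any vendor), the script below runs three simple detection rules, one per tool family listed above (PsExec service installation, a process spawned by the WMI provider host, and a non-system process opening LSASS), over a handful of constructed log lines. The `field=value` line format and the host and path names are assumptions made up for the example; real Sysmon and Windows event fields are richer and would need a proper parser.

```python
import re

# Constructed sample events (not real telemetry). The format is a simplified
# "field=value" rendering loosely modelled on Sysmon (event 1 = process create,
# event 10 = process access) and the System log (event 7045 = service installed).
SAMPLE_EVENTS = """\
event=7045 host=SRV-FILE01 service=PSEXESVC image=C:\\Windows\\PSEXESVC.exe
event=1 host=WS-042 parent=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe image=C:\\Windows\\System32\\cmd.exe
event=10 host=DC01 source=C:\\Users\\mrossi\\tmp\\x.exe target=C:\\Windows\\System32\\lsass.exe access=0x1010
event=1 host=WS-042 parent=C:\\Windows\\explorer.exe image=C:\\Users\\mrossi\\AppData\\notes.exe
event=10 host=DC01 source=C:\\Windows\\System32\\csrss.exe target=C:\\Windows\\System32\\lsass.exe access=0x1410
"""

def parse_event(line):
    """Turn one 'k=v k=v ...' line into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def _lower(event, key):
    return event.get(key, "").lower()

# Each rule: (name, tactic/technique ID as used in the post, predicate on a parsed event).
RULES = [
    ("PsExec service installed", "TA0008 (PsExec)",
     lambda e: e.get("event") == "7045" and "psexesvc" in _lower(e, "service")),
    ("Process spawned by WMI provider host", "TA0008 (WMI)",
     lambda e: e.get("event") == "1" and _lower(e, "parent").endswith("wmiprvse.exe")),
    # Coarse allowlist: anything outside System32 touching LSASS is flagged. A production
    # rule would allowlist specific processes (and access masks) rather than a directory.
    ("Non-system process opened LSASS", "T1003 (lsass dump)",
     lambda e: e.get("event") == "10"
               and _lower(e, "target").endswith("lsass.exe")
               and not _lower(e, "source").startswith("c:\\windows\\system32\\")),
]

def detect(log_text):
    """Return a list of (host, rule name, ID) for every event that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        for name, technique, matches in RULES:
            if matches(event):
                hits.append((event.get("host"), name, technique))
    return hits

if __name__ == "__main__":
    for host, name, technique in detect(SAMPLE_EVENTS):
        print(f"[{host}] {name} -> {technique}")
```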

How to defend? Cyber Defence Activities

It is essential to “respond” to this type of offensive maneuver with specialized defensive activities.
There are system defense tools that, in addition to automatic protection, allow specialized analysts to carry out detection, analysis and response activities for IT incidents.

Carrying out Cyber Defense activities means protecting and defending the infrastructure at 360°, carrying out activities of:

  • Security Monitoring
  • Malware Analysis
  • Threat Hunting
  • Incident Response


