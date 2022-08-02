

LockBit Ransomware Exploits Windows Defender to Sideload Cobalt Strike Payload

A SentinelOne investigation revealed that threat actors (TAs) have been abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.

The cybersecurity experts detailed their findings in an advisory last week, in which they said the TAs managed to carry out the attacks after obtaining initial access via the Log4Shell vulnerability on an unpatched VMware Horizon server.

The attackers reportedly modified the Blast Secure Gateway component of the application by installing a web shell using PowerShell code.

“Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools,” the SentinelOne team wrote.

These reportedly included Meterpreter, PowerShell Empire and a new way to sideload Cobalt Strike. According to the security researchers, the threat actors downloaded the malicious DLL, the encrypted payload and the legitimate tool, all from a command-and-control (C2) server under their control.

“Defenders need to be alert to the fact that LockBit ransomware operators and affiliates are exploring and exploiting novel ‘living off the land’ tools to aid them in loading Cobalt Strike beacons and evading some common EDR and traditional AV detection tools,” SentinelOne wrote.

Consequently, the security researchers warned that organizations should carefully scrutinize any tools for which the organization, or its security software, has made exceptions.

“Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls,” SentinelOne wrote.
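The pattern the researchers describe is a legitimate, signed tool copied to an attacker-chosen directory so that it picks up a malicious DLL placed beside it. The detection below is an added example, not code from the article or from SentinelOne: it scans Sysmon-style image-load events and flags a watched tool running outside its expected install path while loading a DLL from its own directory. It assumes MpCmdRun.exe (the Windows Defender command-line utility) is the tool the article means, since the article does not name it; the sample events, the DLL name and the paths in them are constructed.

```python
import re
from pathlib import PureWindowsPath

# Directories from which a vendor-installed tool is expected to run. Anything
# else (user profiles, ProgramData subfolders, temp, web roots) is suspicious
# for a binary that ships with Windows or with an installed security product.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Legitimate signed command-line tools worth watching for relocation.
# MpCmdRun.exe is the Windows Defender CLI; assumed (not stated by the
# article) to be the Defender tool it refers to. Extend as needed.
WATCHED_TOOLS = {"mpcmdrun.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed Sysmon-style ImageLoad (Event ID 7) lines, not real telemetry.
SAMPLE_EVENTS = [
    r'EventID="7" Image="C:\Program Files\Windows Defender\MpCmdRun.exe" ImageLoaded="C:\Program Files\Windows Defender\mpclient.dll"',
    r'EventID="7" Image="C:\Users\Public\MpCmdRun.exe" ImageLoaded="C:\Windows\System32\kernel32.dll"',
    r'EventID="7" Image="C:\Users\Public\MpCmdRun.exe" ImageLoaded="C:\Users\Public\mpclient.dll"',
    r'EventID="7" Image="C:\Windows\System32\notepad.exe" ImageLoaded="C:\Windows\System32\ntdll.dll"',
]


def parse_event(line):
    """Parse one key="value" event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def under_trusted_root(path):
    """True if the path sits below one of the expected install roots."""
    return path.lower().startswith(TRUSTED_ROOTS)


def detect_sideload(lines):
    """Return one alert per event where a watched tool runs from an untrusted
    directory and loads a DLL from that same directory (search-order sideload).
    A watched tool loading system DLLs from System32 is not flagged by itself."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = PureWindowsPath(ev.get("Image", ""))
        loaded = PureWindowsPath(ev.get("ImageLoaded", ""))
        if image.name.lower() not in WATCHED_TOOLS or under_trusted_root(str(image)):
            continue  # not a watched tool, or running from its install location
        if loaded.parent == image.parent:  # PureWindowsPath compares case-insensitively
            alerts.append({"image": str(image), "dll": str(loaded),
                           "reason": "watched tool relocated outside install path "
                                     "and loading a DLL from its own directory"})
    return alerts


if __name__ == "__main__":
    for alert in detect_sideload(SAMPLE_EVENTS):
        print(alert)
```

In production the same rule should also check the loaded DLL's signature and whether the tool's path falls under an AV/EDR exclusion, which is exactly the blind spot the researchers warn about.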

For context, LockBit 3.0 is the latest iteration of the prolific LockBit Ransomware as a Service (RaaS) family, which recently ramped up attacks on two public sector entities.

More generally, RaaS has grown considerably since the beginning of the COVID-19 pandemic, mostly due to the shift to remote work and the resulting weak security of home networks and misconfigured VPNs.
