The FBI and CISA issue recommendations for countering the AvosLocker ransomware

Carding 4 Carders

Experts have identified a textbook attack strategy and shared it with all organizations.

In a joint advisory, the Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA) provided new information about the tools used by attackers associated with the AvosLocker ransomware, which the FBI had already reported on a couple of weeks earlier.

AvosLocker affiliates are known to use legitimate software and open-source tools to remotely administer systems and steal data from corporate networks.

The FBI observed the use of custom PowerShell, web shells, and batch scripts to move through the network, escalate privileges, and disable security controls.

Among the tools named in the agencies' updated advisory are the following:
  • remote administration programs: Splashtop Streamer, Tactical RMM, PuTTY, AnyDesk, PDQ Deploy, Atera Agent;
  • open source network tunneling utilities: Ligolo, Chisel;
  • attacker emulation frameworks: Cobalt Strike and Sliver;
  • data collection utilities: LaZagne and Mimikatz;
  • tools for data exfiltration: FileZilla and Rclone.

Also in the attackers' arsenal were Notepad++, RDP Scanner, 7-Zip, and built-in Windows tools such as PsExec and Nltest.

Another common component of the attacks is malware named "NetMonitor.exe". It masquerades as a legitimate process and acts as a reverse proxy, allowing the attackers to connect into the compromised network. FBI experts have even published a dedicated YARA rule for detecting NetMonitor on the network.

"AvosLocker affiliates have compromised organizations in many critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments," the FBI and CISA experts report.

Agencies recommend that organizations implement advanced application control mechanisms, including whitelists, and prevent the use of portable versions of unauthorized utilities.

Best practices for protecting against the threat also include limiting the use of the Remote Desktop Protocol (RDP), implementing multi-factor authentication (MFA), and applying the principle of least privilege. Organizations should disable command-line and PowerShell scripting for users who do not need them for their work.

Regular software updates, the use of long passwords stored only in hashed form, and network segmentation also remain standing recommendations from security experts.
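As an added example (not part of the article or the advisory), a small hunting routine that applies the tool list above together with the application-control recommendation to process-creation events: dual-use administration and transfer tools are flagged only when they run from outside an approved install directory, while tunnelers, credential dumpers and NetMonitor are flagged on every execution. The event format, binary-name fragments, approved directories and sample events are assumptions constructed for this example.

```python
import ntpath

# Lower-cased filename fragments for the tools the article lists.  Exact binary
# names are assumptions; Cobalt Strike and Sliver have no fixed name and are omitted.
TOOL_CATEGORIES = {
    "remote administration": ("splashtop", "tacticalrmm", "putty", "anydesk",
                              "pdqdeploy", "ateraagent"),
    "network tunneling": ("ligolo", "chisel"),
    "credential collection": ("lazagne", "mimikatz"),
    "data exfiltration": ("filezilla", "rclone"),
    "reverse proxy": ("netmonitor",),
}
# Categories with no expected business use: every execution is a finding.
ALWAYS_FLAG = {"network tunneling", "credential collection", "reverse proxy"}
# Assumed sanctioned install dirs; a dual-use tool elsewhere counts as a portable copy.
APPROVED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

def classify(image_path):
    """Map an executable path to an advisory tool category, or None."""
    name = ntpath.basename(image_path).lower()
    for category, fragments in TOOL_CATEGORIES.items():
        if any(fragment in name for fragment in fragments):
            return category
    return None

def hunt(events, approved_dirs=APPROVED_DIRS):
    """Return (host, executable, category, reason) for process starts to review."""
    findings = []
    for event in events:
        image = event["image"]
        category = classify(image)
        if category is None:
            continue
        if category in ALWAYS_FLAG:
            reason = "tool has no expected business use"
        elif not image.lower().startswith(approved_dirs):
            reason = "copy running outside an approved install directory"
        else:
            continue  # sanctioned install of dual-use software
        findings.append((event["host"], ntpath.basename(image), category, reason))
    return findings

# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"host": "ws02", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"host": "srv01", "image": r"C:\Windows\Temp\NetMonitor.exe"},
    {"host": "srv02", "image": r"C:\ProgramData\chisel.exe"},
    {"host": "ws03", "image": r"C:\Program Files\Notepad++\notepad++.exe"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields three leads (the portable AnyDesk copy, NetMonitor.exe and chisel.exe) and ignores the sanctioned AnyDesk install and Notepad++; every lead still needs review against the organization's own allow-list before any blocking decision.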

The current AvosLocker guidance complements the previous advisory published by the FBI back in March last year. That advisory noted that some AvosLocker ransomware attacks exploited vulnerabilities in on-premises Microsoft Exchange servers.