Articles written by Adlumin’s Threat Research Team on emerging threats, industry stats, and defense tactics against cyberattacks.

A Threat Actor's Playbook: Behind the Scenes of Akira Ransomware

By: Adlumin Threat Research and MDR Teams

Adlumin’s Threat Bulletin Series

A Threat Actor’s Playbook: Behind the Scenes of Akira Ransomware is a part of Adlumin’s Threat Bulletin Series content series.

In the world of cybercrime, a new player continues to rise: Akira Ransomware. With historical evidence pointing towards nation-state sponsorship, particularly from Chinese Advanced Persistent Threat (APT) groups, this insidious malware has been targeting businesses in the supply chain. However, what sets Akira apart is its focus on smaller tech companies and startups, which are often backed by wealthy investors and at the forefront of technological innovation.


  • Historical attack indicators point to nation-state-sponsored groups such as Chinese Advanced Persistent Threat (APT) groups using the new Akira ransomware to target businesses in the supply chain.
  • Adlumin has observed that Akira ransomware has been used against smaller tech companies/startups since it debuted in March.  These firms tend to develop innovative solutions using the latest technology and often have the backing of wealthy investors – all valuable information in the dark web.
  • Some of the IP addresses involved in an attack that Adlumin recently investigated were registered to Alibaba Cloud, a subsidiary of Alibaba Group, making the connection to Chinese APTs stronger.
  • Akira ransomware gains access through various attack vectors, including phishing campaigns and exploiting vulnerabilities in remote monitoring and management software (RMM). Notably, the actors behind these attacks also target vulnerabilities in VPN products, again hinting at potential involvement from Chinese APTs who have historically leveraged exploitation through VPNs.
  • Akira ransomware utilizes various tools and techniques, including the use of distinct tools during operation and the encryption mechanisms used to generate and safeguard encryption keys.

Disrupting the Technology Sector 

With the recent targeting of yet another American technology startup in a cyberattack last week, cybersecurity analysts at Adlumin are now considering a crucial question: Could nation-state-sponsored groups potentially be utilizing the Akira ransomware to disrupt the supply chain?

Newcomer malware, Akira ransomware, continues to impact mid-market entities in the utility, construction, manufacturing, education, and transportation sectors, not just in the U.S. but also in countries like Sweden, Australia, Argentina, Japan, and others.

The threat actors behind these attacks have been increasingly targeting smaller tech companies and software makers of IT solutions aimed at educators, office administrators, consultants, entrepreneurs, and even hobbyists.

Akira ransomware attack victims in the IT sector include Cequint, Wilcom, GC&E, WTI Western Telematic, Computer Information Concepts, and Optimum Technology.

The recent Akira ransomware incident examined by Adlumin’s Managed Detection and Response (MDR) analysts also targeted a firm within the IT industry. The malicious actors employed typical tactics, techniques, and procedures (TTPs) like brute force attacks, lateral movement, and credential theft. Nevertheless, indications suggest the potential involvement of a significantly larger entity in these breaches. This assumption stems from the historical behavior of advanced persistent threats (APTs), which often disrupt the supply chain by targeting small enterprises.

Vectors and Exploitation 

Akira ransomware made its debut in the malware landscape in March 2023. Since then, threat actors have been using methods like phishing campaigns, exploiting vulnerabilities in remote monitoring and management software (RMM), remote desktop protocol (RDP), and tools like RustDesk for remote access. There have also been recent news reports about threat actors using vulnerabilities and compromised credentials in Cisco virtual private network (VPN) products as additional ways of carrying out attacks.

Adlumin MDR analysts theorize that threat actors behind last week’s attack infiltrated the victim’s network through their VPN due to the numerous VPN events detected by the Adlumin Security Operations Platform in the initial stages of the attack.

Analysts also found that numerous IP addresses used by the threat actors in the attack were registered to Alibaba Cloud, a subsidiary of the Chinese conglomerate Alibaba Group. Researchers at RSA have previously found that Chinese APTs frequently use VPNs and VPN tunneling as a tactic for exploitation and to hide their tracks and exfiltrate data. Furthermore, upon review of network data logs, numerous destination ports during the attack were to servers in China. However, other destinations included servers in Singapore, Paris, Russia, and even cities within the U.S., such as Los Angeles.

Lateral Movement 

Once in the networks, the malicious actors initiated lateral movement — compromising hosts running Windows Servers 2012, 2016, and 2019.

Akira ransomware distinguishes itself by its ability to exploit vulnerabilities in Linux systems, marking a departure from conventional ransomware. Research indicates that attacks on Linux machines surged by 75 percent in 2022.

Notably, two endpoints running Ubuntu Bionic Beaver 18.04.6 LTS and Ubuntu 18.04.03 LTS were indeed targets of the attack.

Data Deletion and Exfiltration

Threat actors escalated tactics using PowerShell commands to delete shadow copies with “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject.”

Threat actors then moved to file encryption. MDR analysts identified encrypted files marked with the “.akira” extension, such as “foo.doc.akira.” Additionally, an accompanying ransom note named “akira_readme.txt” was discovered.

Adlumin MDR analysts suggested that the data theft might have occurred using DNS, a method commonly employed by APTs to minimize detection. This technique involves breaking down the stolen data into smaller encrypted chunks, which are then sent to external servers using UDP instead of TCP. The exact amount of data taken in the attack is still unknown, and the investigation is ongoing.

Akira Ransomware Analysis 

The following is an analysis of the Akira Ransomware from Adlumin’s Threat Research Team with supportive information from other sources (listed at the end of this section).

Attack Process: The incursion initiates when an instance of the Akira ransomware is activated. Upon execution, the ransomware eliminates Windows shadow volume copies on the targeted device. Subsequently, the ransomware encrypts specific file types with predetermined extensions. It modifies each encrypted file’s name by adding the ‘.akira’ extension during this encryption procedure.

During encryption, the ransomware halts active Windows services using the Windows Restart Manager API to ensure an uninterrupted encryption process. It focuses on encrypting files within various hard drive directories, excluding certain folders like program data, recycle bin, boot, system volume information, and Windows folders.

Notably, Windows system files with extensions such as .sys, .msi, .dll, .lnk, and .exe remain untouched to maintain system stability. In most infiltration cases, unauthorized parties exploit compromised credentials to gain initial entry to the victim’s environment.

It is noteworthy that a significant number of victim organizations did not enable multi-factor authentication (MFA) for their VPNs. The source of the compromised credentials is uncertain, but it is plausible that threat actors acquired access or credentials from illicit sources on the dark web.

Toolset: Upon obtaining initial access, the Akira ransomware employs a distinct variety of tools, including PCHunter, Advanced IP Scanner, AdFind, SharpHound, MASSCAN, Mimikatz, LaZagne, AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, Ngrok, WinRar, WinSCP, Rclone, FileZilla, and PsExec.

During operation, the ransomware generates a symmetric encryption key using the CryptGenRandom() function, a Windows CryptoAPI random number generator. The symmetric key undergoes further encryption using the RSA-4096 cipher and is appended to the end of the encrypted file. The specific public key used is hardcoded within the ransomware’s binary code and varies across different instances.

Malware Analysis Supportive Sources:


There could be many reasons why APTs may be going after smaller, lesser well-known IT companies. Among these is the prospect of acquiring intellectual property, particularly considering that these startups may be developing new technology that holds significant value in the dark web.

Perhaps threat actors are looking for information on how these companies are funded, including names of investors who could potentially become targets of future spear and whale phishing campaigns.

Whatever the case may be, adversaries are finding that these IT firms have weaker network security than tech giants and thus become easy targets for their aggressive attacks.

Akira Ransomware Indicators of Compromise (IOCs) 


  • 431d61e95586c03461552d134ca54d16
  • af95fbcf9da33352655f3c2bab3397e2
  • c7ae7f5becb7cf94aa107ddc1caf4b03
  • d25890a2e967a17ff3dad8a70bfdd832
  • e44eb48c7f72ffac5af3c7a37bf80587
  • 302f76897e4e5c8c98a52a38c4c98443
  • 9180ea8ba0cdfe0a769089977ed8396a68761b40
  • 1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296

Summer 2023: Uncovering Cyber Threats in Education

By: Brittany Demendi, Corporate Communications Manager

With classes now back in session, the education sector continues to face unique cybersecurity challenges due to its diverse user base, limited IT resources, and increasing adoption of Chromebook and other devices.  

Adlumin’s Threat Research Team uncovers double extortion ransomware as one of the leading threats against educational institutions. This type of attack focuses on hackers encrypting data and threatening to leak it. Threats like this put educational institutions at risk of emotional distress, privacy loss, and legal consequences.  

To better understand the cybersecurity challenges and emerging threats facing the education sector, download Cyber Threat Insights: Education Edition. This report provides valuable insights into the risks faced by educational institutions and emphasizes the importance of investing in proper cybersecurity measures to protect sensitive data and safeguard against cyberattacks.  

Don’t wait until it’s too late – take the necessary steps to protect your enterprise network by learning more about the challenges and solutions in the education sector. 

PlayCrypt Ransomware Group Wreaks Havoc in Campaign Against Managed Service Providers

By: Kevin O’Connor, Director of Threat Research

Key Takeaways

  • The Adlumin Threat Research team uncovered a concentrated global campaign employing sophisticated Play ransomware (also identified as PlayCrypt). The campaign is currently targeting mid- market enterprises in the finance, software, legal, and shipping and logistics industries, as well as state, local, tribal and territorial (SLTT) entities in the U.S., Australia, U.K., and Italy. The PlayCrypt ransomware group was previously linked to the City of Oakland attack in March 2023.
  • Cybercriminals are directing their efforts towards the managed service providers (MSPs) of these enterprises, utilizing techniques such as remote monitoring and management (RMM) software as vectors or entry points into the targeted systems, which provides complete administrative access.
  • Additional attack vectors are Fortinet firewalls with 3–5-year-old vulnerabilities (CVE-2018-13379 and CVE-2020-12812), and other compromised software in the supply chain.
  • PlayCrypt ransomware’s code is highly obfuscated and shows strong resistance to typical analysis techniques. Notably, this ransomware group is the first to employ intermittent encryption – a technique that partially encrypts files in chunks of 0x100000 bytes to evade detection.
  • This article examines the tactics, techniques, and procedures (TTPs) of threat actors utilizing PlayCrypt, as mapped in the MITRE ATT&CK framework, and observed during an attack and subsequent investigation by the Adlumin MDR and Incident Response Teams.

Initial Access

Last month, in the wee hours of the night, a threat actor used PlayCrypt to leverage Remote Monitoring and Management (RMM) software used by service providers to gain direct access to a customer’s environment, bypassing the majority of its defenses.

RMM software serves as the central nervous system of modern-day service providers. It gives users unfettered, privileged access to networks so operators can deliver seamless support and IT operation functions to a distributed cohort of customers.

But the PlayCrypt ransomware group can utilize the same remote access capability to wreak havoc on mid-market firms.

The ransomware debuted in June 2022 and is strongly affiliated with the Balloonfly malware group. It employs double-extortion tactics, stealing victim data before encrypting their networks.

Recently, PlayCrypt expanded its toolkit with new tools and exploits like ProxyNotShell, OWASSRF, and a Microsoft Exchange Server Remote Code Execution.

Aside from hackers using remote desktop protocol servers as a vector for network infiltration, they can also use FortiOS vulnerabilities (CVE-2018-13379 and CVE-2020-12812), and other compromised software in the supply chain.

In the incident involving PlayCrypt ransomware, Adlumin analysts believe there were at least two potential methods of intrusion. The first possibility is that the hackers gained access through compromised remote desktop software credentials. The second is that they may have exploited a vulnerability in the software itself.


Once inside the victim’s network, attackers can move quickly to deploy more exploits to gain a solid foothold on the system. These exploits include PowerShell scripts, Microsoft Server Remote Code Execution, and batch files.

Defense Evasion

When exploits have given threat actors root access, they begin creating admin-privileged accounts that can be used to disable security tools. For example, the Adlumin MDR team noticed that hackers utilized the Windows registry to shut down Windows Defender after creating a privileged account.

Adversaries can also replicate the traffic patterns of legitimate users, thereby making it complicated for network security tools to discern between malicious and normal activities.

During the defense evasion stage, threat actors can also delete signs that they are in the system to throw off cybersecurity teams.

Credential Access

To evade detection, threat actors incorporate the use of tools such as Mimikatz to extract credentials. These compromised usernames and passwords are subsequently exploited to escalate privileges, execute lateral movement across the network, and facilitate data exfiltration.

Halting The Attack

The AI-powered Adlumin Security Operations platform was successful in detecting and stopping malicious activity when PlayCrypt ransomware was used. The platform uses automated Security Orchestration Automation and Response (SOAR) actions to isolate impacted endpoints, disable suspicious accounts, reset passwords, initiate scans, and more. As a result of the detections and SOAR actions taken, the MDR team immediately received notifications and started to investigate further and take additional mitigation actions.

During the incident, the MDR team discovered and stopped data exfiltration processes through the FTP port that the hacker had initiated. The team also found malware executables hidden in temporary and system folders.

Command and control (C2) systems activity was also detected. This information allowed an analyst to gather information on the hacker’s location through IP and geolocation.

Finally, analysts found that the hacker(s) also deleted volume shadow copies to prevent the customer from restoring from backups.

Incident Response

Adlumin Incident Response (IR) team joined the investigation to take a deeper dive into the threat actor’s TTPs and examined the malware used through reverse engineering.

The IR team found that PlayCrypt ransomware’s code is highly obfuscated and shows strong resistance to typical analysis techniques. Notably, this ransomware group is the first to employ intermittent encryption – a technique that partially encrypts files in chunks of 0x100000 bytes to evade detection.

Once in a network, threat actors utilize “lolbins” binaries in the ransomware attacks. They distribute executables through Group Policy Objects, employing scheduled tasks, PsExec, or WMIC. Upon achieving full network access, they encrypt files with the “.play” extension.


  • Adlumin recommends that customers choose MSPs with strong security records and know-how for identifying and handling data breaches.
  • As for MSPs, we recommend the use of stronger credentials and the implementation of multi-factor authentication to prevent threat actors from taking advantage of RMM software.

The Adlumin Advantage

The combination of automated SOAR actions implemented by the Adlumin’s Security Operations Platform and the rapid response of the MDR and Incident Response teams successfully thwarted the attacker’s advances. Had the hacker been successful, they would have held all the customer’s sensitive data hostage through encryption, demanding a ransom.

With the threat neutralized, Adlumin strengthened its defenses, armed with valuable insights from the reversed-engineered PlayCrypt ransomware samples. The IOCs uncovered during the investigation now serve as a robust shield against future attacks, ensuring the protection of customer data and upholding their commitment to cybersecurity excellence.

Inside Incident Response: A Cybersecurity Expert's Take

By: Krystal Rennie, Director of Corporate Communications

In today’s rapidly evolving digital landscape, cyber threats can be identified around every corner, leaving the role of a threat research team to be non-negotiable. Through continuous monitoring, proactive analysis, and timely dissemination of threat intelligence, threat research teams are tasked with fortifying defenses and empowering organizations to stay one step ahead of cyber adversaries.  

In this blog post, we sit down with the Adlumin Threat Research team’s Director, Kevin O’Connor to discuss their pivotal role, shed light on Incident Response, and how the team’s insights are essential in the ongoing battle against cyberthreats. 

Kevin, please tell us more about your team’s role. 

The threat research team works to proactively identify threats that may have bypassed security controls. Another way to think about it is we look for new threats that have yet to be detected. Since they have yet to be detected, there are no rules to protect against these threats, like a specific new type of malware. The Adlumin Threat Research team looks specifically for these undetected threats so we can build defenses to identify those threats in the future.  

We’re also responsible for incident response for our customers. We work with customers when a breach has affected stored data or multiple systems and hasn’t been contained.  The team works with our customers to do complete, end-to-end incident response, identify the root cause, and eliminate the threat.  

Talk to us about the difference between investigation and incident response. 

An investigation analyzes a specific event that might have been triggered by a Managed Detection and Response (MDR) team or MDR software. An investigation looks at a particular event to see if it is malicious in nature, its disposition, and contain the threat from spreading.  

Incident response is the step that comes after an investigation, it includes a deeper dive into the events, additional analysis, potential reverse engineering, and most importantly, eradicating the threat. Then incident response determines the breach’s root cause and overall impact on the business and its assets. It focuses on discovering how the threat got into your network, how long it was there, what it did, and how it bypassed the defenses.  

What are the most common ways that attackers get in and what can customers do to protect themselves?

The most popular way attackers get in is through phishing or spear phishing emails.  

It’s the user who falls victim to these attempts and clicks the malicious link in their inbox that either leads them to a fake login site where they put in their credentials. The attacker can now access the e-mail account and associated productivity tools like OneDrive, Sharepoint and Word, where they can access files or add a malicious file. Or when users open infected attachments sent to them via email, the typical Word Document or PDF with malware is added to kick off the attack. The other half of it is being redirected to sites that then do browser-based exploitation; the attacker exploits your web connection to an accessed link to be able to put malware down on your device, I think those are the two paths within. The human interface between you and the computer results in a lot of exploitation.  

What adversary trends do you think we’ll see in the next year? 

I expect to see more examples of supply chain breaches that lead to compromise.  We saw it earlier with the MOVEit vulnerability, during SolarWinds, and even before that there’s been many examples of commercial software being used to attack the products customers. More advanced malware attackers look at supply chain compromises to enable attacks, especially widespread and against hardened targets.   

What are easy ways to quickly identify if you are being attacked vs being breached? 

It’s important to realize that most organizations are being attacked daily. Those daily attacks might be script kitties, but when we pull up any specific customer and look at their external network perimeter, we see attempts to get into any open services all the time, so the attacks are constant. 

In an attack, you’ll often see many signs of failed entry or exploitation attempts against the customer. So, if you think about an account inside of a customer, let’s say, the billing department, with access to all sorts of financial systems and billing data. And we see repeated phishing emails, maybe all using the same tactic, techniques, and procedure, to get that initial exploitation onto the victim’s machine – that might constitute an attack on your environment. 

Whereas, seeing things like excess connections from a specific host or something trying to reach back to your network is typically a sign of a breach. Other signs are actions taken on the network’s assets, like programs being installed, data being exfiltrated, or settings like security relevant logging being changed.  

What key items should be included in an Incident Response when a breach occurs? 

One of the most important parts that should be included in an Incident Response report is scope. With large-scale breaches, it can quickly reach numerous endpoints within your environment. You’ll need to know what network assets were compromised, what data was compromised, and what access the compromised users/systems have to the data. A timeline of infection and a timeline of exactly what was done, when, and how to contain it is also critical. 

Another key part of the IR report is the root cause analysis that explains how the attackers got into your system so you can close the door and lock it. Time is spent to eradicate the threat and if you don’t close that door the adversary could come back the next day and do the same thing over and over again. Plus, another attacker could also find the same door and exploit it. 

What do you enjoy most about your role?  

I enjoy finding new threats that haven’t been detected before. I love finding a new piece of malware that hasn’t been identified yet. It’s like when a scientist discovers a new animal in the wild. They found a new species of bird or beetle or whatever and get to document exactly how it works, what it does, and how it fits into the ecosystem. There’s a lot of technical investigation involved.  

For example, when we uncovered “PowerDrop,” a malicious PowerShell script that has set its sights on the U.S. aerospace industry, we discovered the malicious malware used advanced techniques to evade detection such as deception, encoding, and encryption. The malware runs remote commands against victim networks after gaining initial access, execution, and persistence into servers.

It’s a big puzzle that you put together, especially when you’re doing reverse engineering, it’s almost like an art and I enjoy it a lot.  

Incident Response and the Adlumin Advantage 

Most IR response firms use third-party tools and deploy it all over the environment to collect information and logs. A core capability of the Adlumin platform is we have insight into all the logs and events for the past three months or more for our customers, so we don’t have to deploy additional technology.  

The events are constantly being saved to a secure source, where attackers can’t really modify them. This is important because if you gather log sources after the attacker has disturbed the environment, the logs may have been poisoned. So, it’s hard to determine the truth. 

Since our agent is already collecting logs and events, even before an incident happens, a lot of the data is already safely stored and logged, which means we can cut down on incident response times and gives customers some savings while giving us an advantage in responding and catching attacks. 

To learn more about Adlumin’s Incident Response offering, download our datasheet today or contact one of our cybersecurity experts for demo.  

Unraveling Cyber Defense Model Secrets: DCSync Attacks

By: Joshua Beach, Detection Engineer and Andrew Chapin, Threat Researcher

Welcome to the Unraveling Cyber Defense Model Secrets series where we shine a light on Adlumin’s Data Science team and explore the team’s latest detections and learn how to navigate the cyberattack landscape.

DCSync Attacks are hard to protect and used often by cybercriminals who aim to takeover your network. In this blog, we’ll walk you through the methodology, detection and  more, let’s begin:

Domain control is a common intermediate goal in many cyber attack scenarios including Advanced Persistent Threat (APT), Inside Threat, and Ransomware. Executing a Domain Controller Sync (DCSync) attack is a popular method for achieving domain control. Often reliant on the exploit tool Mimikatz, DCSync can also be performed with manual methods.


A DCSync attack targets Windows Active Directory (AD).

In this type of attack, a threat actor targets a feature in AD called the domain controller (DC) which allows different parts of the network to share and synchronize data.

The domain controller is a high value target because it stores a secured database that contains sensitive information, such as user account records with usernames and password hashes.

During a DCSync attack, the threat actor attempts to trick the domain controller into sharing the user account information by utilizing the Directory Replication Service Remote (DRSR) protocol. This allows the threat actor to pretend to be another trusted domain controller that is part of the network.

A successful DCSync attack, allows an attacker to steal sensitive account records in the database. The attacker will then try to crack the password hashes and gain unauthorized access to user accounts (including to network admin or super-admin accounts) and gain more control over the network.


Adlumin has created a detection for DCSync Attacks that can recognize and alert on the methodology used by threat actors described above. This allows for quick mitigation and remediation for clients.

The starting point is to review Directory Replication Service Remote (DRSR) related logs found in the Windows security log. Specifically, events with ID 4662.

Then, logs are filtered to focus on entries where the requesting user possesses the necessary credentials to make domain requests. The logs are examined to identify any suspicious or unauthorized domain requests that may indicate a DCSync attack.

The challenge is to sift through benign activity in this subset of DRSR logs.

The DRSR protocol is primarily used within networks to provide redundancy for multiple domain controllers. Thus, DC to DC replication is considered normal, while DC to host replication is not.

Adlumin will flag any DCSync requests from non-DC hosts as potential malicious activity. A security team can then quickly identify and respond to any potential threats against the domain controllers running on the network.

Remediation View: 

The Problem

The DCSync attack methodology takes advantage of the Directory Replication Service Remote (DRSR) protocol to obtain sensitive information from a domain controller. This functionality is not a bug, but rather is intended activity to provide user friendly redundancy in a multi-DC network.

This technique involves an adversary masquerading as a domain controller (DC) and convincing the authentic DC to synchronize its database to the new rogue DC by issuing a replication request. The results of a successful DCSync attack will provide the adversary with password hashes of the targeted users. In most cases, this will include all users.

The Algorithm

By using the associated logs resulting from actual DCSync attacks, Adlumin is able to filter on their defining characteristics to build detections. A few of these factors include user replication rights, if the requesting machine is a DC or not, and access rights. This rule-based detection scans every 6 hours for any new cases of this occurrence and will alert you for further investigation.

User Actions

When encountering an alert indicating a domain user attempting DCSync requests, the objective is to determine if the alert is an active threat or a false positive. But how?

Let’s remember that attackers rarely perform actions in isolation. Threat actors tend to chain together several steps. Therefore, we can check for other actions in tandem with the DCSync request.

Below is a list of items to check:

Verify User Account and Behavior

Verify authorized creation of the user account and if the DCSync behavior is normal for your network. This detection alerts on DCSync related behavior, but some organizations have been found to back up their domain controller data to non domain controllers. If this behavior is normal and accepted within your network, disregard this alert.

Domain Controller Syncing
Ensure that the host machine of the suspected DCSync attack is NOT a domain controller. Failure to identify it as such may result in a false positive. DCSync activity between Domain controllers is generally benign.

Enumeration of Permissions
The attacker will often check which accounts have the required permissions to perform the DCSync attack before performing the attack. Here is an example command:

Exploit Command
To perform the attack a program must be executed to make the request to the other domain controller. We can check process execution on the machine that was the origin of the attack and search for any suspicious process execution that occurred at the time of the DCSync attack.

Text BoxHere are some example commands:

If the attacker has compromised a domain admin account, they may get the permissions required to perform the DCSync attack to another account.
Text BoxHere is an example command:

Network Traffic
The most effective way to discover and identify a DCSync attack is through network monitoring. Confirming whether the attack originated from a DC IP address on your network is much faster and less prone to false positives.

Here are some example Suricata signatures:

  1. Quarantine the DCSync user.
  2. Identify which credentials were compromised.
  3. Reset the credentials.

To make DCSync attacks more difficult, be sure to carefully control the following privileges in Active Directory:

  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes In Filtered Set

Decoding PowerDrop Vulnerability: AI and ML in Adlumin's Threat Hunting

Event details:

Thursday, July 27, 2023
2:00 PM EST


Kevin O’Connor, Director of Threat Research at Adlumin

About this talk:

In the ever-evolving landscape of cybersecurity threats, organizations face the constant challenge of detecting and mitigating sophisticated attacks in a timely manner. Implementing automation and machine learning into a threat hunting strategy is key, but what does that look like in practice?

Join Adlumin’s Director of Threat Research, Kevin O’Connor, as he demonstrates how his team discovered and remediated PowerDrop, an insidious PowerShell script for command and control attacks targeting the U.S. aerospace defense industry.

During Kevin’s live demo, you will learn:

  • How Adlumin’s Threat Research Team used Artificial Intelligence (AI) and Machine Learning (ML) to detect and remediate PowerDrop
  • Daily threat hunting methodologies employed by O’Connor and his team
  • Exploring the advantages of AI and ML in the field of threat hunting

As a thank you for joining our webinar, we’ll send you our new overview guide, The Executive’s Overview to Proactive Cybersecurity: Harnessing the Power of Security Operations. Additionally – one lucky attendee will receive a $200 Amazon gift card.

Navigating the MOVEit Vulnerability: How to Protect Your Organization

MOVEit or lose it: The vulnerability has been taking the industry by storm over the last few weeks. The vulnerability was found in the software, MOVEit Transfer and MOVEit Cloud. The tool is used to securely transfer files and encrypt data as it travels from one organization to another. The exploitation of this flaw could lead to escalated privileges and potential unauthorized access to the environment and then to servers and networks.

The flaw was first made public on June 2, but according to Microsoft, it was first observed on May 27, 2023. A second vulnerability was disclosed on June 15 and patched on June 16. The newest victims include several large financial institutions, educational institutions, SkillSoft and Norton LifeLock.

The Threat Actor Behind the Attacks

According to Microsoft, Lace Tempest is the cyber gang behind the exploitation of MOVEit software. The group is known for its use of Cl0p ransomware malware to attack banking, retail, education, transportation, manufacturing, engineering, automotive, energy, aerospace, telecommunications, professional and legal services, and other sectors.

The Cl0p ransomware gang has claimed responsibility for discovery and use of the associated vulnerabilities in zero-day exploit attacks against hundreds of companies using the publicly facing vulnerable MOVEit software and claims to have begun their operations May 27th, days before the first vulnerability was reported to NIST. 

Adlumin’s Threat Research finds this a rare example but increasingly common example of a severe zero-day vulnerability first being discovered and used by Ransomware-as-a-Service gangs along with gangs increasing migration to data extortion or double extortion as a tactic.

Below are the affected software versions:

  • MOVEit Transfer 2023.0.0 (15.0) 
  • MOVEit Transfer 2022.1.x (14.1) 
  • MOVEit Transfer 2022.0.x (14.0) 
  • MOVEit Transfer 2021.1.x (13.1) 
  • MOVEit Transfer 2021.0.x (13.0) 
  • MOVEit Transfer 2020.1.x (12.1) 
  • MOVEit Transfer 2020.0.x (12.0) or older. 
  • MOVEit Cloud

Block MOVEit through Patching

Progress Software has released patches for the three identified vulnerabilities so far, including for a vulnerability where exploitation has not yet been observed:

  • CVE-2023-35708 
  • CVE-2023-35036 
  • CVE-2023-34362

If you are using any of the above versions, Adlumin recommends that you patch immediately.

How to Protect Your IT Environment

Adlumin’s Threat Research team has looked for indicators of compromise across our customer data. One strong indicator is the existence of the file “human2.aspx” in the folder C:\MOVEitTransfer\wwwroot.

Below are the known IOCs to lookout for:

Web Shell

  • LEMURLOOT Web Shell

*We received these IOCs from a third-party source.

The Adlumin Approach

Adlumin has hunted for the indicators of compromise that have been reported publicly so far across all of our customers’ environments. We have also developed additional detections to monitor follow-on activity by the threat actor. Adlumin’s Threat Research Team will continue to monitor the threat, including the Cl0ps darknet leak site, and will notify customers accordingly.