by ianhawes 2504 days ago
Interesting to me that the attackers were well equipped in their phish and 0days, but then opted to drop fairly detectable RATs.

Yeah, they could have moved processes before execing the shell. Detecting "Firefox + Shell" is quite easy and standard, even in existing SIEMs.

Detecting "arbitrary program + shell" is at least moderately more difficult.

It's the attacker's dilemma though. They only need to trip one alarm to trigger IR.

The biggest fail here was that 32 bit program warning, which probably alerted the employee.

Notice that they didn't actually have an alert for Firefox+Shell, they detected that later by inspecting the audit logs.

> We detected the attacker at this stage, based on a number of behaviors (e.g. Firefox shouldn’t spawn a shell).

They explicitly state it was one of the behaviors they detected as suspicious.
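To make the detection point in these comments concrete, here is a small added example (not from the thread or the write-up being discussed) that walks process-creation events and flags the "browser spawned a shell" lineage, plus the harder "arbitrary program + shell" case via an assumed allowlist of parents that legitimately launch shells. The event format, the browser/shell name sets, and the allowlist are all assumptions constructed for the example.

```python
# Added example: parent/child process-lineage detection for "Firefox + shell"
# and the more general "unexpected parent + shell" rule. Event records are a
# constructed, simplified stand-in for auditd/Sysmon process-creation logs.
import re
from dataclasses import dataclass

BROWSERS = {"firefox", "firefox.exe", "chrome", "chrome.exe", "iexplore.exe"}
SHELLS = {"sh", "bash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}
# Assumed allowlist of parents that legitimately spawn shells; tune per environment.
EXPECTED_SHELL_PARENTS = {"sshd", "cron", "gnome-terminal", "explorer.exe", "systemd"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path as logged (POSIX or Windows style)


def basename(image: str) -> str:
    """Normalise an image path to its lowercase file name."""
    return re.split(r"[\\/]", image)[-1].lower()


def detect(events):
    """Return (rule, parent_name, child_name) alerts for suspicious shell spawns."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        child = basename(e.image)
        if child not in SHELLS:
            continue
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else "<unknown>"
        if pname in BROWSERS:
            # The narrow, high-confidence rule the comments call easy to write.
            alerts.append(("browser_spawned_shell", pname, child))
        elif pname not in EXPECTED_SHELL_PARENTS:
            # The broader rule: any shell whose parent is not a known launcher.
            alerts.append(("unexpected_shell_parent", pname, child))
    return alerts


# Constructed sample events: sshd and cron shells are expected; a browser and a
# document viewer (assumed name) spawning shells should both be flagged.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "/usr/sbin/sshd"),
    ProcEvent(101, 100, "/bin/bash"),
    ProcEvent(200, 1, "/usr/lib/firefox/firefox"),
    ProcEvent(201, 200, "/bin/sh"),
    ProcEvent(300, 1, "/opt/acrobat/acroread"),
    ProcEvent(301, 300, "/bin/bash"),
    ProcEvent(400, 1, "/usr/sbin/cron"),
    ProcEvent(401, 400, "/bin/sh"),
]
```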

Very likely that they bought the exploit and did the rest themselves, so, their skill at phishing, exploiting and RATing won't be correlated.

I was thinking the same thing. The RAT they used is well known in underground skiddie forums; it's known for being expensive and shitty.