Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations
Briefly

"In one organization, the adversary moved from initial access to nine additional endpoints over the course of eleven hours, deploying a mix of custom Havoc Demon payloads and legitimate RMM tools for persistence, with the speed of lateral movement strongly suggesting the end goal was data exfiltration, ransomware, or both."
"It's worth noting that the modus operandi is consistent with email bombing and Microsoft Teams phishing attacks orchestrated by threat actors associated with the Black Basta ransomware operation in the past. While the cybercrime group appears to have gone silent following a public leak of its internal chat logs last year, the continued presence of the group's playbook suggests two possible scenarios."
"The attack chain begins with a spam campaign aiming to overwhelm a target's inboxes with junk emails. In the next step, the threat actors, masquerading as IT support, contact the recipients and trick them into granting remote access to their machines either via a Quick Assist session or by installing tools like AnyDesk."
Huntress identified a campaign in which attackers flooded victims' inboxes with spam and then placed phone calls impersonating IT support to obtain remote access to their machines, either through a Quick Assist session or by having the user install a tool such as AnyDesk. Once inside, the attackers deployed the Havoc C2 framework alongside legitimate RMM tools for persistence. In one case, the adversary compromised nine additional endpoints within eleven hours, a pace that suggests data exfiltration, ransomware, or both as the objective. The methodology mirrors earlier Black Basta ransomware operations, indicating either that former affiliates have joined other groups or that rival actors have adopted the same social-engineering playbook.
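The pattern described above (a mail-bombing burst against one mailbox, followed within hours by a remote-access tool starting on that user's endpoint) lends itself to a simple correlation rule. The following is an added example, not code from Huntress or The Hacker News. The event layouts, field names, the process names `QuickAssist.exe` and `AnyDesk.exe`, and the thresholds are all assumptions; the sample events are constructed.

```python
"""Correlate an inbound-mail burst with a later remote-access tool launch.

Added illustration of the attack chain in the summary above; not the
vendor's detection logic. Event shapes and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2025, 1, 15, 9, 0, 0)  # constructed reference time

# Constructed mail-gateway events: (timestamp, recipient user id).
# "alice" receives 60 messages in five minutes; "bob" receives a normal trickle.
MAIL_EVENTS = [(BASE + timedelta(seconds=5 * i), "alice") for i in range(60)]
MAIL_EVENTS += [(BASE + timedelta(minutes=7 * i), "bob") for i in range(5)]

# Constructed endpoint process-start events: (timestamp, user id, process name).
PROC_EVENTS = [
    (BASE + timedelta(minutes=30), "alice", "QuickAssist.exe"),  # inside lookahead
    (BASE + timedelta(minutes=45), "bob", "AnyDesk.exe"),        # no preceding burst
    (BASE + timedelta(minutes=50), "alice", "notepad.exe"),      # not a remote tool
    (BASE + timedelta(hours=6), "alice", "AnyDesk.exe"),         # outside lookahead
]

# Process names assumed for the remote-access tools named in the article.
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}


def find_mail_bursts(events, window=timedelta(minutes=10), threshold=50):
    """Return {recipient: burst_start} for recipients that received at least
    `threshold` messages inside any sliding `window`."""
    by_recipient = defaultdict(list)
    for ts, recipient in events:
        by_recipient[recipient].append(ts)

    bursts = {}
    for recipient, times in by_recipient.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            # Advance the left edge until the window fits.
            while t - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                bursts[recipient] = times[left]
                break
    return bursts


def correlate(mail_events, proc_events, lookahead=timedelta(hours=4)):
    """Alert when a remote-access tool starts for a user within `lookahead`
    of that user's mail burst. Returns a list of (user, process, timestamp)."""
    bursts = find_mail_bursts(mail_events)
    alerts = []
    for ts, user, proc in proc_events:
        if proc.lower() not in REMOTE_TOOLS or user not in bursts:
            continue
        start = bursts[user]
        if start <= ts <= start + lookahead:
            alerts.append((user, proc, ts))
    return alerts


if __name__ == "__main__":
    for user, proc, ts in correlate(MAIL_EVENTS, PROC_EVENTS):
        print(f"{ts.isoformat()} {user}: {proc} started after mail burst")
```

The rule deliberately keys on the combination rather than either signal alone: a mail burst by itself is a nuisance, and a Quick Assist or AnyDesk launch by itself is often legitimate help-desk activity, but the two in sequence for the same user match the chain the article describes. The window, threshold, and lookahead should be tuned to the organization's normal mail volume and support workflow.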
Read at The Hacker News