Techniques and tactics of cybercriminals
Solar JSOC CERT report
rt-solar.ru
rt.ru

About the report
The report is based on investigations conducted by the Solar JSOC CERT team from
March 2022 to March 2023. It provides general information about all types of
incidents and data on the main techniques and tactics of intruders. A total of
40 incidents related to penetration into the IT infrastructure of various
companies and organizations were recorded during the reporting period.
We have identified 3 main tactics that are the basis for most malicious activity
detection rules in various information protection tools.
Key targets of the attackers
38%  Expansion of the infrastructure for monetary remuneration
38%  Hacktivism
20%  Infrastructure hacking for cyber espionage by APT groups
4%   The rest
Sectoral affiliation of the affected organizations
51%  Public sector
10%  Industry
10%  Agriculture
10%  Telecom
8%   Trade and services
5%   Energy
3%   NPO (non-profit organizations)
3%   Finance
Key figures
72%      of cases involved hackers infiltrating the infrastructure through
         known vulnerabilities.
7 days   the average time it took the attackers to reach their goal.
5 times  the number of hacktivist attacks has risen over the year.
Initial access was gained through
54%  Exploit Public-Facing Application
8%   External Remote Services
4%   Phishing
4%   Supply Chain Compromise
30%  Others
Expansion of the infrastructure for the purpose of obtaining monetary remuneration

Companies from a wide range of industries, including the public sector, agriculture, retail,
higher education, and charitable organizations, have faced attacks of this type.
Toolkit used by attackers to exploit systems within the infrastructure:
Phobos, VoidCrypt, Cring, Spook, BitLocker, Conti

Additional tools used:
Cobalt Strike, Mimikatz, NLBrute, Ligolo-ng, FRPC, Impacket, Sysinternals Suite
Initial Access
Technique                                          Share (%)
Exploit Public-Facing Application (T1190)          70%
External Remote Services (T1133)                   30%
Execution
Technique                                                       Share (%)
Command and Scripting Interpreter: PowerShell (T1059.001)       50%
System Services: Service Execution (T1569.002)                  40%
Command and Scripting Interpreter: Visual Basic (T1059.005)     10%
Persistence
Technique                                                                          Share (%)
Server Software Component: Web Shell (T1505.003)                                   60%
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)  20%
Create Account: Local Account (T1136.001)                                          10%
Scheduled Task/Job: Scheduled Task (T1053.005)                                      5%
External Remote Services (T1133)                                                    5%
Lateral Movement
Technique                                                  Share (%)
Remote Services: Remote Desktop Protocol (T1021.001)       70%
Lateral Tool Transfer (T1570)                              15%
Remote Services: SMB/Windows Admin Shares (T1021.002)      15%
In the majority (70%) of projects, initial access to the infrastructure was gained through
vulnerabilities in services exposed to the Internet. The most frequent vulnerability of
this type is ProxyLogon (a critical vulnerability in Microsoft Exchange Server).
It allows two vectors to be realized at once:
- quickly gaining access to users' correspondence (including that of top
  management) for its subsequent publication or for blackmail with a ransom demand;
- infiltrating the infrastructure and developing an attack inside the victim's network.
Despite the ease of use and widespread deployment of MS Exchange as a product, many
companies are in no hurry to close the vulnerability on the perimeter, which is what
attackers take advantage of.
Overall, the volume of such incidents investigated by Solar JSOC CERT remained at
the 2020-2021 level. The only difference is that in 2022 we did not see any incidents
in this category that started with phishing emails. This may be due to the fact that,
since the beginning of the special military operation, companies have quickly configured
basic antivirus software that protected against mass malicious e-mails.
Hacktivism

Additional tools used:
Cobalt Strike, Mimikatz, Impacket, AnyDesk
Initial Access
Technique                                                               Share (%)
Exploit Public-Facing Application (T1190)                               67%
Valid Accounts: Local Accounts (T1078.003)                              25%
Supply Chain Compromise: Compromise Software Supply Chain (T1195.002)    8%
Execution
Technique                                                               Share (%)
Command and Scripting Interpreter: Unix Shell (T1059.004)               76%
Command and Scripting Interpreter: Windows Command Shell (T1059.003)    12%
System Services: Service Execution (T1569.002)                          12%
Persistence
Technique                                                  Share (%)
Server Software Component: Web Shell (T1505.003)           60%
Valid Accounts: Local Accounts (T1078.003)                 20%
Account Manipulation: SSH Authorized Keys (T1098.004)      10%
Create Account: Local Account (T1136.001)                  10%
Lateral Movement
Technique                                                  Share (%)
Remote Services: SSH (T1021.004)                           45%
Remote Services: Remote Desktop Protocol (T1021.001)       28%
Remote Services: SMB/Windows Admin Shares (T1021.002)      27%
Impact
Technique                               Share (%)
External Defacement (T1491.002)         58%
Exfiltration (TA0010)                   26%
Internal Defacement (T1491.001)          8%
Data Destruction (T1485)                 8%
Hacktivism is the main trend of 2022. From a technical point of view (tools used, tactics and
techniques), incidents in this category were not particularly complex, but there were 5 times
more of them than in the previous year. By the fourth quarter of 2022 the number of such
attacks began to decrease. The motivation of hacktivists began to decline, and some of those
who remained began to improve their skills and unite under professionals.
According to our statistics, the public sector was the most frequent target of hacktivist
attacks, followed by finance, telecom and energy. As a rule, these were well-known organizations
familiar to the general public, attacks on which could cause a public resonance.
As in the previous cases, the vast majority of attacks started with the exploitation of
vulnerabilities in web services. Specifically, in our investigations we have seen hacks of such
popular services as Exchange, Wowza Streaming Engine, Horizon, Apache, Oracle WebLogic Server,
Bitrix, Joomla, and Drupal. This was followed by website defacement, irreversible encryption
(without ransom demands) and data theft.
Hacking the infrastructure for the purpose of cyber espionage by APT groups

Approximate list of the groups we identified:
APT27, APT41, APT10, Lazarus Group

Malicious tools used by these groups in incidents:
PlugX, Light, Shadowpad, Mirage, Microcin, Gh0st Rat, MATA Framework

Additional tools used:
Impacket, Mimikatz, Cobalt Strike, SharpHound, noPac, SMBScan, Nbtscan, EarthWorm, Rubeus,
Go-SOCKS5, Rssocks
Initial Access
Technique                                              Share (%)
Exploit Public-Facing Application (T1190)              40%
Trusted Relationship (T1199)                           40%
Phishing: Spearphishing Attachment (T1566.001)         20%
Execution
Technique                                                               Share (%)
Command and Scripting Interpreter: Windows Command Shell (T1059.003)    60%
Command and Scripting Interpreter: PowerShell (T1059.001)               30%
Scheduled Task/Job: Scheduled Task (T1053.005)                          10%
Persistence
Technique                                                                          Share (%)
Server Software Component: Web Shell (T1505.003)                                   35%
Create or Modify System Process: Windows Service (T1543.003)                       35%
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)  30%
Lateral Movement
Technique                                                  Share (%)
Remote Services: Remote Desktop Protocol (T1021.001)       80%
Remote Services: SMB/Windows Admin Shares (T1021.002)      20%
The main targets of APT groups were state authorities.
In general, incidents related to the penetration of APT groups into company infrastructures
remain at the same level as in previous years. The diversity of methods for gaining initial
access also remains.
A special feature of 2022 is that investigations related to infiltration of the infrastructure
through contractors have become more numerous than those related to infection by classic
phishing emails. At the beginning of the year, attackers actively targeted the most
vulnerable contractors and used them to reach their original targets.
After a brief lull, there was a new surge of attacks through contractors, because the
main targets of the hackers, critical information infrastructure (CII) entities, had
significantly improved their security and the attackers had to look for weaknesses
through contractors again.
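The three sets of technique tables above (monetary, hacktivism, APT) lend themselves to one consolidated view. The Python example below is added here and is not the report's or Solar JSOC's own code: it weights each category's technique shares by that category's share of incidents (38%, 38%, 20%, dropping the 4% "rest" and renormalising the weights) to rank which techniques deserve detection coverage first across all three threat categories. The shares are transcribed from the tables above; the weighting scheme itself is an assumption, not a method the report describes.

```python
# Added example, not the report's own code: weight each threat category's ATT&CK
# technique shares by that category's share of incidents (38% monetary, 38% hacktivism,
# 20% APT; the 4% "rest" is dropped and weights renormalised) for detection priority.
CATEGORY_WEIGHT = {"monetary": 0.38, "hacktivism": 0.38, "apt": 0.20}

# tactic -> category -> {technique id: share in %}, transcribed from the report's tables
SHARES = {
    "Initial Access": {
        "monetary":   {"T1190": 70, "T1133": 30},
        "hacktivism": {"T1190": 67, "T1078.003": 25, "T1195.002": 8},
        "apt":        {"T1190": 40, "T1199": 40, "T1566.001": 20},
    },
    "Persistence": {
        "monetary":   {"T1505.003": 60, "T1547.001": 20, "T1136.001": 10,
                       "T1053.005": 5, "T1133": 5},
        "hacktivism": {"T1505.003": 60, "T1078.003": 20, "T1098.004": 10,
                       "T1136.001": 10},
        "apt":        {"T1505.003": 35, "T1543.003": 35, "T1547.001": 30},
    },
    "Lateral Movement": {
        "monetary":   {"T1021.001": 70, "T1570": 15, "T1021.002": 15},
        "hacktivism": {"T1021.004": 45, "T1021.001": 28, "T1021.002": 27},
        "apt":        {"T1021.001": 80, "T1021.002": 20},
    },
}

def weighted_prevalence(tactic):
    """Return [(technique, weighted share %)] for a tactic, highest first.
    weighted share = sum over categories of (weight * share) / sum of weights, so a
    technique seen in all three categories outranks one dominant in only one."""
    total_weight = sum(CATEGORY_WEIGHT.values())
    acc = {}
    for category, shares in SHARES[tactic].items():
        for technique, share in shares.items():
            acc[technique] = acc.get(technique, 0.0) + CATEGORY_WEIGHT[category] * share
    ranked = [(t, round(v / total_weight, 2)) for t, v in acc.items()]
    return sorted(ranked, key=lambda item: -item[1])

def top_technique(tactic):
    """Technique id and weighted share with the highest cross-category prevalence."""
    return weighted_prevalence(tactic)[0]

if __name__ == "__main__":
    for tactic in SHARES:
        print(tactic)
        for technique, pct in weighted_prevalence(tactic):
            print(f"  {technique:<10} {pct:5.1f}%")
```

Web shells (T1505.003) and RDP (T1021.001) come out on top for persistence and lateral movement respectively, which matches the report's narrative that these recur across all three attacker categories.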
Conclusions

In addition to their main activity (cryptocurrency or mining), the attackers massively
posted messages related to the special military operation. As a result, the number of
attacks related to hacktivism increased fivefold.
The most popular vectors of penetration into the victim's infrastructure are the
exploitation of vulnerabilities (often known for several years), attacks through
contractors (supply chain and trusted relationship), compromise of user data, and
phishing.
The speed of attacks has changed dramatically. Whereas it used to take months
from an attacker entering an infrastructure to breaking in and stealing money or
data, hackers now take an average of 7 days to achieve their goal.
Less professional hackers have begun to unite under highly skilled attackers, and
various tools for carrying out attacks are increasingly being distributed for free on
darknet forums or in Telegram channels.
The activity of pro-government APT groups has increased. Their interests have long
not been limited to federal and regional authorities: we meet them in the infrastructures
of energy companies and even in the media. At the same time, in the wake of constant
cyberattacks, information security staff have become more attentive to incidents, which
has made it possible to detect more professional attackers and their movement through
the network much more quickly.
rt.ru | rt-solar.ru
Email: solar@rt-solar.ru
Phone: +7 (499) 755-07-70