Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Endpoint. Show all posts

Tackling the Top Initial Attack Vectors in Ransomware Campaigns

Ransomware attacks remain a major concern for organizations worldwide, causing significant financial losses and operational disruptions. A recent report by Kaspersky sheds light on the primary attack vectors used in ransomware campaigns, highlighting the importance of addressing these vulnerabilities to mitigate the risk of an attack.

According to the report, three common initial attack vectors account for the majority of ransomware campaigns: phishing emails, vulnerable remote access services, and software vulnerabilities. These vectors serve as entry points for threat actors to gain unauthorized access to systems and initiate ransomware attacks.

Phishing emails remain one of the most prevalent methods used by attackers to distribute ransomware. These emails often employ social engineering techniques to deceive users into opening malicious attachments or clicking on malicious links, leading to the execution of ransomware on their devices. It is crucial for organizations to educate employees about recognizing and avoiding phishing attempts and to implement robust email security measures to filter out such malicious emails.

Vulnerable remote access services pose another significant risk. Attackers target exposed Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services, exploiting weak or compromised credentials to gain unauthorized access to networks. Organizations should implement strong authentication mechanisms, enforce secure password practices, and regularly update and patch their remote access solutions to mitigate this risk.

Software vulnerabilities also play a crucial role in enabling ransomware attacks. Threat actors exploit known vulnerabilities in operating systems, applications, or plugins to gain a foothold in networks and deploy ransomware. It is essential for organizations to establish a comprehensive patch management process, promptly applying security updates and patches to address known vulnerabilities.

To effectively combat ransomware campaigns, organizations should adopt a multi-layered security approach. This includes implementing strong perimeter defenses, such as firewalls and intrusion detection systems, to detect and block malicious traffic. Endpoint protection solutions that utilize advanced threat detection and prevention mechanisms are also critical in identifying and mitigating ransomware threats.

Regular backups of critical data are essential to recovering from ransomware attacks without paying the ransom. Organizations should ensure that backups are stored securely, offline, and tested regularly to verify their integrity and effectiveness in restoring data.

Reducing the risk of ransomware attacks requires addressing the three primary attack vectors: phishing emails, weak remote access services, and software flaws. Businesses may fortify their defenses and lessen the effects of ransomware events by implementing strong security measures, employee education, timely patching, and backup procedures.

Why Endpoint Resilience Is Important

 

LastPass, a password management company, made headlines last month when it revealed that one of their DevOps engineers had his personal home computer hacked and infected with keylogging malware, resulting in the exfiltration of corporate data from the vendor's cloud storage resources. The story sheds new light on the significance of endpoint resilience. 

Typically, media coverage of mega breaches (e.g., AT&T, Independent Living Systems, Zoll Medical Data, Latitude Financial Services) focuses on the exfiltration points rather than how the threat actor got there. However, post-mortem analysis has repeatedly revealed that compromised credentials are the most common source of a hack, which is then used to establish a beachhead on an end-user endpoint (e.g., a computer). As a result, comprehensive cybersecurity strategies should include endpoint resiliency as an essential component of the overall approach.

The Lifecycle of a Cyberattack Today

The majority of today's cyberattacks begin with credential harvesting campaigns that employ social engineering techniques, password sniffers, phishing campaigns, digital scanners, malware attacks, or a combination of these. Cybercriminals also profit from the sale of millions of stolen credentials on the Dark Web.

Attackers use brute force, credential stuffing, or password spraying campaigns to gain access to their target environment once they have stolen, weak, or compromised credentials. Cyber adversaries are increasingly taking advantage of the fact that organizations and their workforce rely on mobile devices, home computers, and laptops to connect to company networks in order to conduct business.

As a result, these endpoint devices become the natural entry point for many attacks. According to a Ponemon Institute survey, 68 percent of organizations experienced a successful endpoint attack in the previous 12 months.

Many organizations deploy security tools such as data loss prevention, disc and endpoint encryption, endpoint detection and response, and anti-virus or anti-malware as a first step to protect endpoints and reduce risk exposure. However, IT and security professionals have little insight into the effectiveness of these tools. For example, unmonitored security applications on endpoints can quickly degrade and become compromised. Many factors can have an impact on application health, including a lack of updates, software collision, unintentional deletion by end users, and malicious compromise.

Absolute Software conducted a study on the effectiveness of enterprise security controls and discovered that security tools were typically working effectively on less than 80% of devices, and in some cases as low as 35%. Due to ineffectiveness, cyber adversaries frequently move laterally to perform additional reconnaissance and identify IT schedules, network traffic flows, and scan the entire IT environment to gain an accurate picture of its resources, privileged accounts, and services. Domain controllers, Active Directory, and servers are prime targets for reconnaissance in search of additional privileged credentials and access.

Once an attacker has determined the location of valuable data, they typically seek ways to elevate access privileges in order to exfiltrate the data and conceal their activity.

Rising Endpoint Resilience

When establishing visibility and security controls across endpoints, security professionals must recognize that each endpoint is responsible for some or all of its own security. In contrast to the traditional network security approach, established security measures apply to the entire network rather than individual devices and servers. Making each endpoint resilient is therefore critical to implementing a successful defense strategy.

Forrester Research recommends taking a proactive approach to endpoint security and establishing endpoint resilience to combat human error, malicious actions, and decayed, insecure software. Organizations should consider resilience as part of their planning process when modernizing endpoint management strategies because there is no guarantee that security controls installed on employee devices will not tarnish or become compromised over time.

Consolidating Tech Stacks and Enhancing Cyber Resilience Require Self-healing Endpoints

 

Self-healing endpoint platform suppliers are being pushed to develop fresh approaches to assist CISOs in combining tech stacks while enhancing cyber-resilience. Self-healing platforms have the ability to lower expenses, improve visibility, and collect real-time data that measures how resilient their systems are to cyberattacks. The risk profile that their boards of directors desire is one that lowers costs while boosting cyber-resilience. 

A self-healing endpoint is one that uses adaptive intelligence and self-diagnostics to recognise a suspected or actual breach attempt and take prompt action to thwart it. Self-healing endpoints can automatically turn off, verify that all OS and application versions are accurate, and then reset to an optimum, secure configuration. 

Enterprise end-user expenditure on endpoint protection solutions is expected to skyrocket from $9.4 billion in 2020 to $25.8 billion in 2026, growing at a compound annual growth rate of 15.4%, according to Gartner. By the end of 2025, according to Gartner's forecast, more than 60% of businesses will have switched from traditional antivirus software to endpoint protection platform (EPP) and endpoint detection and response (EDR) solutions that integrate prevention with detection and response. But for the market to grow to its full potential, self-healing endpoint suppliers must quicken innovation.

In a recent analysis titled "The Future of Endpoint Management," Forrester, a major market research company worldwide, identified the key themes that will propel evolution in the endpoint management market. For organisations that adopt these trends, they lead to an enhanced employee experience, more operational effectiveness, and a smaller attack surface.

According to Forrester, "modern endpoint management" is guided by six principles: automation, context awareness, self-service, cloud-centricity, and analytics. By utilising them, the end user experience is brought front and centre and the flexibility of the hybrid workforce is enabled. Although progress has been made and steps have been taken in the direction of implementing these principles, Forrester admits that endpoint management as a practise still has issues, including high costs, a lack of integration with security, and poor employee privacy. The research gives professionals advice on how to overcome these challenges by paying attention to cutting-edge market trends like self-healing. 

A business endpoint can only be dependable if it runs smoothly and according to plan. By downloading unsupported third-party programmes or falling for phishing scams, employees have the potential to maliciously or accidentally compromise their endpoints. Many nefarious threat actors use human mistake as an excuse to disable security software on enterprise equipment. A self-healing solution ensures that critical applications are monitored for tampering, degradation, and failure so that automation can be used to repair or even reinstall the problematic or missing app. This mitigates against such compromises. 

Self-healing can exist on three levels: the application, the operating system, and within the firmware. Forrester states that Absolute is among the “firmware-based technologies that ship embedded within the device and ensures that everything operating on the device functions correctly, e.g., endpoint agents, VPNs, and software. Even if administrators replace or reimage the hard drive, this persists.

By Forester's collaboration with nearly 30 system manufacturers, we are able to leverage the patented Absolute Persistence technology that is present in over 500 million devices for our Secure Endpoint solutions. Once turned on, the device is ferociously tough and can withstand attempts to deactivate it, even if the firmware is flashed, the hard drive is changed, or the device is re-imaged. 

Forrester recently examined anonymized data from various subsets of more than 14 million Absolute-enabled devices that were in use by around 18,000 global customers over a two-week timeframe. Additionally, it used data and details from reliable outside sources. Although we noticed a slight increase in the adoption of Windows 11 in the enterprise, we found more Chrome OS devices in education. Many of the devices were running Windows 10. 

The researchers found that the average Windows 10 device is 59 days behind on patches, with the biggest delays reported by the government and professional services (83 and 75 days). The delay worsens when education is included, with gadgets being, on average, 115 days behind. These devices were vulnerable to more than 200 vulnerabilities that have a cure available, including 21 that are judged critical and one that is currently being exploited, according to the total number of vulnerabilities fixed on Patch Tuesday in July and August. 

Every endpoint is a possible target for hackers, but those that have sensitive data on them, including PII and PHI, are more dangerous. Additionally, as a result of users being widely dispersed and highly mobile, they are now able to access systems and data from off-network locations, increasing the possibility that data will be stored locally and, consequently, the attack surface. According to our analysis, sensitive data was stored on 76% of enterprise devices on average, with financial services having the greatest percentage (84%).

From BMW to Ferrari, Automotive Industry Flooded with Vulnerabilties


Automakers struggling with vulnerabilities

A range of automakers from Toyota to Acura is affected by vulnerabilities within their vehicles that can let hackers steal personally identifiable information (PII), lock owners out of their vehicles, and even control functions like starting and stopping the vehicle's engine. 

A team of seven security experts said vulnerabilities in the automakers' internal applications and systems gave them a proof-of-concept hack to send commands using only the vehicle identification number (VIN), which can be seen through the windshield outside the vehicle. 

Experts found security loopholes in the automaker industry

The team has found serious security loopholes from automakers like BMW, Ford, Volvo, Ferrari, and various others throughout Europe, the US, and Asia. It has also found problems with suppliers and telematic companies like Spireon, which makes Gps-based vehicle tracking solutions. 

BMW said that IT and data security are the top priorities for the company, and it continuously monitors its system landscapes for potential security threats or vulnerabilities. 

"The relevant addressed vulnerability issues were closed within 24 hours and we have no indication of any data leaks. No vehicle-related IT systems were affected or compromised. No BMW Group customers or employee accounts were compromised," a spokesperson at BMW said. 

This is the most recent security threat that surfaced, in March last year, telemetry from industrial systems security firm Dragons found Emotet command-and-control servers in contact with various automotive manufacturer systems. 

In December, experts found vulnerabilities in three mobile apps that let drivers remotely unlock or start their vehicles. These bugs allowed unauthorized malicious actors to perform the same commands from afar. 

Automakers slow to identify threats

Security vulnerabilities have been a challenge in the automotive industry for a long time, and automakers are not very proactive in identifying the potential severity of the threat developments. 

Experts believe that while automakers are slowly changing into software developers, they find it difficult to address all points of the development cycle- which includes security. 

One very simple notion is if you're not good at software, you're probably not going to be very good at making that software safe. That is guaranteed." "Automakers look at this in a more reactive way than a proactive way, basically saying we'll address the small number of customers affected and solve the issue and then everything goes back to normal," he says. "That's the way of thinking for many carmakers," said Gartner automotive industry analyst Pedro Pacheco.

When automakers make more sophisticated ecosystems that connect customers with app stores and connect them with their smartphones and other connected devices, the stakes also get high. 

"This is the reason why cybersecurity is going to become more and more of a pressing issue," said Pedro. "The more the vehicle takes over driving, then of course the more chances there are that this can be used against the customer and against the automaker. It hasn't happened yet, but it could very well happen in the future."






Cuban Ransomware Gang Hacked Devices via Microsoft Drivers

Multiple accounts which signed malicious drivers for the Cuba ransomware organization to deactivate endpoint security solutions have been suspended by Microsoft from its hardware developer program.

Cuba attempted to disable vulnerability scanning programs and alter settings using these cryptographically signed 'drivers' after infiltrating a target's systems. The intention of the activity was to go unnoticed, however, monitoring software from the security company Sophos alerted to it.

Additionally, In October, Microsoft received information from the Google-owned Mandiant, SentinelOne, and Sophos that many cybercrime groups were utilizing malicious third-party kernel-mode hardware drivers which were signed by Microsoft to transmit ransomware. 

According to Microsoft's counsel, "In these attacks, the attacker had already gained administrative rights on compromised systems prior to using the drivers, the company's investigation has revealed that several developer's accounts for the Microsoft Partner Center had been engaged in submitting malicious drivers to acquire a Microsoft signature."

The Cuba ransomware group employed the driver as part of its post-exploitation operations together with a malicious loader application, which was most likely used to end the processes of security products before the ransomware was activated. Mandiant named this malicious utility BURNTCIGAR back in February after it had previously been seen. It was installed using a faulty driver that was connected to the Avast antivirus software at the time.

Sophos' Christopher Budd, director of threat research, stated, "We've discovered a total of 10 malicious drivers, all of which are variations of the original discovery. Starting at least in July of last year, these drivers exhibit a concentrated effort to advance through the trust chain. It is tough to write a malicious driver from scratch and get it approved by a reputable body. Nevertheless, it's highly efficient because the driver can virtually complete any task without hesitation."

Since Windows 10, Microsoft has demanded that kernel-mode drivers be signed by the Windows Hardware Developer Program. Researchers at Sophos Andreas Klopsch and Andrew Brandt claim that the signature denotes trust. In 2022, the use of reputable third-party device drivers has increased for the purpose of killing security tools.

According to a U.S. government alert, the Cuba ransomware group has profited an additional $60 million through operations against 100 companies worldwide. The report warned that the ransomware organization, active since 2019, continues to target American entities with critical infrastructure.


Several Security Breaches Exploited by Zerobot Botnet

 

FortiGuard Labs discovered a special botnet named Zerobot that was seen in the field spreading by exploiting nearly twenty security flaws in IoT devices or other programs.

Prior to downloading a script for further propagation, Zerobot targets multiple vulnerabilities to obtain access to a device. Zerobot targets several different architectures, such as i386, amd64, arm, mips, mips64, mipsle, ppc64, ppc64le, riscv64, and s390x. Zero is the filename used to save the bot.

On November 18, 2022, the malware made its first public appearance, mostly affecting Windows and Linux-powered computers.

Prior to November 24, the first one was simply equipped with the most fundamental features. The newest version now has a 'selfRepo' module that allows it to replicate itself or infect more endpoints using various protocols or security holes.

The bot connects the remote command-and-control (C2) server after infecting the machine and waits for further instructions. There are 21 exploits in Zerobot.This includes flaws affecting,  Spring Framework, D-Link DNS-320 NAS, Hikvision cameras, FLIR AX8 thermal imaging cameras, Zyxel firewalls, TOTOLINK routers, and F5 BIG-IP.

"The botnet includes a variety of modules, including assaults for various protocols, self-replication, and self-propagation. This also uses the WebSocket protocol to connect with its command-and-control server." Researcher Cara Lin from Fortinet FortiGuard Labs remarked.

The Go programming language was used to create the new botnet  Zerobot. The WebSocket protocol is used for communication. Users should be alert to this new danger, update any compromised systems connected to their network, and aggressively deploy updates as soon as they become available.




HP's Defense From Emerging Cybercrime


Cybersecurity is constantly evolving, so cybercrime's scope and consequences have grown significantly over time. Cybersecurity is a concern in the workplace and at the highest levels of government given the rise of ransomware.

With defined supply chains and markets, the cybercrime business has undergone a major shift or one that is more professional and industrialized. According to HP's senior malware expert Alex Holland, cybercrime has grown to be a significant industry. On contrary, as per HP's study, the dark web is encouraging cybercriminals to cooperate, exchange goods, support one another's operations, and even profit from them.

Maintaining its staff throughout the epidemic and after it, with the advent of hybrid work, has been one of the urgent concerns in this transforming landscape, as far as firms are concerned. "That's generated a lot of issues for organizations because they need to set up their devices remotely, manage their devices remotely, and we realize that endpoint visibility - in terms of security and identifying threats - has been a concern for the enterprise. Enterprises must also be able to defend against and recover from such attacks, should the worst happen," Holland adds.

Additionally, there is a significant risk for organizations because of the blurring of the barriers between an employee's personal and professional lives. 71% of employees, as per research HP published in May, claim they use computers at home more frequently and to access more company data. Office workers are also increasingly utilizing their work devices for personal tasks, in fact, 70% of them admit to doing so, such as checking their emails.

"We notice that utilizing work devices—especially for risky tasks like opening webmail. Email is effectively a direct line into the organization, as we continually observe from the data we examine in my team. Once an endpoint has been taken over, an attacker is free to move about or do a lot of harm," Holland claims.

By incorporating security into hardware, which is reinforced by the Endpoint Security Controller hardware chip, Holland claims HP wants to combat these threats. This secure-by-design strategy depends on a solid framework and system integrity verification. The maker offers a wide range of security systems, including firmware security, memory virus detection, and isolating dangerous tasks. 

HP offers services to provide a firm's desired security configuration right off the manufacturing line, which is the opposite side of the issue when it comes to configuring devices before they are dispatched to employees.










Hacker Group Cranefly Develops ISS Method

The novel method of reading commands from seemingly innocent Internet Information Services (IIS) logs has been used to install backdoors and other tools by a recently leaked dropper. Cybersecurity experts at Symantec claimed an attacker is utilizing the malware known as Cranefly also known as UNC3524 to install Trojan. Danfuan, another undocumented malware, as well as other tools.

Mandiant reported that Cranefly mainly targeted the emails of individuals who specialized in corporate development, merger and acquisitions, and significant corporate transactions when it was originally founded in May. Mandiant claims that these attackers remained undetected on target networks for at least 18 months by using backdoors on equipment without support for security measures.

One of the main malware strains used by the gang is QUIETEXIT, a backdoor installed on network equipment like cloud services and wireless access point controllers that do not enable antivirus or endpoint monitoring. This allows the attacker to remain undetected for a long time.

Geppei and Danfuan augment Cranefly's arsenal of specialized cyber weapons, with Geppei serving as a dropper by collecting orders from IIS logs that look like normal web access requests delivered to a compromised host.

The most recent Symantec advisory now claims that UNC3524 used Hacktool-based backdoors in some instances. Multiple advanced persistent threat (APT) clusters use the open-source technology Regeorg.
Additionally, Symantec has cautioned that Cranefly is a 'pretty experienced' hacking group as evidenced by the adoption of a new method in conjunction with the bespoke tools and the measures made to conceal their activity.

On its alert and Protection Bulletins website, Symantec lists the indicators of compromise (IoC) for this attack. Polonium is another threat actor that usually focuses on gathering intelligence, and ESET recently saw Polonium utilizing seven different backdoor variants to snoop on Israeli firms.

Cranefly employs this sneaky method to keep a foothold on compromised servers and gather information covertly. As attackers can send commands through various channels, including proxy servers, VPNs, Tor, or online development environments, this method also aids in avoiding detection by investigators and law enforcement.

It is unclear how many systems have been compromised or how often the threat actors may have utilized this technique in ongoing operations.



Microsoft Alert a Major Click Fraud Scheme Targeting Gamers

Microsoft is keeping tabs on a widespread click fraud scheme that targets gamers and uses covertly installed browser extensions on hacked devices.

The act of exaggerating the number of clicks on pay-per-click advertisements that constitutes a fraudulent click. According to experts, botnets are responsible for approximately a third of the traffic created by advertising on ad networks. To safeguard their image and keep their clients happy, advertising platforms frequently use click fraud prevention techniques, such as the Google search engine. 

In a series of tweets over the weekend, Microsoft Security Intelligence stated that "attackers monetize clicks generated by a web node WebKit or malicious browser extension stealthily installed on devices."

The internet company clarified in a tweet that the initiative targets unaware people who click rogue advertising or comments on YouTube. 

By doing this, a fake game cheats ISO file will be downloaded, and when opened, it will install the threat actors' necessary browser node-webkit (NW.js) or browser extension. Microsoft also mentioned that they saw the actors using Apple Disk Image files, or DMG files, indicating that the campaign is a cross-platform endeavor. 

It's important to note that the ISO file contains hacks and cheats for the first-person shooter game Krunker. Cheats are software tools that provide users of a game with a distinct advantage over other players.

DMG files, which are Apple Disk Image files usually used to distribute software on macOS, are also employed in the attacks in place of ISO images, demonstrating that the threat actors are aiming their attacks at several operating systems.

The discovery is no longer shocking because threat actors frequently use gamers as fine targets in their efforts, especially those who are scrambling to locate free cheats online.

The prevalence of virus spreading through well-known game franchises was demonstrated earlier in September by a report from endpoint security provider and customer IT security software company Kaspersky. The most popular file was distributed via Minecraft, which had 131,005 users infected between July 2021 and June 2022. 



Cryptominer Malware Posing as Desktop Version of Google Translate

 

While advertising desktop versions of well-known apps, a crypto mining effort from Turkey has been found infecting thousands of PCs. This campaign's offender is known as "Nitrokod." 

Nitrokod is a Turkish-speaking software company that has been operating since 2019 and promotes its free and secure software. The majority of the programs Nitrokod provides are well-known apps without a formal desktop version. For instance, the desktop version of Google Translate is the most used Nitrokod application. Since Google hasn't made a desktop version available, the hackers' version is quite tempting.

Over 111,000 individuals have been infected by Nitrokod in 11 countries so far.

Malware operation 

Free software that is hosted on websites like Uptodown and Softpedia is used by the campaign to spread malware. Every dropper in the executable's four-stage attack chain pulls the one after it. In the seventh stage, this ultimately results in the download of actual malware (XMRig) falling.

The victims of the campaign are spread throughout a number of nations, including the United Kingdom, Sri Lanka, the United States, Greece, Australia, Israel, Turkey, Cyprus, Mongolia, Poland, and Germany.

The creators of Nitrokod segregate destructive activities from the Nitrokod program that was initially downloaded in order to escape detection:
  • Nearly a month after the Nitrokod software was set up, the malware is first executed.
  • After six earlier phases of infected programs, the malware is deployed.
  • A scheduled job technique was used to maintain the virus chain after a lengthy wait, giving the hackers time to destroy any evidence.
Using Check Point's Infinity XDR (Extended Detection and Response) platform, a prevention-focused XDR solution, CPR discovered this new crypto miner malware campaign. With the use of this technology, SOC teams can swiftly identify, look into, and react to assaults across their whole IT infrastructure. By utilizing data collected from all products, including Endpoint, Networks, Web security, and others, it detects risks inside the company and stops its growth.

Nearly a month after the first infection, the malware is removed. The third stage dropper runs five days after the last run, and the fourth stage dropper adds four more scheduled activities with intervals ranging from one to fifteen days. The phases are removed following the creation of these assignments.

Detection &prevention  

The investigators will have an extremely difficult time identifying the attack and linking it to the bogus installation as a result of this. In order to obtain a configuration file to launch the XMRig mining operation, the virus also creates a connection to a distant C2 server.

Due to extended infection chains and staged infection, hackers were able to avoid detection for months. This gave them plenty of time to change the final payload into crypto miners or ransomware. In order to keep the malware versions in demand and unique, the virus is removed from popular apps like Google Translate that doesn't actually have a desktop version.

Upcoming Crimeware is Driven by Cobalt Strike

Threat actors are transitioning away from the Cobalt Strike suite of penetration testing tools in favor of less well-known frameworks that are similar.

Sliver, an open-source, cross-platform kit, is emerging as a viable replacement for Brute Ratel. Utilizing research queries derived by examining the toolkit, how sliver functions, its components, and malicious activity using it can be found.

Cobalt Strike, a toolkit enabling attackers to deploy "beacons" on compromised machines to conduct remote network surveillance or issue instructions, has long been one of the most well-liked tools in red team engagements.

Hackers are attempting various methods that can avoid Endpoint Detection and Response (EDR) and antivirus solutions because defenders have learned to detect and block assaults depending on this toolkit.

Hackers have developed alternatives as Cobalt Strike's defenses have gotten stronger. They switched to Brute Ratel, an adversarial attack simulation program meant to avoid security products, as seen by Palo Alto Networks.

According to a Microsoft analysis, hackers of all stripes—from state-sponsored organizations to cybercrime gangs—are increasingly employing the Go-based Sliver security testing tool created by experts at BishopFox cybersecurity firm in their attacks.

Microsoft tracks one group that adopted Sliver as DEV-0237. The gang, also known as FIN12, has been connected to several ransomware developers. The gang in the past, has used malware, such as TrickBot, to spread ransomware payloads from other ransomware operators.

State-sponsored actors in Russia, especially APT29 also known as Cozy Bear, The Dukes, and Grizzly Steppe, have reportedly also used Sliver to keep access to compromised environments, according to a report from the UK's Government Communications Headquarters (GCHQ).

Microsoft says that Sliver has been used in more recent attacks in place of BazarLoader using the Bumblebee (Coldtrain) malware loader, which is connected to the Conti syndicate.

Defenders can utilize Microsoft's set of tactics, techniques, and procedures (TTPs) to recognize Sliver and other new C2 frameworks. Hackers can set up listeners to detect anomalies on the network for Sliver infrastructure because the Sliver C2 network supports several protocols DNS, HTTP/TLS, MTLS, and TCP, accepts implants/operator connections, and can host files to imitate legitimate web servers.

Microsoft also provided details on how to recognize Sliver payloads produced from the C2 framework's official, unmodified source.

Microsoft advises removing configurations when they are put into memory for Sliver malware payloads that don't have a lot of contexts because the framework needs to de-obfuscate and decrypt them in order to use them.