
From Data Insights to Cyber Threats: The Tale of Qlik Sense and Cactus Ransomware
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
| ID | Mitigation | Description |
| --- | --- | --- |
| | | Use application control to mitigate installation and use of unapproved software that can be used for remote access. |
| | | Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access software. |
| | | Network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to remote access services. |

| ID | Mitigation | Description |
| --- | --- | --- |
| | | Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting. |
| | | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. [60] |
| | | If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting. |

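The two tables above recommend limiting outgoing traffic to approved destinations, blocking known anonymity networks and C2 infrastructure, and, where HTTPS can be inspected, reviewing captures for domain fronting. The Python below is an added example written for this page, not code from the page or from any vendor. It runs an egress allow-list and block-list against the TLS SNI of constructed HTTPS flow records and, for sessions the proxy could decrypt, compares the SNI with the HTTP Host header: a mismatch is the signature of domain fronting, and it is why a block-list applied to the SNI alone can be bypassed. Every hostname, IP address and policy entry is a placeholder.

```python
"""Egress allow/block-list enforcement plus a domain-fronting check.

Added example, not code from the page it accompanies. Every hostname, address
and policy entry below is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One HTTPS connection as an egress proxy with TLS inspection might log it.

    'sni' is the server name from the TLS ClientHello, visible to any network
    device. 'host' is the HTTP Host header, visible only if the proxy decrypted
    the session; None means the session was not inspected.
    """
    src: str
    dst_ip: str
    sni: str
    host: Optional[str]


# Hypothetical policy lists (placeholders, not real infrastructure).
APPROVED_EGRESS = {"updates.example.com", "cdn.example.com"}
BLOCKED_EGRESS = {"tor-exit.example.net", "c2-backend.example.org"}

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.5.21", "203.0.113.10", "updates.example.com", "updates.example.com"),
    # Approved CDN name on the wire, block-listed origin in the Host header.
    Flow("10.0.5.21", "203.0.113.20", "cdn.example.com", "c2-backend.example.org"),
    # Block-listed anonymity-network node; session not inspected.
    Flow("10.0.5.33", "198.51.100.7", "tor-exit.example.net", None),
    # Remote-support service nobody approved.
    Flow("10.0.5.40", "198.51.100.9", "remote-support.example.io", "remote-support.example.io"),
    # Approved CDN, not inspected: fronting cannot be ruled out.
    Flow("10.0.5.41", "203.0.113.30", "cdn.example.com", None),
    # Approved CDN fronting an unknown origin: not block-listed, but worth a look.
    Flow("10.0.5.50", "203.0.113.30", "cdn.example.com", "origin-hidden.example.net"),
]


def _canon(name: str) -> str:
    """Normalise a hostname so SNI and Host header compare fairly."""
    name = name.strip().lower().rstrip(".")
    # A Host header may carry a port (host:443); an SNI never does.
    if ":" in name and not name.startswith("["):
        name = name.split(":", 1)[0]
    return name


def classify_flow(flow: Flow) -> Tuple[str, List[str]]:
    """Return (action, reasons) with action one of 'allow', 'alert', 'block'."""
    reasons: List[str] = []
    action = "allow"
    sni = _canon(flow.sni)

    # Allow/block lists act on the name the network can see: the SNI.
    if sni in BLOCKED_EGRESS:
        action = "block"
        reasons.append(f"SNI {sni} is on the egress block-list")
    elif sni not in APPROVED_EGRESS:
        action = "block"
        reasons.append(f"SNI {sni} is not on the egress allow-list (default deny)")

    # The fronting check needs the decrypted Host header.
    if flow.host is None:
        reasons.append("session not inspected: Host header unavailable, fronting check skipped")
        return action, reasons

    host = _canon(flow.host)
    if host != sni:
        reasons.append(f"SNI/Host mismatch, possible domain fronting: SNI {sni}, Host {host}")
        if host in BLOCKED_EGRESS:
            # The allowed front was carrying traffic for a block-listed origin.
            action = "block"
            reasons.append(f"Host {host} is on the egress block-list")
        elif action == "allow":
            action = "alert"
    return action, reasons


def triage(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Classify every flow; returns (src, action, first reason or '') per flow."""
    out = []
    for f in flows:
        action, reasons = classify_flow(f)
        out.append((f.src, action, reasons[0] if reasons else ""))
    return out


if __name__ == "__main__":
    for src, action, why in triage(SAMPLE_FLOWS):
        print(f"{src:<12} {action:<6} {why}")
```

The second and last sample flows are the point of the exercise: both present an approved CDN name in the SNI, so an SNI-only block-list lets them through, and only the decrypted Host header reveals that one of them is reaching a block-listed origin. Where the proxy cannot terminate TLS (the `None` cases) the check is simply not possible, which is the caveat the first row of the table is making.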
| ID | Mitigation | Description |
| --- | --- | --- |
| | | Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems. |
| | | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services. |
| | | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services. |
| | | Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services. |