
Malvertising Attacks: A New Threat for Windows Administrators - PuTTY and WinSCP
Remediation, mitigation, notes, history and related intelligence
REMEDIATIONS

Resource Development
  T1583.008: Acquire Infrastructure: Malvertising
    - Implement comprehensive ad-blocking solutions across the organization's network.
    - Educate users on the dangers of clicking on ads and encourage the use of official software download sources.

Initial Access
  T1189: Drive-by Compromise
    - Employ secure web gateways and advanced threat protection solutions to monitor and block malicious websites.
    - Encourage users to verify URLs before downloading software and use trusted sources.

Execution
  T1106: Native API
    - Implement endpoint protection solutions that can detect and block suspicious API calls.
    - Regularly update endpoint security solutions to recognize new threats.
  T1204.002: User Execution: Malicious File
    - Use application whitelisting to prevent unauthorized software execution.
    - Train users to recognize phishing and other social engineering tactics.
  T1059.006: Command and Scripting Interpreter: Python
    - Restrict the execution of scripting languages like Python on endpoints where they are not necessary.
    - Use script-blocking tools and monitor script execution logs for anomalies.

Persistence
  T1543.003: Create or Modify System Process: Windows Service
    - Monitor and restrict the creation of new services.
    - Use endpoint detection and response (EDR) tools to alert on suspicious service creation activities.
  T1053.005: Scheduled Task/Job: Scheduled Task
    - Regularly audit scheduled tasks and jobs.
    - Implement alerts for the creation of new scheduled tasks, especially those not conforming to typical patterns.
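As an added example that is not part of the original guidance, the following PowerShell sweep covers both persistence points above: it reads recent service installs and scheduled-task creations from the Windows event logs and flags entries whose launch command points into a user-writable path or goes through a script host such as Python. The lookback window, the path list and the script-host list are assumptions to be tuned for your estate.

```powershell
# Added example (not from the original guidance): sweep the last N days of
# service installs (System log, event 7045) and scheduled-task creations
# (Security log, event 4698) and flag entries that launch from user-writable
# paths or through a script host. Run elevated; 4698 is only logged when the
# "Audit Other Object Access Events" subcategory is enabled. The path and
# script-host patterns below are illustrative assumptions, not a complete list.
$LookbackDays   = 7
$SuspiciousPath = '\\(AppData|Temp|ProgramData|Downloads|Public)\\'
$ScriptHost     = '\b(python|pythonw|powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b'

function Get-EventData {
    # Flatten the <EventData> section of an event record into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Test-Suspicious {
    param([string]$Command)
    return ($Command -match $SuspiciousPath) -or ($Command -match $ScriptHost)
}

$since    = (Get-Date).AddDays(-$LookbackDays)
$findings = @()

# 7045: ImagePath is the binary the Service Control Manager will start.
$svcEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in $svcEvents) {
    $d = Get-EventData -Event $e
    if (Test-Suspicious -Command $d.ImagePath) {
        $findings += [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'Service'
            Name = $d.ServiceName; Command = $d.ImagePath; Account = $d.AccountName }
    }
}

# 4698: the action is inside the task definition XML carried in TaskContent.
$taskEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698; StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in $taskEvents) {
    $d = Get-EventData -Event $e
    $task = [xml]$d.TaskContent
    foreach ($exec in @($task.Task.Actions.Exec)) {
        $cmd = "$($exec.Command) $($exec.Arguments)".Trim()
        if (Test-Suspicious -Command $cmd) {
            $findings += [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'ScheduledTask'
                Name = $d.TaskName; Command = $cmd; Account = $d.SubjectUserName }
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

Each finding still needs triage against the host's known software, since legitimate installers also register services and tasks from ProgramData.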
Defense Evasion
  T1140: Deobfuscate/Decode Files or Information
    - Use advanced malware detection tools capable of identifying and analyzing obfuscated code.
    - Conduct regular code reviews and employ static and dynamic analysis tools.
  T1222.001: File and Directory Permissions Modification: Windows File and Directory Permissions Modification
    - Enforce strict file and directory permissions.
    - Use tools to monitor and alert on changes to critical file permissions.
  T1574.001: Hijack Execution Flow: DLL Search Order Hijacking
    - Implement system hardening measures to secure the DLL search order.
    - Use tools to monitor and alert on suspicious DLL loads.
  T1574.002: Hijack Execution Flow: DLL Side-Loading
    - Employ endpoint security solutions capable of detecting DLL side-loading attempts.
    - Regularly audit and verify DLL files on critical systems.
  T1027.002: Obfuscated Files or Information: Software Packing
    - Use advanced threat detection tools to unpack and analyze packed files.
    - Train security teams to recognize signs of software packing.
  T1027.013: Obfuscated Files or Information: Encrypted/Encoded File
    - Implement data loss prevention (DLP) solutions to monitor and control data encryption activities.
    - Use tools that can detect and analyze encoded or encrypted files.
  T1055.001: Process Injection: Dynamic-link Library Injection
    - Use EDR tools to detect and block process injection attempts.
    - Regularly review and update security policies to address injection techniques.

Lateral Movement
  T1570: Lateral Tool Transfer
    - Monitor and restrict the use of protocols such as SMB for moving tools between hosts.
    - Use network segmentation to limit lateral movement opportunities.

Exfiltration
  T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage
    - Implement DLP solutions to monitor and block unauthorized data exfiltration attempts.
    - Use web application firewalls (WAFs) to detect and prevent data transfers to unauthorized cloud storage services.

Impact
  T1486: Data Encrypted for Impact
    - Regularly back up critical data and ensure backups are stored securely and offline.
    - Use ransomware protection solutions to detect and block encryption activities.
    - Train users to recognize and respond to ransomware threats.

By following these remediation steps, organizations can effectively mitigate the threats posed by the described campaign.