
Casbaneiro Phishing Campaign
BlueVoyant researchers have uncovered a broad, multi-pronged phishing campaign targeting Spanish-speaking users in organizations across Latin America and Europe. The campaign, attributed to the Brazil-based eCrime group Augmented Marauder (a.k.a. Water Saci), employs a bespoke delivery and propagation mechanism that includes WhatsApp, ClickFix techniques, and email-centric phishing. The campaign deploys Horabot to deliver the Casbaneiro (a.k.a. Metamorfo) banking trojan through a comprehensive phishing operation.
Indicators of Compromise
Domains (3)
grupobedfs.com
factu.it.com
facturastbs.shop
Hashes (8)
Groups
Water Saci
BR
Notes
<span id="docs-internal-guid-3dd024f2-7fff-fd18-40a6-9a47a7c9959b">
<h3>NOTES</h3>
<div><strong>CONCLUSION</strong></div>
<p>The Casbaneiro campaigns make one thing clear: Augmented Marauder is not a group that stands still. Their ability to run parallel attack chains — dynamically generated PDF lures, ClickFix social engineering, and WhatsApp-based propagation all operating at the same time — means that blocking a single delivery method buys very little time. The financial sector organizations in Latin America and Europe that are in this group's crosshairs need intelligence that moves at the same pace.</p>
<p>Tracking the indicators tied to this campaign is the first step. SOCRadar's <strong>IOC Radar</strong> allows security teams to query domains, IPs, and file hashes associated with Casbaneiro and Horabot infrastructure, returning enriched context including risk scores and dark web findings — removing the need for manual correlation across multiple sources.</p>
<p>Since Horabot propagates by abusing compromised Outlook accounts, credential exposure sits at the center of this threat. SOCRadar's <strong>Advanced Dark Web Monitoring</strong> surfaces stolen credentials appearing in dark web forums and marketplaces before they get weaponized in follow-on phishing waves.</p>
<p>For the broader picture, SOCRadar's <strong>Cyber Threat Intelligence</strong> platform keeps continuously updated profiles on threat actors like Augmented Marauder — covering their evolving TTPs, targeted industries, and regional focus. Given that this group rotates its delivery mechanisms roughly every quarter, that kind of persistent tracking is what turns reactive incident response into proactive defense.</p>
<p>Augmented Marauder's staying power comes from constant reinvention. Keeping pace with that requires more than periodic threat reviews — it requires continuous, contextual intelligence.</p>
</span>
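The first step named above is matching the campaign's indicators against your own telemetry. The following is an added example (not SOCRadar's or BlueVoyant's code) that checks DNS and proxy log lines against the three domains listed in the Indicators of Compromise section; it matches on label boundaries so that subdomains of an indicator are caught while look-alike registrations and the bare parent zone are not. The four-field log format and the sample lines are constructed for the example.

```python
"""Match DNS/proxy log lines against this page's campaign domain indicators.

Added example, not SOCRadar's or BlueVoyant's code. The three domains are the
ones listed on this page; the log lines are constructed samples in a
hypothetical "<timestamp> <client> <action> <hostname-or-url>" format.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Domain indicators listed on this page (Indicators of Compromise, Domains).
CAMPAIGN_DOMAINS = frozenset({
    "grupobedfs.com",
    "factu.it.com",
    "facturastbs.shop",
})


def normalize_host(value: str) -> str:
    """Reduce a hostname or URL to a lowercase host name.

    Accepts bare hostnames ("Factu.IT.com.") and full URLs
    ("https://cdn.facturastbs.shop:443/doc.pdf"); drops the trailing dot of
    an absolute DNS name and any port suffix.
    """
    value = value.strip().lower()
    if "://" in value:
        value = urlsplit(value).hostname or ""   # hostname is lowercased, port removed
    # A bare "host:port" record still needs its port stripped.
    host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    return host.rstrip(".")


def matched_indicator(host: str, indicators: frozenset[str] = CAMPAIGN_DOMAINS) -> str | None:
    """Return the indicator that covers `host`, or None.

    A host matches when it equals an indicator or is a subdomain of one.
    Matching on label boundaries is what keeps a look-alike such as
    "notgrupobedfs.com" from producing a false hit, while
    "mail.grupobedfs.com" is still caught.
    """
    labels = normalize_host(host).split(".")
    # Walk from the full name towards the TLD: a.b.c -> b.c -> c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


@dataclass(frozen=True)
class Hit:
    line_no: int
    client: str
    host: str
    indicator: str


def scan_log(lines: list[str]) -> list[Hit]:
    """Scan constructed log lines of the form:

        <timestamp> <client> <QUERY|CONNECT> <hostname-or-url>

    Lines without exactly four whitespace-separated fields are skipped
    rather than raising, so one malformed record cannot abort the scan.
    """
    hits: list[Hit] = []
    for n, line in enumerate(lines, start=1):
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        _ts, client, _action, value = parts
        indicator = matched_indicator(value)
        if indicator is not None:
            hits.append(Hit(n, client, normalize_host(value), indicator))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-01-14T09:02:11Z 10.0.4.21 QUERY mail.grupobedfs.com.",
    "2025-01-14T09:02:12Z 10.0.4.21 CONNECT https://cdn.facturastbs.shop:443/factura.pdf",
    "2025-01-14T09:02:13Z 10.0.4.22 QUERY notgrupobedfs.com",   # look-alike, must not match
    "2025-01-14T09:02:14Z 10.0.4.23 QUERY Factu.IT.com",
    "2025-01-14T09:02:15Z 10.0.4.23 QUERY it.com",              # parent zone only, must not match
    "malformed line",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client} -> {h.host} (indicator {h.indicator})")
```

Swap `CAMPAIGN_DOMAINS` for the full indicator feed and `SAMPLE_LOG` for a real export to run it over production logs.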
Mitigation
<span id="docs-internal-guid-95fb1145-7fff-76b7-cf1c-6b20fd26be3e">
<h2>MITIGATION</h2>
<h3><a href="https://attack.mitre.org/mitigations/M1047/">M1047 - Audit</a></h3>
<p>Auditing is the process of recording activity and systematically reviewing and analyzing that activity and the system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.</p>
<p>Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a file server. It is considered more critical for regulated industries such as healthcare, finance, and government, where compliance requirements demand stringent tracking of user and system activities. This mitigation can be implemented through the following measures:</p>
<p>System Audit:</p>
<ul>
<li>Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.</li>
<li>Implementation: Use tools to scan for deviations from established benchmarks.</li>
</ul>
<p>Permission Audits:</p>
<ul>
<li>Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.</li>
<li>Implementation: Run access reviews to identify users or groups with excessive permissions.</li>
</ul>
<p>Software Audits:</p>
<ul>
<li>Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.</li>
<li>Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.</li>
</ul>
<p>Configuration Audits:</p>
<ul>
<li>Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).</li>
<li>Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.</li>
</ul>
<p>Network Audits:</p>
<ul>
<li>Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.</li>
<li>Implementation: Use tools such as Wireshark or Zeek to monitor and log suspicious network behavior.</li>
</ul>
<h3><a href="https://attack.mitre.org/mitigations/M1035/">M1035 - Limit Access to Resource Over Network</a></h3>
<p>Restrict access to network resources, such as file shares, remote systems, and services, to only those users, accounts, or systems with a legitimate business requirement. This can include employing technologies like network concentrators, RDP gateways, and zero-trust network access (ZTNA) models, alongside hardening services and protocols. This mitigation can be implemented through the following measures:</p>
<p>Audit and Restrict Access:</p>
<ul>
<li>Regularly audit permissions for file shares, network services, and remote access tools.</li>
<li>Remove unnecessary access and enforce least privilege principles for users and services.</li>
<li>Use Active Directory and IAM tools to restrict access based on roles and attributes.</li>
</ul>
<p>Deploy Secure Remote Access Solutions:</p>
<ul>
<li>Use RDP gateways, VPN concentrators, and ZTNA solutions to aggregate and secure remote access connections.</li>
<li>Configure access controls to restrict connections based on time, device, and user identity.</li>
<li>Enforce MFA for all remote access mechanisms.</li>
</ul>
<p>Disable Unnecessary Services:</p>
<ul>
<li>Identify running services using tools like netstat (Windows/Linux) or Nmap.</li>
<li>Disable unused services, such as Telnet, FTP, and legacy SMB, to reduce the attack surface.</li>
<li>Use firewall rules to block traffic on unused ports and protocols.</li>
</ul>
<p>Network Segmentation and Isolation:</p>
<ul>
<li>Use VLANs, firewalls, or micro-segmentation to isolate critical network resources from general access.</li>
<li>Restrict communication between subnets to prevent lateral movement.</li>
</ul>
<p>Monitor and Log Access:</p>
<ul>
<li>Monitor access attempts to file shares, RDP, and remote network resources using SIEM tools.</li>
<li>Enable auditing and logging for successful and failed attempts to access restricted resources.</li>
</ul>
<p><em>Tools for Implementation</em></p>
<p>File Share Management:</p>
<ul>
<li>Microsoft Active Directory Group Policies</li>
<li>Samba (Linux/Unix file share management)</li>
<li>AccessEnum (Windows access auditing tool)</li>
</ul>
<p>Secure Remote Access:</p>
<ul>
<li>Microsoft Remote Desktop Gateway</li>
font-variant-position: normal; vertical-align: baseline;">Apache Guacamole (open-source RDP/VNC gateway)</span></p></li><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Zero Trust solutions: Tailscale, Cloudflare Zero Trust</span></p></li></ul><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Service and Protocol Hardening:</span></p><ul style="margin-top:0;margin-bottom:0;"><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Nmap or Nessus for network service discovery</span></p></li><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: 
rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Windows Group Policy Editor for disabling SMBv1, Telnet, and legacy protocols</span></p></li><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">iptables or firewalld (Linux) for blocking unnecessary traffic</span></p></li></ul><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Network Segmentation:</span></p><ul style="margin-top:0;margin-bottom:0;"><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; 
vertical-align: baseline; white-space: pre;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">pfSense for open-source network isolation</span></p></li></ul><br><h3 style="line-height:1.38;margin-top:8pt;margin-bottom:2pt;"><a href="https://attack.mitre.org/mitigations/M1053/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(17, 85, 204); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; text-decoration-line: underline; vertical-align: baseline;">M1053 - Data Backup</span></a></h3><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Data Backup involves taking and securely storing backups of data from end-user systems and critical servers. It ensures that data remains available in the event of system compromise, ransomware attacks, or other disruptions. Backup processes should include hardening backup systems, implementing secure storage solutions, and keeping backups isolated from the corporate network to prevent compromise during active incidents. This mitigation can be implemented through the following measures:</span></p>
<p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Regular Backup Scheduling:</span></p><ul style="margin-top:0;margin-bottom:0;"><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use Case: Ensure timely and consistent backups of critical data.</span></p></li><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Implementation: Schedule daily incremental backups and weekly full backups for all critical servers and systems.</span></p></li></ul>
<p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Immutable Backups:</span></p><ul style="margin-top:0;margin-bottom:0;"><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use Case: Protect backups from modification or deletion, even by attackers.</span></p></li><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Implementation: Use write-once-read-many (WORM) storage for backups, preventing ransomware from encrypting or deleting backup files.</span></p></li></ul>
<p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Backup Encryption:</span></p><ul style="margin-top:0;margin-bottom:0;"><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use Case: Protect data integrity and confidentiality during transit and storage.</span></p></li><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Implementation: Encrypt backups using strong encryption protocols (e.g., AES-256) before storing them in local, cloud, or remote locations.</span></p></li></ul>
<p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Offsite Backup Storage:</span></p><ul style="margin-top:0;margin-bottom:0;"><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use Case: Ensure data availability during physical disasters or onsite breaches.</span></p></li><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Implementation: Use cloud-based solutions like AWS S3, Azure Backup, or physical offsite storage to maintain a copy of critical data.</span></p></li></ul>
<p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Backup Testing:</span></p><ul style="margin-top:0;margin-bottom:0;"><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use Case: Validate backup integrity and ensure recoverability.</span></p></li><li style="list-style-type: disc; font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;" role="presentation"><span style="font-size: 12pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Implementation: Regularly test data restoration processes to ensure that backups are not corrupted and can be recovered quickly.</span></p></li></ul></span>
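<p style="line-height: 1.38; margin-top: 12pt; margin-bottom: 12pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The Data Backup measures above (scheduling, immutability, encryption, offsite copies and testing) are steps of one procedure. The script below is an added example written for this page, not code from BlueVoyant, from MITRE or from the campaign analysis: it implements the weekly-full / daily-incremental decision, writes a SHA-256 manifest beside each archive, and runs an automated restore test that refuses an archive whose hash or contents no longer match. The file names, the 7-day full cadence, the read-only bits and the temporary-directory demo are assumptions; AES-256 encryption at rest, as the page recommends, is assumed to be applied by the storage target or a separate tool and is not shown.</span></p>

```python
"""Added example (not from the page): weekly-full / daily-incremental backups with
a SHA-256 manifest and an automated restore test.  Paths, the 7-day full cadence
and the demo are assumptions; AES-256 encryption at rest is assumed to be handled
by the storage target or a separate tool and is not shown here."""
from __future__ import annotations

import hashlib
import json
import os
import tarfile
import tempfile
from datetime import date, timedelta
from pathlib import Path


def backup_kind(today: date, last_full: date | None, full_every_days: int = 7) -> str:
    """Regular Backup Scheduling: run a full backup when none exists or the last
    one is at least `full_every_days` old, otherwise run an incremental one."""
    if last_full is None or today - last_full >= timedelta(days=full_every_days):
        return "full"
    return "incremental"


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large archives never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path) -> dict[str, str]:
    """Map every regular file under `source` (POSIX relative path) to its SHA-256."""
    return {p.relative_to(source).as_posix(): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    """backup-full-0001.tar.gz -> backup-full-0001.json, stored next to the archive."""
    return archive.with_suffix("").with_suffix(".json")


def create_backup(source: Path, dest: Path, kind: str,
                  previous: dict[str, str] | None = None) -> tuple[Path, dict[str, str]]:
    """Write backup-<kind>-<n>.tar.gz and its JSON manifest into `dest`.
    Returns the archive path and the full snapshot to feed the next incremental run."""
    current = snapshot(source)
    previous = previous or {}
    # A full backup takes everything; an incremental one only files whose hash changed.
    selected = (current if kind == "full"
                else {p: h for p, h in current.items() if previous.get(p) != h})
    dest.mkdir(parents=True, exist_ok=True)
    n = len(list(dest.glob("backup-*.tar.gz"))) + 1
    archive = dest / f"backup-{kind}-{n:04d}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in selected:
            tar.add(source / rel, arcname=rel)
    manifest = {"kind": kind, "archive_sha256": sha256_file(archive), "files": selected}
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    # Read-only bits are only a local stand-in for the WORM storage the page calls
    # for; real immutability must be enforced by the backup target, not the client.
    os.chmod(archive, 0o444)
    os.chmod(manifest_path(archive), 0o444)
    return archive, current


def restore_test(archive: Path, restore_dir: Path) -> bool:
    """Backup Testing: check the archive hash, extract it, and confirm every restored
    file matches the hash recorded at backup time.  False means do not trust it."""
    manifest = json.loads(manifest_path(archive).read_text())
    if sha256_file(archive) != manifest["archive_sha256"]:
        return False  # archive altered or corrupted after it was written
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # rejects path traversal (3.12+ / backports)
        except TypeError:  # interpreter predates the filter argument
            tar.extractall(restore_dir)
    return all((restore_dir / rel).is_file() and sha256_file(restore_dir / rel) == digest
               for rel, digest in manifest["files"].items())


if __name__ == "__main__":
    # Demo on constructed data in a temporary directory (assumed layout).
    root = Path(tempfile.mkdtemp())
    src = root / "fileserver"
    (src / "docs").mkdir(parents=True)
    (src / "docs" / "report.txt").write_text("q1 figures")
    (src / "notes.txt").write_text("first draft")
    full, snap = create_backup(src, root / "backups", backup_kind(date.today(), None))
    (src / "notes.txt").write_text("second draft")
    inc, _ = create_backup(src, root / "backups", "incremental", previous=snap)
    print(full.name, "restore ok:", restore_test(full, root / "restore-full"))
    print(inc.name, "restore ok:", restore_test(inc, root / "restore-inc"))
```

<p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Run it as a script to see a full backup, an incremental backup and two verified restores in a temporary directory. The restore test is the part most often skipped in practice: it fails closed on a hash mismatch, so a scheduled run against the newest archives, in a scratch directory on an isolated host, turns "we have backups" into "we have restorable backups" before an incident forces the question.</span></p>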