070. Can an Adversary Abuse IoT to Deploy Ransomware?
Hello everyone! How do you choose telemetry sources? Take IoT devices, for example: do you collect data from them? Why am I asking? In a recent incident, Akira affiliates (we track this cluster as Neon Wolf) used a webcam to deploy ransomware!
The adversary pivoted to this device because it had no EDR coverage and carried several critical vulnerabilities.
Was it possible to detect the malicious activity earlier? Yes! According to the IoC list, the threat actors also used AnyDesk to maintain redundant access. As you already know, this is an extremely common technique; here's an example of how to search for related activity:
event_type: "processcreate"
AND
proc_file_productname: "anydesk"
AND NOT
proc_file_path: ("program files" OR "appdata")
I excluded the standard installation paths, but you can include them as well; it depends on how much noise you get. Keep in mind that the product name comes from the binary's version information, so a renamed or relocated AnyDesk executable still matches on proc_file_productname. Happy hunting!
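To show how the query above behaves on real-looking telemetry, here is an added Python re-implementation of the same logic run over a few constructed process-creation events. This is example code written for this post, not the original query engine; the field names (event_type, proc_file_productname, proc_file_path) follow the query, the sample events are made up, and the case-insensitive substring matching is an assumption about how the platform treats those text fields.

```python
"""Hunt for AnyDesk process starts outside the standard install paths.

Added example: re-implements the hunting query from the post in Python and
runs it over constructed sample events. Field names follow the query; the
matching semantics (case-insensitive substring) are an assumption.
"""

# Path fragments treated as "standard" AnyDesk locations (from the query).
STANDARD_PATHS = ("program files", "appdata")


def is_suspicious_anydesk(event: dict, exclude_standard_paths: bool = True) -> bool:
    """Return True when the event is an AnyDesk process start worth reviewing.

    Mirrors the query:
      event_type: "processcreate"
      AND proc_file_productname: "anydesk"
      AND NOT proc_file_path: ("program files" OR "appdata")
    The last clause is optional so the noise level can be tuned.
    """
    if event.get("event_type", "").lower() != "processcreate":
        return False
    # Product name is read from the PE version info, so a renamed binary
    # still carries "AnyDesk" here even if the file name says otherwise.
    if "anydesk" not in event.get("proc_file_productname", "").lower():
        return False
    path = event.get("proc_file_path", "").lower()
    if exclude_standard_paths and any(p in path for p in STANDARD_PATHS):
        return False
    return True


def hunt(events, exclude_standard_paths: bool = True) -> list:
    """Apply the rule to an iterable of events and return the hits."""
    return [e for e in events if is_suspicious_anydesk(e, exclude_standard_paths)]


# Constructed sample telemetry for illustration, not data from any incident.
SAMPLE_EVENTS = [
    {"event_type": "processcreate", "proc_file_productname": "AnyDesk",
     "proc_file_path": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"event_type": "processcreate", "proc_file_productname": "AnyDesk",
     "proc_file_path": r"C:\Users\jdoe\AppData\Roaming\AnyDesk\AnyDesk.exe"},
    {"event_type": "processcreate", "proc_file_productname": "AnyDesk",
     "proc_file_path": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    # Renamed copy dropped in a temp directory; product name still AnyDesk.
    {"event_type": "processcreate", "proc_file_productname": "AnyDesk",
     "proc_file_path": r"C:\Windows\Temp\svchost.exe"},
    {"event_type": "processcreate", "proc_file_productname": "Microsoft Windows Operating System",
     "proc_file_path": r"C:\Windows\System32\svchost.exe"},
    # Same binary, but not a process-creation event.
    {"event_type": "networkconnect", "proc_file_productname": "AnyDesk",
     "proc_file_path": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("suspicious:", hit["proc_file_path"])
    print(len(hunt(SAMPLE_EVENTS, exclude_standard_paths=False)),
          "hits when the standard paths are not excluded")
```

With the exclusion on, only the Downloads copy and the renamed binary in C:\Windows\Temp are flagged; turning the exclusion off also surfaces the two standard-path starts, which is the noise trade-off the post mentions.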
See you tomorrow!