070. Can an Adversary Abuse IoT to Deploy Ransomware?

Hello everyone! How do you choose telemetry sources? For example, IoT devices: do you collect data from this source? Why am I asking? In a recent incident, Akira affiliates (we track this cluster as Neon Wolf) used a webcam to deploy ransomware!


The adversary decided to pivot to this device because there was no EDR on it and it had a few critical vulnerabilities.

Was it possible to detect malicious activity earlier? Yes! According to the IoC list, the threat actors also used AnyDesk to establish redundant access. As you already know, this is an extremely common technique; here's an example of how to search for related activity:

event_type: "processcreate"
AND
proc_file_productname: "anydesk"
AND NOT
proc_file_path: ("program files" OR "appdata")

I excluded standard installation paths, but you can include them; it depends on the amount of noise you get in your environment. Happy hunting!
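Here is the same hunt expressed in Python and run over a few constructed process-creation events, added as an example and not part of the original post; the field names follow the query above, while the sample events and the helper names are assumptions.

```python
# Added example (not from the original post): a Python version of the AnyDesk hunt,
# run over constructed process-creation events. Field names follow the query in the
# post; the sample events and the helper names are assumptions.
from typing import Iterable

# Standard installation locations excluded by the query. The test is a
# case-insensitive substring match, mirroring the free-text semantics of the query.
EXCLUDED_PATH_FRAGMENTS = ("program files", "appdata")


def is_suspicious_anydesk(event: dict) -> bool:
    """True when the event matches the hunt: a process-creation event whose file
    product name mentions AnyDesk and whose image path lies outside the standard
    installation directories (a common sign of an ad-hoc, attacker-dropped copy)."""
    if event.get("event_type", "").lower() != "processcreate":
        return False
    product = event.get("proc_file_productname", "").lower()
    if "anydesk" not in product:
        return False
    path = event.get("proc_file_path", "").lower()
    return not any(fragment in path for fragment in EXCLUDED_PATH_FRAGMENTS)


def hunt(events: Iterable[dict]) -> list:
    """Filter a stream of events down to the hits worth triaging."""
    return [e for e in events if is_suspicious_anydesk(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "processcreate", "proc_file_productname": "AnyDesk",
     "proc_file_path": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "host": "ws01"},
    {"event_type": "processcreate", "proc_file_productname": "AnyDesk",
     "proc_file_path": r"C:\Users\alice\AppData\Roaming\AnyDesk\AnyDesk.exe", "host": "ws02"},
    {"event_type": "processcreate", "proc_file_productname": "AnyDesk",
     "proc_file_path": r"C:\Users\Public\Music\ad.exe", "host": "srv03"},
    {"event_type": "processcreate", "proc_file_productname": "AnyDesk",
     "proc_file_path": r"C:\ProgramData\ad.exe", "host": "srv04"},
    {"event_type": "filecreate", "proc_file_productname": "AnyDesk",
     "proc_file_path": r"C:\Temp\AnyDesk.exe", "host": "ws05"},
    {"event_type": "processcreate", "proc_file_productname": "Microsoft Edge",
     "proc_file_path": r"C:\Program Files\Microsoft\Edge\msedge.exe", "host": "ws06"},
]

if __name__ == "__main__":
    # Expected hits: srv03 and srv04 (AnyDesk launched from non-standard paths).
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["host"], hit["proc_file_path"])
```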

See you tomorrow!
