Threat attackers can own your data in just two days (Security News, January 2023)
If the user navigates to and clicks the only visible file, a Windows shortcut (LNK) file, that LNK file starts the infection process by launching a batch file.
Fifteen minutes after the initial infection, the attackers obtain the credentials of a service account via Kerberoasting, a well-known technique that abuses valid Kerberos service tickets.
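Kerberoasting leaves a trace on the domain controller: a burst of TGS requests (Security Event ID 4769) with RC4 ticket encryption for many distinct service accounts from one user. The following is an added detection example, not code from the report or from TechRepublic; the 4769 records are constructed, and the window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Event ID 4769 records (not real logs). Field names follow
# the event's data: TargetUserName, ServiceName, TicketEncryptionType, Status.
SAMPLE_4769 = [
    # jdoe: normal AES (0x12) tickets for a couple of services
    {"ts": "2023-01-10T09:00:01", "user": "jdoe@CORP.LOCAL", "svc": "MSSQLSvc/db01", "etype": "0x12", "status": "0x0"},
    {"ts": "2023-01-10T09:02:10", "user": "jdoe@CORP.LOCAL", "svc": "HTTP/intranet", "etype": "0x12", "status": "0x0"},
    # svc-backup: RC4 tickets for many distinct SPNs within a few seconds
    {"ts": "2023-01-10T09:15:00", "user": "svc-backup@CORP.LOCAL", "svc": "MSSQLSvc/db01", "etype": "0x17", "status": "0x0"},
    {"ts": "2023-01-10T09:15:01", "user": "svc-backup@CORP.LOCAL", "svc": "HTTP/intranet", "etype": "0x17", "status": "0x0"},
    {"ts": "2023-01-10T09:15:02", "user": "svc-backup@CORP.LOCAL", "svc": "CIFS/files01", "etype": "0x17", "status": "0x0"},
    {"ts": "2023-01-10T09:15:03", "user": "svc-backup@CORP.LOCAL", "svc": "ldap/dc01", "etype": "0x17", "status": "0x0"},
    # machine-account and krbtgt requests are noise and are ignored
    {"ts": "2023-01-10T09:15:04", "user": "svc-backup@CORP.LOCAL", "svc": "WS01$", "etype": "0x17", "status": "0x0"},
    {"ts": "2023-01-10T09:15:05", "user": "svc-backup@CORP.LOCAL", "svc": "krbtgt", "etype": "0x17", "status": "0x0"},
    # a lone RC4 request hours later is not enough on its own
    {"ts": "2023-01-10T11:40:00", "user": "jdoe@CORP.LOCAL", "svc": "MSSQLSvc/db02", "etype": "0x17", "status": "0x0"},
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP ticket encryption types


def is_roastable(ev):
    """Successful RC4 TGS request for a user-owned SPN (not krbtgt, not a machine account)."""
    return (ev["status"] == "0x0" and ev["etype"] in RC4_ETYPES
            and ev["svc"] != "krbtgt" and not ev["svc"].endswith("$"))


def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=3):
    """Return {account: sorted distinct SPNs} for accounts that pulled RC4 service
    tickets for at least `min_spns` distinct SPNs inside any `window`-long span."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable(ev):
            by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["svc"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits[user] = sorted(spns)
                break
    return hits


if __name__ == "__main__":
    for user, spns in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {', '.join(spns)}")
```

Enforcing AES-only service tickets on service accounts removes the RC4 signal entirely and is the stronger mitigation; the detector then only needs to alert on any remaining RC4 request.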
Shortly before the exfiltration starts and 46 hours after the initial infection, the attackers deploy the legitimate Atera remote administration tool on several different machines.
Deploying that tool on several computers gives the attackers a way back into the environment even if the IcedID malware is discovered and removed from those computers.
The attackers used the legitimate rclone file syncing tool to encrypt and send several directories of their choosing to the Mega file sharing service.
The report notes that the final observed step is data exfiltration, but the same intrusion could easily have ended in a ransomware demand.
News URL: https://www.techrepublic.com/article/threat-attacks-own-data-two-days/