In this multi-day intrusion, The DFIR Report observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus.
The threat actor, discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP and exfiltrated sensitive information using the web shell and RDP.
The FBI and CISA published an advisory noting that APT attackers were using CVE-2021-44077 to gain initial access to the networks of organizations of Critical Infrastructure Sectors such as healthcare, financial, electronics and IT consulting industries.
Msiexec Impersonation - Exploit Leads to Data Exfiltration
Userlevel 5
+3
Be the first to reply!
Reply
Login to the community
No account yet? Create an account
Login
CUSTOMER / CYMULATE EMPLOYEE LOGINor
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.