
The SOC case files: XDR neutralizes threat-loaded external drive targeting MSP
Incident summary
- A U.S.-based managed services provider (MSP) was targeted by a well-equipped threat actor shortly before the Thanksgiving holiday.
- The attackers connected a malicious external drive loaded with advanced hacking tools onto a single workstation.
- In just over a minute the threat was mitigated: The SOC identified the unauthorized tools, quarantined them, and isolated the endpoint.
The incident was detected, contained, and mitigated by Barracuda’s 24/7 Security Operations Center (SOC). The SOC is part of Barracuda Managed XDR, an extended visibility, detection, and response (XDR) service that provides customers with round-the-clock human and AI-led threat detection, analysis, incident response, and mitigation services to protect against complex threats.
How the attack unfolded
The attack took place the day before Thanksgiving, a major U.S. holiday.
- On the morning of November 27, the SOC’s automated systems spotted an array of advanced hacking tools appearing one after another in quick succession on a single workstation in a monitored MSP’s network.
- The tools were all being loaded into the same Windows folder from an unauthorized external drive connected to the workstation.
The main attack attempt
- The core of the attempted attack involved four known hacking tools.
- The first of these was an executable called SharpUp, which an attacker can use to try to escalate their privileges in a compromised account.
- The second was a malicious file called LaZagne. This is a password-stealing tool that the attackers probably included in case they were unable to escalate the privileges of a compromised account using SharpUp. They could then use LaZagne to try to obtain credentials for existing accounts with higher privileges.
- Threat intelligence reports indicate that LaZagne has been leveraged in recent attacks by sophisticated threat actors, including China-based advanced persistent threats (APTs).
- The third threat was Mimikatz, a very common tool used by threat actors for numerous tasks including extracting sensitive information and lateral movement.
- The fourth tool found by the SOC analysts was the THOR APT Scanner. This tool is typically used by security professionals to identify malicious activity by threat actors, but it can also be used by attackers themselves for various tasks including the bulk theft of usernames and passwords.
Threat response and mitigation
- XDR Endpoint Security’s SentinelOne agent successfully detected the four hacking tools, marked them as threats, and mitigated them accordingly.
- The Storyline Active Response (STAR) custom rules developed by Barracuda’s SOC engineers effectively detected the presence of Mimikatz and took automated response action to isolate the compromised endpoint.
- By isolating the endpoint and terminating network connectivity, the threat was contained and removed before any malicious processes could be spawned.
- The SOC team analyzed the events, issued an alert, and contacted the MSP directly with a detailed summary of the detections and corresponding response actions.
- The SOC provided critical security recommendations to help the MSP strengthen the protection of their environment, including restricting access for external drives.

Key learnings
- Threat actors are notorious for carrying out attacks around major holidays — times when traditional security teams may be understaffed, and organizations may be less vigilant overall.
- Managed services providers are a growing target for threat actors who understand that if they can successfully breach an MSP, they can expand the scope of the attack to the organizations whose IT infrastructure is managed by the MSP.
- Having a SOC that operates 24/7/365, such as the Barracuda Managed XDR SOC team, to provide continuous, ongoing threat detection and response capabilities is crucial.
The main tools and techniques used in the attack

Known indicators of compromise (IOCs) observed in this attack
- SharpUp SHA1: 4791564cfaecd815ffb2f15fd8c85a473c239e31
- LaZagne SHA1: 0e62d10ff194e84ed8c6bd71620f56ef9e557072
- Mimikatz SHA1: d1f7832035c3e8a73cc78afd28cfd7f4cece6d20
- THOR APT SHA1: 5c154853c6c31e3bbee2876fe4ed018cebaca86f
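As an added illustration of the correlation described under "Threat response and mitigation", the Python below matches constructed file-drop telemetry against the SHA1 IOCs listed above and decides whether a host should be isolated; it is not Barracuda's or SentinelOne's code. The pipe-delimited event format, the 90-second window and the two-tool threshold are assumptions.

```python
# Added example, not Barracuda's STAR rule: correlate file-drop telemetry
# against the SHA1 IOCs from the case file and decide whether a host should
# be isolated. Event format, field names and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# SHA1 values quoted from the IOC list above, keyed to their tool names.
IOC_SHA1 = {
    "4791564cfaecd815ffb2f15fd8c85a473c239e31": "SharpUp",
    "0e62d10ff194e84ed8c6bd71620f56ef9e557072": "LaZagne",
    "d1f7832035c3e8a73cc78afd28cfd7f4cece6d20": "Mimikatz",
    "5c154853c6c31e3bbee2876fe4ed018cebaca86f": "THOR APT Scanner",
}
WINDOW = timedelta(seconds=90)  # assumed "quick succession" window
MIN_TOOLS = 2                   # assumed tool count that triggers isolation

# Constructed sample telemetry (not real logs): ts|host|path|sha1|drive_type
SAMPLE_EVENTS = """\
2024-11-27T08:14:02|WS-17|C:\\Users\\tech\\Tools\\SharpUp.exe|4791564cfaecd815ffb2f15fd8c85a473c239e31|removable
2024-11-27T08:14:09|WS-17|C:\\Users\\tech\\Tools\\laZagne.exe|0e62d10ff194e84ed8c6bd71620f56ef9e557072|removable
2024-11-27T08:14:31|WS-17|C:\\Users\\tech\\Tools\\mimikatz.exe|d1f7832035c3e8a73cc78afd28cfd7f4cece6d20|removable
2024-11-27T08:15:05|WS-17|C:\\Users\\tech\\Tools\\thor.exe|5c154853c6c31e3bbee2876fe4ed018cebaca86f|removable
2024-11-27T09:02:40|WS-03|C:\\Program Files\\Vendor\\svc.exe|0000000000000000000000000000000000000000|fixed
"""

def parse_events(text):
    """Yield (ts, host, folder, sha1, drive_type) from pipe-delimited lines."""
    for line in text.splitlines():
        ts, host, path, sha1, drive_type = line.split("|")
        folder = path.rsplit("\\", 1)[0].lower()
        yield datetime.fromisoformat(ts), host, folder, sha1.lower(), drive_type

def evaluate(events):
    """Return {(host, folder): [tool names]} for clusters that warrant isolating
    the endpoint: at least MIN_TOOLS distinct known tools written from removable
    media into the same folder within WINDOW. Single IOC hits are left to
    per-file quarantine and are not returned here."""
    hits = defaultdict(list)
    for ts, host, folder, sha1, drive_type in events:
        if sha1 in IOC_SHA1 and drive_type == "removable":
            hits[(host, folder)].append((ts, IOC_SHA1[sha1]))
    isolate = {}
    for key, drops in hits.items():
        drops.sort()  # sliding window over drops ordered by timestamp
        for i, (t0, _) in enumerate(drops):
            tools = {name for ts, name in drops[i:] if ts - t0 <= WINDOW}
            if len(tools) >= MIN_TOOLS:
                isolate[key] = sorted(tools)
                break
    return isolate
```

Calling `evaluate(parse_events(SAMPLE_EVENTS))` flags only WS-17, where all four tools land in one folder within the window; the unrelated WS-03 event produces no hit.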
Barracuda Managed XDR features like threat intelligence, automated threat response, and the integration of wider solutions such as XDR Server Security, XDR Network Security, and XDR Cloud Security provide comprehensive protection and can drastically reduce dwell time.
For further information on how Barracuda Managed XDR and Security Operations Center can help, please contact us.