Thursday, July 28, 2016

PIR – CTA&I Wekby Lateral Movement TTPs

Executive Summary: 
This priority intelligence report (PIR) summarizes the known tactics, techniques, and procedures (TTPs) observed with Wekby lateral movement within a targets network and how the group previously infiltrated data. Wekby will likely use these techniques against a highly valued target and analysts believe this represents some of the groups more advanced TTPs. The group’s tactics are extremely effective at evading network controls and detection by seasoned network defenders. The process is customized to the target’s network, tested and fully scripted by the attackers reducing the chance of detection and operator error.

Traditional network defenses will not detect this activity and Wekby takes the time to profile the defender’s controls to determine this. Execution, is quick leaving a defender a small Window to detect the activity.

Publication Date: 25 July 2016; information cutoff date: 8 June 2016
Handling Requirements: Traffic Light Protocol (TLP) AMBER
Attribution/Threat Actors: Criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.
Actor Type: Adversary capabilities have been assessed as Tier IV.
Previous Reporting: Window’s Credential Editor Usage and Mitigations Tracking ID: 908481
Wekby and Subnets Tracking ID: 908384
Wekby Parite Payload Analysis Tracking ID: 912386
Wapack Labs: Recent Wekby, Pisloader, and C2 over DNS Tracking ID: 922814
Industries Targeted: Defense, Banking, Manufacturing, Information Technology, Chemicals

This report was published in its entirety to the Financial Services ISAC and Red Sky Alliance portal on July 25, 2016.  For more information, contact Wapack Labs at 844-4-WAPACK.