Essential Insights
- UNC6692 exploited SNOWBELT extension to download malicious files and used internal port scanning and PsExec for lateral movement, including RDP access to backup servers.
- They extracted LSASS memory to obtain credential hashes, exfiltrating this sensitive data covertly via LimeWire to escalate privileges.
- The attacker used Pass-The-Hash to access domain controllers, downloaded and exfiltrated critical Active Directory data with FTK Imager, and monitored activities through screenshot captures.
Threat, Attack Techniques, and Targets
The threat actor UNC6692 used social engineering and custom malware to attack specific targets. They employed the SNOWBELT extension to download files such as SNOWGLAZE, SNOWBASIN, AutoHotkey scripts, and a ZIP file with a Python executable. These tools helped them control the infected systems.
UNC6692 started by scanning the local network for open ports 135, 445, and 3389. They then used a tool called PsExec to run commands remotely on the target system through a secure tunnel. They checked for local administrator accounts and used them to connect via RDP, which is a remote desktop protocol. Their goal was to move inside the network without being noticed.
They also targeted backup servers on the network. Using administrator credentials, they extracted sensitive information from the LSASS process, a core part of Windows that stores passwords and security data. They exfiltrated this data using LimeWire, a file sharing tool, to avoid detection. Their final goal was to access the domain controllers, which manage the entire network.
They downloaded a ZIP archive containing a tool called FTK Imager. This tool allowed them to copy important files from the Active Directory database, SAM registry, and other system hives. These files contain critical security data about user accounts and system configuration. They then sent this data outside the network, again using LimeWire.
Finally, the actor used screen captures to record activity on the domain controllers, focusing on their use of a web browser and forensic tool.
Impact, Security Implications, and Remediation
This attack can cause severe damage. Stealing domain controller data gives attackers the ability to impersonate users and take control of the entire network. Exfiltrating sensitive information like password hashes and system files can later be used for more attacks or unauthorized access.
The attack also shows how social engineering combined with custom malware can bypass security measures. If an organization’s defenses are weak, or if staff are not trained to recognize tactics like phishing, threat actors can gain access easily.
Organizations should verify their security controls. They must monitor for signs of lateral movement and suspicious file transfers. Network segmentation, strong password policies, and multi-factor authentication are important. Regular audits of system logs and network activity help spot unusual actions early.
Since specific remediation guidance is not provided here, it is recommended to consult the relevant security vendors or authorities to develop a tailored response plan. They can offer specific tools and procedures to prevent similar attacks and mitigate damage if an intrusion occurs.
Discover More Technology Insights
Learn how the Internet of Things (IoT) is transforming everyday life.
Access comprehensive resources on technology by visiting Wikipedia.
ThreatIntel-V1
