Cristian Souza

Featured in:

Articles

  • Nov 26, 2024 | securelist.com | Cristian Souza | Eduardo Ovalle | Ashley Munoz | Timofey Ezhov

    Introduction: In a recent incident response case, we dealt with a variant of the Mimic ransomware with some interesting customization features. The attackers were able to connect via RDP to the victim’s server after a successful brute force attack and then launch the ransomware. After that, the adversary was able to elevate their privileges by exploiting the CVE-2020-1472 vulnerability (Zerologon).

  • May 28, 2024 | securelist.com | Cristian Souza | Eduardo Ovalle | Dmitry Kachan | Alina Sukhanova

    The IT outsourcing market continues to demonstrate strong growth globally – such services are becoming increasingly popular. But along with the advantages, such as saved time and resources, delegating non-core tasks creates new challenges in terms of information security. By providing third-party companies (service providers or contractors) with access to their infrastructure, businesses increase the risk of trusted relationship attacks – T1199 in the MITRE ATT&CK classification.

  • May 23, 2024 | securelist.com | Eduardo Ovalle | Ashley Munoz | Cristian Souza | Christopher Zachor

    Introduction: Attackers always find creative ways to bypass defensive features and accomplish their goals. This can be done with packers, crypters, and code obfuscation. However, one of the best ways of evading detection, as well as maximizing compatibility, is to use the operating system’s own features. In the context of ransomware threats, one notable example is leveraging exported functions present in the cryptography DLL ADVAPI32.dll, such as CryptAcquireContextA, CryptEncrypt, and CryptDecrypt.
