Attacks Against Linux SSH Services Detected by AhnLab EDR

Secure Shell (SSH) is a standard protocol for secure terminal connections and is generally used to control remote Linux systems. Unlike the Windows OS, which individual users run on desktops, Linux systems mainly serve as servers providing web, database, FTP, DNS, and other services. Of course, Windows also supports

Attacks Targeting MS-SQL Servers Detected by AhnLab EDR

MS-SQL servers are one of the main attack vectors used when targeting Windows systems because they use simple passwords and are publicly exposed to the external Internet. Threat actors find poorly managed MS-SQL servers and scan them before carrying out brute force or dictionary attacks to log in with administrator

Initial Access to IIS Web Servers Detected by AhnLab EDR

In the modern Internet society, one can easily obtain information on devices all over the world that are connected to the Internet using network and device search engines such as Shodan. Threat actors can use these search engines to engage in malicious behaviors such as collecting information on attack targets or performing

Infostealers Extorting Web Browser Account Credentials Detected by AhnLab EDR

Web browsers are some of the programs most commonly and frequently used by PC users. Users generally use browsers to look up information, send and receive emails, and use web services such as shopping. This is the case for both individual users and employees conducting business in companies. To use

Defense Evasion Techniques Detected by AhnLab EDR

Generally, organizations such as institutions and companies use various security products to prevent security threats. For endpoint systems alone, there are not only anti-malware solutions, but also firewalls, APT defense solutions, and products such as EDR. Even in ordinary user environments without a separate organization responsible for security, most of them

Kimsuky Group’s Spear Phishing Detected by AhnLab EDR (AppleSeed, AlphaSeed)

The Kimsuky threat group, deemed to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy corporation in 2014, and they have expanded their attacks to other countries since 2017 [1]. The group has mainly

Data Leak Detected by AhnLab EDR (vs. Ransomware Threat Actors)

Ransomware threat actors have been extorting money after taking control over organizations’ internal networks, distributing ransomware, encrypting systems, and holding system restoration for ransom. Recently, however, threat actors not only encrypt the systems but also leak internal data and threaten to expose it publicly if the ransom is not paid.

Various LSASS Credentials Dumping Methods Detected by EDR

AhnLab SEcurity intelligence Center (ASEC) has posted the blog article “Account Credentials Theft in Domain Environments Detected by EDR” [1], which discusses threat actors stealing account credentials after taking control over a system in an Active Directory environment. Among these account credential theft methods, this article will cover in detail

Account Credentials Theft in Domain Environments Detected by EDR

The “Internal Reconnaissance in Domain Environments Detected by EDR” [1] post covered cases where EDR was used to detect the process of a threat actor taking over a system in an Active Directory environment before conducting internal reconnaissance to collect information. If an organization’s infrastructure is an environment that uses

Internal Reconnaissance in Domain Environments Detected by EDR

While threat actors can make a profit by installing CoinMiners or ransomware after initial access, they often first install a backdoor or RAT malware to seize control over the infected system. Infostealers are used for the purpose of stealing user information from the system, but sometimes they are used to