Sophos has released new research on how attackers abuse servers to carry out attacks, titled “An Insider View into the Increasingly Complex Kingminer Botnet”. The Kingminer botnet attempts to gain server access by brute-forcing login credentials, and Sophos now finds that, among other attack mechanisms, it is using the infamous EternalBlue exploit in an attempt to spread its malware.
As a result, Sophos has released an updated version of its Endpoint Detection and Response (EDR) solution. Gabor Szappanos, threat research director at Sophos, confirmed: “The world of cybercriminals is a heterogeneous mass with many different competence and resource levels among them. Understanding these varying capabilities is very important for preparing defensive actions.
The operators of the Kingminer botnet are ambitious and capable, but don’t have endless resources – they use any solution and concept that is freely available, from public domain tools to the techniques used by APT groups. This is a classic example of a lower-rung cybergang unit copying an APT-style attack – in this case a Chinese APT attack method – and using it as a blueprint for Kingminer.
Sophos has talked about how some cybercriminals use other attacks as blueprints, and this is evidence that the trend is continuing, if not becoming more persistent, because it is cost-effective and proven. Many parts of the Kingminer attack are orchestrated using legit or greyware applications and PowerShell scripts. For defenders, this is where application control and other EDR features that detect suspicious ‘Living off the Land’ activity, as well as AMSI detections, can play a huge role.”
To help defenders find opportunistic intrusions of this kind, the new version of Sophos EDR offers a custom-built query engine to detect indicators of compromise.
Kingminer uses many of the same techniques that advanced ransomware attackers use to gain access, which underlines the need for EDR that can hunt active attacks. As Sophos recently found in its State of Ransomware 2020 survey, only 24% of organisations breached in a ransomware incident were able to detect the intrusion and stop it before it encrypted their files. Sophos’ new EDR capabilities help security and IT teams detect threats and breaches that could otherwise take months to uncover.