RaaS Ransomware as a Service and Purple Team Operations

Joas Antonio
3 min read, Jul 1, 2021

Introduction

Hello everyone, everything good? Today I came to share something very interesting that happened to me. I always wander through the forums to learn a few things, until one day I received a message offering me work as a RaaS reseller partner, where I would earn 40% of the profits both from the companies that I compromise and from the groups or individuals that I recruit.

The most interesting thing is that it wasn’t just RaaS, but also HaaS, the famous Hacking as a Service: kind of a bug bounty program, but criminal. The more companies you compromise, and even botnets you build, the more money you make with it. Of course, that was just what the respective user told me; I didn’t go into depth and even refused the offer. After all, a stranger comes up to you and says they’re recruiting for an APT group; it reminded me of ISIS, which used social networks to recruit members.

Anyway, with the information I got, apparently they are recruiting from several sources, and from what I understand LockBit has returned.

https://twitter.com/cryptoinsane/status/1408342272438005762

Also, the GOLD SOUTHFIELD group is very active with the REvil ransomware, which has affected many organizations out there. Apparently, some cell of the group, or even groups not yet mapped in MITRE ATT&CK, is still adhering to this type of service.

If you want to know the groups: https://attack.mitre.org/groups/, just filter by RaaS.

But now let’s talk about what matters: what risks do companies take?

Purple Team Operations

First of all, companies are taking serious risks; this is a fact. My recommendations are that you start taking security seriously, empowering your professionals and investing in observation skills. I recently shared a Shodan screenshot of 60,000 exposed RDPs, imagine! Of those 60,000, 30% are vulnerable, which already brings serious problems for whoever becomes the target of these attacks.

In addition, 0-days are circulating and being sold, even bundled with HaaS or RaaS, as a ready-made kit for any script kiddie to carry out an attack and earn money on top of it: just search Shodan and that’s it. For them, gaining initial access and closing the communication with the adversary’s C2 is great!
So I made a map with ATT&CK, mapping the threats that can be exploited, and of course I’ll leave a pastebin with links to some forums for the Threat Intelligence folks to keep an eye on ;)

https://pastebin.com/tn6BmREF
Below is the map. I recommend that the Red Team work together with the Blue Team to take action: manage and analyze vulnerabilities, run internal pentests and adversary emulation too if necessary, and validate security controls. It is the perfect opportunity to use https://d3fend.mitre.org/

This is the map. I put together both HaaS- and RaaS-oriented techniques, as described by the recruiter. Based on this map, you can try to create Indicators of Compromise (IoCs) to detect abnormal behavior and study the techniques involved in the map.
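As an added example (not code from the original post or from the linked repository) of turning such a map into a detection, the script below scans constructed Windows logon events for the exposed-RDP scenario described above: an external source that fails against many accounts over RDP and then succeeds is flagged and tagged with the matching ATT&CK technique IDs. The event IDs, the flat log field layout and the threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security events (4625 = failed logon, 4624 =
# successful logon; LogonType 10 = RemoteInteractive, i.e. RDP). Not real data.
SAMPLE_EVENTS = """
2021-07-01T10:00:01 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.7
2021-07-01T10:00:02 EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.7
2021-07-01T10:00:03 EventID=4625 LogonType=10 TargetUser=backup SrcIP=203.0.113.7
2021-07-01T10:00:04 EventID=4625 LogonType=10 TargetUser=sql SrcIP=203.0.113.7
2021-07-01T10:00:05 EventID=4625 LogonType=10 TargetUser=test SrcIP=203.0.113.7
2021-07-01T10:00:06 EventID=4624 LogonType=10 TargetUser=backup SrcIP=203.0.113.7
2021-07-01T10:01:10 EventID=4625 LogonType=10 TargetUser=jdoe SrcIP=10.0.0.5
2021-07-01T10:01:12 EventID=4624 LogonType=10 TargetUser=jdoe SrcIP=10.0.0.5
2021-07-01T10:02:00 EventID=4624 LogonType=2 TargetUser=jdoe SrcIP=-
"""

LINE_RE = re.compile(r"EventID=(\d+) LogonType=(\d+) TargetUser=(\S+) SrcIP=(\S+)")
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")  # RFC 1918

def detect_rdp_bruteforce(log_text, threshold=5):
    """Return {src_ip: finding} for each external source with at least
    `threshold` distinct failed RDP usernames; a later success is flagged."""
    state = defaultdict(lambda: {"failed": set(), "success_after_spray": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        event_id, logon_type, user, src = m.groups()
        # Only RDP (type 10) from routable, non-private addresses is in scope.
        if logon_type != "10" or src == "-" or PRIVATE_RE.match(src):
            continue
        s = state[src]
        if event_id == "4625":
            s["failed"].add(user)
        elif event_id == "4624" and len(s["failed"]) >= threshold:
            s["success_after_spray"].add(user)  # success right after a spray
    findings = {}
    for src, s in state.items():
        if len(s["failed"]) < threshold:
            continue
        findings[src] = {
            "failed_users": sorted(s["failed"]),
            "compromised_users": sorted(s["success_after_spray"]),
            # T1133 External Remote Services, T1110 Brute Force
            "attack_techniques": ["T1133", "T1110"],
            "severity": "high" if s["success_after_spray"] else "medium",
        }
    return findings
```

Running `detect_rdp_bruteforce(SAMPLE_EVENTS)` on the constructed events reports only 203.0.113.7, with `backup` as the account that logged in after the spray; the internal 10.0.0.5 activity is ignored.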

https://github.com/CyberSecurityUP/TTPs-Mitre-Attack

https://attack.mitre.org/resources/sightings/

https://www.mitre.org/sites/default/files/publications/16-3713-finding-cyber-threats%20with%20att%26ck-based-analytics.pdf

https://securityinsight.nl/webinar/threat-hunting-beyond-the-ioc-with-mitre-att-ck

That’s it, I tried to be the most objective and bring a brief message about a new threat that is gaining a lot of momentum.

https://resources.infosecinstitute.com/topic/using-mitre-attck-based-analytics-for-threat-detection-5-principles/
