In 2021, Red Canary observed adversaries use a range of initial access mechanisms to gain a foothold in victims’ environments. Much of the activity we saw was consistent with our expectations, with many detections resulting from malicious emails, attempts to harvest victims’ credentials, and breaches by way of a trusted party. Additional details on trends associated with these initial access vectors and follow-on activity such as webshell installation can be found throughout the report.
Understanding initial access can help defenders protect their environments early on. Prioritizing detections related to initial access saves money, time, and effort; lessens pain points for users; and reduces impact to a business. From an intelligence perspective, understanding common patterns in initial access and follow-on activity helps build confidence in determining whether relationships exist between threats that co-occur in an environment.
Notably, over the past year, we observed a rise in what we refer to as “user-initiated activity:” cases where victims downloaded a malicious executable after engaging with content they purposefully sought out. This often occurs without the victim’s knowledge, particularly in cases where adversaries poison search engine results to direct victims to compromised websites.
Though user-initiated activity can be just as dangerous as adversary-initiated activity, it can be more challenging to triage because it often involves unwanted software or riskware, which many organizations deem lower-risk. However, it is critical to respond to this type of activity immediately, as follow-on threats can include infostealers and ransomware.
Top threats relying on user-initiated activity
Several of our top 10 threats—SocGholish, Yellow Cockatoo, and Gootkit—rely on variants of user-initiated activity for initial access. Though not as pervasive, we also saw similar tradecraft with Rose Flamingo, an activity cluster involved in intrusion chains where we later observed various payloads such as STOP ransomware.
- Adversaries behind both Gootkit and Yellow Cockatoo abuse search engine optimization (SEO) to display malicious content at the top of a victim’s search results. Because compromised websites are displayed prominently and presented to the victim from a trusted search engine, victims are often easily “lured” to these sites. They are then prompted to download malicious content masquerading as legitimate content. For example, if a user searched for “this is my query,” the binary they downloaded would be named `this-is-my-query.exe`. Because the file looks familiar, users are less likely to scrutinize it closely or look for red flags.
- Rose Flamingo’s initial access occurs via file-sharing websites purporting to provide free or “cracked” software.
- Similarly, SocGholish leverages drive-by downloads masquerading as software updates. SocGholish itself is embedded in legitimate websites that have been compromised to prompt users about the need to download supposedly required updates.
In each case, the tradecraft allows the operators to carry out seemingly targeted social engineering intrusions at scale.
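The three lure patterns above share an observable artifact: an executable that lands in a user's Downloads folder with a name chosen to match what the user was looking for. The following Python triage heuristic is an added example, not Red Canary's detection logic or telemetry. It runs over constructed process-creation records and flags executables launched from a Downloads path whose file name either reads like a hyphenated search phrase (the `this-is-my-query.exe` pattern described for Gootkit and Yellow Cockatoo) or carries an update or cracked-software lure keyword (the SocGholish and Rose Flamingo patterns). The path regex, the lure vocabulary, and the "three or more all-alphabetic tokens" rule are assumptions chosen for illustration and will need tuning against real data.

```python
"""Triage heuristic for user-initiated initial access (added example, not
Red Canary's code). Input records are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Assumed lure vocabulary drawn from the report's descriptions: fake "update"
# prompts (SocGholish) and "free"/"cracked" software (Rose Flamingo).
LURE_KEYWORDS = {"update", "crack", "cracked", "keygen", "free"}

# Assumption: the binary was saved to a per-user Downloads folder on Windows.
DOWNLOADS_RE = re.compile(r"\\Users\\[^\\]+\\Downloads\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (constructed for this example)."""
    parent_image: str
    image: str


def name_tokens(image: str) -> list[str]:
    """Split the file name (without extension) on '-', '_', '.' and whitespace."""
    name = image.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return [t for t in re.split(r"[-_.\s]+", stem) if t]


def looks_like_search_phrase(image: str) -> bool:
    """True when the name reads like a hyphenated search query:
    'this-is-my-query.exe' -> True; 'vlc-3.0.18-win64.exe' -> False
    (version numbers and architecture tags are not plain words)."""
    tokens = name_tokens(image)
    return len(tokens) >= 3 and all(t.isalpha() for t in tokens)


def lure_keywords(image: str) -> set[str]:
    """Lure words present in the file name, lower-cased."""
    return {t.lower() for t in name_tokens(image)} & LURE_KEYWORDS


def in_downloads(image: str) -> bool:
    return DOWNLOADS_RE.search(image) is not None


def triage(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Return (image path, reasons) for each executable worth a closer look."""
    findings = []
    for ev in events:
        if not ev.image.lower().endswith(".exe") or not in_downloads(ev.image):
            continue
        reasons = []
        if looks_like_search_phrase(ev.image):
            reasons.append("file name reads like a search phrase")
        kws = lure_keywords(ev.image)
        if kws:
            reasons.append("lure keyword: " + ", ".join(sorted(kws)))
        if reasons:
            findings.append((ev.image, reasons))
    return findings


# Constructed sample records: two benign, three matching the lure patterns.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Users\alice\Downloads\this-is-my-query.exe"),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Users\alice\Downloads\Chrome.Update.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Users\alice\Downloads\vlc-3.0.18-win64.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Vendor\app.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Users\bob\Downloads\photoshop-2021-crack-setup.exe"),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(f"{image}\n    " + "; ".join(reasons))
```

Treat a hit as a prompt to pull the download source and follow-on child processes, not as a verdict: the heuristic will also catch legitimately named installers, and, as the report notes, the danger of this activity lies in what follows the initial riskware rather than in the file name itself.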