Security News

Cybersecurity news aggregator

HIGH | Attacks | Source: Reddit r/netsec

World Leaks: RDP Access Leads to Custom Exfiltration and Personalized Extortion

The threat actor gained initial access by brute-forcing an exposed RDP service with a wordlist tailored to the victim, then ran scripts generated by privacy.sexy (a legitimate open-source privacy-hardening tool) to disable defenses and used Cobalt Strike for command and control. They exfiltrated data with a custom tool (agent.exe/RustyRocket) that sent it over port 443 to thousands of Cloudflare IPs, then dropped personalized extortion notes on every reachable workstation. The article details the attack chain but does not provide a CVE, CVSS score, specific affected software versions, fixed versions, or workarounds.

At a Glance

Dwell time: 2 days
Initial access: RDP brute force (targeted wordlist)
Defense evasion: privacy.sexy
C2: Cobalt Strike + custom TCP beacon
Lateral movement: RDP and SMB
Exfiltration: custom exfil tool, 6,900+ unique Cloudflare IPs over 443
Extortion: personalized note for each user, 2 templates (leadership / employee)
Negotiation: $200,000 BTC demanded, negotiated down to $85,000, full negotiation chats included

Executive Summary

Over this two-day intrusion World Leaks gained initial access to the network and quickly moved to critical infrastructure, including the domain controller and backup server. The threat actor's goal was to access and exfiltrate sensitive corporate data from across the organization, which they then used to pressure the victim into paying an extortion demand.

The threat actor brute-forced the Administrator account on an exposed RDP service using a wordlist tailored to the company. The password would not have been found on a common wordlist, indicating that the threat actor performed reconnaissance on the organization before the brute force. Within 2 minutes of logging in, the threat actor executed privacy.sexy to disable security controls and then deployed SoftPerfect Network Scanner with a pre-built config to map the network. They then loaded a Cobalt Strike stager directly into PowerShell process memory and dropped lactenin.exe, malware masquerading as a Microsoft Edge Update installer.

The threat actor moved laterally to the domain controller over RDP using the same Administrator credentials and replicated their tools there. They ran the same privacy.sexy script on the domain controller and copied lactenin.exe over SMB, executing it immediately. The threat actor was removed from the network the same day.

The threat actor regained access the following day because the original RDP exposure had not been remediated. They reached the backup server within 2 minutes of regaining access and attempted SSH connections to the Linux file server, all of which failed. The threat actor then downloaded agent.exe (RustyRocket, first identified and named by Accenture), a custom exfiltration platform that World Leaks distributes to its operators. A recovered operator README indicates this is a maintained platform with three operating modes, persistence recipes, and a companion pivoting proxy for segmented networks. The domain controller and backup server ran agent.exe simultaneously, connecting to over 6,900 unique Cloudflare IPs over 443 to exfiltrate data that had been collected over 445 (SMB) from every reachable host. After exfiltrating the data, the threat actor spent 68 minutes placing personalized extortion notes on every reachable workstation, each addressed by name to its user, with separate templates for leadership and employees.

Initial Access

The threat actor first probed the exposed RDP service the day before with 2 SYN packets from 45.227.254[.]128 at 05:53 UTC. On Day 1 the first failed authentication attempt (Event 4625) was observed at 11:05 UTC, and the brute force succeeded 2 minutes later at 11:07 UTC, observed as a Type 3 (network) logon from NLA credential validation with workstation name SBSSRV. The threat actor manually logged in over RDP 4 minutes later at 11:11 UTC.

The password was custom to the organization and would not have been found on a common wordlist. This indicates the threat actor performed reconnaissance on the company before the brute force and built a targeted wordlist incorporating the company name.

The source IP 45.227.254[.]128 is a Windows Server 2012 R2 machine (hostname SBSSRV) hosted by Flyservers/XWIN UNIVERSAL (AS267784). The same IP was used across both phases of the intrusion, with external RDP authentications on Day 1 and again on Day 2 after the threat actor was kicked out. The RDP exposure was not remediated, and the threat actor regained access the following day from the same source IP.

Reconnaissance:
Day before, 05:53:47 UTC: 2 SYN packets from 45.227.254[.]128 (probe)

Brute force:
Day 1, 11:05:01 UTC: first failed logon (Event 4625, Administrator)
Day 1, 11:07:12 UTC: brute force succeeds (Type 3, workstation: SBSSRV)
2,153 failed logon attempts (Event 4625) from SBSSRV in total

RDP logon:
Time: 11:11:38 UTC (4 minutes after brute force success)
Source: 45.227.254[.]128 (Flyservers/XWIN UNIVERSAL, Vilnius LT, AS267784)
Target: entry workstation, port 3389
Account: Administrator
Logon Type: 10 (RemoteInteractive)

Day 2, regained access:
Source: 45.227.254[.]128 (same IP)
Account: Administrator

Establishing a Foothold

privacy.sexy

The threat actor used scripts generated by privacy.sexy, a legitimate open-source privacy-hardening tool that can be found online. The script uses a TrustedInstaller privilege escalation to execute commands that even local administrators cannot run directly. It works by creating a scheduled task named "privacy.sexy invoke" and then using the Schedule.Service COM object to call RunEx() on that task, passing in the TrustedInstaller SID (S-1-5-80...
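Two of the behaviours above are cheap to detect with the telemetry most environments already have: the 4625 burst from one workstation followed by a 4624 from the same workstation (the Initial Access timeline), and a server opening tcp/443 connections to thousands of distinct addresses in one CDN's ranges (the agent.exe exfiltration described in the Executive Summary). The following is an added example, not code from the report or from the DFIR authors; it runs both checks over constructed sample events and flow records whose hostnames (DC01, BKP01, WS-ACCT-07), date, and thresholds are assumptions chosen to mirror the narrative. The Cloudflare prefixes are the ones Cloudflare publishes at cloudflare.com/ips-v4 and should be re-checked against the live list.

```python
"""Added example (not from the original report): detection logic for two of
the behaviours described above, run over constructed sample telemetry.

1. RDP brute force: a burst of Event 4625 failures from one source workstation
   followed by a successful 4624 logon (LogonType 3 or 10) from that workstation.
2. Exfiltration fan-out: one internal host opening tcp/443 connections to an
   unusually large number of distinct external IPs inside a CDN's ranges.

Hostnames, timestamps, flow records and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

DAY1 = datetime(2000, 1, 1)  # placeholder date; the report only says "Day 1"
ATTACKER_IP = "45.227.254.128"  # written defanged as 45.227.254[.]128 in the report


def build_sample_auth_events():
    """Constructed Security events mirroring the timeline: 2,153 4625s from
    SBSSRV between 11:05:01 and 11:07:12, a Type 3 success at 11:07:12, a
    Type 10 RDP logon at 11:11:38, plus a benign user who mistypes twice."""
    first_fail = DAY1.replace(hour=11, minute=5, second=1)
    success = DAY1.replace(hour=11, minute=7, second=12)
    n_fail = 2153
    span = (success - first_fail).total_seconds()
    atk = {"user": "Administrator", "workstation": "SBSSRV", "ip": ATTACKER_IP}
    events = [dict(atk, ts=first_fail + timedelta(seconds=span * i / n_fail),
                   id=4625, logon_type=3) for i in range(n_fail)]
    events.append(dict(atk, ts=success, id=4624, logon_type=3))
    events.append(dict(atk, ts=DAY1.replace(hour=11, minute=11, second=38),
                       id=4624, logon_type=10))
    benign = {"user": "jsmith", "workstation": "WS-ACCT-07", "ip": "10.0.20.7"}
    t = DAY1.replace(hour=11, minute=6)
    events += [dict(benign, ts=t, id=4625, logon_type=3),
               dict(benign, ts=t + timedelta(seconds=15), id=4625, logon_type=3),
               dict(benign, ts=t + timedelta(seconds=30), id=4624, logon_type=3)]
    return events


def detect_rdp_brute_force(events, min_failures=20, window=timedelta(minutes=5)):
    """Flag a successful network/RDP logon (4624, LogonType 3 or 10) preceded by
    at least `min_failures` 4625 events from the same workstation within `window`.
    The failure list is cleared after a finding so one burst yields one alert."""
    failures = defaultdict(list)  # workstation -> timestamps of 4625 events
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ws = e["workstation"]
        if e["id"] == 4625:
            failures[ws].append(e["ts"])
        elif e["id"] == 4624 and e["logon_type"] in (3, 10):
            recent = [t for t in failures[ws] if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                findings.append({"workstation": ws, "ip": e["ip"], "user": e["user"],
                                 "failures": len(recent), "first_failure": recent[0],
                                 "success": e["ts"], "logon_type": e["logon_type"]})
                failures[ws].clear()
    return findings


# Cloudflare's published IPv4 ranges (cloudflare.com/ips-v4); verify against the live list.
CLOUDFLARE_V4 = [ip_network(p) for p in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]


def is_cloudflare(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def build_sample_flows():
    """Constructed outbound flows (host, ts, dst_ip, dst_port): the domain
    controller and backup server each fan out to thousands of distinct
    Cloudflare addresses within 25 minutes; a workstation shows ordinary browsing."""
    start = DAY1 + timedelta(days=1, hours=13)  # "Day 2"
    flows = []
    for host, base, n, offset_min in (("DC01", "104.16.0.0", 7000, 0),
                                       ("BKP01", "172.64.0.0", 6900, 5)):
        for i in range(n):
            ts = start + timedelta(minutes=offset_min, seconds=1200 * i / n)
            flows.append((host, ts, str(ip_address(base) + i), 443))
    for i in range(12):
        flows.append(("WS-ACCT-07", start + timedelta(minutes=5 * i),
                      f"93.184.216.{i}", 443))
    return flows


def detect_443_fanout(flows, window=timedelta(minutes=30), min_unique=500):
    """Per host and tumbling window, count distinct destination IPs on tcp/443;
    report hosts exceeding `min_unique` with the share of IPs in Cloudflare ranges."""
    t0 = min(f[1] for f in flows)
    dsts = defaultdict(set)  # (host, window index) -> {dst_ip}
    for host, ts, dst, port in flows:
        if port == 443:
            dsts[(host, (ts - t0) // window)].add(dst)
    findings = []
    for (host, idx), ips in sorted(dsts.items()):
        if len(ips) >= min_unique:
            cf = sum(1 for ip in ips if is_cloudflare(ip))
            findings.append({"host": host, "window_start": t0 + idx * window,
                             "unique_dsts": len(ips), "cloudflare_share": cf / len(ips)})
    return findings


if __name__ == "__main__":
    for f in detect_rdp_brute_force(build_sample_auth_events()):
        print("brute force:", f)
    for f in detect_443_fanout(build_sample_flows()):
        print("443 fan-out:", f)
```

On the constructed data the first check returns one finding for SBSSRV (2,153 failures inside the window, success at 11:07:12 as LogonType 3) and nothing for the benign user; the second flags DC01 and BKP01 with 7,000 and 6,900 distinct destinations, all in Cloudflare space, and ignores the workstation. The fan-out check keys on the source workstation name rather than the source IP because NLA failures are logged with the workstation name, and the tumbling-window counter is deliberately simple; a sliding window or a per-host baseline would reduce false positives on hosts that legitimately talk to a CDN.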
