Friday, July 19, 2024

LUCR-3 Attacking Fortune 2000 Companies Using Victims’ Own Tools & Apps

A new financially motivated threat group named “LUCR-3” has been discovered targeting organizations to steal intellectual property for extortion. This threat actor surpasses Scattered Spider, Oktapus, UNC3944, and Storm-0875.

LUCR-3 is targeting Fortune 2000 companies across sectors including software, retail, hospitality, manufacturing, and telecoms. The threat actor uses existing identities for initial access instead of relying on malware.

Attributes of LUCR-3

As part of initial access, the threat actor performs reconnaissance on the victim's identities to pick the user who will have the access needed for the rest of the operation.

More often than not, they rely on social engineering, smishing, or buying credentials that are available on deep web marketplaces. Most of the targeted users have been identified as admins, developers, engineers, and members of the security team.

[Figure: LUCR-3 AWS attacker lifecycle (Source: Permiso)]

The credentials they use are legitimate and connect to the target network and applications. With these credentials in hand, they bypass MFA using techniques such as SIM swapping, push fatigue, phishing, or buying access through insider threats. They also modify MFA settings by registering a new device or adding alternative MFA options.

R-SaaS & R-AWS (Recon SaaS & Recon AWS)

Moreover, this threat actor has a distinctive way of learning about an organization: it behaves like a regular employee, viewing and searching the documents available in SharePoint, OneDrive, knowledge applications, ticketing solutions, and chat applications, all of which give in-depth knowledge of the victim organization. This is the method used against SaaS applications.

In the case of AWS, they use the billing pages and the AWS Management Console to understand the cloud infrastructure.

They also use Systems Manager (SSM) to run the AWS-GatherSoftwareInventory document, which returns complete information about all EC2 instances and the software running on them.

Persistence in all environments

To maintain persistent access to the compromised environments, the threat actor relies on the techniques already noted: device registration, alternate MFA methods, and changing the strong authentication type (from 6 [PhoneAppOTP] to 7 [OneWaySMS]).

In the case of AWS, the threat actor creates a user, an access key, and a login profile (or updates an existing login profile). A complete report on this threat actor, with detailed information about the infiltration, extraction, and other activity, has been published by Permiso.

For defense evasion, LUCR-3 disables GuardDuty, stops CloudTrail logging, and enables serial console access. In certain cases, they also send emails relating to helpdesk tickets, the creation of authentication keys, access tokens, and OAuth.
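The AWS reconnaissance, persistence, and defense-evasion steps above all leave CloudTrail records. The following is an added example (not Permiso's or the article's code) that labels those records: the rule names are hypothetical, the sample events are constructed, and the SSM and GuardDuty rules only fire for the inventory document and for a detector being switched off, since the bare API calls are routine.

```python
from __future__ import annotations

# Added example, not Permiso's or the article's code. Maps CloudTrail
# eventSource/eventName pairs to the LUCR-3 phases the article describes.
RULES = {
    ("ssm.amazonaws.com", "SendCommand"): "R-AWS: SSM software inventory",
    ("iam.amazonaws.com", "CreateUser"): "Persistence: IAM user created",
    ("iam.amazonaws.com", "CreateAccessKey"): "Persistence: access key created",
    ("iam.amazonaws.com", "CreateLoginProfile"): "Persistence: login profile created",
    ("iam.amazonaws.com", "UpdateLoginProfile"): "Persistence: login profile updated",
    ("guardduty.amazonaws.com", "UpdateDetector"): "Defense evasion: GuardDuty disabled",
    ("cloudtrail.amazonaws.com", "StopLogging"): "Defense evasion: CloudTrail stopped",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "Defense evasion: trail deleted",
    ("ec2.amazonaws.com", "EnableSerialConsoleAccess"): "Defense evasion: serial console on",
}

def classify(rec: dict) -> str | None:
    """Label one CloudTrail record, or return None when it is routine."""
    label = RULES.get((rec.get("eventSource"), rec.get("eventName")))
    params = rec.get("requestParameters") or {}
    if label is None:
        return None
    # SendCommand is everyday admin traffic; only the inventory document matters here.
    if rec["eventName"] == "SendCommand" and params.get("documentName") != "AWS-GatherSoftwareInventory":
        return None
    # UpdateDetector is evasion only when it switches the detector off.
    if rec["eventName"] == "UpdateDetector" and params.get("enable") is not False:
        return None
    return label

def triage(records: list[dict]) -> list[dict]:
    """Attach each finding to the identity and source IP that produced it."""
    return [{"actor": r.get("userIdentity", {}).get("arn", "?"),
             "ip": r.get("sourceIPAddress"), "finding": label}
            for r in records if (label := classify(r))]

# Constructed sample records in CloudTrail's JSON shape (not real telemetry).
ACTOR = {"arn": "arn:aws:iam::123456789012:user/dev-alice"}
SAMPLE = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand", "sourceIPAddress": "198.51.100.7",
     "userIdentity": ACTOR, "requestParameters": {"documentName": "AWS-GatherSoftwareInventory"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops"},
     "requestParameters": {"documentName": "AWS-RunShellScript"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": ACTOR, "requestParameters": {"userName": "dev-alice"}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector", "sourceIPAddress": "198.51.100.7",
     "userIdentity": ACTOR, "requestParameters": {"detectorId": "d-1", "enable": False}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": ACTOR, "requestParameters": {"name": "org-trail"}},
]
```

Running `triage(SAMPLE)` yields four findings, all from the same identity and source IP, which is the pattern worth alerting on rather than any single call.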

Indicators of Compromise

Name                                          Type
P0_AWS_ACCESSKEY_CREATED_1                    Alert
P0_AWS_CLOUDTRAIL_LOGGING_STOPPED_1           Alert
P0_AWS_CLOUDTRAIL_TRAIL_DELETED_1             Alert
P0_AWS_EC2_ROOT_USER_SSH_1                    Alert
P0_AWS_EC2_SERIAL_CONSOLE_ACCESS_ENABLED_1    Alert
P0_AWS_GUARDDUTY_STATUS_CHANGED_1             Alert
P0_AWS_NEW_USER_CREATED_1                     Alert
P0_AWS_S3_BROWSER_USERAGENT_1                 Alert
P0_AWS_SM_GETSECRETVALUE_CLOUDSHELL_1         Alert
P0_AZUREAD_MFA_FACTOR_ROTATION_1              Alert
P0_AZUREAD_MFA_FACTOR_ROTATION_BY_ADMIN_1     Alert
P0_GIT_CLONE_ALL                              Alert
P0_IDP_MFA_DEVICE_DOWNGRADE                   Alert
P0_IDP_MFA_ECOSYSTEM_SWITCH                   Alert
P0_IDP_MFA_EXTERNAL_EMAIL                     Alert
P0_IDP_MFA_MANYUSERS_1DEVICE                  Alert
P0_INTEL_LUCR3                                Alert
P0_OKTA_MFA_FACTOR_ROTATION_1                 Alert
P0_OKTA_MFA_FACTOR_ROTATION_BY_ADMIN_1        Alert
P0_SAAS_CREDENTIAL_SEARCH                     Alert

Source: Permiso


Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
