Technical Security Alert 032822001
- Financial Services
- Government Facilities
Risk Rating: HIGH
SocGholish has currently infected thousands of US businesses, government, academic, non-profit, and healthcare organizations, resulting in subsequent ransomware events with losses ranging between $1 million and $40 million per incident.
The initial stage, SocGholish collects victim browser information upon visiting a compromised website. The malware initiates a series of HTTP redirects before prompting the victim to download a software update for their web browser.
The final stage typically involves the delivery of a “Cobalt Strike Beacon” payload used by threat actors for further network reconnaissance and lateral movement that ultimately leads to ransomware deployment.
SocGholish C2 domains rotate regularly and often use hijacked subdomains of legitimate websites that can blend in with seemingly normal network traffic. Potential SocGholish C2 activity can be identified with the following domain patterns observed during various investigations:
[8 random hex characters].subdomain.domain.topleveldomain
INDICATORS OF COMPROMISE
Known IP Addresses
File Names and Hashes
C2 pattern — [8 random hex characters].subdomain.domain.topleveldomain
- Implement regular backups of Maintain backups offline, and ensure the data is encrypted and immutable.
- Confirm that the Native Domain Admin account “Administrator” has a strong password and is in “Disabled” status. This account should not be used for day to day activities and should be placed under the protected group AD Group.
- Store copies of data offline using multi-factor authentication with strong password
- Disable command-line and scripting activities and
- Install and regularly update antivirus software with real-time
- Implement network segmentation to prevent accessibility across multiple machines on the network.
- Keep computers, devices and applications patched and up to Prioritize patching known exploited vulnerabilities.
- Safeguard the network by enacting administrative privileges and configuring access controls with the least privilege in mind.
- Consider adding an email banner to emails received outside of your
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
- Disable hyperlinks in received
- Use double authentication when logging into accounts or
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
- Use Admin Disabling Tools to support identity and privileged access
- Implement time-based access for accounts set at the admin-level and.
RELATED UDTSECURE SERVICES
The following UDTSecure Cyber Security Services can help clients test and mitigate for this important vulnerability with the following services:
- UDTSecure AD Threat & Compromise Assessment
- UDTSecure Vulnerability Security Assessment and Patch Management as a Service
- UDTSecure Managed Threat Hunting Service
- UDTSecure Compromise Assessment
- UDT Professional Services to help with all your mitigation needs.