The Ignoble Scorpius attack began with a voice phishing (vishing) call. The attacker impersonated the company's IT help desk and tricked an employee into entering their legitimate VPN credentials on a phishing site.

With these credentials, the threat actor gained initial network access and immediately escalated their privileges. They executed a DCSync attack on a domain controller to steal highly privileged credentials, including a key service account. Using these compromised credentials, they moved laterally across the network using RDP and SMB, employing tools like Advanced IP Scanner and SMBExec to map the network and identify high-value targets.

The attackers established persistence by deploying AnyDesk and a custom RAT on a domain controller, configured as a scheduled task to survive reboots...

Keep Reading

#Vishing

#Tech Support Scam

#Ransomware

Next Article Previous Article Back to All News

A hand with a pen going over a floorplan.

↑

Anatomy of an Attack: The “BlackSuit Blitz” at a Global Equipment Manufacturer

Tags