Ransomware artifacts

I recently read through this FalconFeeds article on Qilin ransomware; being in DFIR consulting for as long as I have, and given how many ransomware incidents I’ve responded to or dug into, articles with titles like this attract my attention. I do not presume to know everything; in fact, I’m very interested in the insights others provide based on their own investigations, which is another reason articles like this grab my attention.

As I read through the article, however, I became somewhat confused. Consider this quote from the article:

On closer examination, it is likely that the individual behind the Stack Overflow post was an infected victim rather than an attacker. This assessment is supported by the fact that another IP address 107[.]167[.]93[.]118 was observed with the same machine name (WIN-8OA3CCQAE4D) and identical configuration details. Such consistency across multiple, unrelated systems strongly indicates that the exploit automatically renames compromised hosts, leaving behind a uniform system identifier that inadvertently exposed itself in public forums. [emphasis added]

Okay, this statement is interesting. At my day job, for example, we’ve observed this workstation name a number of times, with different IP addresses. Again, these have been observed at different times, so the thinking is that either a threat actor used different means to connect to the Internet, or the workstation with that NetBIOS name/machine ID is a virtual machine shared by several individuals. I think what really threw me was the statement “…the exploit…”; while the word “exploit” is mentioned several times in the article, there’s nothing that clearly delineates what that exploit is, nor how it was discovered or defined.

Later in the blog post, we see the section illustrated in Figure 1.

This article has been indexed from Windows Incident Response
