PT-2023-32956 · Undefined · Undefined
Published: 2023-07-10 · Updated: 2023-07-10 · CVE-2049-16098

#ParsedReport #CompletenessHigh 10-07-2023
The five-day job: A BlackByte ransomware intrusion case study
Report completeness: High
Actors/Campaigns: Volt Typhoon (motivation: cyber espionage)
Threats: BlackByte, BlackLotus, LOLBin technique, Cobalt Strike Beacon, process hollowing technique, ProxyShell vulnerability, Kovter, AnyDesk tool, NetScan tool, AdFind tool, Mimikatz tool, Trojan:Win64/WinGoObfusc.LK, Exbyte stealer, UPX tool, vssadmin tool, timestomp technique, Process Hacker tool, Procmon tool, OllyDbg tool, WinDbg tool, ScreenConnect tool, TeamViewer tool
Victims: US critical infrastructure organizations
Geo: Chinese
CVEs: CVE-2019-16098 [Vulners] CVSS V3.1: 7.8, Vulners: Exploitation: Unknown X-Force: Risk: 7.8 X-Force: Patch: Unavailable Soft:
  • msi afterburner (4.6.2.15658)
CVE-2021-34523 [Vulners] CVSS V3.1: 9.8, Vulners: Exploitation: True X-Force: Risk: 9 X-Force: Patch: Official fix Soft:
  • microsoft exchange server (2013, 2019, 2016)
CVE-2021-34473 [Vulners] CVSS V3.1: 9.8, Vulners: Exploitation: True X-Force: Risk: 9.1 X-Force: Patch: Official fix Soft:
  • microsoft exchange server (2013, 2019, 2016)
CVE-2049-16098 [Vulners] CVSS V3.1: Unknown, Vulners: Exploitation: Unknown X-Force: Risk: Unknown X-Force: Patch: Unknown
CVE-2021-31207 [Vulners] CVSS V3.1: 7.2, Vulners: Exploitation: True X-Force: Risk: 6.6 X-Force: Patch: Official fix Soft:
  • microsoft exchange server (2013, 2019, 2016)
CVE-2022-21894 [Vulners] CVSS V3.1: 4.4, Vulners: Exploitation: Unknown X-Force: Risk: 4.4 X-Force: Patch: Official fix Soft:
  • microsoft windows 10 (-, 1607, 1809, 1909, 20h2, 21h1, 21h2)
  • microsoft windows server 2012 (r2, -)
  • microsoft windows server 2016 (-)
  • microsoft windows 8.1 (-)
  • microsoft windows server 2019 (-) have more...
TTPs: Tactics: 5 Techniques: 0
IOCs: IP: 3 Registry: 3 Path: 14 Url: 4 File: 1049 Domain: 1 Hash: 6 Command: 6 Coin: 1
Soft: microsoft 365 defender, microsoft defender, microsoft defender for endpoint, microsoft exchange, active directory, psexec, windows firewall, bootnxt, onenote, outlook, have more...
Algorithms: sha256, base64
Functions: ReadMe, RABAsSaa
Win API: ShellExecuteW
Win Services: db2, agntsvc, dbeng50, dbsnmp, encsvc, infopath, isqlplussvc, mydesktopqos, mydesktopservice, Ntrtscan, have more...
Languages: golang
Platforms: intel, x86
