Attackers have used a Windows Defender command-line tool to deliver LockBit 3.0 ransomware to a system without detection. The American security company SentinelOne was investigating the incident.
The attackers gained access to a server through a vulnerability in the Log4j logging library. They then ran a series of PowerShell commands, one of which used Windows Defender’s MpCmdRun.exe command-line tool to set up a so-called Cobalt Strike ‘beacon’.
Cobalt Strike is legitimate penetration-testing software, but attackers now use it to set up a beacon, which lets them load further malware onto a server. In this case that malware was LockBit 3.0 ransomware, which encrypts files and demands a ransom in cryptocurrency.
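One way a defender can hunt for the pattern described above in process-creation telemetry, as an added example that is not from the article or from SentinelOne’s report: flag MpCmdRun.exe whenever it runs from outside the standard Defender install directories or is spawned by a script host such as PowerShell. The install paths listed and the Sysmon-style key=value log lines are assumptions constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 style, key=value fields).
# These are sample lines written for this example, not logs from the incident.
SAMPLE_EVENTS = [
    r'Image=C:\Program Files\Windows Defender\MpCmdRun.exe ParentImage=C:\Windows\System32\svchost.exe',
    r'Image=C:\Users\Public\MpCmdRun.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    r'Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.5-0\MpCmdRun.exe ParentImage=C:\Windows\System32\services.exe',
    r'Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe',
]

# Directories where Windows Defender normally installs MpCmdRun.exe
# (assumed standard locations; adjust to your environment).
EXPECTED_DIRS = (
    r'C:\Program Files\Windows Defender',
    r'C:\ProgramData\Microsoft\Windows Defender\Platform',
)

# Interactive script hosts that rarely launch MpCmdRun.exe in normal operation.
SCRIPT_HOSTS = {'powershell.exe', 'pwsh.exe', 'cmd.exe'}

def parse_event(line):
    """Split a key=value event line into a dict; values may contain spaces."""
    return dict(re.findall(r'(\w+)=(.*?)(?= \w+=|$)', line))

def is_suspicious(event):
    """Return a reason string if MpCmdRun.exe runs from an unexpected directory
    or is launched by a script host; return None for anything else."""
    image = PureWindowsPath(event.get('Image', ''))
    parent = PureWindowsPath(event.get('ParentImage', ''))
    if image.name.lower() != 'mpcmdrun.exe':
        return None
    reasons = []
    if not any(str(image).lower().startswith(d.lower()) for d in EXPECTED_DIRS):
        reasons.append(f'unexpected path {image}')
    if parent.name.lower() in SCRIPT_HOSTS:
        reasons.append(f'launched by {parent.name}')
    return '; '.join(reasons) or None

def hunt(lines):
    """Return (event_index, reason) for every suspicious event in the input."""
    hits = []
    for i, line in enumerate(lines):
        reason = is_suspicious(parse_event(line))
        if reason:
            hits.append((i, reason))
    return hits

if __name__ == '__main__':
    for idx, why in hunt(SAMPLE_EVENTS):
        print(f'event {idx}: {why}')
```

Only the second constructed event is flagged: the binary runs from a user-writable directory and its parent is PowerShell, while the two events from the standard install paths pass.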
This is not the first time LockBit 3.0 attackers have abused legitimate software in this way: VMware’s own command-line interface has already been used for the same purpose.
MpCmdRun.exe in the Command Prompt.