The cybercrime group TA505’s Get2 threats are constantly trying to penetrate targets’ infrastructure, but awareness, speedy communication, and quick action in the security community help create a strong network of defense.
Cyber attack update: The intelligence community uncovers latest evolution of TA505/Get2 Attack
In the past several weeks, a familiar evolution has taken place within the Get2 attack schema, a prolific cyber-threat program. TA505, the attack group behind Get2, saw the return on its tactics diminish as those tactics stayed in place longer, were used at volume, and were documented in counter-intelligence exchanged among security operations teams. In response, the attack group paused activity for several days, then reappeared with a new delivery mechanism for reaching its victims. In this particular case, Get2 switched overnight from HTML file-based delivery to embedded links.
Thanks to a broad pool of knowledge collection, initial indications of the change began to be shared through vigilant private intelligence-share communities while most in the western hemisphere were still sleeping. This initial discovery and intelligence distribution included the stage 2 and stage 3 domains that this attack infrastructure utilizes for malware delivery. Security personnel on call were able to initiate their respective processes with this information. Success in countering the attack evolution is not solely reliant on availability of information. Protection also relies on the speed with which security operations teams can react. Both determine the company’s level of confidence in combatting the latest threat of the attack infrastructure.
Cybercrime group TA505’s latest Get2 changes fail to fool well-connected security teams
In a highly capable security operations center (SOC), team members use information gathering and intelligence enrichment processes to efficiently target the threats prevalent to them and their clients. In instances where Get2 was attempting to breach a company, the enrichment process involves analysts’ skill at taking the new information and “tuning” it in the form of controls specific to the company IT infrastructure in order to block the attack. While knowing what is going on everywhere in the cyber-attack realm would be ideal, the most important threat intelligence is the knowledge of what is happening in and against one’s own enterprise.
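The “tuning” step described above, turning a shared list of stage 2 and stage 3 domains into company-specific controls, is shown here as an added example; it is not code from the original post or from any SOC tooling mentioned in it. The domain list, log lines and field names are all constructed placeholders (the real Get2 infrastructure is not reproduced), and the two actions it demonstrates are what a defender typically does first with such a feed: normalise the raw entries into a clean blocklist, then retro-hunt internal DNS and proxy logs for any host that already contacted those domains or their subdomains.

```python
"""Hypothetical IoC enrichment helper (added example, not from the original post).

Given shared stage-2/stage-3 domains, (1) normalise them into blocklist
entries and (2) search constructed DNS/proxy log lines for contact with
those domains, treating subdomains as matches but not look-alike substrings.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed placeholders standing in for a community-shared domain list.
# Real feeds arrive messy: mixed case, trailing dots, full URLs, stray spaces.
SHARED_IOC_DOMAINS = [
    "Stage2-Example.INVALID.",
    "http://stage3-example.invalid/get2/",
    "  cdn.stage3-example.invalid  ",
]

# Constructed DNS and proxy log lines in a simple key=value format.
SAMPLE_LOG_LINES = [
    "2000-01-01T06:12:01Z dns host=ws-0417 query=update.stage2-example.invalid type=A",
    "2000-01-01T06:12:03Z proxy host=ws-0417 url=http://stage3-example.invalid/get2/ status=200",
    "2000-01-01T06:15:44Z dns host=ws-0022 query=www.example.com type=A",
    # Look-alike that merely contains an IoC as a substring: must NOT match.
    "2000-01-01T06:16:10Z proxy host=ws-0101 url=https://notstage2-example.invalid/ status=200",
]


def normalise_domain(raw: str) -> str:
    """Lower-case and strip whitespace, URL scheme, path, port and trailing dot."""
    s = raw.strip().lower()
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)   # drop scheme such as http://
    s = s.split("/", 1)[0].split(":", 1)[0]        # drop path and port
    return s.rstrip(".")


def build_blocklist(raw_entries: Iterable[str]) -> List[str]:
    """Deduplicated, normalised domains ready for a DNS sinkhole or proxy deny rule."""
    seen = set()
    blocklist = []
    for entry in raw_entries:
        domain = normalise_domain(entry)
        if domain and domain not in seen:
            seen.add(domain)
            blocklist.append(domain)
    return blocklist


def matches_ioc(hostname: str, blocklist: Iterable[str]) -> Optional[str]:
    """Return the matching IoC if hostname equals it or is a subdomain of it."""
    host = normalise_domain(hostname)
    for ioc in blocklist:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


@dataclass(frozen=True)
class Hit:
    timestamp: str
    host: str
    observed: str   # the query or URL seen in the log
    ioc: str        # the blocklist entry it matched


_TS = re.compile(r"^(\S+)")
_HOST = re.compile(r"host=(\S+)")
_TARGET = re.compile(r"(?:query|url)=(\S+)")


def hunt(log_lines: Iterable[str], blocklist: Iterable[str]) -> List[Hit]:
    """Retro-hunt: which internal hosts already touched the shared infrastructure?"""
    blocklist = list(blocklist)
    hits = []
    for line in log_lines:
        target = _TARGET.search(line)
        host = _HOST.search(line)
        if not target or not host:
            continue
        ioc = matches_ioc(target.group(1), blocklist)
        if ioc:
            hits.append(Hit(_TS.match(line).group(1), host.group(1), target.group(1), ioc))
    return hits


if __name__ == "__main__":
    blocklist = build_blocklist(SHARED_IOC_DOMAINS)
    print("blocklist:", blocklist)
    for hit in hunt(SAMPLE_LOG_LINES, blocklist):
        print(f"{hit.timestamp} {hit.host} contacted {hit.observed} (IoC {hit.ioc})")
```

The subdomain rule in `matches_ioc` is the part worth getting right: a feed entry of `stage2-example.invalid` should catch `update.stage2-example.invalid`, which is how delivery infrastructure often rotates hostnames under one registered domain, but a plain substring check would also flag the unrelated `notstage2-example.invalid` and generate false positives. The resulting blocklist is what gets pushed to the proxy or DNS resolver; the hit list is what goes to the analyst who decides which workstations need attention.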
Successfully reacting to Get2 looked like this:
Teams are able to make great strides within a matter of hours, due to operators with dynamic skillsets, a deep knowledge of and attention to active and current threats specific to the infrastructure they protect, and broad, reliable community-sharing relationships. With these proactive approaches, they can ready the defense for subsequent attack campaigns that will be launched later that day.