In a recent security event, the eCrime actor known as BLOCKADE SPIDER was observed conducting a cross-domain attack originating from a compromised Managed Service Provider (MSP) and targeting one of its clients. The adversary’s ultimate objective was the deployment of PLAY ransomware. The intrusion was detected and neutralized by CrowdStrike’s proactive threat hunting and managed detection and response teams before the final payload could be executed.
BLOCKADE SPIDER’s Attack Chain
The intrusion began with BLOCKADE SPIDER exploiting a known vulnerability, CVE-2023-27997, in an unpatched Fortinet FortiGate firewall appliance at the MSP. After gaining initial access, the actor leveraged Exchange Web Services (EWS) with a legitimate user’s credentials to send internal phishing emails. These emails contained a link to a malicious SMB share which, when accessed, executed a batch script to deploy a custom backdoor named Grixba.
With persistent access established via Grixba, BLOCKADE SPIDER proceeded with reconnaissance and lateral movement. The actor used the AdFind tool for Active Directory discovery and executed native commands like net and nltest for domain enumeration. To harvest credentials, the adversary used ProcDump to dump the memory of the Local Security Authority Subsystem Service (LSASS) process. Further tooling included attempts to use AnyDesk for remote access and the GMER rootkit scanner to identify security products on the compromised systems. The actor then used native Remote Desktop Protocol (RDP) to move laterally within the client’s network.
CrowdStrike’s Detection and Response
The malicious activity was first identified by the CrowdStrike Falcon OverWatch team of proactive threat hunters. They observed behavior consistent with hands-on-keyboard adversary techniques, including the use of AdFind for discovery and the creation of a new local administrator account. Upon detecting the attempt to dump LSASS credentials, the Falcon Complete managed detection and response (MDR) team was engaged.
The Falcon Complete team immediately took action, containing the compromised host within minutes of observing the credential access attempt. This rapid containment severed the adversary’s access to the client’s environment. The subsequent investigation confirmed the cross-domain nature of the attack, tracing its origin back to the compromised MSP. The combined efforts of Falcon OverWatch and Falcon Complete successfully stopped the intrusion before BLOCKADE SPIDER could deploy the PLAY ransomware.
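The behaviours that tipped off the hunters above (AdFind discovery, nltest enumeration, a new local administrator account, ProcDump against LSASS) can be expressed as simple rules over process-creation telemetry. The following Python is an added example and is not CrowdStrike's detection logic or any Falcon rule: the event schema, the rule names, the severities, and the sample telemetry are all constructed for illustration. It matches each event against the rules and then, mirroring the response described in this report, nominates a host for containment as soon as credential access is observed, attaching whatever discovery or account-creation precursors were seen on that host shortly before.

```python
"""Detection rules for the hands-on-keyboard tradecraft described above,
run over constructed process-creation telemetry (example only, not a
vendor's rule set)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int          # seconds since epoch (constructed values)
    host: str
    user: str
    image: str       # full path of the newly created process
    cmdline: str


# Constructed sample telemetry: benign noise plus the suspicious sequence
# discovery -> local admin creation -> LSASS memory dump, all on one host.
SAMPLE_EVENTS = [
    ProcEvent(1000, "CLIENT-WS01", "CLIENT\\jdoe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
    ProcEvent(1010, "CLIENT-WS01", "CLIENT\\jdoe", r"C:\Users\jdoe\AppData\Local\Temp\AdFind.exe",
              "AdFind.exe -f objectcategory=computer"),
    ProcEvent(1020, "CLIENT-WS01", "CLIENT\\jdoe", r"C:\Windows\System32\nltest.exe",
              "nltest /dclist:client.local"),
    ProcEvent(1030, "CLIENT-WS01", "CLIENT\\jdoe", r"C:\Windows\System32\net.exe",
              "net user svc_backup P@ssw0rd! /add"),
    ProcEvent(1031, "CLIENT-WS01", "CLIENT\\jdoe", r"C:\Windows\System32\net.exe",
              "net localgroup administrators svc_backup /add"),
    ProcEvent(1100, "CLIENT-WS01", "CLIENT\\jdoe", r"C:\Windows\Temp\procdump64.exe",
              "procdump64.exe -accepteula -ma lsass.exe out.dmp"),
    ProcEvent(1200, "CLIENT-WS02", "CLIENT\\admin", r"C:\Windows\System32\net.exe",
              "net use Z: \\\\fileserver\\share"),
]


def _base(image: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


# (rule name, severity, predicate). Names and severities are assumptions.
RULES = [
    ("adfind_discovery", "medium",
     lambda e: _base(e.image) == "adfind.exe" or "adfind" in e.cmdline.lower()),
    ("nltest_domain_enum", "low",
     lambda e: _base(e.image) == "nltest.exe"
     and re.search(r"/(dclist|domain_trusts|dsgetdc)", e.cmdline, re.I)),
    ("local_account_created", "medium",
     lambda e: _base(e.image) in ("net.exe", "net1.exe")
     and re.search(r"\buser\b.*\s/add\b", e.cmdline, re.I)),
    ("added_to_local_admins", "high",
     lambda e: _base(e.image) in ("net.exe", "net1.exe")
     and re.search(r"localgroup\s+administrators\b.*\s/add\b", e.cmdline, re.I)),
    ("lsass_dump_procdump", "critical",
     lambda e: _base(e.image).startswith("procdump") and "lsass" in e.cmdline.lower()),
]

# Rules whose first hit on a host should trigger containment of that host.
CONTAINMENT_TRIGGER = {"lsass_dump_procdump"}


def match_rules(events):
    """Return one finding dict per (event, rule) hit, in event order."""
    findings = []
    for e in events:
        for name, severity, predicate in RULES:
            if predicate(e):
                findings.append({"ts": e.ts, "host": e.host, "user": e.user,
                                 "rule": name, "severity": severity, "cmdline": e.cmdline})
    return findings


def hosts_to_contain(findings, window=900):
    """Map host -> {trigger_ts, precursors} for hosts where a containment
    trigger fired; precursors are other rules seen on that host within
    `window` seconds before the trigger."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    contain = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda f: f["ts"])
        for f in hits:
            if f["rule"] in CONTAINMENT_TRIGGER:
                precursors = sorted({p["rule"] for p in hits
                                     if p["rule"] not in CONTAINMENT_TRIGGER
                                     and 0 <= f["ts"] - p["ts"] <= window})
                contain[host] = {"trigger_ts": f["ts"], "precursors": precursors}
                break
    return contain


if __name__ == "__main__":
    found = match_rules(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']} {f['severity']:<8} {f['rule']:<24} {f['cmdline']}")
    print("contain:", hosts_to_contain(found))
```

The design point is the split between per-event rules, which are cheap and noisy on their own (nltest and net are everyday administrative tools), and the host-level correlation that turns a critical hit into a containment decision with its supporting context. The containment trigger is deliberately the credential-access event rather than the whole chain, so that a host is isolated on the first LSASS dump attempt even if earlier discovery happened outside the telemetry you can see.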