{
	"id": "e5bb884d-3c58-4e68-b362-1bee427065e6",
	"created_at": "2026-04-06T00:10:44.073907Z",
	"updated_at": "2026-04-10T13:12:36.078433Z",
	"deleted_at": null,
	"sha1_hash": "09f0f4ab1ecd23ab937a644d527a3818337be52d",
	"title": "Quarterly Report: Incident Response trends from Winter 2020-21",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 114781,
	"plain_text": "Quarterly Report: Incident Response trends from Winter 2020-21\nBy Jonathan Munshaw\nPublished: 2021-03-24 · Archived: 2026-04-05 22:20:51 UTC\nWednesday, March 24, 2021 08:26\n\nFor the seventh quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. The top variants were Ryuk and Vatet, which is notable given the absence of Ryuk last quarter. We also observed variants of Egregor and WastedLocker continuing to target organizations across the globe. Unlike last quarter, however, these ransomware attacks overwhelmingly relied on phishes delivering commodity trojan maldocs, such as Zloader, BazarLoader and IcedID. Nearly 70 percent of ransomware attacks relied on commodity trojans this quarter. Adversaries also employ commercially available tools such as Cobalt Strike, open-source post-exploitation tools like Bloodhound, and native tools on the victim’s system, such as PowerShell. For a broader breakdown of these trends, check out our summary here.\n\nCTIR engaged in several incident response engagements in which organizations unknowingly downloaded trojanized updates to the widely deployed SolarWinds' Orion software. Only one of these engagements involved post-compromise activity.\n\nLooking forward, Microsoft recently announced four vulnerabilities in Exchange Server and revealed that a threat actor named Hafnium had been exploiting these vulnerabilities to drop web shells, targeting an array of organizations. Soon other threat actors began leveraging these exploits as well, ranging from APTs to cryptominer groups, with affected organizations estimated in the tens of thousands. CTIR has been responding to a growing number of incidents involving the Microsoft Exchange vulnerabilities.\nhttps://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html\nPage 1 of 4\n\nTargeting\n\nActors targeted a broad range of verticals, including business management, construction, education, energy and utilities, entertainment, financial, government, health care, industrial distribution, legal, manufacturing and technology. Adversaries most often targeted health care, as we anticipated last quarter given the spate of ransomware attacks targeting health care organizations. It is worth noting there has been an increase in incidents involving Vatet malware, which has been known to target health care organizations. CTIR identified a potential pattern in which a hospital in a given state is initially attacked and the regional hospitals associated with it may serve as follow-on targets, particularly if they have active VPN connections to the affected organization. There are many reasons why actors are continuing to target the health care industry, including the COVID-19 pandemic incentivizing victims to pay to restore services as quickly as possible.\n\nThreats\n\nRansomware continued to comprise the majority of threats CTIR observed. As opposed to last quarter, which marked an absence of commodity trojans, the majority of these attacks relied on commodity trojan maldoc phishes as an infection vector. Adversaries are continuing to use commercially available tools as well: Cobalt Strike was observed in half of all ransomware attacks this quarter. There were also numerous ransomware engagements that leveraged open-source reconnaissance tools such as ADFind, ADRecon and Bloodhound. Windows utilities were common, as well. For example, PowerShell was observed in nearly 65 percent of all ransomware attacks, while PsExec usage was observed in more than 30 percent. Other observed tools included dual-use tools such as TightVNC and CCleaner and compression tools such as 7-Zip and WinRAR.\n\nFor example, in an incident response engagement involving an education organization in the U.S., the target was initially infected via a phish containing a commodity trojan. In this case, the phish contained a malicious Microsoft Excel attachment that executed the commodity trojan Zloader if the user enabled macros (CTIR assessed that this Zloader variant was customized for the target based on the fact that its file hash had not been previously observed). An employee at this organization opened the attachment and forwarded it to a colleague. The adversary then pivoted in the environment, leveraging the Group Policy replication mechanism in Windows Active Directory to distribute Ryuk and using PsExec to move laterally and execute remote commands, in line with previous Ryuk behavior. The adversaries obtained domain administrator (DA) credentials and, besides encrypting systems on the network, also wiped backup indexes. More than 1,000 endpoints were encrypted, causing significant damage to the organization, affecting Active Directory, DHCP, DNS and anti-virus software.\n\nIn December 2020, Cisco Talos became aware of a sophisticated supply-chain attack in which adversaries gained access to victims' networks via trojanized updates to SolarWinds' Orion software. This attack targeted numerous large enterprises and U.S. government agencies. CTIR engaged in several incident responses in which organizations had unknowingly installed the compromised update. Only one of these engagements involved post-compromise activity, such as malicious PowerUP PowerShell execution. PowerUP appears to be part of PowerSploit, and is a collection of PowerShell modules that are used to assist red teaming activities. While the PowerUP-like PowerShell script did not execute anything at this time, it appeared to be set up as a wrapper or utility, possibly for additional code to be funneled into. CTIR continues to monitor for activity related to the SolarWinds compromise.\n\nBeginning in March, CTIR has been responding to a growing number of incidents involving the Microsoft Exchange vulnerabilities. In one engagement, a customer in the payment processor/technology sector saw no indication that CVE-2021-26855 was exploited. They did, however, observe scanning behavior from a known IP address linked to these attacks, which sent packets to a particular Exchange server beginning February 28. In another engagement, a customer in the healthcare sector saw a CVE-2021-26855 exploit, though we have yet to determine if the activity was just limited to scanning at this time. In one incident response engagement affecting an organization in Germany, we saw a slight deviation from the post-exploitation activity in the aforementioned engagements. The activity started in much the same way, with the adversary installing web shells on the victim environment. However, prior to the deployment of web shells, the customer saw the Domain Admin account password was reset via the presence of the \"Password last set\" attribute in Active Directory (AD).\n\nInitial vectors\n\nIt was difficult to identify an initial infection vector in many engagements last quarter due to shortfalls in logging. However, in engagements in which the initial vector could be identified, or reasonably assumed, phishing remained the top infection vector for the seventh quarter in a row. The vast majority of these were comprised of maldoc phishes as mentioned above. However, there were also engagements involving business email compromise, such as when an employee at an entertainment company received a phish with a spoofed Microsoft Online login page, after which the adversary attempted to authenticate to their Office 365 account from multiple locations. The adversary successfully authenticated and bypassed MFA through use of a legacy application, highlighting the need to disable legacy protocols.\n\nCTIR encourages all organizations to save their logs to make any potential incident response engagements more efficient and effective.\n\nOther notable initial vectors included exploitation of public-facing applications, such as an education organization that had their F5 Load Balancer exploited via CVE-2020-5902 — a remote code execution vulnerability in F5 — in the course of a DDoS attack. There were also several instances of exploitation of a vulnerability in Telerik UI, tracked as CVE-2019-18935. Talos first saw an increase in actors exploiting Telerik UI in summer 2020 — a trend that continues today.\n\nTop-observed MITRE ATT\u0026CK techniques\n\nBelow is a list of the most common MITRE ATT\u0026CK techniques observed in this quarter’s IR engagements. Given that some techniques can fall under multiple categories, we grouped them under the most relevant category in which they were leveraged. This represents what CTIR observed most frequently and is not intended to be exhaustive.\n\nKey Findings:\nPhishing with malicious attachments and links accounted for a larger number of the initial access techniques this quarter compared to the previous quarter.\nWe observed a variety of execution methods using native Windows utilities, such as “rundll32.exe” and “msiexec.exe”. The use of these utilities may avoid triggering security tools due to them being commonly used in daily operations.\nEngagements involving cryptocurrency mining malware continue to be very low. However, the number of ransomware engagements nearly doubled this quarter.\nLeveraging valid accounts is the most observed lateral movement technique this quarter. RDP usage and remote access services, such as TightVNC, for lateral movement, increased this quarter.\n\nInitial Access (TA0027) — T1078 Valid Accounts: Credentials for a compromised account were leveraged by the adversary\nPersistence (TA0028) — T1053 Scheduled Task/Job: Adversaries create a scheduled task to run malicious executable every hour\nExecution (TA0041) — T1204.002 User Execution: Malicious File: Adversary sent phishing emails that contained a malware attachment that, when clicked, would deploy additional tools to harvest credentials\nDiscovery (TA0007) — T1482 Domain Trust Discovery: Use AdFind (“adfind.bat”) to query for all users, computers, groups, and trusts\nCredential Access (TA0006) — T1003 OS Credential Dumping: Use tools such as Mimikatz to compromise credentials in the environment.\nPrivilege Escalation (TA0029) — T1484 Group Policy Modification: Force group policy update that creates service to execute ransomware.\nLateral Movement (TA0008) — T1021.001 Remote Desktop Protocol: Adversary connects to the system using RDP with valid credentials\nCollection (TA0035) — T1560.001 Archive Collected Data: Archive via Utility: 7-Zip used to compress a file containing dumped LSASS credentials\nDefense Evasion (TA0030) — T1070 Indicator Removal on Host: Remove files and artifacts from the infected machine\nCommand and Control (TA0011) — T1132.001 Data Encoding: Standard Encoding: Use Base64 to encode C2 communication\nExfiltration (TA0010) — T1567 Exfiltration Over Web Service: Exfiltrated data was located on a file sharing site\nImpact (TA0034) — T1486 Data Encrypted for Impact: Deploy Ryuk ransomware\n\nSource: https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html"
	],
	"report_names": [
		"ctir-trends-winter-2020-21.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434244,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09f0f4ab1ecd23ab937a644d527a3818337be52d.pdf",
		"text": "https://archive.orkl.eu/09f0f4ab1ecd23ab937a644d527a3818337be52d.txt",
		"img": "https://archive.orkl.eu/09f0f4ab1ecd23ab937a644d527a3818337be52d.jpg"
	}
}