{
	"id": "89977e69-5011-4607-bd98-e934bb5222da",
	"created_at": "2026-04-06T00:17:39.882125Z",
	"updated_at": "2026-04-10T03:24:24.418032Z",
	"deleted_at": null,
	"sha1_hash": "cd55169258de5e40a997dde40524859403264c9e",
	"title": "Quarterly Report: Incident Response trends in Summer 2020",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 114886,
	"plain_text": "Quarterly Report: Incident Response trends in Summer 2020\r\nBy Jonathan Munshaw\r\nPublished: 2020-09-01 · Archived: 2026-04-05 23:04:51 UTC\r\nQuarterly Report: Incident Response trends in Summer 2020\r\nTuesday, September 1, 2020 11:00\r\nBy David Liebenberg and Caitlin Huey.\r\nFor the fifth quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat\r\nlandscape. Infections involved a wide variety of malware families including Ryuk, Maze, LockBit, and Netwalker,\r\namong others. In a continuation of trends observed in last quarter’s report, these ransomware attacks have relied\r\nmuch less on commodity trojans such as Emotet and Trickbot. Interestingly, 66 percent of all ransomware attacks\r\nthis quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly\r\nrelying on the tool as they abandon commodity trojans. We continued to see ransomware actors engage in data\r\nexfiltration and even observed the new cartel formed by Maze and other ransomware operations in action.\r\nFor a more complete breakdown with more information, you can check out the full report summary here.\r\nTargeting\r\nActors targeted a broad range of verticals, including manufacturing, education, construction, facility services, food\r\nand beverage, energy and utilities, financial services, healthcare, industrial distribution, real estate, technology,\r\nand telecommunications. The top targeted vertical was manufacturing, a change from last quarter when the top\r\ntargeted industries were health care and technology.\r\nhttps://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html\r\nPage 1 of 3\n\nThreats\r\nRansomware continued to comprise the majority of threats CTIR observed. In a break from previous quarters, no\r\none ransomware family was dominant this quarter. In the past, Ryuk was much more prominent. In a continuation\r\nfrom last quarter, the majority of ransomware attacks were not observed in conjunction with commodity trojan\r\ninfections. Part of the reason for this could be an increase in the use of Cobalt Strike. Sixty-six percent of\r\nransomware engagements this quarter involved the use of Cobalt Strike.\r\nFor example, an engineering company was infected with LockBit ransomware. The adversaries used Cobalt Strike\r\nfor command and control (C2) purposes, with CTIR observing traffic to a Cobalt Strike C2 every six minutes. The\r\nadversaries also used an open source post-compromise tool called “CrackMapExecWin,” which is designed to\r\nautomate assessments of large Active Directory networks. This tool was executed on different network ranges in\r\nthe victim environment to have all the systems on those networks perform a forced Group Policy update. The\r\nGroup Policy included an XML file which set up a service that executed the ransomware from a client's\r\ncompromised server. The adversaries created user accounts on compromised hosts and established remote desktop\r\nconnections to targeted servers using their accounts. They also cleared event logs as a means of evasion. The\r\nadversaries also deployed TeamViewer, frequently used by actors to exfiltrate information.\r\nInterestingly, data from this attack was posted on a site Maze uses to publish their stolen data, reflecting the fact\r\nthat LockBit, along with other ransomware operations engaging in these ransomware/data theft hybrid attacks,\r\nhave joined together to share resources and data.\r\nThere were also Remote Access Trojans (RATs), such as a financial services organization that received a targeted\r\nphishing attempt with a maldoc containing a JavaScript RAT submitted via the organization’s ticket-handling\r\nsystem, and web shells, including a manufacturing organization that had their Telerik server exploited, after which\r\nthe adversary then deployed ASPX .NET web shells.\r\nInitial vectors\r\nFor the majority of engagements, definitively identifying an initial vector was difficult due to shortfalls in logging.\r\nHowever, in engagements in which the initial vector could be identified, or reasonably assumed, phishing\r\nremained the top infection vector. CTIR also observed an increase in actors exploiting servers running the Telerik\r\nUI framework. The latest vulnerability (CVE-2019-18935) allows for remote code execution. It is particularly\r\ndangerous because there are many ASP.NET applications that may run older versions of Telerik UI that leave\r\nvictims exposed, even if the applications are patched themselves. In one instance, an adversary targeted a tech\r\ncompany via a server running Telerik UI. The adversary then ran “cmd.exe” and executed malicious commands\r\nculminating in a ransomware attack.\r\nTop-observed MITRE ATT\u0026CK techniques\r\nBelow is a list of the most common MITRE ATT\u0026CK techniques observed in this quarter’s IR engagements.\r\nGiven that some techniques can fall under multiple categories, we grouped them under the most relevant category\r\nin which they were leveraged. This represents what CTIR observed most frequently and is not intended to be\r\nexhaustive.\r\nKey Findings\r\nPhishes with malicious attachments were the top infection vector.\r\nSeveral open-source tools, such as Mimikatz; Windows utilities, such as PsExec; and red-team tools such\r\nas Cobalt Strike were commonly observed this quarter.\r\nEncoded PowerShell commands account for several execution techniques seen, illustrating the need for\r\npolicies to limit unprivileged users from using PowerShell or CMD applications.\r\nRemote Desktop Protocol (RDP) was a key technique used for lateral movement. This is a continuation of\r\na trend seen last quarter around attacks against victim organizations’ remote desktop services (RDS),\r\npossibly related to the increased threat surface due to remote work stemming from COVID-19.\r\nATT\u0026CK techniques\r\nT1566.001 Phishing: Spear-phishing Attachment — Maldoc downloads Qakbot after macros are\r\nenabled.\r\nT1053 Scheduled Task/Job — Executables create scheduled tasks on the system to run as the user\r\naccount.\r\nT1059.001 Command and Scripting Interpreter: PowerShell — Executes PowerShell code to retrieve\r\ninformation about the client's Active Directory environment.\r\nT1021.001 Remote Desktop Protocol — Adversary connects to the system using RDP with valid\r\ncredentials.\r\nT1070 Indicator Removal on Host — Remove files and artifacts from the infected machines.\r\nT1132.001 Data Encoding: Standard Encoding — Use base64 to encode C2 communications.\r\nT1486 Data Encrypted for Impact — Deploy Netwalker ransomware.\r\nSoftware: Cobalt Strike — Qakbot associated IP addresses in \"CLOSE_WAIT\" status to a known Cobalt\r\nStrike beacon IP.\r\nSource: https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html"
	],
	"report_names": [
		"CTIR-quarterly-trends-Q4-2020.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434659,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd55169258de5e40a997dde40524859403264c9e.pdf",
		"text": "https://archive.orkl.eu/cd55169258de5e40a997dde40524859403264c9e.txt",
		"img": "https://archive.orkl.eu/cd55169258de5e40a997dde40524859403264c9e.jpg"
	}
}