Threat Intel - Data Exfiltration and Actor Infrastructure Exposed
Basically, hackers made mistakes that revealed how they steal data.
A recent investigation revealed how threat actors exposed their own data exfiltration methods. Gaps in the victim's security coverage allowed the intrusion to proceed undetected at first, and understanding these tactics is crucial to strengthening defenses.
The Threat
In recent investigations, Huntress SOC analysts uncovered the methods threat actors use to exfiltrate sensitive data. These actors often rely on common archiving applications, such as WinZip and 7Zip, to stage data for exfiltration. Their own operational mistakes, however, can expose their infrastructure and methods. For instance, they have been observed using native Windows utilities like finger.exe and backup tools such as Restic to move data out of the environment.
On February 25, 2026, Huntress reported a ransomware incident involving the INC ransomware. Analysts discovered that the threat actor had accessed the customer's infrastructure a day earlier, taking advantage of insufficient security measures. The lack of a fully deployed Huntress agent and the absence of a Security Information and Event Management (SIEM) system hindered early detection of the attack.
Who's Behind It
The threat actor's approach involved mapping a share to the compromised endpoint and using elevated privileges to execute malicious commands. They created a scheduled task that executed a PowerShell script, which included sensitive environment variables such as AWS_ACCESS_KEY_ID and RESTIC_PASSWORD. This indicates a level of sophistication, as the actor utilized a renamed copy of a legitimate backup utility, restic.exe, to mask their activities.
The investigation revealed that the threat actor had previously been active in similar incidents, employing base64-encoded PowerShell commands to push configurations and execute follow-on commands. This pattern suggests a methodical approach to data theft, raising concerns about the actor's capabilities and intent.
Tactics & Techniques
The tactics used by these threat actors often centre on abusing legitimate tools for malicious ends. For example, they disabled security products like VIPRE Business Agent and manipulated system settings to facilitate their operations. The use of base64-encoded commands in PowerShell logs complicates detection, as these commands can resemble legitimate administrative actions.
Additionally, the threat actor's reliance on backup utilities for data exfiltration is a growing trend in cybercrime. This technique, often associated with double extortion attacks, allows them to steal data before deploying ransomware, increasing their leverage over victims.
Defensive Measures
Organizations must adopt a proactive stance against such threats. This includes deploying comprehensive security solutions and ensuring that SIEM systems are in place for real-time monitoring. Regular audits of security measures and employee training on recognizing suspicious activities can also enhance defenses.
Moreover, understanding the tactics and techniques employed by threat actors is vital. By staying informed about emerging threats and adjusting security protocols accordingly, organizations can better protect themselves against potential data breaches and ransomware incidents.
Huntress Blog