He’s on to Something.

Dedicated Threat Hunting Investigations

I always enjoy reading an article from someone who truly gets it. This particular article was a preview of a forthcoming ebook from SC Media titled “All about MDR: What it is and how to optimize it.” The article describes managed detection and response (MDR) services as when a “vendor performs dedicated threat hunting investigations and incident response on behalf of a customer.” [The analysts at Gartner would properly add that the vendor needs to bring their own technology to the table as part of the service as well.] The article emphasizes the following key prerequisites for anything called “MDR”:
  • Access to real human threat hunters – a truly rare breed.
  • Specific focus on threat detection and threat response.
  • Continuous monitoring and scanning.
  • Guided remediation and prioritization.
  • Working partnership built on shared and non-shared responsibilities.

Proactively Fight the Fire

The article goes on to distance MDR from (M)EDR, XDR, MSSP and SIEM/SOC services. Providers of these services often say they are performing “MDR Services” when they are just slapping a new label on their old MSSP services or selling products. MSSPs are more focused on the administration of alerts (reactive) than (proactive) threat hunting, threat intelligence and incident response. The latter three skills define what you should look for in an MDR provider. When an MSSP, EDR, XDR or SIEM/SOC provider calls themselves an MDR provider, it’s akin to a Fire Department radio dispatcher saying they put out fires. A bit of a stretch. You want the people that actually fight the fire on scene with your team.

A Passion for Eliminating Threats

MDR is when a “vendor performs dedicated threat hunting investigations and incident response on behalf of a customer.”

– Daniel Thomas, SC Media

At PacketWatch, we employ dedicated threat hunters whose passion and sole occupation is to hunt and eliminate threats. That’s it – nothing else. Their vernacular is formed by the incidents they respond to each week. Our PacketWatch platform is the ultimate threat-hunting tool because it is designed by and for threat hunters. It provides the additional detailed visibility into the network and context that EDR, XDR, and SIEM lack. Our threat hunting team knows what to prioritize and how to kill it. That’s what hunters do.

So, good for the folks at SC Media! I look forward to reading the rest of their ebook. In speaking recently with the Gartner analysts, we expect they will be reinforcing many of the same points in their upcoming revised MDR Market Guide too. The reason you want an MDR provider is for the quality and experience of the people you will be working with, not just another technology. So, if you are considering Managed Detection and Response services (or want to upgrade from your current provider), please give us a call today at 1.800.864.4667. We’ll be happy to show you what outcomes a real MDR provider can provide your firm.

There’s Your Sign.

Tools don’t Save the Day, People Do.

Swinging Pendulum

I think you’d agree with me that the pendulum swings too far in one direction sometimes. Over the past decade, we’ve watched the security pendulum swing from one tool to the next. Next-Gen Firewalls to Next-Gen AV to SIEM to EDR to Cloud to AI and now to XDR. While all these tools have been helpful in some regard (some more than others), you may have noticed the security problem has only worsened. A tool is meant to empower a human being to perform at a higher or more efficient level. But only if they are properly configured and monitored.

Here’s What I Mean

“On 31 March 2021, the HSE’s antivirus software detected the execution of two software tools commonly used by ransomware groups: Cobalt Strike and Mimikatz, on the patient zero’s workstation. The antivirus software was set to monitor mode, so it did not block the malicious commands.”

– Excerpt from Conti Cyberattack on the HSE Independent Post Incident Review

Consider this stunning example found in the Independent Post Incident Report covering the 2021 Conti Ransomware attack on the Irish Health Service Executive (or “HSE”). [Hats off to the HSE for releasing it to the public.] The massive breach at the HSE disrupted the operations of some 4,000 locations, 54 acute hospitals and over 70,000 devices. Turns out patient zero was infected by a simple phishing email with an infected Microsoft Office Excel document.

Any good antivirus should have stopped it at that point. Two weeks later the antivirus tool alerted that Cobalt Strike and Mimikatz had been executed. Yikes. The execution of two well-known penetration testing tools should have been stopped by the antivirus and set off the equivalent of a ‘Mariachi Band’ in the SOC.

They didn’t have one. However, the report goes on to say that the antivirus tool was deployed in an ad-hoc fashion (i.e., not thoughtfully) and was configured only to monitor, not block. Plus, no one was monitoring it. Ouch. There’s your sign! Their tools were useless without the proper people to architect, configure and monitor them. The event cost the HSE an estimated $600 million.

Experienced People

I like the first recommendation listed in the report: “Appoint an interim senior leader for cybersecurity (a CISO) who has experience rapidly reducing an organisation’s vulnerability to threats and designing cyber security transformation programmes.” I read that as a polite way of saying: Get someone in here who knows what the hell they are doing!

In other words, the security pendulum needs to swing back towards experienced human beings. We need to focus more on making more experienced people! Tools can never replace them. If you need some experienced human threat hunters to help you ensure this doesn’t happen to your organization, give us a call at 1-800-864-4667, or reach out via our Contact Us form.


Well, that was Awkward.

Finding Risks others may Miss

It wasn’t the call we wanted to make to a new enterprise client on a holiday weekend. After all, they had an Information Security Department larger than our entire company. The CISO had an alphabet of certifications following his name. They had more than 50 different security tools. But there it was, plain as day. Bad guys are sending data to Russia from their production network. This can’t be good. Gulp. Here goes. Ring. Ring.

The Issue

The first call we made to our technical contact a few days earlier fell on deaf ears. Our team had seen evidence of a remote access tool (TeamViewer) running in their network. They told us we had to be mistaken because that wasn’t allowed by policy. Well, here’s a packet capture of the traffic, we said. Nothing came back from the client. We tried several times. Each day the activity was getting louder. The same internal IP address and host were involved somewhere in the corporate office. The client had top-of-the-line Endpoint Detection and Response (EDR) tools deployed, an expensive Security Information and Event Management (SIEM) platform, and state-of-the-art firewalls, along with a fleet of guys from one of the big advisory firms watching and monitoring everything. Why couldn’t they see it? What was this anomaly inside the client’s otherwise relatively clean production network?

We came in to provide a Proof of Concept (POC) of services using our PacketWatch full-packet capture platform. The POC was a joint project between the Information Security Team and the Network Department. Information Security wanted better visibility on the network, and the Network guys needed a tool to help diagnose application performance and configuration problems. A perfect fit for us to join the team and show them what we could do. We had the CIO and the CISO in the room together. We were on our best behavior. Our devices were installed only a week prior, but we already had tons of data collected. What was going to happen to the POC now, though?

We called in again. No answer. Shoot. Got his voicemail again. We left an urgent message and called everyone else we had met. “Please call back. This is urgent! We have exfil activity originating from the host we identified earlier. It’s also beginning to scan that network segment.” Danger. Danger. It was our best effort to ring the fire bell, but we were just the new guys. About an hour later, our senior project lead received a call from the client’s technical contact. It seems they had just declared an incident and enacted their Incident Response (IR) protocols. He couldn’t talk but would share the details later. Yes, we had seen something! Something big.

A few hours later, the contact told us that the offending device we had seen was a self-service Human Resources (HR) kiosk from a new vendor which had been installed in the corporate cafeteria. It was there to capture employees’ enrollment data for an employee benefits campaign. The device had been installed on the wrong network segment in a rush to get it operational. Since it wasn’t a company device, no EDR was installed. The vendor’s third-party IT company managed the kiosk remotely (using TeamViewer). Unfortunately, the vendor’s IT company experienced a breach the week prior. The bad guys used the open TeamViewer connection to access the kiosk. Using the kiosk’s network connection, they were now performing active reconnaissance on our client’s production network. They were also actively exfilling the employee data captured by the kiosk—what a mess. The lawyers will surely get rich on this one. Internal Audit will also document the “multiple cascading control failures stemming from a supply chain partner breach.” Ouch. And our contact admitted, “Yes, you had seen it first!”

Although that initial assignment was not exactly what we expected, it allowed us to show the strength of the PacketWatch platform in providing visibility to the network and the benefit of having a different vantage point from their library of other tools. It also showcased the ability of our team to see what others miss. We earned our spot on the team on that occasion. A relationship we treasure to this day.

A Change in Perspective

PacketWatch can help you get a better perspective on your organization’s cybersecurity risks, too. An Enterprise Security Assessment using the PacketWatch platform will tell you more about what’s hiding in your network – especially things from your vendors. Our team of experts is here to help, and we’d enjoy the opportunity to earn a spot on your team. However, if possible, we’d prefer something a bit less dramatic to get started.

Give us a call at 1-800-864-4667, or reach out via our Contact Us form.

N.B. The names were changed, and certain facts were modified, in an effort to preserve our client’s confidentiality yet share the story.

Robbinhood Ransomware Gang Still Operational

Robbinhood Ransomware Gang

Robbinhood History

One of the most notorious ransomware gangs from 2019 and 2020 is known as Robbinhood (with 2 B’s). They made a name for themselves by hacking the City of Greenville, NC and the City of Baltimore, MD, causing operational delays and millions of dollars in losses. Since the spring of 2020, there have been almost zero mentions of the group in the cybersecurity community, possibly indicating that the group had gone dark.

Expected Threat Actor

PacketWatch recently responded to an incident where the client’s computers were encrypted with what appeared to be Robbinhood ransomware. After our investigation, PacketWatch can say with a high degree of confidence that Robbinhood was the threat actor behind the ransomware attack. The tactics, techniques, and procedures (TTPs) the group used throughout the attack are almost identical to those that were documented in attacks three years ago.

Just like documented infections in 2019 and 2020, Robbinhood drops a group of files that perform various tasks of the attack chain:

  • Blackhole.exe
  • steel.exe
  • Runtime_Service.exe
  • robnr.exe
  • BlackholeCleaner.exe
  • NewBoss4.exe
  • Winlogon.exe

Initial Infection & Privilege Escalation

Blackhole.exe is the initial dropper file, which copies the rest of the above-mentioned files to the hard drive. Blackhole.exe then executes steel.exe. This file can disable processes such as antivirus or antimalware. To gain the access necessary to complete this task, it deploys another executable, robnr.exe, which in turn drops gdrv.sys, a legitimate and digitally signed kernel driver from Gigabyte. This specific kernel driver is vulnerable to CVE-2018-19320, which allows the attacker to take complete control of the system.

Figure 1: Malicious executables in Windows directory

Figure 2: Vulnerable Gigabyte driver installed as a service

Second Malicious Kernel-space Driver

With this level of control over the system, a second, malicious kernel-space driver rbnl.sys is run that can delete locked files and can kill processes.

Figure 3: Malicious kernel driver installed as a service

Lateral Movement

Like many other threat actors today, Robbinhood abuses AnyDesk (a legitimate IT tool for remote access) to move laterally between systems.
Figure 4: Evidence of AnyDesk used for lateral movement

Ransomware Execution

The ransomware executable is also dropped in C:\Windows\Temp by newboss4.exe and is named winlogon.exe. The threat actor added this to a service titled WinNTRPC64.

Figure 5: NewBoss4 executable in Windows update directory

Figure 6: Ransomware executable installed as a service

Ransomware Note

The ransom note has not deviated much from its original form. It continues to use poor English and includes taunts to the victim, such as “Just pay the ransomware and end the suffering then get better cybersecurity.” It also references previous known attacks from the group (Baltimore and Greenville cities).
Figure 7: Ransom note


Robbinhood does a thorough job of clearing its tracks and removing event logs. To do this, it leverages blackholecleaner.exe.

Figure 8: BlackHoleCleaner executable process

How to protect your organization

There are several steps organizations can take to help protect against Robbinhood and other forms of ransomware:

  1. Deploy Endpoint Detection and Response (EDR) across endpoints and servers
    • Many solutions have detection and prevention capabilities that will stop ransomware in its tracks
  2. Monitor network traffic for suspicious activity
    • Solutions such as PacketWatch provide full visibility into network traffic, allowing for the detection of anomalous and malicious traffic
  3. Implement and maintain data backups
    • Back up data regularly to offline/off-site storage
    • Test these backups regularly
  4. Implement multi-factor authentication (MFA) across the environment
  5. Regularly patch software and operating systems to the latest available versions
  6. Limit port and service exposure to the internet to reduce the attack surface

Contact Us for more information on how to protect your organization from ransomware threats like Robbinhood.


Why Wait for An Alert?


Is this Threat Hunting?

In a recent scan of marketing literature from other security vendors, nearly every piece I read claimed that they will provide you with “threat hunting” services – one even claiming they did 24x7x365. Really? Better double-check that SOW or service description before signing and ask yourself, “What am I really getting?”

Let’s look at what “threat hunting” actually is and compare. Gartner says this about threat hunting (emphasis added):

To hunt for security threats means to look for traces of attackers, past and present, in the IT environment. Organizations that employ threat hunting use an analyst-centric process to uncover hidden, advanced threats missed by automated, preventative, and detective controls. The practice is distinct from threat detection, which relies heavily on rules and algorithms.[i]

Automated Threat Detection?

In reality, many of these vendors are selling “threat detection” rather than “threat hunting.” They changed the name of their managed security operations center (SOC) services to use the new marketing buzzword. It’s 24x7x365 because it’s just an automated detection service. Their “analyst” (a Tier 1 SOC guy) waits for an automated alert and then works to adjudicate the alert, likely escalating it to another more senior “analyst” before concluding its relevance and sending it back to you. They only have data from the sources you provided. How’s that any different than the managed SOC services they sold last year? It doesn’t sound like the definition Gartner set forth to me.

In that same article, Gartner says:
While threat hunting includes the use of various tools and processes, people are at the core. These rare IT security professionals are highly and uniquely skilled, are known as threat hunters, and the best ones have a combination of systems, security, data analysis, and creative thinking skills. [ii]

Hunt Before the Alert

Note Gartner’s focus on highly skilled, creatively thinking humans. Preferably experienced ones that have responded to all types of security incidents. These are real analysts looking for an intruder before any alerts are generated. They want different tools to expand the context of what they see and allow them to conclusively adjudicate a potential threat (not just an alert). They make and test hypotheses based on current threat intelligence. Ideally, you’d want a dedicated analyst that has direct knowledge of your unique IT environment. Not a random pod of folks. These real threat hunters are “rare,” it says. They are probably not working the graveyard shift at a SOC.

Real Managed Threat Hunting

PacketWatch offers a real managed threat hunting service. Our team of elite experts is from a wide range of backgrounds, including the military, government, law enforcement, commercial enterprise, and the intelligence community. They hunt and respond to incidents using the proprietary PacketWatch platform. They are creative thinkers honed with skills from responding to all types of security incidents across the globe. They work one-on-one with you and your team to further your security program. They are equipped to “uncover hidden, advanced threats missed by automated, preventative and detective controls.” They aren’t waiting for an alert to act. That sounds more like what Gartner meant when they defined the term.

Next Steps

So, if you are considering hiring a team for Threat Hunting:

  1. Ask to meet the analyst assigned to your account
  2. Read the Statement of Work (SOW)
  3. Measure them against the Gartner standard
  4. Make a wise decision

Give us a call or Contact Us to meet some of these rare, highly skilled, creatively thinking humans.

[i] Gartner, “How to Hunt for Security Threats.”
[ii] Ibid.