Inside a Real Attack: Step-by-Step Breakdown of Execution Stages & Indicators of Compromise
To provide a clearer understanding of the attack method, our cyber expert, Carter Young, has prepared a step-by-step guide that details the stages of attack execution, and the indicators of compromise observed.
In January, the Telefónica Tech UK Security Operations Centre identified unusual activity on an endpoint linked to a known threat group.
Using a ‘Windows + R’ attack vector, the attackers deployed an encoded PowerShell command via MSHTA.EXE to install multiple files disguised as PNG images. Embedded within these seemingly harmless images was a comprehensive attack toolkit for a remote management tool, which automatically installed itself on the host system. If left undetected, the attacker would have gained full, uninterrupted remote access to the device, enabling them to launch further attacks within the network, such as:
- Lateral movement to compromise additional systems
- Ransomware deployment to encrypt critical data
- Credential harvesting for deeper infiltration
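The sequence above (mshta.exe spawning an encoded PowerShell command, then files written with a .png extension that are not images) is something a SOC can check for from process-creation telemetry and file content. The following detection sketch is an added example and not code from the Telefónica Tech report; the event records, the encoded command and the file bytes are all constructed here, and the field names (`parent`, `image`, `cmdline`) are assumptions about a generic EDR export.

```python
import base64
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # first 8 bytes of every valid PNG file

# Constructed, benign encoded command: PowerShell -EncodedCommand takes
# base64 of the UTF-16LE script text, which is what we decode below.
ENCODED = base64.b64encode("Write-Output 'benign sample'".encode("utf-16le")).decode()

# Constructed process-creation events (hypothetical field names).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/update.hta"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -w hidden -enc {ENCODED}"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# PowerShell accepts abbreviated forms of -EncodedCommand; match the common ones.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script text if cmdline carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def flag_mshta_powershell(events):
    """Return decoded scripts for every PowerShell child of mshta.exe using -enc."""
    hits = []
    for ev in events:
        parent = ev["parent"].lower().rsplit("\\", 1)[-1]
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        if parent == "mshta.exe" and image == "powershell.exe":
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                hits.append(decoded)
    return hits


def is_disguised_png(data):
    """True when a file claiming to be a PNG does not start with the PNG magic bytes."""
    return not data.startswith(PNG_MAGIC)
```

Run `flag_mshta_powershell` over exported process events and `is_disguised_png` over the bytes of any newly written .png to surface both halves of the chain; the decoded script text is what an analyst would then review.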
Why This Matters
This incident highlights the significance of proactive security measures and the importance of an experienced Security Operations Centre team. We hope that the insights presented here will assist organisations in strengthening their security posture and staying ahead of evolving threats. For additional guidance or to enhance your organisation’s defences, please do not hesitate to contact us for a consultation.
Want to Learn More?
We’ve prepared a comprehensive, step-by-step guide that details:
- The execution of the attack and tactics used by the threat group
- Indicators of compromise that helped identify the breach
- A rapid containment and recovery strategy to ensure no data loss
Download the Full Threat Report Now: Gain exclusive insights from the front lines of cyber security and learn how to defend your organisation against emerging threats.