T1070 Indicator Removal Mappings

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.

Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.


Intel vPro Mappings

Capability ID: intel-tdt
Capability Description: Intel Threat Detection Technology
Mapping Type: CrowdStrike AMS
ATT&CK ID: T1070
ATT&CK Name: Indicator Removal

Comments: Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), supports earlier, real-time detection of Indicator Removal activity within CrowdStrike Falcon while limiting the performance cost of scanning. In Indicator Removal, adversaries erase or alter system logs, forensic artifacts, or other indicators of compromise (IOCs) so that alerts are not raised and detection is delayed, which helps them keep access to compromised systems. Intel TDT contributes telemetry on program execution, memory access, and control flow; this telemetry lets defenders spot behaviours such as unauthorized manipulation of system logs or tampering with file systems that indicate an attempt to remove indicators. CAMS offloads memory scanning from the CPU to the Intel integrated GPU, so suspicious actions such as attempts to alter or delete logs, modify file-system attributes, or hide evidence of compromise in memory can be scanned for more quickly without degrading system performance.

Known Exploited Vulnerabilities Mappings

Capability ID: CVE-2023-1389
Capability Description: TP-Link Archer AX-21 Command Injection Vulnerability
Mapping Type: secondary_impact
ATT&CK ID: T1070
ATT&CK Name: Indicator Removal

Comments: CVE-2023-1389 is a command injection vulnerability in an API component of the TP-Link Archer AX-21 router's web management interface. Public reporting indicates that multiple Mirai-variant botnets, including Condi, target these vulnerable devices.

Capability ID: CVE-2021-45382
Capability Description: D-Link Multiple Routers Remote Code Execution Vulnerability
Mapping Type: secondary_impact
ATT&CK ID: T1070
ATT&CK Name: Indicator Removal

Comments: This remote command execution vulnerability is exploited by an unauthenticated, remote adversary through the DDNS function in the ncc2 binary. Adversaries have used it to spread the Mirai variants Beastmode and IZ1H9, both of which are used for distributed denial-of-service (DDoS) attacks. In the IZ1H9 campaign, exploitation injected the IZ1H9 payload into the device; that payload downloaded a further script from a specific web address. When run, the script erased log records to cover up the malicious activity (the Indicator Removal behaviour mapped here), then downloaded additional payloads built for other types of devices and altered the device's settings to block certain network connections, making the malware harder to remove. The infected device then connected to a command-and-control server to await instructions on which type of DDoS attack to carry out, using various internet protocols. In the Beastmode campaign, exploitation led to the download and execution of a script called "ddns.sh", which fetched the Beastmode binary and ran it with parameters that enrolled the infected device in a sub-group of the larger botnet, helping the operators manage and assess the effectiveness of their exploits. Compromised devices could then be used to launch the various DDoS attacks seen in other Mirai-based botnets.

Capability ID: CVE-2022-41128
Capability Description: Microsoft Windows Scripting Languages Remote Code Execution Vulnerability
Mapping Type: secondary_impact
ATT&CK ID: T1070
ATT&CK Name: Indicator Removal

Comments: This vulnerability is exploited by a remote adversary who entices a user of an affected Windows version to access a malicious server. The adversary hosts a specially crafted server share or website and lures the user to it, typically through an email or chat message. In the observed activity, the adversary crafted a malicious Microsoft Office document that embedded a remote RTF template, which fetched HTML content rendered by Internet Explorer's JScript engine; this vector does not require Internet Explorer to be the default browser. Once the victim opens the document and disables Protected View, the adversary executes arbitrary code by triggering a type confusion error in the JScript engine. This allows the adversary to deliver malicious payloads, conduct reconnaissance, and exfiltrate data, while erasing traces of the exploit by clearing the browser cache and history (the Indicator Removal behaviour mapped here). The impact on the victim includes unauthorized access to sensitive information and the potential installation of backdoors for further exploitation.

ATT&CK Subtechniques

Technique ID   Technique Name             Number of Mappings
T1070.001      Clear Windows Event Logs   1
T1070.004      File Deletion              5
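The two sub-techniques listed above are the ones detection engineers most often write rules for: event-log clearing on Windows, and deletion of log files on Linux-based hosts such as the routers in the IZ1H9 case described earlier. The following is an added example, not code from the Mappings Explorer page, from Intel or CrowdStrike, or from any project described here: a toy Python detector that applies a few command-line patterns and two Windows event IDs to constructed telemetry records. The event schema, host names, the LOG_PATHS list and the sample commands are assumptions made for the example; the tool names (wevtutil, Clear-EventLog) and the event IDs (Security 1102, System 104) are real.

```python
"""Toy detection logic for ATT&CK T1070 (Indicator Removal) over constructed
process-execution and Windows event-log records.  Added example; not part of
the Mappings Explorer page or of any vendor product described on it."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Log locations whose deletion is treated as T1070.004 (File Deletion).
# Constructed list for the example; a real rule set would be per-platform.
LOG_PATHS = r"/var/log/\S*|/var/run/utmp|\S*\.bash_history"

# (sub-technique, description, compiled regex) applied to process command lines.
CMDLINE_RULES = [
    ("T1070.001", "wevtutil clear-log",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1070.001", "Clear-EventLog cmdlet",
     re.compile(r"\bClear-EventLog\b", re.I)),
    # [^;&|]* keeps the match inside a single shell command, so an 'rm' of an
    # unrelated file followed by a log path in a later command is not flagged.
    ("T1070.004", "log file deleted or wiped",
     re.compile(r"\b(rm|shred|unlink)\b[^;&|]*(" + LOG_PATHS + ")")),
]

# Windows event-log records that themselves record a cleared log:
# Security 1102 = "The audit log was cleared"; System 104 = an event log was cleared.
WINLOG_CLEARED = {("Security", 1102), ("System", 104)}


@dataclass(frozen=True)
class Finding:
    host: str
    subtechnique: str
    evidence: str


def classify(event: dict) -> list[Finding]:
    """Return the T1070 findings for one normalized event (possibly none)."""
    findings = []
    if event.get("type") == "process":
        cmd = event.get("cmd", "")
        for sub, desc, rx in CMDLINE_RULES:
            if rx.search(cmd):
                findings.append(Finding(event["host"], sub, f"{desc}: {cmd}"))
    elif event.get("type") == "winlog":
        key = (event.get("channel"), event.get("event_id"))
        if key in WINLOG_CLEARED:
            findings.append(Finding(event["host"], "T1070.001",
                                    f"event {key[1]} in {key[0]} log"))
    return findings


def scan(events) -> list[Finding]:
    """Run classify() over a sequence of events and flatten the findings."""
    return [f for e in events for f in classify(e)]


# Constructed sample telemetry (hypothetical hosts; not from any real incident).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "cmd": "wevtutil.exe cl Security"},
    {"host": "ws01", "type": "winlog", "channel": "Security", "event_id": 1102},
    {"host": "ws02", "type": "process",
     "cmd": "powershell -nop -c Clear-EventLog -LogName Application"},
    # Router-style cleanup: wipe logs, then block a port (only the wipe is T1070).
    {"host": "rtr7", "type": "process",
     "cmd": "rm -rf /var/log/messages /var/log/wtmp; iptables -A INPUT -p tcp --dport 23 -j DROP"},
    {"host": "rtr7", "type": "process",
     "cmd": "iptables -A INPUT -p tcp --dport 80 -j DROP"},
    # Benign deletion of a build artifact: must not be flagged.
    {"host": "dev1", "type": "process", "cmd": "rm -f /home/dev/build/tmp.o"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}  {f.subtechnique}  {f.evidence}")
```

The point of the two negative controls in the sample data is that an Indicator Removal rule keyed on a bare `rm` or on any firewall change would be useless in production; scoping the pattern to log locations, and to the Windows events that record a clearing, is what keeps the rule actionable. Real coverage would also need the other sub-techniques (for example, log truncation and shell-history clearing), which this example deliberately leaves out.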