No summertime vacation for threat actors who were once again very busy during August 2021, launching ransomware attacks against several organizations.
The Conti ransomware operators were very active this month, breaching the systems of SAC Wireless, a US-based Nokia subsidiary. They were able to upload the stolen information to their cloud server and encrypt files on the compromised systems. The FBI has connected Conti to more than 400 cyberattacks against organizations with ransom demands as high as $25 million.
Conti runs its ransomware operation as a Ransomware-as-a-Service (RaaS). The core team manages the Conti malware and Tor sites, while Conti affiliates breach networks and encrypt devices. The profits are split between 30% (for the core team) and 70% (for the affiliate). When Conti did not keep its end of the bargain, a disgruntled affiliate got even by publishing inside information about the Conti operation. The leaked information included Conti’s IP addresses for Cobalt Strike C2 servers and an archive of 113 MB archive, which contained hacking tools, manuals written in Russian (for using Cobalt Strike, mimikatz to dump NTLM hashes, and text files with various commands), training material, and help documents for affiliates to perform Conti ransomware attacks.
The Proxyshell Vulnerability
During August, we saw that more and more cyberattacks are targeting Active Directory. For instance, LockFile attackers gained access to Active Directory by exploiting the ProxyShell Exchange Server and PetitPotam vulnerabilities for dropping malware. The LockFile malware was first detected in July 2021 and is designed to attack enterprises in various industries such as manufacturing, financial services, engineering, legal, business services, and travel and tourism.
- The threat actors first compromised Exchange servers using a ProxyShell attack vector.
- They then installed a set of tools, including an exploit for the CVE-2021-36942 vulnerability (aka PetitPotam, an NTLM relay attack bug that can be used by a low-privileged attacker to take over a domain controller).
- They also installed the active_desktop_launcher.exe to load a malicious active_desktop_render.dll file.
- Once this file was loaded and decrypted, a shellcode from the file was executed for activating the efspotato.exe file to exploit PetitPotam.
- Once the threat actors gained access to the local domain controller, they copied the LockFile ransomware as well as a batch file and supporting executables to the domain controller.
On the ransomware front, we saw that HiveNightmare attacks were on the rise. HiveNightmare, aka CVE-2021-36934, is an NTFS-centric, access control list (ACL) flaw impacting Windows 10 builds 1809 to 21H1, allowing non-privileged users to execute arbitrary code, read sensitive data, and extract registry hive data (including hashed passwords) which can, in turn, be used to further elevate privilege.
REvil Ransomware Gang Vanishes
We end this monthly wrap-up on a more positive note. Back in June this year, the REvil ransomware gang launched a massive attack on 60 managed service providers and 1,500 businesses worldwide, making it one of the largest ransomware attacks ever. The threat actors abused a zero-day vulnerability in the Kaseya VSA remote management application to gain access. REvil demanded $70 million in ransom payment from the victims to get a universal decryptor to regain access to their compromised files. For unknown reasons, the REvil ransomware group suddenly disappeared, and its Tor payment sites and infrastructure were shut down, leaving its victims without the option to get the decryptor. It seems that before their disappearance, the threat actors handed the decryptor to Russian intelligence who shared the decryptor with US law enforcement as a gesture of goodwill. In the end, Kaseya obtained the decryption key from an unnamed “trusted third party” and promptly distributed it to its affected customers. At the beginning of August, the decryptor was leaked on a hacking forum.
To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threat Assessment. This allows you to test and verify by yourself if your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. Also, IOCs are available at the Cymulate UI!
Stay cyber safe!