In December 2024, a significant discovery was made involving an open directory likely linked to the Fog ransomware group’s affiliates. This directory contained an extensive array of tools and scripts designed for reconnaissance, exploitation, credential theft, and lateral movement in networks. The findings were reported by the DFIR Report’s Threat Intel Group.
Initial Access and Exploitation
The group gained initial access using compromised SonicWall VPN credentials, and the directory's contents showed how heavily it relied on a range of offensive tools. These included the SonicWall Scanner for exploiting VPN credentials, DonPAPI for retrieving credentials protected by the Windows Data Protection API (DPAPI), and Certipy for abusing Active Directory weaknesses. Scripts such as Zer0dump and Pachine/noPac targeted critical Active Directory vulnerabilities, underscoring the sophistication of the exploitation techniques employed.
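A defender-side check that pairs with this initial-access step, added here as an example and not part of the DFIR Report's analysis or the affiliates' tooling: the script below parses a constructed, simplified VPN authentication log (real SonicWall log fields differ, so parse_line is a stand-in to adapt to your appliance's export) and flags any source address that tries several distinct accounts within a short window, listing which of those accounts actually succeeded. The function names, the 10-minute window and the threshold of four accounts are assumptions chosen for illustration.

```python
"""Spot credential testing against a VPN gateway from authentication logs.

Added example, not from the DFIR Report or the page it summarizes. The log
format is a constructed, simplified syslog-like line; adapt parse_line()
to the real export format of your VPN appliance.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line shape: "<ISO timestamp> vpn auth <result> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source tries six accounts in six seconds,
# two of which succeed; a second source is a normal user with one typo.
SAMPLE_LOG = """\
2024-12-01T02:10:01Z vpn auth failure user=jsmith src=203.0.113.7
2024-12-01T02:10:02Z vpn auth failure user=mrossi src=203.0.113.7
2024-12-01T02:10:03Z vpn auth failure user=agarcia src=203.0.113.7
2024-12-01T02:10:04Z vpn auth success user=lbianchi src=203.0.113.7
2024-12-01T02:10:05Z vpn auth failure user=kwong src=203.0.113.7
2024-12-01T02:10:06Z vpn auth success user=pnovak src=203.0.113.7
2024-12-01T08:30:00Z vpn auth success user=jsmith src=198.51.100.20
2024-12-01T08:31:10Z vpn auth failure user=jsmith src=198.51.100.20
2024-12-01T08:31:30Z vpn auth success user=jsmith src=198.51.100.20
"""

WINDOW = timedelta(minutes=10)        # assumed sliding window
DISTINCT_USER_THRESHOLD = 4           # assumed: >= 4 accounts from one IP is abnormal


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def parse_log(text):
    """Parse all lines, silently skipping ones that do not match the format."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def detect_credential_testing(events, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD):
    """Return {src: {distinct_users, succeeded, window_start}} for sources that
    authenticate as >= threshold distinct accounts inside any sliding window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(evs)):
            j = max(j, i)
            # Advance the right edge while events stay inside the window.
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            window_evs = evs[i:j]
            users = {e["user"] for e in window_evs}
            if len(users) >= threshold:
                succeeded = sorted({e["user"] for e in window_evs if e["result"] == "success"})
                prev = alerts.get(src)
                # Keep the densest window seen for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[src] = {
                        "distinct_users": len(users),
                        "succeeded": succeeded,
                        "window_start": evs[i]["ts"],
                    }
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_testing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_users']} accounts from {info['window_start']}, "
              f"succeeded as {info['succeeded'] or 'none'}")
```

The successful logins inside a flagged window are the accounts to treat as compromised and reset first; the failures tell you which other accounts were on the attacker's list.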
Persistence Mechanisms
To maintain access, the attackers used AnyDesk, a legitimate remote management tool, installed through a PowerShell script. The script pre-configured the remote access credentials, giving them persistent control over the compromised systems. Sliver command-and-control (C2) executables were also hosted on the server, providing a means of managing backdoor connections.
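A detection example for the persistence step described above, added here and not taken from the DFIR Report or from the affiliates' script: it classifies constructed process-creation records (shaped loosely like Sysmon Event ID 1 fields) and flags AnyDesk when it is launched by a script host such as powershell.exe, carries install or password-setting switches, or runs from outside Program Files. --install, --start-with-win, --silent and --set-password are AnyDesk's own command-line switches; the sample hosts, paths and events are constructed, and classify and find_suspicious are names chosen for this example.

```python
"""Flag remote-management tooling installed from a script host.

Added example (not code from the DFIR Report or the page): runs a small
classifier over constructed process-creation records shaped loosely like
Sysmon Event ID 1 fields. --install, --start-with-win, --silent and
--set-password are AnyDesk command-line switches; every host, path and
event below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    # Benign: interactive launch of a normally installed AnyDesk.
    ProcEvent("ws01", r"C:\Windows\explorer.exe",
              r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
              r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"'),
    # Suspicious: PowerShell installs AnyDesk silently from ProgramData.
    ProcEvent("srv02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\ProgramData\AnyDesk.exe",
              r'C:\ProgramData\AnyDesk.exe --install "C:\ProgramData\AnyDesk" --start-with-win --silent'),
    # Suspicious: PowerShell pre-sets the unattended-access password.
    ProcEvent("srv02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\ProgramData\AnyDesk\AnyDesk.exe",
              r"C:\ProgramData\AnyDesk\AnyDesk.exe --set-password"),
    # Unrelated noise.
    ProcEvent("ws03", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
RMM_IMAGES = {"anydesk.exe"}
PERSISTENCE_SWITCHES = ("--install", "--start-with-win", "--silent", "--set-password")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the reasons an event looks like scripted RMM persistence (empty if none)."""
    if basename(ev.image) not in RMM_IMAGES:
        return []
    reasons = []
    if basename(ev.parent_image) in SCRIPT_HOSTS:
        reasons.append("rmm_launched_by_script_host")
    cmd = ev.command_line.lower()
    hits = [s for s in PERSISTENCE_SWITCHES if s in cmd]
    if hits:
        reasons.append("rmm_persistence_switches:" + ",".join(hits))
    if "\\program files" not in ev.image.lower():
        reasons.append("rmm_outside_program_files")
    return reasons


def find_suspicious(events):
    """Group flagged events by host: {host: [(event, reasons), ...]}."""
    hits = defaultdict(list)
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits[ev.host].append((ev, reasons))
    return dict(hits)


if __name__ == "__main__":
    for host, findings in find_suspicious(SAMPLE_EVENTS).items():
        for ev, reasons in findings:
            print(f"{host}: {ev.command_line}\n    {', '.join(reasons)}")
```

A single reason is weak on its own (help-desk staff do script installs), so an alerting rule would normally require two of the three signals, or the password-setting switch specifically, before paging anyone.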
Victim Profiling
The impact was broad, with victims across industries including technology, education, and logistics, primarily in Italy, Greece, Brazil, and the USA. This geographical and sectoral spread indicates a strategic approach aimed at maximizing damage and potential ransom payouts.
Analysis and Evaluation
The DFIR Report team assessed that the directory was used by Fog affiliates based on observable evidence, including compromised victims whose data later appeared on Fog's dedicated leak site. Community notes and VirusTotal submissions further pointed to a link between the server's activity and the wider ransomware ecosystem.
Tools and Techniques
The detailed forensic analysis encompassed numerous tools:
- SonicWall Scanner: This Python script facilitated access to SonicWall VPNs using compromised credentials, followed by port scanning.
- AnyDesk: Leveraged for persistence, the attackers employed scripts to automate its installation, ensuring continuous access to compromised machines.
- DonPAPI: Utilized for retrieving credentials from various Windows applications like Chrome and Firefox.
- Zer0dump: Targeted the Zerologon vulnerability to compromise domain controllers, enabling privilege escalation.
- Pachine/noPac: Exploited Kerberos vulnerabilities to impersonate domain administrators.
Command and Control Operations
Proxychains and Powercat were used to evade detection and secure communications with C2 servers. Proxychains let the attackers route network traffic through proxies, obscuring its origin. The Sliver framework, seen in binaries such as slv.bin, pointed to an organized command-and-control setup.
Geographic and Industry Impact
Examination of the affected networks showed that most compromised systems were clustered in Italy and hosted by local IT and cybersecurity service providers. Beyond technology companies, the victims spanned several sectors, revealing exposure across essential services.
Conclusion and Recommendations
The insights from this report stress the importance of vigilance and proactive measures in cybersecurity defenses. Organizations are advised to audit their network access points, reinforce credential management practices, and be wary of common exploitation vectors. Continuous monitoring for unusual activity and fostering a culture of security awareness will also be crucial in mitigating risks posed by advanced ransomware operations like those observed in this case.
This discovery and analysis serve as a critical reminder of the evolving threat landscape posed by ransomware, necessitating ongoing adaptations within cybersecurity frameworks to thwart such relentless adversaries.