Potential Data Exfiltration Ransomware Campaign

CYFIRMA Threat Intelligence identified multiple threats against organizations across the world as part of a potential data exfiltration ransomware campaign.

Further investigation by CYFIRMA research identified several indicators suggesting that the Russian threat actor TA-505 (Confidence Level: High), and possibly the Chinese threat actor Gothic Panda (Confidence Level: Low), are collaborating with an unknown threat actor suspected of operating this potential data exfiltration ransomware campaign, which we refer to as UNC010.

The hackers’ primary motive for this campaign appears to be exfiltrating sensitive information for corporate espionage and financial gain.

CYFIRMA Risk Rating for this Out of Band Notification (OOB) is: CRITICAL

Analysis of the captured hackers’ footprints, correlated with external threat vectors, indicates that this is a potential threat, and your organization is advised to take the precautionary measures highlighted in this report.

The following vulnerabilities are believed to be exploited in this ransomware campaign:

1.  Remote Code Execution Vulnerability in Microsoft Windows Remote Desktop Gateway (RD Gateway)
CVE No: CVE-2020-0609

CVSS Score: 9.8

EXPLOIT DETAILS

The following exploit could be leveraged to take advantage of the vulnerability mentioned above:

Exploit Title – Remote Desktop Gateway – ‘BlueGate’; Category: Remote Code Execution

2.  Remote Code Execution Vulnerability in Microsoft Windows Remote Desktop Gateway (RD Gateway)
CVE No: CVE-2020-0610

CVSS Score: 9.8

EXPLOIT DETAILS

The following exploit could be leveraged to take advantage of the vulnerability mentioned above:

Exploit Title – Remote Desktop Gateway – ‘BlueGate’; Category: Remote Code Execution

Note: both BlueGate vulnerabilities (CVE-2020-0609 and CVE-2020-0610) are pre-authentication flaws in the RD Gateway UDP transport (3391/UDP). Where the January 2020 security update cannot be applied immediately, Microsoft’s documented workaround is to disable UDP transport on the RD Gateway or block UDP port 3391 at the perimeter firewall; the TCP (443) transport is unaffected by these two issues.

3.  Remote Code Execution Vulnerability in Microsoft Windows Remote Desktop Client CVE No: CVE-2020-0611

CVSS Score: 7.5 Exploit: NA

4.  Remote Code Execution Vulnerability in Microsoft Windows Remote Desktop Services CVE No: CVE-2020-0655

CVSS Score: 8.0 Exploit: NA

5.  Remote Code Execution Vulnerability in Microsoft Windows Remote Desktop Client CVE No: CVE-2020-1374

CVSS Score: 7.5 Exploit: NA

6.  Denial of Service Vulnerability in Microsoft Windows Remote Desktop Protocol (RDP) CVE No: CVE-2020-0660

CVSS Score: 7.5 Exploit: NA

7.  Denial of Service Vulnerability in Microsoft Windows Remote Desktop Gateway (RD Gateway) CVE No: CVE-2020-1466

CVSS Score: 7.5 Exploit: NA

Additional Investigation and Findings

CYFIRMA Research conducted a detailed analysis of the suspected hacking groups, infrastructure, malware families, and TTPs associated with the campaign to identify what the hacker groups are trying to achieve. Since your organization and/or its subsidiaries could be targeted by this campaign, understanding the complete picture of the groups’ activity and acting on it is critical, in addition to assessing and fixing the targeted assets.

UNC010 (Potential Data Exfiltration Ransomware Campaign) Attribution

In addition to the hacker conversation, CYFIRMA investigated the strategy, TTPs, and context of the tools and infrastructure to identify which hacking group could be behind the campaign or activity. Based on our investigation, we suspect the following hacking groups could be planning the ransomware attacks.

TA-505 (Confidence Level: High), Gothic Panda (Confidence Level: Low), Unknown Group

From the hacker conversation and additional investigation, the profile of the hacking group mainly operating this campaign is not clear.

CYFIRMA identified several indicators suggesting that TA-505, a Russian cybercrime group, has been involved in the campaign in some way. These indicators include unnamed malware variants and their C2 infrastructure publicly reported to be associated with TA-505. CYFIRMA believes the TA-505 group has been targeting global companies in multiple industries such as financial institutions, retail, supply chain, and F&B. They may have attempted to implant trojans and backdoors to steal sensitive information and carry out reconnaissance. These attacks could be carried out to exfiltrate sensitive information such as IP, trade secrets, and blueprints, with the possible intent of corporate espionage or financial gain through sale on the deep/dark web.

CYFIRMA identified multiple IPs related to the campaign that were possibly used by Gothic Panda (aka APT3), a Chinese state-sponsored hacking group, for their campaign operations. These include a few Maze ransomware C2 servers and spam/phishing IPs recently observed as part of other campaigns.

Although CYFIRMA did not find any indicator that Gothic Panda is actively operating this campaign, it is possible that an unknown hacking group is operating it with some support from Gothic Panda.

Targeted Technologies (Suspected)

Based on the investigation findings on the campaign infrastructure, CYFIRMA identified the following technologies (platforms, devices, middleware, services, applications) that could be targeted by the campaign.

Platforms: Windows, macOS
Services: RDP, DNS, FTP, Home Network Administration Protocol (HNAP) devices, IBM TN-3270 Mainframes, IMAP, Java Remote Method Invocation (JRMI), LDAP, MySQL, POP3, SIP devices, SMTP, SSH, Telnet, Web, X11 Servers
Applications: Safari, Adobe Reader, MS Office

Potential TTPs of This Campaign

From the campaign infrastructure and the malware samples captured from the hacker conversation, CTI found the following TTPs potentially used by the hackers during this campaign. Generally, each campaign has multiple stages, and TTPs can be used at different stages such as reconnaissance, exploitation, delivery, installation, and C2.

Tor Node:

CTI identified several IP addresses related to the campaign that have been used as Tor nodes. The hacker group is suspected of using the Tor network for its campaign operations to anonymize access and avoid tracking and investigation of its activities. Given the nature of the Tor network, the group may use other Tor exit nodes in this campaign as well, so blocking the individual addresses observed so far should not be relied on as the only control.

Open Proxy:

CTI identified indicators suggesting that one of the IPs related to the campaign has recently been acting as an open proxy. We suspect the hacking groups are scanning, brute-forcing, and exploiting vulnerabilities through such proxies to hide their original attack sources and anonymize their activities.

Scanning and Brute Force:

CTI identified that the hacker group has been planning to attack RDP servers. Although CTI could not find additional indicators of RDP attacks, compromising internet-facing RDP servers and launching ransomware on them could disrupt or damage the business operations of the targeted organizations, in the same way as the publicly reported Snake ransomware campaign. Additionally, CTI identified multiple IPs related to the campaign that have been observed scanning and/or attacking internet-facing servers and systems, including the following: DNS / FTP / Home Network Administration Protocol (HNAP) devices / IBM TN-3270 Mainframes / IMAP / Java Remote Method Invocation (JRMI) / LDAP / MySQL / POP3 / SIP devices / SMTP / SSH / Telnet / Web / X11 Servers.
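The Tor node, open proxy, and RDP brute-force TTPs above can be turned into one detection. The following script is an added example written for this page, not CYFIRMA tooling or code from the report: it parses constructed Windows Security logon records (event 4625 failed logon, 4624 successful logon; logon type 10 is RemoteInteractive, and with NLA enabled failed RDP logons are normally recorded as type 3), flags any source IP with a burst of failures inside a sliding window, notes whether a successful logon from that source followed the burst, and labels sources that appear on a hypothetical Tor-exit/open-proxy list. The sample records, the addresses (documentation ranges), and the SUSPECT_INFRA list are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed sample records (not real telemetry). Fields mirror a Windows Security
# event: 4625 = failed logon, 4624 = successful logon. Logon type 10 is RDP
# (RemoteInteractive); with NLA enabled, failed RDP logons usually appear as type 3.
SAMPLE_LOG = """\
2020-07-14T09:00:01Z 4625 LogonType=3 TargetUser=administrator IpAddress=203.0.113.45
2020-07-14T09:00:03Z 4625 LogonType=3 TargetUser=admin IpAddress=203.0.113.45
2020-07-14T09:00:04Z 4625 LogonType=3 TargetUser=backup IpAddress=203.0.113.45
2020-07-14T09:00:06Z 4625 LogonType=3 TargetUser=test IpAddress=203.0.113.45
2020-07-14T09:00:07Z 4625 LogonType=3 TargetUser=sqlsvc IpAddress=203.0.113.45
2020-07-14T09:00:09Z 4624 LogonType=10 TargetUser=sqlsvc IpAddress=203.0.113.45
2020-07-14T09:05:00Z 4625 LogonType=10 TargetUser=jdoe IpAddress=192.0.2.10
2020-07-14T09:30:00Z 4625 LogonType=10 TargetUser=jdoe IpAddress=192.0.2.10
2020-07-14T11:00:00Z 4625 LogonType=3 TargetUser=guest IpAddress=198.51.100.7
2020-07-14T11:00:01Z 4625 LogonType=3 TargetUser=guest IpAddress=198.51.100.7
2020-07-14T11:00:02Z 4625 LogonType=3 TargetUser=guest IpAddress=198.51.100.7
2020-07-14T11:00:03Z 4625 LogonType=3 TargetUser=guest IpAddress=198.51.100.7
2020-07-14T11:00:04Z 4625 LogonType=3 TargetUser=guest IpAddress=198.51.100.7
2020-07-14T11:00:05Z 4625 LogonType=3 TargetUser=guest IpAddress=198.51.100.7
"""

# Hypothetical infrastructure list, constructed for this example. In practice it would be
# populated from a Tor exit-node list and an open-proxy feed and refreshed regularly.
SUSPECT_INFRA = {"203.0.113.45": "tor-exit", "198.51.100.7": "open-proxy"}

RDP_LOGON_TYPES = {3, 10}
LINE_RE = re.compile(r"^(\S+) (\d+) LogonType=(\d+) TargetUser=(\S+) IpAddress=(\S+)$")


@dataclass
class LogonEvent:
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    src: str


def parse_log(text):
    """Parse the constructed record format into LogonEvent objects; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LogonEvent(ts, int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src: info} for sources with >= threshold failed RDP logons inside any window."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e.logon_type not in RDP_LOGON_TYPES:
            continue
        if e.event_id == 4625:
            failures[e.src].append(e)
        elif e.event_id == 4624:
            successes[e.src].append(e)

    hits = {}
    for src, evs in failures.items():
        evs.sort(key=lambda ev: ev.ts)
        start, best, best_end = 0, 0, None
        for end, e in enumerate(evs):
            # Slide the window start forward until the span fits inside `window`.
            while e.ts - evs[start].ts > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_end = count, e.ts
        if best >= threshold:
            # A successful logon from the same source after the burst suggests the spray worked.
            success_after = any(s.ts >= best_end for s in successes.get(src, []))
            hits[src] = {
                "failures": best,
                "users": sorted({ev.user for ev in evs}),
                "success_after": success_after,
            }
    return hits


def enrich(hits, infra=SUSPECT_INFRA):
    """Attach the infrastructure label (Tor exit, open proxy) when the source is on the list."""
    return {src: {**info, "infra": infra.get(src, "unknown")} for src, info in hits.items()}


def run(text=SAMPLE_LOG):
    return enrich(detect_bruteforce(parse_log(text)))


if __name__ == "__main__":
    for src, info in run().items():
        print(f"{src}: {info['failures']} failed RDP logons, users={info['users']}, "
              f"success_after={info['success_after']}, infra={info['infra']}")
```

The two-source pattern matters in triage: a burst of failures followed by a success from a Tor exit or open proxy is the highest-priority finding, because it indicates the anonymized brute force described above succeeded rather than merely being attempted. The sliding window avoids the gap between fixed buckets that a simple per-hour count would leave, and a source with two failures half an hour apart (192.0.2.10 in the sample) is correctly not flagged.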

For more information, please reach us here.