Tuesday, June 25, 2024

Fog Ransomware Attacking Windows Servers Administrators To Steal RDP Logins

A new ransomware variant dubbed ‘Fog’ has been spotted targeting US businesses in the education and recreation sectors.

Forensic data revealed that threat actors accessed victim environments using compromised VPN credentials. Notably, two different VPN gateway providers were used for the remote access. 

Pass-the-hash activity against administrator accounts was also detected, and these accounts were then used to create RDP connections to Windows servers running Veeam and Hyper-V.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

Fog Ransomware Attacking Windows Servers

Arctic Wolf Labs started tracking the spread of a Fog ransomware variant on May 2, 2024. Every victim organization was based in the US, with 80% of them working in the field of education and 20% in the field of recreation.

Threat actors gained access to victim environments by using compromised VPN credentials and administrator accounts, which they then used to establish RDP connections to Windows Servers.

Credential stuffing was evident, which was supposed to allow for easier lateral movement around the environment. 

“In all cases, PsExec was deployed to several hosts, and RDP/SMB were used to access targeted hosts,” Arctic Wolf Labs shared with Cyber Security News.

“On Windows Servers that the threat actors interacted with, Windows Defender was disabled by the threat actors.”

Threat actors were seen erasing backups from Veeam object storage and encrypting VMDK files in VM storage.

Threat actors left ransom notes on compromised systems, and they always used the same functional ransomware payload. Aside from a unique chat code, the ransom messages were similar.

Apart from the.onion address utilized for communication between the threat actor and the victim, researchers said they had not encountered any other dark web presence, like a website that leaks data.

“At this time, the organizational structure of the group or groups responsible for carrying out attacks deploying Fog ransomware is unknown,” researchers said.

Given the short time lag between the initial breach and encryption, the threat actors seem more focused on making a quick profit than launching a more complex attack that involves data exfiltration and a high-profile leak site.

The evidence implies that the threat actors are largely focused on the education sector and have financial motivations, which is in line with established victimology.

Even if the strategies used in these situations are pretty standard for ransomware activity, these threats should serve as a reminder of the need for defense-in-depth and secure, off-site backup infrastructure to thwart attacks as soon as possible.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 


Latest articles

Hackers Attacking Windows IIS Server to Upload Web Shells

Windows IIS Servers often host critical web applications and services that provide a gateway...

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...

Four Members of FIN9 Hackers Charged for Attacking U.S. Companies

Four Vietnamese nationals have been charged for their involvement in a series of computer...

BREAKING: NHS England’s Synnovis Hit by Massive Cyber Attack

In a shocking development, the NHS has revealed that it was the victim of...

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles