2021-06-06

Global Ransomware Campaign Targeting 89 Companies – Night Blood


EXECUTIVE SUMMARY

Between 22-26 May, CYFIRMA researchers identified a global ransomware campaign named “Night Blood”, operated by Russian-speaking cybercriminals attributed to TA505 or its affiliates (Confidence Level: Moderate), to launch cyberattacks against global companies and government agencies.

Cybercriminals are suspected to have released a target asset list of 712 unique IP Addresses believed to be associated with 89 global organizations and government agencies.

Researchers uncovered two approaches that could be leveraged by cybercriminals:

  • Approach 1: Extort ransom from website visitors by forcing them to download a malicious plug-in and install a ransomware tool kit.
  • Approach 2: Extort ransom from the company by installing malware that scans all connected systems using the identified weaknesses and installs a ransomware tool kit.

Our initial analysis shows that the patterns of this campaign’s handlers closely resemble those of the REvil ransomware group.

Motivation: Exfiltration of sensitive information, system information, and customer information for financial gain; and demanding ransom.

Analysis of captured hackers’ footprints and correlation with external threat vectors indicate that this is a potential threat, and organizations are advised to take precautionary measures as highlighted in this report.

CYFIRMA recommends using reported IOC details for measures against this campaign and threat hunting within the environment.

TIMELINE

Following is the chronology of hackers’ conversations captured as part of this campaign.


PERIOD OF ANALYSIS: 22-26 May 2021.

  • 22 MAY 2021

As part of CYFIRMA’s monitoring, we first noticed a Discord forum where a list of 96 potential target IP addresses was published on 22 May 2021. Subsequently, we observed the same list being published in the following 3 dark web forums. The list of IP addresses has been growing continuously since then.

Russian-speaking communities: Following are the dark web channels observed. Please note that most of these Onion sites are invitation-based forums and may not be easily accessible.

Discord channel <Masked>

Dark web forums:

  • <Masked>
  • <Masked>
  • <Masked>

Handlers:

  • <Masked>
  • <Masked>
  • <Masked>
  • <Masked>
  • <Masked>
  • <Masked>
  • <Masked>

Image of Screenshot from the dark web forum

  • 23 MAY 2021

In the <masked> dark web forum, CYFIRMA observed a number of cybercriminals speaking in Russian while referring to the Discord channel and the 3 dark web channels as a “catch” and “big money”.

Later that day, we observed another 89 potential IP addresses being added to the 3 dark web forums highlighted earlier.

  • 24 – 26 MAY 2021

In the <masked> dark web forums, cybercriminals continued to discuss weaknesses and exploits in web servers [IIS, Apache] and web applications.

It is suspected that most of the listed IP addresses, i.e., publicly accessible systems, might serve as entry points for the cybercriminals.

CAMPAIGN DETAILS

  • CAMPAIGN NAME: “ночная кровь”, also known as “night blood”, is suspected to have been launched on 22 May 2021.
  • TARGET INDUSTRIES: Manufacturing, Food & Beverages, Financials, Real Estate & Infrastructure, Rubber, Insurance, Trading Platforms, Exchange Systems, Retail, Online Stores, Electronics, Telecommunication, ICT Services, Research, Chemical & Cosmetics, Government.
  • TARGET GEOGRAPHIES: Japan, UK, Australia, South Korea, USA, India, Thailand, Singapore, Germany, Spain.
  • SUSPECTED HACKING GROUP: TA505 or its affiliates [Confidence Level: Moderate].
  • MOTIVATION: The primary motive of this campaign appears to be the exfiltration of sensitive information, system information, and customer information for financial gain.

METHOD USED BY THE HACKERS: The following methods were discussed by the hackers:

  1. Exploit weaknesses in applications and the operating system.
  2. Implant ransomware, malware and Trojans.
  3. Encrypt files and folders.

ADDITIONAL INSIGHTS OF “NIGHT BLOOD”

This campaign is offered by Russian-speaking cybercriminals as Ransomware-as-a-Service (RaaS). The list of IP addresses targeted by the campaign has grown as follows:

At the first stage, cybercriminals are suspected to have released a target asset list of 712 unique IP Addresses believed to be associated with 89 global organizations and government agencies.

Out of these, CYFIRMA observed 147 IP Addresses, a potential target list associated with multi-national Japanese, South East Asian, Australian, and Indian organizations.

CYFIRMA further noticed the target asset list growing based on its monitoring of multiple dark web forums. Cybercriminals have posted 296 new IP Addresses which they have identified as potential targets.

The ransomware operators are following the double whammy/double extortion strategy, which includes the following tactics:

  1. Stealing sensitive details from the organization
  2. Encrypting files and folders and demanding ransom

In this campaign, and for the first time, cybercriminals are seen targeting web servers by exploiting their weaknesses and potentially using them as a launch pad for cyberattacks.

DETAILED ANALYSIS – ATTACK METHOD/VECTOR ASSESSMENT

Based on CYFIRMA’s assessment of the attack methods and vectors discussed by cybercriminals, we identified that they could be planning to use a two-way approach to demand ransom:

Approach 1:

  1. Infect publicly accessible web server of influential organizations.
  2. Force unsuspecting website visitors to download a malicious plug-in and install a ransomware tool kit.
  3. Demand ransom.

Approach 2:

  1. Infect publicly accessible web server of influential organizations.
  2. Install malware that scans all connected systems in the network using the weaknesses in the identified systems.
  3. Install ransomware tool kit.
  4. Demand ransom.

Following are further details of the possible approach which could be leveraged by cybercriminals:

Approach 1 Analysis

  1. Identify entry points into the organization using a reconnaissance campaign – the IP addresses listed in 3 dark web forums and 1 Discord forum.
  2. Verify whether the web server and application weaknesses are present in the identified systems.
  3. Exploit web server and application weaknesses in the publicly accessible system and install malware:

Suspected malware file names: exe, bitap-se.deb, hook-l.deb, winkernalw.exe.

Suspected hashes: As summarized in the IOC table (masked).

This malware attaches a malicious plug-in [hash: cb70d21d0f4201467009dcac4359ccf0] to the web server. When visiting the infected website, visitors are offered a downloader plug-in [Plug-in name: SafSecur, hash: dfefe1af44873b730638853a91e3a143] that they must accept before they can access the site.

In our analysis, as soon as the malicious plug-in is installed it connects to potential Command & Control (C2) servers 159.26.224, 185.50.196.212, 134.119.219.71, 36.92.106.211 through a web request to download a new variant of REvil ransomware using the file [File name: ExtraEarningReport.docx].

Similar to REvil, the ransomware can exfiltrate sensitive information, encrypt files and folders, and demand ransom. Further details can be referred to in the REvil ransomware technical details.

Approach 2 Analysis

  1. Identify entry points into the organization using a reconnaissance campaign.
  2. Verify whether the web server and application weaknesses are present in the identified systems.
  3. Exploit web server and application weaknesses in the publicly accessible system and install malware:

Suspected malware file names: exe, mngt.deb, wexplorerplu.exe, unneti.exe.

Suspected hashes: As summarized in the IOC table (masked).

This malware can scan all connected systems in the network, identify weaknesses, and upload the collected network information to potential Command & Control (C2) servers [166.173.169, 185.122.200.195, 5.190.187.158, 89.35.39.65, 104.18.56.87].

The malware installed on the web server could then source the ransomware tool kit from potential Command & Control (C2) servers [243.123.211, 168.205.218.143, 80.151.119.159, 195.154.106.106, 209.141.54.197] and deploy the package [Suspected file names: xdope.exe, gtwek.deb]. This package is used to break into vulnerable internal systems and install the ransomware.

CYFIRMA observed a new variant of REvil ransomware using the file [File name: docx].

Similar to REvil, the ransomware goes on to exfiltrate sensitive information, encrypt files and folders, and demand ransom. Further details can be referred to in the REvil ransomware technical details.

INSIGHTS

Russian hacker groups have been observed actively targeting multiple organizations in the past. Their primary intent is likely to exfiltrate sensitive details for sale on the grey market or to competitors for financial gain.

Based on our findings, this campaign appears to be in the reconnaissance phase. We strongly recommend that your organization and its subsidiaries be well prepared against a potential cyber-attack by the suspected Russian threat actor TA505 and its affiliates.

RECOMMENDATIONS

Strategic Recommendations

Implement a unified threat management program – including malware detection, deep learning neural networks, and anti-exploit technology – connected with vulnerability and risk mitigation.

Adopt a holistic ransomware protection strategy that includes employee education and DR plans; this adds a layer of security to systems and safeguards the organization’s data, revenue, and reputation.

Management Recommendations

Strengthen the patch management policy – regularly update systems with suitable security patches to ensure cybercriminals cannot take advantage of known flaws to gain access to networks and distribute ransomware.

Audit patching processes and evaluate technologies and policies that can make them more effective, leveraging automation whenever feasible.

Manage employee behavior through cybersecurity education and training programs, then schedule frequent drills to test and monitor the programs’ efficiency.

Ensure preparedness for handling ransomware attacks by constructing a pre-incident preparation strategy that includes backups, asset management, and the restriction of user privileges.

Tactical Recommendations

Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
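One way to act on this recommendation is to sweep web-server and egress-proxy logs, plus a file inventory, for the indicators quoted in the analysis above. The following Python script is an added example, not CYFIRMA’s tooling; it uses only the complete C2 addresses, hashes and file names quoted in this report, leaves out the addresses quoted with a missing octet, and its sample log lines and file inventory are constructed.

```python
"""Sweep logs and a file inventory for the Night Blood IOCs quoted in this report.
Added example, not CYFIRMA's tooling. C2 addresses the report quotes with a missing
octet are omitted (take them from the full IOC table); samples below are constructed."""
import re

C2_IPS = {"185.50.196.212", "134.119.219.71", "36.92.106.211",           # Approach 1
          "185.122.200.195", "5.190.187.158", "89.35.39.65", "104.18.56.87",
          "168.205.218.143", "80.151.119.159", "195.154.106.106", "209.141.54.197"}
HASHES = {"cb70d21d0f4201467009dcac4359ccf0",    # malicious web-server plug-in
          "dfefe1af44873b730638853a91e3a143"}    # SafSecur downloader plug-in
FILE_NAMES = {"bitap-se.deb", "hook-l.deb", "winkernalw.exe", "extraearningreport.docx",
              "mngt.deb", "wexplorerplu.exe", "unneti.exe", "xdope.exe", "gtwek.deb"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def hunt_log(lines):
    """Return (line_no, indicator, kind) for every listed C2 address or suspected
    malware file name (matched case-insensitively) found in the log lines."""
    hits = []
    for no, line in enumerate(lines, 1):
        hits += [(no, ip, "c2_ip") for ip in IPV4.findall(line) if ip in C2_IPS]
        low = line.lower()
        hits += [(no, name, "file_name") for name in sorted(FILE_NAMES) if name in low]
    return hits

def hunt_inventory(inventory):
    """inventory: iterable of (path, hex digest). A hash match outranks a name match."""
    hits = []
    for path, digest in inventory:
        if digest.lower() in HASHES:
            hits.append((path, "hash"))
        elif path.replace("\\", "/").rsplit("/", 1)[-1].lower() in FILE_NAMES:
            hits.append((path, "file_name"))
    return hits

SAMPLE_LOG = [  # constructed: two Apache-style access lines, one egress-proxy line
    '10.0.0.5 - - [26/May/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [26/May/2021:10:01:09 +0000] "GET /plugins/safsecur.msi HTTP/1.1" 200 81920',
    '26/May/2021:10:02:15 www01 CONNECT 185.50.196.212:443 GET /ExtraEarningReport.docx 200',
]
SAMPLE_INVENTORY = [  # constructed (path, hex digest) pairs
    ("/var/www/html/plugins/safsecur.so", "DFEFE1AF44873B730638853A91E3A143"),
    (r"C:\Windows\Temp\winkernalw.exe", "0" * 32),
    ("/usr/bin/ls", "1" * 32),
]

if __name__ == "__main__":
    for hit in hunt_log(SAMPLE_LOG) + hunt_inventory(SAMPLE_INVENTORY):
        print("HIT", *hit)
```

A hit on a file name alone is weak evidence and should be confirmed by hash or by sandbox analysis before blocking.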

Patch/upgrade all applications/software regularly with the latest versions – operating system, web server, application server.

It is recommended that systems publicly accessible over the internet be protected with a strong security policy; the following techniques could be implemented to avoid automated brute force attacks:

  • Limit unsuccessful login attempts with account lockouts and progressive delays in the login process.
  • Move RDP to a non-standard port instead of using the default port 3389.
  • Use CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), which is effective against automated bots.
  • Restrict logins to a specific range of IP addresses.
  • Implement Multi-Factor Authentication (MFA) to reduce the risk of a potential data breach.
  • For IIS: add configuration covering the following best practices – keep your cookies safe, do not allow non-HTTPS connections, remove all of IIS’s branded response headers, set up a referrer policy, set up HSTS to insist that web browsers connect via SSL, and disable all versions of TLS below 1.2 (although be aware this will prevent a few older browsers from accessing the site).
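The IIS points in the last bullet can be checked mechanically against a site’s web.config. The following Python script is an added example, not CYFIRMA’s or Microsoft’s tooling; the weak and hardened web.config fragments are constructed, and the TLS-version point is out of scope because IIS takes those settings from the OS SCHANNEL registry rather than from web.config.

```python
"""Audit an IIS web.config for the hardening points in the recommendation above: cookies
kept safe, no non-HTTPS connections, branded headers removed, Referrer-Policy and HSTS.
Added example, not CYFIRMA's or Microsoft's tooling; both configs below are constructed.
TLS versions are set in the OS SCHANNEL registry, not web.config, so they are not checked."""
import xml.etree.ElementTree as ET

def _attr(root, path, name, default):
    """Lower-cased attribute value of the element at `path`, or `default` if absent."""
    el = root.find(path)
    return (el.get(name, default) if el is not None else default).lower()

def audit_web_config(xml_text):
    """Return {check_name: True} where the hardening is present, False where it is not."""
    root = ET.fromstring(xml_text)
    ch = root.find("system.webServer/httpProtocol/customHeaders")
    added = {a.get("name", "").lower(): a.get("value", "")
             for a in (ch.findall("add") if ch is not None else [])}
    removed = {r.get("name", "").lower() for r in (ch.findall("remove") if ch is not None else [])}
    return {
        "cookies_httponly": _attr(root, "system.web/httpCookies", "httpOnlyCookies", "false") == "true",
        "cookies_ssl_only": _attr(root, "system.web/httpCookies", "requireSSL", "false") == "true",
        "https_required": "ssl" in _attr(root, "system.webServer/security/access", "sslFlags", "None"),
        "server_header_removed": _attr(root, "system.webServer/security/requestFiltering",
                                       "removeServerHeader", "false") == "true",
        "x_powered_by_removed": "x-powered-by" in removed,
        "aspnet_version_header_off": _attr(root, "system.web/httpRuntime",
                                           "enableVersionHeader", "true") == "false",
        "referrer_policy_set": "referrer-policy" in added,
        "hsts_set": "max-age=" in added.get("strict-transport-security", "").lower(),
    }

WEAK_CONFIG = """<configuration>
  <system.web><httpCookies httpOnlyCookies="false" /></system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <security><requestFiltering removeServerHeader="true" /><access sslFlags="Ssl" /></security>
    <httpProtocol><customHeaders>
      <remove name="X-Powered-By" />
      <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
    </customHeaders></httpProtocol>
  </system.webServer>
</configuration>"""
```

Run `audit_web_config` on the site’s actual web.config; a False value names the bullet point that is still missing, and `removeServerHeader` requires IIS 10 or later.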


If you’d like the full technical report, please write to [email protected]