# Main Topic
In December 2024 an open directory was discovered that is believed to belong to a ransomware affiliate linked to the Fog ransomware group. It contained a comprehensive toolkit for post-compromise activity, covering reconnaissance, exploitation, lateral movement, and command-and-control.
## Key Points
- The directory was hosted at `194[.]48[.]154[.]79:80`.
- Initial access methods included leveraging compromised SonicWall VPN credentials.
- The toolkit facilitated credential theft (using DonPAPI), Active Directory exploitation (via Certipy, Zer0dump, and Pachine/noPac targeting vulnerabilities like CVE-2020-1472), and maintenance of persistence.
- Persistence was achieved using AnyDesk, automated via a PowerShell script that preconfigured remote access credentials.
- Sliver C2 executables and Proxychains were present for C2 operations and protocol tunneling, respectively.
- Powercat was also available for alternative networking communications and reverse shell establishment.
## Threat Actors
- **Primary Attribution:** Ransomware affiliate likely linked to the **Fog ransomware group**.
- **Confidence Level:** Moderate confidence based on overlapping victim data found on the Fog Ransomware Dedicated Leak Site (DLS).
## TTPs
- **Initial Access:** Compromised VPN credentials (SonicWall).
- **Discovery/Reconnaissance:** SonicWall Scanner tool usage.
- **Credential Access:** Use of DonPAPI for extracting DPAPI-protected credentials.
- **Privilege Escalation/Lateral Movement:** Exploitation of Active Directory vulnerabilities (e.g., CVE-2020-1472) using tools like Certipy, Zer0dump, and Pachine/noPac.
- **Persistence:** Installation and automation of AnyDesk via a PowerShell script to maintain remote access.
- **Command and Control:** Use of Sliver C2 binaries (`slv.bin`, `sliver-client_linux`).
- **Defense Evasion/Tunneling:** Usage of Proxychains for tunneling traffic and Powercat for reverse shells and data transfer.
## Affected Systems
- **Initial Compromise Vector:** SonicWall VPN infrastructure.
- **Domain Systems:** Systems relying on Active Directory Certificate Services (AD CS).
- **Geographic Scope:** Victims identified across Europe, North America, and South America.
- **Specific Countries:** Italy, Greece, USA, and Brazil.
- **Industries:** Technology, Education, Retail, and Transportation & Logistics.
## Mitigations
- Enforce multi-factor authentication and strong credential hygiene for perimeter access systems such as SonicWall VPNs.
- Patch systems against known Active Directory vulnerabilities (e.g., CVE-2020-1472).
- Monitor for the deployment and execution of persistence mechanisms like AnyDesk, especially when automated via unusual PowerShell scripts.
- Monitor for the use of offensive C2 frameworks such as Sliver and tools like Powercat.
- Harden Active Directory Certificate Services (AD CS) to prevent abuse techniques like those employed by Certipy.
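As an added example that is not part of the report, the following Python triage check looks for the persistence pattern described above: AnyDesk launched from a scripting host with unattended-install or password-setting switches. The event format and sample records are constructed; the AnyDesk switches `--install`, `--silent`, `--start-with-win` and `--set-password` are assumed from the tool's documented command-line options.

```python
from pathlib import PureWindowsPath

# AnyDesk command-line switches (assumed from the tool's documented options) that
# mark an unattended install or a preconfigured unattended-access password.
UNATTENDED_FLAGS = {
    "--install": "unattended installation",
    "--silent": "silent install, no UI",
    "--start-with-win": "autostart at boot",
    "--set-password": "unattended-access password preconfigured",
}
# Parents that indicate a scripted rather than interactive launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation records in a simplified Sysmon Event ID 1 shape.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\AnyDesk.exe",
     "cmdline": r'"C:\Users\Public\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --set-password'},
    {"parent": r"C:\Windows\explorer.exe",  # interactive launch, no switches: benign
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /all"},
]

def basename(path):
    return PureWindowsPath(path).name.lower()

def assess(event):
    """Score one event: one point per indicator; 0 means not AnyDesk or nothing suspicious."""
    reasons = []
    if "anydesk" not in basename(event["image"]):
        return 0, reasons
    parent = basename(event["parent"])
    if parent in SCRIPT_HOSTS:
        reasons.append(f"launched by scripting host {parent}")
    tokens = set(event["cmdline"].lower().split())
    for flag, meaning in UNATTENDED_FLAGS.items():
        if flag in tokens:
            reasons.append(f"{flag}: {meaning}")
    return len(reasons), reasons

def detect(events, threshold=2):
    """Return (index, reasons) for events at or above the threshold."""
    scored = [(i, *assess(ev)) for i, ev in enumerate(events)]
    return [(i, reasons) for i, score, reasons in scored if score >= threshold]
```

With the default threshold, a scripting-host parent plus a single unattended switch is enough to flag an event, while an interactive launch without switches is not.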
## Conclusion
The discovered infrastructure reveals a sophisticated ransomware affiliate using a diverse toolset across the compromise lifecycle, from initial access via compromised VPN credentials to advanced Active Directory abuse and C2 communication via Sliver and tunneling techniques. Organizations should prioritize securing remote access points and auditing privileged and certificate services immediately.