Full Report
Welcome to the Threat Context Monthly blog series where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team. Here’s what you need to know from October. Threat actor of the month: Nitrogen, Interlock, Sarcoma & AposSecurity (Extortion groups) We initially always observed data […] The post Threat Context Monthly: Executive intelligence briefing for October 2024 appeared first on Outpost24.
Analysis Summary
# Threat Actor: Nitrogen, Interlock, Sarcoma & AposSecurity (Extortion Groups)
## Attribution & Identity
These actors are identified as emerging extortion groups, characterized by focusing solely on data exfiltration and subsequent extortion without deploying ransomware encryption payloads. The article suggests that behind these new names are likely affiliates from larger Ransomware-as-a-Service (RaaS) projects who have chosen to operate independently. Several other threat actors are mentioned briefly alongside these groups (e.g., 0mega, Earth Baxia, Marko Polo, etc.), but Nitrogen, Interlock, Sarcoma, and AposSecurity are highlighted as the focus of the extortion trend analysis.
## Activity Summary
These groups specialize in compromising targets, exfiltrating data, and establishing a Data Leak Site (DLS) on the TOR network. They then leverage the threat of public data release to extort payment, bypassing the encryption phase typical of traditional ransomware attacks. This approach simplifies the attack process and has led to a high volume of these groups appearing recently.
## Tactics, Techniques & Procedures
- Compromise of target environments.
- Data exfiltration.
- Establishment and use of Data Leak Sites (DLS) on the TOR network for extortion demands.
- Attacks are described as opportunistic.
- Likely initial access methods include leveraging **valid accounts** or exploiting **public-facing applications**.
## Targeting
- Sectors: No specific sector preference mentioned; attacks are opportunistic.
- Geography: No preferred targeted regions. However, some groups avoid targeting CIS countries.
- Victims: Mostly affecting **Small and Medium-sized Enterprises (SMEs)**.
## Tools & Infrastructure
- Infrastructure: **Data Leak Sites (DLS)** hosted on the **TOR network**.
- Malware: No specific malware is detailed for these extortion groups; their model emphasizes data exfiltration over deploying an encryption payload.
## Implications
The rise of data-exfiltration-only extortion groups lowers the barrier to entry for cybercriminals, leading to an increased volume of threat actors. This shift puts significant pressure on organizations' data governance and incident response, as external pressure from public data release is the primary leverage point, rather than system downtime due to encryption.
## Mitigations
- Implement robust controls around **valid accounts** to prevent credential compromise.
- Maintain strong patching and monitoring processes for **public-facing applications** to prevent exploitation.
- Deploy proactive data loss prevention (DLP) measures specifically tailored to detecting unauthorized data egress.
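Because these groups skip encryption, the main observable a defender has is the exfiltration itself: a host pushing an unusual volume of data to a destination that is not a sanctioned egress endpoint. The following is an added example (not code from Outpost24, KrakenLabs or any tool the briefing names) of a simple bulk-egress detector over netflow-style records. The records, the allow-list, the 5 GiB threshold and the off-hours window are all constructed assumptions for illustration; the destination addresses use the IANA documentation ranges.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of egress flow records: (timestamp, source host, destination IP, destination port, bytes out).
# These are not real observations; they only illustrate the shape of the input.
SAMPLE_FLOWS = [
    ("2024-10-12T02:05:00", "fileserver-01", "203.0.113.10", 443, 4 * 1024**3),   # 4 GiB, 02:05
    ("2024-10-12T02:40:00", "fileserver-01", "203.0.113.10", 443, 3 * 1024**3),   # 3 GiB, same destination
    ("2024-10-12T09:15:00", "workstation-07", "198.51.100.20", 443, 20 * 1024**3),  # large, but to the approved sync endpoint
    ("2024-10-12T11:30:00", "workstation-12", "203.0.113.55", 443, 200 * 1024**2),  # 200 MiB, under threshold
    ("2024-10-12T14:00:00", "dbserver-02", "203.0.113.77", 22, 6 * 1024**3),       # 6 GiB over SSH during business hours
]

# Assumed allow-list of sanctioned egress destinations (e.g. the organisation's own cloud backup target).
APPROVED_EGRESS = {"198.51.100.20"}

# Assumed off-hours window: before 06:00 or from 22:00.
OFF_HOURS_START, OFF_HOURS_END = 22, 6


def is_off_hours(timestamp: str) -> bool:
    """True if the ISO-8601 timestamp falls in the assumed off-hours window."""
    hour = datetime.fromisoformat(timestamp).hour
    return hour >= OFF_HOURS_START or hour < OFF_HOURS_END


def detect_bulk_egress(flows, threshold_bytes=5 * 1024**3, approved=APPROVED_EGRESS):
    """Sum outbound bytes per (host, destination) pair, ignoring approved destinations,
    and return one alert per pair whose total meets the threshold.

    Each alert records the total volume, whether any contributing flow happened
    off-hours, and the ports seen, so an analyst can triage without re-querying."""
    totals = defaultdict(int)
    off_hours = defaultdict(bool)
    ports = defaultdict(set)
    for ts, host, dst, port, nbytes in flows:
        if dst in approved:
            continue
        key = (host, dst)
        totals[key] += nbytes
        off_hours[key] = off_hours[key] or is_off_hours(ts)
        ports[key].add(port)

    alerts = []
    for (host, dst), total in totals.items():
        if total >= threshold_bytes:
            alerts.append({
                "host": host,
                "dst": dst,
                "bytes": total,
                "off_hours": off_hours[(host, dst)],
                "ports": sorted(ports[(host, dst)]),
            })
    # Largest transfers first so the most likely exfiltration is at the top of the queue.
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for alert in detect_bulk_egress(SAMPLE_FLOWS):
        print(f"{alert['host']} -> {alert['dst']} ports={alert['ports']} "
              f"{alert['bytes'] / 1024**3:.1f} GiB off_hours={alert['off_hours']}")
```

Aggregating per (host, destination) rather than per flow is what catches the fileserver-01 case: neither individual transfer crosses the threshold, but together they do. In production the threshold would be derived from each host's own baseline rather than a fixed constant, and the allow-list would come from asset inventory.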
***
# Threat Actor: LockBit Group (Ransomware-as-a-Service)
## Attribution & Identity
The LockBit Group is a notorious cybercrime entity targeted by Operation Cronos. The operation also implicated affiliates linked to the Russian cybercrime group **“Evil Corp”** (also known as UNC2452, WIERD, or DODBAL). A key figure implicated in connection with LockBit and Evil Corp is **Aleksandr Ryzhenkov**, accused of developing ransomware and making extortion demands. Furthermore, **Eduard Benderskiy**, a former high-ranking **FSB official**, was noted for facilitating the relationship between Evil Corp and Russian Intelligence Services, suggesting state-level connections for affiliated actors.
## Activity Summary
LockBit faced significant disruption due to **Operation Cronos**, a coordinated international law enforcement action. This operation resulted in **four arrests** (including a developer and a hosting administrator), the seizure of **nine servers**, and the imposition of **financial sanctions** against affiliates. Authorities also seized LockBit’s Data Leak Site (DLS) and made a decryption tool for LockBit 3.0 victims available via the 'No More Ransom' portal.
## Tactics, Techniques & Procedures
- Use of Ransomware-as-a-Service (RaaS) model.
- Development and deployment of ransomware variants (LockBit 3.0 is specifically mentioned in connection with the released decryption tool).
- Leveraging affiliates who are subject to international sanctions.
- Association with actors who have deep ties to state intelligence (FSB).
## Targeting
- Targeting specifics were not detailed in this section, beyond the general criminal nature of the group.
## Tools & Infrastructure
- **LockBit 3.0** ransomware.
- Group infrastructure, including **bulletproof hosting** utilized by the group (seized during Operation Cronos).
- **Data Leak Site (DLS)** seized by authorities.
- Affiliates linked to the actor **Evil Corp**.
## Implications
Operation Cronos demonstrates substantial international cooperation leading to the degradation of a major RaaS operation through arrests, seizures, and sanctions. The exposure of links between high-profile cybercrime (Evil Corp) and Russian Intelligence Services highlights the state-sponsored risk component associated with actors leveraging LockBit infrastructure.
## Mitigations
- Utilize the provided decryption tool via the ‘[No More Ransom](https://www.nomoreransom.org/en/decryption-tools.html#Lockbit30)’ portal if affected by LockBit 3.0.
- Remain aware of geopolitical risks associated with actors linked to Russian intelligence services when dealing with affiliates from this ecosystem.
***
# Threat Actor: Unnamed Actors Exploiting Veeam / Fog & Akira
## Attribution & Identity
Unnamed threat actors who have leveraged vulnerabilities in Veeam Backup & Replication software.
## Activity Summary
These actors exploited a critical vulnerability (**CVE-2024-40711**) in Veeam Backup & Replication software, often in combination with **compromised credentials**, to establish unauthorized accounts and attempt to deploy ransomware.
## Tactics, Techniques & Procedures
- Exploitation of **CVE-2024-40711** in Veeam Backup & Replication software.
- Leveraging **compromised credentials**.
- Attempted deployment of ransomware payloads.
## Targeting
- Targets are organizations utilizing Veeam Backup & Replication software.
## Tools & Infrastructure
- **Fog** Ransomware variant (attempted deployment).
- **Akira** Ransomware variant (attempted deployment).
## Implications
The successful combination of a zero-day/critical vulnerability exploitation and compromised credentials presents a high-risk pathway for immediate ransomware deployment against backup infrastructure.
## Mitigations
- Immediately patch or secure any instances of **Veeam Backup & Replication software** against **CVE-2024-40711**.
- Enhance monitoring and controls around access to backup systems, assuming credentials may be compromised.
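The briefing notes that the actors used the Veeam vulnerability together with compromised credentials to establish unauthorized accounts on the backup host. One concrete way to act on the "assume credentials may be compromised" mitigation is to alert on any account creation or privileged-group addition on a backup server that was not performed by an approved administrator. The following is an added example (not code from Outpost24, KrakenLabs or Veeam) of that rule over constructed Windows Security events; the host names, account names, inventory sets and event fields are all assumptions, while the event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) are the standard Windows values.

```python
from datetime import datetime

# Constructed sample of normalised Windows Security events as a SIEM might present them.
# None of these describe a real incident; they only illustrate the input shape.
SAMPLE_EVENTS = [
    {"ts": "2024-10-08T03:12:44", "host": "BKP-VEEAM-01", "event_id": 4720,
     "subject": "VEEAM\\svc_backup", "target": "support1"},
    {"ts": "2024-10-08T03:13:02", "host": "BKP-VEEAM-01", "event_id": 4732,
     "subject": "VEEAM\\svc_backup", "target": "support1", "group": "Administrators"},
    {"ts": "2024-10-08T10:30:00", "host": "BKP-VEEAM-01", "event_id": 4720,
     "subject": "CORP\\jdoe-admin", "target": "svc_monitor"},          # approved admin
    {"ts": "2024-10-08T11:00:00", "host": "WKS-042", "event_id": 4720,
     "subject": "WKS-042\\localadmin", "target": "guest2"},            # not a backup host
    {"ts": "2024-10-08T11:05:00", "host": "BKP-VEEAM-01", "event_id": 4624,
     "subject": "CORP\\jdoe-admin", "target": "-"},                    # ordinary logon, not in scope
]

# Assumed asset inventory: hosts that run backup software and deserve the strictest watch.
BACKUP_HOSTS = {"BKP-VEEAM-01"}
# Assumed list of accounts permitted to manage local accounts on those hosts.
APPROVED_ADMINS = {"CORP\\jdoe-admin"}
# Event IDs in scope: account creation and local-group membership change.
ACCOUNT_EVENTS = {4720: "local account created", 4732: "member added to local group"}
PRIVILEGED_GROUPS = {"Administrators", "Backup Operators", "Remote Desktop Users"}


def is_business_hours(timestamp: str) -> bool:
    """Assumed change window: weekdays 08:00-18:00."""
    dt = datetime.fromisoformat(timestamp)
    return dt.weekday() < 5 and 8 <= dt.hour < 18


def detect_backup_account_changes(events, backup_hosts=BACKUP_HOSTS, approved=APPROVED_ADMINS):
    """Return an alert for every account-management event on a backup host that was
    not performed by an approved administrator.

    Severity is 'high' when the change grants a privileged local group or happens
    outside the change window, otherwise 'medium'."""
    alerts = []
    for ev in events:
        if ev["host"] not in backup_hosts or ev["event_id"] not in ACCOUNT_EVENTS:
            continue
        if ev["subject"] in approved:
            continue  # expected administrative activity; still worth logging, not alerting
        privileged = ev.get("group") in PRIVILEGED_GROUPS
        off_window = not is_business_hours(ev["ts"])
        alerts.append({
            "ts": ev["ts"],
            "host": ev["host"],
            "subject": ev["subject"],
            "target": ev["target"],
            "description": ACCOUNT_EVENTS[ev["event_id"]],
            "group": ev.get("group"),
            "severity": "high" if (privileged or off_window) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_backup_account_changes(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['ts']} {alert['host']}: {alert['subject']} "
              f"-> {alert['description']} ({alert['target']}{' in ' + alert['group'] if alert['group'] else ''})")
```

The key design choice is that the rule keys on the host's role, not on the event alone: account creation is routine on workstations but should be rare and tightly controlled on a backup server, so the same event warrants a different response there. A backup service account creating a local administrator at 03:12, as in the constructed sample, is exactly the pattern the briefing's "unauthorized accounts" mitigation is aimed at.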