February 17, 2021
Over the past thirty days, the Ankura Cyber Security team has responded to a broad array of matters involving emerging ransomware tactics, aggressive business email compromises, and sophisticated cyber espionage campaigns.
As we detail in the pages below, Ankura’s Cyber Threat Analysis and Pursuit Team (CTAPT) analysts have detected an increasing number of ransomware/extortion groups leveraging a new tactic against smaller victims which appears to force the targeted entity into negotiations with the attacker much more quickly. This latest observation may indicate that additional threat groups will adopt this tactic into Q2 of 2021.
As a function of our response activities, Ankura’s CTAPT has initiated monitoring of a new malware variant called “CinaRAT”. This variant is closely related to “QuasarRAT”, an older remote access trojan (RAT) previously leveraged by several cyberespionage groups throughout Asia and the Middle East to target organizations across multiple verticals. “CinaRAT” was first detected on open-source malware forums approximately two (2) months ago and has already undergone four (4) mutations, possibly indicating that sophisticated threat actors are actively modifying it to decrease detection ratios and increase its functionality.
Lastly, during this period Ankura’s Cyber Security team has been working with organizations which may have been compromised through a recently identified vulnerability in SonicWall appliances, one that potentially enables unauthorized remote access to individual user accounts.
Evolving Ransomware Tactics (RDDoS)
CTAPT analysts have been actively monitoring an increasing number of ransomware/extortion threat groups integrating distributed denial of service (DDoS) attacks into their toolkits when targeting new victims. Ransomware groups using DDoS attacks to cripple a victim’s publicly facing infrastructure were first observed during late Q3 2020, though the tactic was only being used by two (2) prominent groups, “RagnarLocker” and “SunCrypt”. This new tactic was aptly named “Ransom DDoS” (RDDoS).
RDDoS attacks typically follow the same playbook as other ransomware campaigns but with one added last step:
- Threat groups actively identify an initial compromise vector to gain access to the victim’s network
- Once access is obtained, threat actors will download malicious tool kits to establish a foothold
- Threat actors will then enumerate the internal network to identify high-value systems and move laterally to access these endpoints
- Sensitive data from these endpoints is then exfiltrated for later use as collateral for extortion
- Next, encryption algorithms are employed on various endpoints, rendering them unusable
- The victim’s publicly facing infrastructure is then overwhelmed with bot-like traffic, essentially rendering infrastructure such as websites and email unreachable
As seen in the timeline above, this last step takes place after the encryption phase of the attack and proves to be an effective tactic for forcing the victim into a negotiation. “SunCrypt’s” first known successful use of RDDoS appeared to target a small business which likely did not have adequate DDoS mitigation in place prior to the attack.
Figure 1: Negotiation between a “SunCrypt” threat actor and victim
CTAPT has recently identified that the “Avaddon” threat group is now leveraging the RDDoS tactic when targeting new victims across Europe and Asia.
Figure 2: Screenshot of “Avaddon” extortion site identifying a new RDDoS victim in Poland
Figure 3: Screenshot showing that the victim’s website is unreachable as a result of the RDDoS attack
At this stage, it is too early to assume that other ransomware groups will adopt this tactic in the near future; however, if it proves to increase return on investment (ROI) for “Avaddon”, “SunCrypt”, and “RagnarLocker”, CTAPT believes that additional threat groups will adopt RDDoS as an additional layer of pressure when targeting small organizations. To mitigate future DDoS attacks, CTAPT suggests that organizations separate and distribute publicly facing assets across different infrastructure, preferably using a content delivery network (CDN), which softens the impact of a DDoS campaign by avoiding single points of congestion.
Return of ShinyHunters
Approximately three (3) months ago, CTAPT reported that “ShinyHunters” announced their “retirement” after apparently making more than enough money to cease operations. However, as CTAPT reported in the August 2020 edition of this publication, it is believed this announcement had more to do with the group being targeted and compromised by another threat actor who gained access to “ShinyHunters’” data and subsequently released it on various dark web marketplaces. It now appears that actors previously associated with “ShinyHunters” have reemerged on several underground forums and are updating download links associated with previously compromised victims and data sets.
Figure 4: Screenshot showing download links attributed to “ShinyHunters” accounts as updated
Figure 5: Screenshot showing a known “ShinyHunters” account publishing new content
As noted above, these new posts appear to be associated with previously compromised victims and there is no indication that “ShinyHunters” has carried out any attacks against new victims. Nevertheless, CTAPT analysts perceive this recent forum activity as a potential indicator that “ShinyHunters” will resume operations in the near future.
Introduction to “CinaRAT”
According to the CinaRAT author’s GitHub page, it was created to be used as a “fast and light-weight administration tool coded in C#” and is a close variation of QuasarRAT, which has been tied to cyberespionage threat groups such as APT33, APT10, and “The Gorgon Group”. While very similar to QuasarRAT, CinaRAT has evasive components which allow attackers to sustain near-zero detection for long periods of time, essentially increasing adversarial dwell time within a victim’s network.
According to third-party reporting, CinaRAT was recently delivered to a victim through a malicious ISO archive file. The decreased detection offered by CinaRAT is due to a number of factors including:
- Reflective loading of remote .NET DLL executables from GitHub user accounts
- Unique payloads with separate URLs
- Once decoded, the RAT leverages a code injection technique in which the executable section of the RAT replaces a legitimate process in memory, allowing the RAT to be disguised on the infected machine
- Legitimate .NET library naming conventions were used in the loader, which allow it to pass through antivirus software because it appears to be a legitimate, whitelisted process
CinaRAT V1 was first detected on VirusTotal on 8 December 2020. As of the date of this publication, CinaRAT has gone through four (4) variations, with V4.1 being detected as of 03 February 2021, which suggests that sophisticated state-sponsored adversaries are altering the malware to fit their unique demands and are staging the tool for future deployments. Ankura suggests that organizations leverage a zero-trust approach when defending their networks and endpoints and proactively block the indicators of compromise (IOCs) included in the appendix of this report.
SonicWall Breach (SNWLID-2021-0001)
On the evening of January 22, 2021, SonicWall, a networking device manufacturer, reported that it was investigating a “highly sophisticated” and coordinated breach of its internal network and infrastructure. On February 1, SonicWall confirmed that threat actors facilitated the breach by exploiting a zero-day firmware vulnerability (SNWLID-2021-0001) in SonicWall’s SMA (Secure Mobile Access) 100 series version 10.x devices. The vulnerability was an improper neutralization of SQL commands (SQL injection), which allowed unauthenticated remote attackers to gain access to credentials. Initially, SonicWall believed its NetExtender VPN clients had also been compromised; however, that possibility was quickly ruled out during the initial investigation.
As of February 3, SonicWall has made available a firmware update (10.2.0.5-29sv) that patches the zero-day vulnerability in SMA 100 units, and organizations/individuals need to apply the patch “immediately” to avoid being potentially compromised. Any users that may have logged in to the devices via the web interface need to have their passwords reset, and multi-factor authentication (MFA) should be enabled for all accounts as a general best practice. If deploying the patch is not feasible at the moment, customers should enable the built-in web application firewall (WAF) to mitigate the vulnerability until the update can be applied.
SonicWall is one of several large security companies to have publicly disclosed a security event over the past few months; however, SonicWall did not disclose details related to attribution for the breach, making it difficult to ascertain the potential fallout from the attack. It should be noted that one (1) day after SonicWall announced the incident, CTAPT analysts identified a well-known threat actor (“sailormorgan32”) attempting to sell 4 terabytes worth of SonicWall data for $500,000 on the infamous “Exploit Forum”. The actor stated the data was comprised of “1 terabyte of documents and 3 terabytes of their product source code were stolen. Source codes for SSL VPN, Sonic Core and many other popular solutions of the company.”
Threat Actor of the Month
CTAPT analysts routinely monitor dozens of underground forums to identify transactions involving highly sensitive data. As a result, CTAPT can enumerate and track the most active threat actors over a thirty (30) day period and provide this data to our clients and law enforcement if warranted. This section will provide a brief overview of one selected actor.
“g0ldenboy” is the handle of a threat actor active on multiple underground marketplaces, most notably the “White House Market”. Based on previously observed activity, this actor appears to be a Russian speaker and may reside in Russia or Eastern Europe. “g0ldenboy” specializes in selling compromised accounts belonging to VPN solutions and streaming services, while also offering SMS and email spamming, SMTP servers, and private SOCKS proxies. “g0ldenboy” was first observed on 14 December 2016 and has been steadily active into 2021. The continued success of “g0ldenboy” reinforces why proper password hygiene and enablement of multi-factor defenses are still vital aspects of a proper defense-in-depth security plan.
Known handles by marketplace:
- Versus Market, AlphaBay Forum, TradeRoute Market, Berlusconi Market, White House Market, Dream Market, AlphaBay Market: “g0ldenboy”
- Nightmare Market: “G0ldenboyStore”
- Dread: “/u/g0ldenboy”
- White House Market: “/userinfo?user=g0ldenboy”
Figure 6: Screenshot of account profile on White House Market
Figure 7: Screenshot of recent sale of compromised IPVanish and NordVPN accounts