
Ankura Cyber Threat Intelligence Bulletin

May 17, 2021


Over the past thirty days, the Ankura Cyber Security team has responded to a variety of matters attributed to foreign nation-state-sponsored threat groups engaged in sustained exploitation campaigns targeting clients across multiple social media platforms as well as through email attacks. Furthermore, the Ankura Response, Investigations, and Intelligence (“RII”) team also worked on numerous matters involving multiple ransomware variants, large-scale Microsoft 365 breaches, and localized intrusion events. The entities impacted include critical infrastructure, local municipalities, financial interests, insurance companies, and manufacturing concerns.

For this month’s report, Ankura’s Cyber Threat Analysis and Pursuit Team (“CTAPT”) has compiled detailed metrics on the tactics employed by ransomware and extortion actors. These metrics were derived from matters worked by the Ankura RII team and provide a window into recent trends.

Lastly, during this period, Ankura’s Cyber Security team has observed activity believed to be attributed to an Iranian threat group known to specifically target academic institutions, research hospitals, and government entities.

Observed Ankura Ransomware TTPs

CTAPT analysts reviewed matters in which Ankura assisted clients with ransom and extortion events over the last two years and offer the following observations.

Beginning in early 2019 through today, Ankura has responded to hundreds of ransomware and extortion matters and has tracked and documented the tactics, techniques, and procedures (“TTPs”) related to these events. CTAPT analysts routinely catalog the TTPs to include the initial vector of compromise, lateral movement enablers, payloads deployed on victim endpoints, exfiltrated data methods, and other related intelligence.

From late 2019 to late 2020, Ankura detected a rise in the use of compromised credentials to gain unauthorized access. Often, credentials (or variants of credentials) exposed on the “Dark Web” were used in password spray attacks against the domains associated with the leaked email address. Because employees often choose a variant of a previous password when updating credentials, threat actors are frequently successful spraying or brute-forcing with the exposed password as a starting point.
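The pattern described above, a single source trying a few guesses against many accounts rather than many guesses against one, is what distinguishes a spray from a brute force in authentication logs. The following is an added example (not Ankura tooling) that flags that pattern over constructed sample log lines; the log format, the user names, and the source addresses are all assumed.

```python
"""Password-spray detector over constructed authentication log lines.

Added example, not part of the Ankura bulletin. The log format is an
assumed, simplified one: "<timestamp> <result> user=<name> src=<ip>".
"""
import re
from collections import defaultdict

# Constructed sample log lines: hypothetical users and RFC 5737 test addresses.
# 198.51.100.7 tries five accounts once each (spray); 203.0.113.5 hammers
# one account three times (brute force) before succeeding.
SAMPLE_LOG = """\
2021-05-10T08:00:01Z FAIL user=alice src=198.51.100.7
2021-05-10T08:00:02Z FAIL user=bob src=198.51.100.7
2021-05-10T08:00:03Z FAIL user=carol src=198.51.100.7
2021-05-10T08:00:04Z FAIL user=dave src=198.51.100.7
2021-05-10T08:00:05Z FAIL user=erin src=198.51.100.7
2021-05-10T08:00:06Z SUCCESS user=frank src=198.51.100.7
2021-05-10T08:01:00Z FAIL user=alice src=203.0.113.5
2021-05-10T08:01:05Z FAIL user=alice src=203.0.113.5
2021-05-10T08:01:10Z FAIL user=alice src=203.0.113.5
2021-05-10T08:01:15Z SUCCESS user=alice src=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the assumed log format into a list of dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_spray(events, min_distinct_users=5, max_failures_per_user=2):
    """Return {src_ip: summary} for sources showing a spray pattern:
    failures spread across many distinct accounts with few attempts each
    (the opposite of a brute force, which hammers one account)."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    successes = defaultdict(set)                       # src -> users that succeeded
    for ev in events:
        if ev["result"] == "FAIL":
            failures[ev["src"]][ev["user"]] += 1
        else:
            successes[ev["src"]].add(ev["user"])

    findings = {}
    for src, per_user in failures.items():
        if len(per_user) < min_distinct_users:
            continue  # too few accounts touched to call it a spray
        if max(per_user.values()) > max_failures_per_user:
            continue  # repeated failures on one account: brute force, not spray
        findings[src] = {
            "distinct_users": len(per_user),
            "total_failures": sum(per_user.values()),
            # Any success from the same source is the account to review first.
            "successes_from_same_source": sorted(successes.get(src, ())),
        }
    return findings


if __name__ == "__main__":
    for src, summary in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(src, summary)
```

The thresholds are deliberately low so the constructed sample triggers; on real authentication telemetry they should be tuned per environment, and any success from a flagged source is the first account to reset and review.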

Domain controllers are normally where users are authenticated and granted access to a network. For this reason, domain controllers are of significant interest to threat actors. An example of this occurred in late 2019 when Ankura observed three groups, including, compromise a domain controller to gain access to an organization’s internal infrastructure. Once a domain controller is compromised, the authentication and validation process can no longer be trusted and the threat actors can cause massive damage, a very desirable position from a ransomware group’s perspective.

Another TTP Ankura noted as popular with extortion/ransom groups was exploitation of Remote Desktop Protocol (RDP). Nineteen (19) different groups were observed leveraging RDP weaknesses, and this method of compromise was the most successful TTP used by threat actors to distribute ransomware from mid-2019 to late 2020. RDP is a network protocol that allows an individual, once connected, to control the processes, resources, and data of a machine remotely. During an RDP attack, threat actors look for improperly secured RDP services to exploit in order to gain access to an organization’s network. Ransom/extortion groups had considerable success with this TTP.

Phishing campaigns were the second most widely used attack vector among these groups from early 2019 until late 2020. Analysts noted seventeen individual groups that used phishing campaigns to gain access to an internal network or infrastructure. Phishing includes using social engineering to manipulate victims into surrendering sensitive information, downloading malicious files through emails or links, submitting payments on the actor’s behalf, or granting access to physical locations that could house sensitive data.

The following is a graph that includes several of the data points mentioned above. The information is separated based on the attack vector used and which ransomware group used that vector to successfully gain access to a system:

Targeting of CNA Financial

CNA Financial, reported to be one of the United States’ largest commercial property and casualty insurance companies with 5,800 employees located around the world, fell victim to a ransomware attack on March 21st, 2021[1]. CNA Financial released a public statement on March 23rd stating that the company sustained a “sophisticated cybersecurity attack” that caused a network disruption and impacted certain CNA systems, including corporate email. Due to the serious impact of this attack, CNA disconnected its systems from its network out of caution to prevent further compromise. Bleeping Computer has confirmed with CNA Financial the involvement of a new ransomware variant known as “Phoenix CryptoLocker” in the attack. During the attack, “Phoenix CryptoLocker” encrypted over 15,000 devices on CNA’s network as well as the computers of remote employees who were logged into the company’s VPN at the time. When encrypting these devices, the ransomware appended the “.phoenix” extension to the encrypted files, and a ransom note named “PHOENIX-HELP.txt” with a bird-shaped graphic was created, as seen below.


Figure 1: Ransom note created during the CNA Financial ransomware attack.
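The two file-system artifacts named above (the appended “.phoenix” extension and the “PHOENIX-HELP.txt” note) are what an incident responder would sweep for when scoping which shares and hosts were touched. The following is an added example, not Ankura’s tooling: a triage scan that walks a directory tree, counts renamed files, records where notes were dropped, and recovers the original file type from the name before the appended extension. The indicator set is taken from the text; the directory layout and sample files are constructed.

```python
"""Triage scan for the file-system artifacts attributed to "Phoenix CryptoLocker"
in the bulletin: files renamed with a ".phoenix" extension and a ransom note
named "PHOENIX-HELP.txt". Added example, not Ankura's tooling; the directory
layout and sample files below are constructed.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicator values as stated in the bulletin.
PHOENIX_INDICATORS = {"extension": ".phoenix", "note_name": "PHOENIX-HELP.txt"}


def scan_tree(root, indicators):
    """Walk `root` and report how many files carry the ransomware extension,
    where ransom notes were dropped, which directories hold encrypted files,
    and the original file types (the suffix left after stripping the appended
    extension), which helps judge what data was affected."""
    root = Path(root)
    ext = indicators["extension"].lower()
    note = indicators["note_name"].lower()
    report = {
        "encrypted_files": 0,
        "note_paths": [],
        "affected_dirs": set(),
        "by_original_type": Counter(),
    }
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if lname == note:
                report["note_paths"].append(str(Path(dirpath, name).relative_to(root)))
            elif lname.endswith(ext):
                report["encrypted_files"] += 1
                report["affected_dirs"].add(str(Path(dirpath).relative_to(root)))
                original = Path(name[: -len(ext)]).suffix.lower() or "(none)"
                report["by_original_type"][original] += 1
    report["note_paths"].sort()
    report["affected_dirs"] = sorted(report["affected_dirs"])
    report["by_original_type"] = dict(report["by_original_type"])
    return report


def build_sample_tree():
    """Create a constructed directory that mimics a partially encrypted share."""
    base = Path(tempfile.mkdtemp(prefix="triage_"))
    (base / "finance").mkdir()
    (base / "hr").mkdir()
    (base / "finance" / "q1.xlsx.phoenix").write_bytes(b"\x00" * 16)
    (base / "finance" / "notes.docx.phoenix").write_bytes(b"\x00" * 16)
    (base / "finance" / "PHOENIX-HELP.txt").write_text("ransom note placeholder")
    (base / "hr" / "staff.docx").write_bytes(b"intact")  # untouched file
    (base / "PHOENIX-HELP.txt").write_text("ransom note placeholder")
    return base


if __name__ == "__main__":
    print(scan_tree(build_sample_tree(), PHOENIX_INDICATORS))
```

Running the scan over a mounted forensic image or a share from a read-only host avoids touching timestamps on the evidence; the same function works for any family that renames files with a fixed appended extension by swapping the indicator dictionary.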

“Phoenix CryptoLocker” ransomware is believed to be potentially tied to the Russia-based threat group Evil Corp based on similarities in the code[1]. Evil Corp is known as an advanced persistent threat (APT) group that has recently resurfaced after a short hiatus. “Phoenix CryptoLocker” is believed to be a spinoff of previous ransomware utilized by Evil Corp, such as “WastedLocker”.

CNA Financial confirmed that they believe the threat actor group responsible for the cyberattack is Phoenix, and the group is not a sanctioned entity. They also stated that no United States government agency had confirmed a relationship between the group that attacked CNA and any sanctioned entity. CNA emphasized their mitigation procedures that are currently in progress, such as their engagement with a team of third-party forensic experts to investigate and determine the full scope of the ongoing incident. Law enforcement and the FBI have also been contacted to conduct their own investigation.

At the time of publication, CNA Financial had not publicly stated whether insureds’ or policyholders’ unencrypted information was stolen during the ransomware attack, but assured that any affected parties would be notified directly. However, if the cyberattack succeeded in obtaining data, the attack on CNA Financial could significantly impact CNA client companies associated through cyber-insurance policies. The accessed data could help threat actors determine which companies to target next, the scope of applied cyber-insurance, and the limits and deductibles. This information could then be utilized to set optimal ransom demands and create convincing phishing messages, increasing the probability that a ransomware attack succeeds.

Hafnium Update

One of the most publicized issues circulating the news cycle over the past few weeks is the fallout from the March 2021 Microsoft Exchange breach, which reportedly impacted tens of thousands of companies worldwide. Reporting indicates that the distribution of impacted companies is greatest in the United States, with the second-highest being in Germany[1]. Since the disclosure that ProxyLogon was leveraged as the attack chain for Exchange server exploitation, Microsoft has developed a tool that companies can use to check for indicators of compromise (IOCs) on their Exchange servers[2].

Recently, several ransomware groups and threat actors took advantage of this massive Exchange vulnerability to launch attacks throughout the world. While the primary suspect is still the Hafnium group, there are links to an additional threat group known as the Hades ransomware operation. Hades was linked to the Forward Air trucking cyberattack in December 2020, which required Forward Air to shut down its systems to prevent further damage to its infrastructure. The connection between Hades and Hafnium comes from an investigation into a Hades ransomware attack, where researchers discovered a domain tied to a Hafnium indicator of compromise. The Hades ransomware gang also has connections to INDRIK SPIDER, a cybercriminal group based out of Russia.

Additional ransomware groups began taking advantage of ProxyLogon to launch ransomware campaigns on vulnerable companies. Black Kingdom is a strain of ransomware, also referred to as GAmmAWare, that has recently been seen exploiting ProxyLogon. The first reports of Black Kingdom came days after the initial disclosure of ProxyLogon. An estimated 1,500 Exchange servers have web shell scripts that link back to Black Kingdom operators – not to mention the companies that have yet to disclose attack information. The ransom note(s) left by Black Kingdom demanded $10,000 in Bitcoin (approx. 0.1696 BTC) to get a decryption key; however, as with most ransomware attacks, threat actors may only release part of the encrypted data and demand more ransom to release the full dataset.

However, Black Kingdom isn’t the only ransomware that has taken advantage of the situation. The DearCry ransomware variant, a.k.a. DoejoCrypt, has also been seen leveraging ProxyLogon to launch its attacks. While DearCry carries the same naming scheme as the WannaCry ransomware, the only notable similarity between the two is the encryption style. Once infected, victims are met with a ransom note stating that they must contact the threat actors to negotiate a ransom for unlocking encrypted files and systems. DearCry has been seen targeting common file extensions on victim machines such as .docx, .log, .xlsx, .csv, and many more.

Threat Actor of the Month

The MABNA Institute is a threat actor which the United States Department of Justice has associated with Iran’s Islamic Revolutionary Guard Corps[1]. The threat actor utilizes sophisticated phishing operations to target those within and servicing the academic sector, including (but not limited to) software groups, scientific organizations, and academic institutions around the world. Ankura recently responded to the compromise of an entity researching COVID-19 vaccines and found that several email accounts had been accessed, likely in search of related information. In recent attacks, MABNA Institute utilized and deployed advanced phishing infrastructure to specifically target these academic institutions: National University of Singapore, Volda University College, Durham University, Østfold University College, Halmstad University, University of Newcastle, Lebanese American University, University of Newcastle in New South Wales and Kristianstad University. To date, MABNA Institute has stolen over $3.4 billion worth of sensitive information and credentials from the academic sector and those servicing it.

MABNA Institute is known for its phishing operations and credential theft tactics, which are key characteristics of its campaigns. Once credentials are compromised, they are sold on Iranian sites, where demand for this information is high due to international sanctions that limit access to research and resources. This threat actor’s activity is expected to maintain an elevated tempo throughout 2021, as the demand for these credentials is still on the rise.

A known site associated with the MABNA Institute threat actor. This is a description of their offerings, which notably include international journals.

This is the latest update given on the site, once again stating the sale of VPN access to universities.

This website was developed by an actor associated with MABNA Institute to sell stolen credentials gathered throughout MABNA’s campaigns, including VPN credentials to gain access to the universities.

Trending IOCs

Indicator Type Attribution
feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede Hash DearCry
e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6 Hash DearCry
10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da Hash DearCry
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff Hash DearCry
103.77.192[.]219 IP Hafnium
104.140.114[.]110 IP Hafnium
104.250.191[.]110 IP Hafnium
108.61.246[.]56 IP Hafnium
149.28.14[.]163 IP Hafnium
157.230.221[.]198 IP Hafnium
167.99.168[.]251 IP Hafnium
185.250.151[.]72 IP Hafnium
192.81.208[.]169 IP Hafnium
203.160.69[.]66 IP Hafnium
211.56.98[.]146 IP Hafnium
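The indicators above are defanged (the “[.]” in each IP) so they cannot be clicked or resolved by accident; to compare them against proxy, firewall or EDR telemetry they first have to be refanged. The following is an added example, not Ankura’s tooling, that parses the table as printed, refangs the values, and matches them against constructed sample log lines (the log formats, internal addresses and file paths are assumed; the indicator values are the ones in the table).

```python
"""Refang the bulletin's defanged IOC table and match it against sample logs.

Added example, not Ankura's tooling. The indicator values are copied from the
"Trending IOCs" table; the log lines and the 0000... hash are constructed.
"""
import re

IOC_TABLE = """\
Indicator Type Attribution
feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede Hash DearCry
e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6 Hash DearCry
10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da Hash DearCry
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff Hash DearCry
103.77.192[.]219 IP Hafnium
104.140.114[.]110 IP Hafnium
104.250.191[.]110 IP Hafnium
108.61.246[.]56 IP Hafnium
149.28.14[.]163 IP Hafnium
157.230.221[.]198 IP Hafnium
167.99.168[.]251 IP Hafnium
185.250.151[.]72 IP Hafnium
192.81.208[.]169 IP Hafnium
203.160.69[.]66 IP Hafnium
211.56.98[.]146 IP Hafnium
"""

KNOWN_TYPES = {"hash", "ip"}


def parse_ioc_table(text):
    """Return {"hash": {value: attribution}, "ip": {value: attribution}} with
    the defanging brackets removed and hashes lower-cased for comparison."""
    iocs = {kind: {} for kind in KNOWN_TYPES}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].lower() not in KNOWN_TYPES:
            continue  # header line or anything not in the expected shape
        value, kind, attribution = parts
        value = value.replace("[.]", ".").lower()
        iocs[kind.lower()][value] = attribution
    return iocs


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def match_lines(lines, iocs):
    """Scan free-form log lines for any IPv4 address or SHA-256 that appears
    in the IOC set. Returns (line_number, type, value, attribution) tuples."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip, iocs["ip"][ip]))
        for h in SHA256_RE.findall(line):
            h = h.lower()
            if h in iocs["hash"]:
                hits.append((n, "hash", h, iocs["hash"][h]))
    return hits


# Constructed sample telemetry: one proxy hit on a Hafnium address, one EDR
# record whose hash (written upper-case, as some tools log it) is a DearCry
# sample, and two benign lines (RFC 5737 test address, all-zero hash).
DEARCRY_HASH = "e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6"
SAMPLE_LINES = [
    "2021-03-08T02:14:07Z proxy allow src=10.0.0.12 dst=104.140.114.110:443 uri=/owa/auth/",
    "2021-03-08T02:15:44Z proxy allow src=10.0.0.31 dst=192.0.2.10:443 uri=/",
    "2021-03-09T11:02:13Z edr file=C:\\Windows\\Temp\\svc.exe sha256=" + DEARCRY_HASH.upper(),
    "2021-03-09T11:05:00Z edr file=C:\\Users\\j\\x.tmp sha256=" + "0" * 64,
]


if __name__ == "__main__":
    for hit in match_lines(SAMPLE_LINES, parse_ioc_table(IOC_TABLE)):
        print(hit)
```

A hit on a Hafnium address in proxy or firewall logs from early March 2021 is a reason to run Microsoft’s Exchange IOC check on the servers behind it; a DearCry hash match in EDR telemetry means the host should be isolated before any further triage.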