The tide has turned for the Hive ransomware group. This week, the FBI and international partners shared news of a successful sting operation. Two of the group’s servers and one virtual private server were seized in what officials described as “hacking the hackers”. The FBI also revealed that it had been able to dig deep into the group’s infrastructure and gather intelligence before dismantling the operation.
Hive is one of the most prolific ransomware networks in the world and has long plagued critical infrastructure such as governments and hospitals. First discovered in July 2021, at the height of the COVID-19 pandemic, the syndicate is known for its Ransomware-as-a-Service (RaaS) model. The Hive ransomware group has extorted over $100 million from 1,500 organizations in at least 80 countries.
According to the DOJ, the month-long operation culminated last July, when the FBI secretly accessed Hive’s control panel and obtained the keys used in the double-extortion attacks and shared with the syndicate’s affiliates. No arrests have been made yet, but authorities said they were mapping the administrators, software and affiliates involved based on the seized servers. Authorities are helping recent victims regain access to their networks, saving nearly 300 organizations more than $130 million in ransom payments.
The Hive takedown is one of the first big crackdowns of 2023, with various law enforcement agencies working together to slow the ransomware epidemic. While the ransomware economy remains lucrative for attackers, these sting operations hit them where it hurts most: revenue. Officials are now offering rewards for information linking Hive to foreign governments.
The threat actor, believed to be Chinese-speaking, has enhanced its evasion using the lesser-known open-source SparkRAT and Golang malware. In this week’s analysis, SentinelLabs reports that a recent series of attacks, dubbed DragonSpark, employs unusual tactics to bypass security layers. DragonSpark attacks have so far hit organizations in China, Taiwan, Hong Kong, and Singapore.
Initial access involves compromising vulnerable, internet-exposed web and MySQL servers and dropping the “China Chopper” web shell. After gaining that foothold, the DragonSpark attackers use lateral movement techniques that combine privilege escalation and malware deployment to get deeper into the victim’s environment.
As the lateral spread progressed, the attackers used a cross-platform remote access Trojan called SparkRAT to perform a number of malicious activities, including manipulating system files, stealing information, and executing additional PowerShell commands. SparkRAT is based on Golang and can run on Windows, macOS, and Linux. All other malicious tools observed in the DragonSpark attacks are open-source tools such as SharpToken, BadPotato, and GotoHTTP.
The Golang malware ‘m6699.exe’ executes code from a Go script embedded in the malware binary. This is a technique to thwart static analysis and evade detection. The malware then opens a reverse shell and allows the attacker to initiate remote code execution (RCE).
SentinelLabs analysts hypothesize that multi-platform, feature-rich tools like SparkRAT will continue to appear in future attacks by threat actors known to favor open-source software in their campaigns.
This week, CISA, the NSA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a new warning detailing attacks against multiple Federal Civilian Executive Branch (FCEB) agencies that abused legitimate remote monitoring and management (RMM) software.
The malicious activity against many FCEB networks was carried out through callback phishing campaigns. Attackers sent spoofed help desk emails to the personal and government email addresses of federal employees. The emails contained a link to a first-stage domain and prompted the victim to call the attacker, who posed as a help desk technician.
Once the “technician” persuaded the caller to visit the domain, it triggered the download of AnyDesk and ScreenConnect (popular RMM tools used by remote workers worldwide), which connected the target to a second-stage domain and gave the attacker access to the victim’s device.
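As an added defender-side example (not code from the article or the CISA alert), the following flags the pattern just described: an AnyDesk or ScreenConnect client launched from a user-writable path such as Downloads or Temp, rather than from an administrator-managed install location. The process-creation events, their field names and the ScreenConnect binary names are constructed assumptions.

```python
# Added example, not code from the article or the CISA alert: flag RMM clients
# (AnyDesk, ScreenConnect) started from user-writable paths, which is what a
# "portable" download obtained during a phishing call looks like, as opposed
# to an administrator-deployed install. Field names and events are constructed.
import json
import re

# AnyDesk is named on the page; the ScreenConnect binary names are assumptions.
RMM_IMAGE_PATTERNS = [
    re.compile(r"(^|\\)anydesk\.exe$", re.I),
    re.compile(r"(^|\\)screenconnect\.(clientservice|windowsclient)\.exe$", re.I),
]
# Where an admin-deployed copy would normally live; anything else is suspect.
TRUSTED_DIR = re.compile(r"^c:\\program files( \(x86\))?\\", re.I)


def is_rmm_image(image: str) -> bool:
    """True if the executable path names one of the RMM client binaries."""
    return any(p.search(image) for p in RMM_IMAGE_PATTERNS)


def flag_portable_rmm(log_lines):
    """Return (host, user, image) for each RMM client run outside trusted paths."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        image = ev.get("Image", "")
        if is_rmm_image(image) and not TRUSTED_DIR.match(image):
            hits.append((ev.get("Computer"), ev.get("User"), image))
    return hits


# Constructed process-creation events (Sysmon-like field names, assumed).
SAMPLE_EVENTS = [
    r'{"Computer":"WS-01","User":"CORP\\jdoe","Image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}',
    r'{"Computer":"WS-02","User":"CORP\\asmith","Image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"}',
    r'{"Computer":"WS-01","User":"CORP\\jdoe","Image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe"}',
    r'{"Computer":"WS-03","User":"CORP\\bkim","Image":"C:\\Users\\bkim\\Downloads\\notepad.exe"}',
]

if __name__ == "__main__":
    for host, user, image in flag_portable_rmm(SAMPLE_EVENTS):
        print(f"ALERT {host} {user} launched RMM client from untrusted path: {image}")
```

Only the two user-path launches are reported; the Program Files copy and the unrelated Downloads binary are ignored.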
Weaponizing legitimate remote software continues to be attractive to attackers as an effective means of establishing local user access, all without requiring admin privileges. The joint alert published this week highlights the surge in social engineering and phishing attacks combined with the use of legitimate software for access.
This follows recent instances in which attackers hosted an online Pokémon-based NFT game and lured fans of the franchise into downloading a Remote Access Trojan (RAT) from the site. Such efforts are seen as “quick wins” for attackers because they can gain the access they need without spending time and resources developing bespoke attacks. The official CISA alert includes a list of precautions organizations can take to avoid social engineering attacks and reduce the risk of RMM software abuse.