
Ransomware Gang Hacks Cisco

The Yanluowang ransomware organization broke into Cisco's business network in late May and stole internal data, the company said in a statement.

Hackers compromised a Cisco employee's credentials after taking over a personal Google account into which credentials saved in the victim's browser were being synced, according to an investigation by Cisco Security Incident Response (CSIRT) and Cisco Talos.

Cisco says the attacker targeted one of its employees and succeeded only in stealing files from a Box folder linked to that employee's account, along with employee authentication information from Active Directory. According to the company, the data kept in the Box folder was not sensitive.

The Yanluowang threat actors hijacked a Cisco employee's personal Google account, which contained credentials synchronized from their browser, and used those credentials to enter Cisco's network.

Through MFA fatigue and a series of sophisticated voice phishing attacks in which the Yanluowang gang posed as trusted support organizations, the attacker persuaded the Cisco employee to accept multi-factor authentication (MFA) push notifications.

Cisco has linked the attack to an initial access broker with ties to Lapsus$, the gang that attacked several major corporations before its alleged members were apprehended by law enforcement, as well as threat actor UNC2447, a group with ties to Russia known for using the ransomware FiveHands and HelloKitty. The Yanluowang ransomware group has also been connected to the initial access broker.

The Yanluowang ransomware group has in fact claimed responsibility for the attack, saying it stole about 3,000 files totaling 2.8 GB. Judging by the file names the hackers have disclosed, they may have stolen NDAs, source code, VPN clients, and other data.

The attack did not involve file-encrypting ransomware. After being evicted from Cisco's systems, the hackers did email Cisco executives, but the message contained no explicit threats or ransom demands.

Ransomware Threat Actors on the Rise in US, Target Big Organizations

A threat actor previously linked to the Thieflock ransomware campaign may now be using the emerging Yanluowang ransomware in a string of attacks against U.S. organizations. Researchers at Symantec, a division of Broadcom Software, found links between Yanluowang and Thieflock; details of Yanluowang were first revealed in October, after the researchers found it used against a large firm. They believe the actor has been using the ransomware to attack financial organizations in the U.S., and has also compromised firms in the manufacturing, engineering, consultancy, and IT services sectors with it.

The researchers noted a probable link between the new Yanluowang attacks and earlier attacks involving Thieflock, a ransomware-as-a-service (RaaS) offering built by the Canthroid group, also known as Fivehands. This illustrates how little loyalty there is among ransomware users, especially those who work as affiliates of RaaS operations. As ThreatPost reported, "Data-capture tools are also part of the attack vector, including a screen capture tool and a file exfiltration tool (filegrab.exe), as well as Cobalt Strike Beacon, which researchers saw deployed against at least one target."

Ransomware developers pivot constantly, switching business based on the profit margins offered by ransomware threat actors; there is no loyalty in the business, says Vikram Thakur, chief research manager at Symantec. The researchers have summarized some of the tools used in the Yanluowang attacks, a few of which share commonalities with the Thieflock attacks, which may suggest that the actor behind them is experienced in deploying Thieflock. "In most scenarios, attackers use PowerShell to download tools to compromised systems, including BazarLoader, which assists in reconnaissance of a system before attacks occur. The attackers then enable RDP via registry to enable remote access, deploying the legitimate remote access tool ConnectWise, formerly known as ScreenConnect, once they’ve gained this access," said ThreatPost.

Yanluowang Ransomware Deployed in Latest Attacks

Yanluowang, named after Yanluo Wang, one of the ten Chinese rulers of hell, is a newly discovered ransomware strain that has been identified in an attack on a high-profile company.

The Yanluowang ransomware was detected during an incident at an undisclosed large organization, after investigators noticed unusual activity involving the legitimate AdFind command-line Active Directory query tool. Malicious actors frequently use AdFind for reconnaissance, such as gathering the information needed to move laterally across their victims' networks.

The new strain was found by Symantec's Threat Hunter Team (Symantec is part of Broadcom), and at first glance it stands out for its unusual name, derived from that of a Chinese deity, Yanluo Wang, who in Chinese mythology is the god of death and ruler of the Fifth Court of Diyu (Diyu being the Chinese hell). The name appears to be connected to the extension the ransomware uses for the files it encrypts on affected computers.

Within days of investigators finding the suspicious AdFind activity, the attackers attempted to distribute their ransomware payloads across the compromised organization's network. Before deploying the ransomware on compromised computers, the threat actors ran a malicious precursor tool that does the following: it creates a .txt file with the number of remote computers to be checked, as specified on the command line; it uses Windows Management Instrumentation (WMI) to obtain a list of the processes running on each remote computer named in that .txt file; and finally it logs all of the process names and remote machine names to processes.txt.

Once the precursor tool has run, the ransomware stops any hypervisor virtual machines, terminates the processes harvested by the precursor tool (including SQL and Veeam), and encrypts files, appending the ".yanluowang" extension.
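The MFA push-bombing described in the Cisco post and the precursor tool's remote process enumeration described above both produce a burst of similar events from a single actor within a short time window. The following detector is an added example, not code from the original posts or from Cisco or Symantec; it flags both patterns over constructed sample log lines, and the log format, field names, thresholds and window sizes are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample logs (not Cisco's or Symantec's telemetry).
MFA_LOG = """\
2022-05-24 08:00:01 user=jdoe push=denied
2022-05-24 08:00:35 user=jdoe push=denied
2022-05-24 08:01:10 user=jdoe push=denied
2022-05-24 08:01:48 user=jdoe push=denied
2022-05-24 08:02:20 user=jdoe push=denied
2022-05-24 08:05:00 user=asmith push=approved"""
WMI_LOG = """\
2022-05-26 21:10:00 src=WS-17 dst=SRV-01 class=Win32_Process
2022-05-26 21:10:04 src=WS-17 dst=SRV-02 class=Win32_Process
2022-05-26 21:10:09 src=WS-17 dst=SRV-03 class=Win32_Process
2022-05-26 21:10:13 src=WS-17 dst=SRV-04 class=Win32_Process
2022-05-26 21:10:18 src=WS-17 dst=SRV-05 class=Win32_Process
2022-05-26 21:30:00 src=ADMIN-02 dst=SRV-01 class=Win32_Process"""

def parse_line(line):
    """'YYYY-mm-dd HH:MM:SS k=v k=v ...' -> (datetime, {k: v})."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return ts, dict(f.split("=", 1) for f in line[20:].split())

def burst_keys(events, window, threshold):
    """events: (ts, key, value). Return {key: n} for keys with >= threshold distinct values in any sliding window."""
    by_key = defaultdict(list)
    for ts, key, value in events:
        by_key[key].append((ts, value))
    flagged = {}
    for key, items in by_key.items():
        items.sort()                      # logs may arrive out of order
        recent = deque()
        for ts, value in items:
            recent.append((ts, value))
            while ts - recent[0][0] > window:   # drop events older than the window
                recent.popleft()
            n = len({v for _, v in recent})
            if n >= threshold:
                flagged[key] = max(n, flagged.get(key, 0))
    return flagged

def mfa_fatigue_alerts(log, window=timedelta(minutes=5), threshold=4):
    """Users who denied >= threshold pushes in one window: a push-bombing signal."""
    ev = [(ts, f["user"], ts) for ts, f in map(parse_line, log.splitlines())
          if f["push"] == "denied"]  # each denial is its own distinct value
    return burst_keys(ev, window, threshold)

def wmi_fanout_alerts(log, window=timedelta(minutes=10), threshold=5):
    """Hosts enumerating Win32_Process on >= threshold distinct remote hosts."""
    ev = [(ts, f["src"], f["dst"]) for ts, f in map(parse_line, log.splitlines())
          if f["class"] == "Win32_Process"]
    return burst_keys(ev, window, threshold)
```

In production the same windowed check would run over the identity provider's push-result log and over WMI remote-query telemetry (for example Windows event logs forwarded to a SIEM), with thresholds tuned to the environment's baseline.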

On the compromised machine, the Yanluowang gang typically leaves a README.txt ransom note warning victims not to contact law enforcement or ransomware negotiation firms.

Violating the attackers' rules, they warn, will lead to distributed denial-of-service (DDoS) attacks against the victim and to the attackers contacting the victim's employees and business partners. They also threaten to repeat the attack in a few weeks and to delete the victim's data, a typical tactic used to coerce victims into paying the ransom.