Hades Ransomware Linked to Hafnium and Exchange Attacks
#1
Quote: Security experts have linked the Hades ransomware operation to the Hafnium state-backed group that was behind early attacks on Microsoft Exchange servers.

The ransomware crew was responsible for attacks on trucking giant Forward Air and a handful of others. It has been linked to infamous Russian cybercrime operation Evil Corp (Indrik Spider), as a new variant of its WastedLocker ransomware, designed to help the group escape sanctions that would discourage victims from paying up.

However, a new report from Awake Security claims to have found a domain used for command-and-control in a Hades attack in December 2020, just before the zero-day Exchange server attacks were discovered.

“Our team was pulled in after the compromise and encryption to review the situation and in this one case a Hafnium domain was identified as an indicator of compromise within the timeline of the Hades attack,” explained Awake Security VP, Jason Bevis.

“Moreover, this domain was associated with an Exchange server and was being used for command-and-control in the days leading up to the encryption event.”

He claimed there are two possibilities: an advanced threat actor is operating under the guise of Hades, or multiple independent groups coincidentally compromised the same environment, due to poor security.

Other findings mark Hades out as an unusual ransomware group. Very few victims have been identified, and most seem to come from manufacturing sectors.

Bevis also noted “very little sophistication” in the leak sites set up by the group, with its Twitter account, a page on Hackforums, and Pastebin and Hastebin pages all subsequently removed.

“As incident responders know it is common for ransomware actors to set up leak sites for their data, but what was interesting about Hades is that they used methods for both their leaks and their drop sites that would likely be taken down within a very short time,” he argued.

“We know the actor requested amounts in the range of $5 to $10m of ransom and was very slow to respond to some individuals. In some cases, they may not have responded at all. In fact, one Twitter user even claimed ‘TA never responds.’ If there were only a few organizations attacked, why would it take so long to respond to requests for ransom? Was there another potential motive here? Why haven’t we seen Hades since?”

Bevis also noted that the data leaked on the sites is far less impactful than the information the group has actually stolen, which relates to detailed manufacturing processes.

The report also pointed to remnants of activity from the TimosaraHackerTerm (THT) ransomware group in some Hades victim environments a few weeks prior to the latter’s attacks. These include use of BitLocker or BestCrypt for encryption, connection to a Romanian IP address, and use of VSS Admin to clear shadow copies of the local machine.


Source
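The quoted report names two pre-encryption behaviours worth hunting for in process-creation telemetry: shadow copies cleared with vssadmin, and BitLocker used as the encryption tool. The example below is added here and is not from the article or the Awake report; it runs a couple of detection rules over a constructed, pipe-delimited sample of Windows process-creation records (host, user, image, command line) and flags hosts where shadow-copy deletion is followed by BitLocker being turned on via the real `manage-bde -on` command.

```python
"""Flag shadow-copy deletion and BitLocker enablement in process-creation logs."""
import re

# Constructed sample records in the form "host|user|image|command_line",
# mimicking Sysmon Event ID 1 / Security 4688 fields. Not real telemetry.
SAMPLE_LOG = """\
host1|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
host2|CORP\\admin|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet
host2|CORP\\admin|C:\\Windows\\System32\\manage-bde.exe|manage-bde -on D: -RecoveryPassword
host3|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\jdoe\\notes.txt
host4|CORP\\admin|C:\\Windows\\System32\\cmd.exe|cmd.exe /c "vssadmin.exe Delete Shadows /For=C: /Quiet"
"""

# Each rule is (tag, case-insensitive pattern over the command line).
# "vssadmin list shadows" is deliberately not matched: listing is routine, deleting is not.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("bitlocker_enable", re.compile(r"manage-bde(?:\.exe)?\s+[-/]on\b", re.I)),
]

def classify(command_line):
    """Return the first matching rule tag for a command line, or None if benign."""
    for tag, pattern in RULES:
        if pattern.search(command_line):
            return tag
    return None

def scan(log_text):
    """Parse the sample records and return (host, user, tag) for every hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, user, _image, cmd = line.split("|", 3)
        tag = classify(cmd)
        if tag:
            hits.append((host, user, tag))
    return hits

def hosts_with_pre_encryption_pattern(hits):
    """Hosts where shadow copies were deleted AND BitLocker was enabled: the
    combination the report describes, which should page a responder."""
    by_host = {}
    for host, _user, tag in hits:
        by_host.setdefault(host, set()).add(tag)
    wanted = {"shadow_copy_deletion", "bitlocker_enable"}
    return sorted(h for h, tags in by_host.items() if wanted <= tags)

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("pre-encryption pattern on:", hosts_with_pre_encryption_pattern(found))
```

A single vssadmin deletion on its own (host4 above) is still worth an alert; the combined pattern is just the higher-confidence tier.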