Securin’s quarterly report on ransomware metrics reveals that three new APT groups are using ransomware to mount attacks on their targets, bringing the total number of APT groups using ransomware to 43.
Securin’s quarterly report recently recorded a 7.6% spike in vulnerabilities tied to ransomware, increasing the total number of vulnerabilities from 288 to 310. Quarter 1 of 2022 also saw an increase in the number of APT groups from 40 to 43. In this blog, we will explore in detail the threat posed by APT groups and how using ransomware in their arsenal has made them the most dangerous adversary for critical organizations around the world.
Active APT Groups Operating from Specific Regions
New APT Groups Using Ransomware
The newly identified APT groups using ransomware to target their victims in Q1 2022 are DEV-0401 (China), APT35 (Iran), and Exotic Lily.
APT35
APT35 is an Iranian government-sponsored threat actor group. The group is known for targeting Middle Eastern countries, the United States, and industries such as finance, medical research, energy, chemicals, and telecommunications to collect strategic intelligence.
| APT35 | |
|---|---|
| Vulnerabilities Used | CVE-2021-44228 (Apache Log4j) + 15 other vulnerabilities |
| Ransomware Deployed | Memento |
| Payloads Used | CharmPower backdoor |
| Other Malware Deployed | MANGOPUNCH, DRUBOT, ASPXSHELLSV, PUPYRAT, TUNNA, BROKEYOLK, and HOUSEBLEND |
| Operative Since | 2013 |
| Aliases | Ajax Security Team, NewsBeef, Phosphorus, TA453, and Newscaster |
Previous Attacks
APT35 deployed credential-stealing malware against oncology, genetic, and neurology research organizations in the United States and Israel, targeting senior medical professionals and their research data. Spear phishing and custom malware are among the tactics the group uses against victims. The group also tried to disrupt campaigns in the 2020 US presidential election by sending spear-phishing messages to campaign officials, although it did not cause much damage. APT35 is known to conduct mass exploitation attacks using the Microsoft Exchange Server vulnerability on its target networks.
Exotic Lily
The Exotic Lily APT group uses CVE-2021-40444 to target its victims and is tied to Conti ransomware. This group acts as an Internet Access Broker (IAB), i.e., it steals credentials from organizations and sells them to the highest bidder. It was discovered by the Google Threat Analysis Group. So far, the techniques the group has used involve email campaigns and file-sharing software.
| Exotic Lily | |
|---|---|
| Vulnerabilities Used | Microsoft Windows MSHTML platform (CVE-2021-40444) |
| Ransomware Deployed | Conti and Diavol |
| Payloads Used | BazarBackdoor payloads and Bumblebee |
| Associated APT Groups | Wizard Spider |
| Operative Since | September 2021 |
Previous Attacks
Exotic Lily first started exploiting the Microsoft MSHTML zero-day (CVE-2021-40444) in September 2021. The group then began to actively impersonate employees of real companies and delivered malware payloads that collect system details such as the OS version, username, and domain name, which are then exfiltrated in JSON format to a C2 server. The group has been targeting specific industries such as IT, cybersecurity, and healthcare.
DEV-0401
DEV-0401, a Chinese ransomware attack group, also actively exploited the Log4j vulnerability (CVE-2021-44228) and installed the Night Sky ransomware on vulnerable internet-facing servers for extortion.
| DEV-0401 | |
|---|---|
| Vulnerabilities Used | CVE-2021-26084, CVE-2021-34473, CVE-2021-44228 |
| Ransomware Deployed | Night Sky, LockFile, AtomSilo, Rook, and Khonsari |
| Operative Since | December 2021 |
Previous Attacks
DEV-0401 has previously deployed multiple ransomware families, including LockFile, AtomSilo, and Rook, and has similarly exploited internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473). The group has used command-and-control (C2) servers that spoof legitimate domains.
Although some APT groups are state-sponsored, they have not shied away from targeting organizations in the private sector. Today, APT groups are more organized, even adopting 9-to-5 working hours, providing employee benefits, and exploiting multiple vulnerabilities. Organizations, private or public, need to be vigilant and deploy adequate measures to ensure that these groups do not take advantage of them.
We have analyzed the latest vulnerabilities, threats, and techniques used by ransomware groups and compiled a detailed ransomware report. Securin offers a Ransomware Attack Surface Assessment to detect vulnerabilities exposed to ransomware attacks. You can also check out our other services and contact us if you want to build a strong defense for your network architecture.