Category: Adversary IntelligenceIndustry: BFSIRegion: AsiaMotivation: FinancialTLP: AMBERExecutive SummaryCloudSEK's threat research team is closely monitoring a significant ransomware attack that has disrupted India's banking ecosystem, impacting banks and payment providers. This report aims to dissect the attack chain, uncover adversary tactics, and offer actionable insights for organizations to enhance their security posture. As the situation is still unfolding, this report will provide ongoing updates and recommendations to address the evolving threat landscape.The impacted entity in this case is Brontoo Technology Solutions, a key collaborator with C-EDGE, a joint venture between TCS and SBI. This report aims to explore the broader implications of this attack on the ecosystem.Understanding the Potential Attack ChainAccording to the report filed by Brontoo Technology Solutions with CertIn(Indian Computer Emergency Response Team) it was mentioned that the attack chain started at a misconfigured jenkins server. CloudSEK threat research team was able to identify the affected jenkins server and subsequently the attack chain.In the recent history we have published extensively on the exploitation of Jenkins using a local file inclusion vulnerability, read about the case study here and the complete exploit chain hereScreenshot of shodan identifying the said vulnerability in the targeted serverVulnerability: CVE-2024-23897: The Jenkins instance used by Brontoo Technology was affected by the same LFI CVE which can be leveraged to read internal code or in this case as port 22 was open, get secure shell access by reading the private keys.A primary part of the ransomware world is the Initial Access Brokerage, we suspect(with low confidence) looking at the history and recent attack chains exploited, this access could have been sold by IntelBroker(A threat actor/Moderator from breachforums) to RansomEXX group for further exploitation.This flowchart shows the attack path of compromising the Jenkins server using said vulnerabilityAnalysis and AttributionThrough our investigation and leveraging sensitive sources, we have confirmed that the ransomware group responsible for this attack is RansomEXX. This determination was facilitated by our extensive engagement with the affected banking sector in IndiaRansomEXX v2.0 is a sophisticated variant of the RansomEXX ransomware, known for targeting large organizations and demanding significant ransom payments. This group operates as part of a broader trend where ransomware developers continuously evolve their malware to bypass security defenses and maximize their impact. Below is a detailed analysis of the RansomEXX v2.0 ransomware group:1. Background and EvolutionInitial Emergence: RansomEXX, initially known as Defray777, first appeared in 2018. It was rebranded to RansomEXX in 2020.Evolution to v2.0: The v2.0 variant emerged as a response to the increasing effectiveness of defensive measures. This evolution indicates enhancements in encryption techniques, evasion tactics, and payload delivery methods.2. Infection Vectors and TacticsInitial Access: Common vectors include phishing emails, exploiting vulnerabilities in remote desktop protocols (RDP), and leveraging weaknesses in VPNs and other remote access services.Lateral Movement: After initial access, the group employs tools like Cobalt Strike, Mimikatz, and other legitimate administrative tools to move laterally within a network.Privilege Escalation: Utilizing known exploits and credential theft to gain higher privileges within the compromised environment.(Please look at the Appendix for complete table)3. Payload and EncryptionEncryption Algorithm: RansomEXX v2.0 uses strong encryption algorithms, such as RSA-2048 and AES-256, making file recovery without the decryption key virtually impossible.File Encryption: Targets critical files and backups, rendering them inaccessible. The group often exfiltrated data before encryption to use it as leverage (double extortion).4. Ransom Demands and NegotiationRansom Notes: Victims receive detailed ransom notes with instructions for payment, typically in Bitcoin or other cryptocurrencies.Negotiation Tactics: RansomEXX is known to engage in negotiations, sometimes lowering ransom demands based on the victim's response and perceived ability to pay.5. Notable IncidentsHigh-Profile Attacks: RansomEXX has targeted a range of high-profile organizations across various sectors, including government agencies, healthcare providers, and multinational corporations.Impact and Response: The attacks have resulted in significant operational disruptions, data breaches, and financial losses. Many victims have resorted to paying the ransom to restore operations quickly.6. Recent DevelopmentsAdaptive Techniques: RansomEXX v2.0 continues to evolve, incorporating new techniques to bypass security measures. Recent reports indicate the use of stolen digital certificates to sign malware, increasing trust and reducing detection rates.Collaboration with Other Threat Actors: There is evidence of collaboration with other cybercriminal groups, sharing tools, techniques, and infrastructure.Attack HistoryWhile analyzing the attack history we found the following information:1. Region Wise distribution: The Ransomware group has majorly been active in Europe, Asia and America region. They target continents and regions with maximum chance of payoutPie Chart showing region wise distribution of attacks2. Sector wise distribution: We can see that the most targeted industries are Government followed by Technology then Manufacturing, Telecom as well as Healthcare.All of these industries are business critical and have the maximum chance of a payout or reputation upliftmentPie chart showing the distribution of sector wise attacks3. Timeline of attacks: Since the ransomware group has been rebranded they have had a total of 58 victims, following timeline represents the number of attacks per year:4. Some Notable hacks: As mentioned above RansomEXX is known to target High value organizations, following are some of the notable organizations they have attacked.Telecommunications Services of Trinidad and TobagoMinistry of Defense of PeruKenya AirwaysFerrariViva AirLITEONLarger Impact and Current Situation AnalysisThis attack highlights a significant vulnerability within our current systems and threat modeling practices. Large organizations with substantial security budgets are more challenging to breach, prompting attackers to exploit the path of least resistance. Consequently, supply chain attacks have become increasingly prevalent. The key takeaway from this report is not only that the primary organization should maintain an updated Jenkins server, but all critical vendors must also ensure their Jenkins servers are consistently up to date.This situation is still evolving, with negotiations ongoing with the ransomware group, and the data has yet to be published on their PR website.The ransomware group has a history of making extravagant ransom demands, and we anticipate a similar approach in this case.These groups are meticulous in assessing the victim's payment capabilities and the nature of the encrypted data, which they use as leverage.Threat Actor Activity and RatingThreat Actor ProfilingActive since: Original group(Defray777) active since 2018PR website: hxxp[:]//rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onionCurrent Status: Active and a sudden surge in activityHistory: Targets High value organizationsReferences*Intelligence source and information reliability - Wikipedia#Traffic Light Protocol - Wikipediahttps://www.cloudsek.com/blog/born-group-supply-chain-breach-in-depth-analysis-of-intelbrokers-jenkins-exploitationhttps://www.cloudsek.com/blog/xposing-the-exploitation-how-cve-2024-23897-led-to-the-compromise-of-github-repos-via-jenkins-lfi-vulnerabilityAppendixMITRE framework mapped to TTPs Initial Access-Phishing: Spear Phishing Attachment (T1566.001): Attackers use targeted phishing emails with malicious attachments.- Exploit Public-Facing Application (T1190): Exploiting vulnerabilities in public-facing applications.- Valid Accounts (T1078): Using stolen or brute-forced credentials.Execution- Command and Scripting Interpreter: PowerShell (T1059.001): Utilizing PowerShell scripts to execute malicious commands.- Command and Scripting Interpreter: Windows Command Shell (T1059.003): Using the command prompt to execute malicious commands.- System Services: Service Execution (T1569.002): Using Windows services to execute the ransomware payload.Persistence- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): Modifying registry keys or adding files to the startup folder.- Create or Modify System Process: Windows Service (T1543.003): Creating or modifying Windows services for persistence.Privilege Escalation- Exploitation for Privilege Escalation (T1068): mExploiting vulnerabilities to escalate privileges.- Valid Accounts: Local Accounts (T1078.003): Using local administrator accounts.Defense Evasion- Obfuscated Files or Information (T1027): Using obfuscation techniques to avoid detection.- Deobfuscate/Decode Files or Information (T1140): Decrypting or decoding files to execute payloads.- Disabling Security Tools (T1562.001): Disabling antivirus and other security tools.Credential Access- OS Credential Dumping: LSASS Memory (T1003.001): Dumping credentials from the LSASS process.- OS Credential Dumping: NTDS (T1003.003): Dumping Active Directory credentials.Discovery- Network Service Discovery (T1046): Enumerating network services.- System Information Discovery (T1082): Gathering information about the OS and hardware.- Process Discovery (T1057): Enumerating running processes.Lateral Movement- Remote Services: Remote Desktop Protocol (T1021.001): Using RDP to move laterally within the network.- Remote Services: SMB/Windows Admin Shares (T1021.002): Using SMB shares to move laterally and deploy ransomware payloads.Collection- Data from Local System (T1005): Collecting data from the local system.- Data Staged: Local Data Staging (T1074.001): Staging collected data locally before encryption or exfiltration.Exfiltration- Exfiltration Over C2 Channel (T1041): Exfiltrating data over an established command and control (C2) channel.- Exfiltration Over Web Service (T1567.002): Using web services to exfiltrate data.Impact- Data Encrypted for Impact (T1486): Encrypting files on the victim’s system.- Service Stop (T1489): Stopping services to facilitate encryption and hinder recovery efforts.- Inhibit System Recovery (T1490): Deleting or disabling backup and recovery systems.Indicators Of Compromise: SHA25662e9d5b3b4d5654d6ec4ffdcd7a64dfe5372e209b306d07c6c7d8a883e01bead6962e408aa7cb3ce053f569415a8e168a4fb3ed6b61283c468f6ee5bbea75452981e6f2584f5a4efa325babadcb0845528e8147f3e508c2a1d60ada65f87ce3c98266835a238797f34d1a252e6af0f029c7823af757df10609f534c4f987e70fad635630ac208406cd28899313bef5d4e57dba163018dfb8924de90288e8bab3b6ed0a10e1808012902c1a911cf1e1b6aa4ad1965e535aebcb95643ef231e214b89742731932a116bd973e61628bbe4f5d7d92b53df3402e404f63003bac5104d931fe8da243e359e9e14f529eafe590b8c2dd1e76ca1ad833dd0f927648f88bec2a22d92dd78e37a6705c8116251fabdae2afecb358b32be32da58008115f77f9c6dca22e336cf71ce4be540905b34b5a63a7d02eb9bbd8a40fc83e37154c2209c99e37121722dd45a2c19ff248ecfe2b9f1e082381cc73446e0f4f82e0c4684cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd6601045878147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13dcb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849259670303d1951b6b11491ddf8b76cad804d7a65525eac08a5b6b4473b42818b48301f37e92a9d5aa29710bda4eee034dd888a3edd79e2f74990300ffd8eb3b648460c9633d06cad3e3b41c87de04177d129906610c5bbdebc7507a211100e984b8103cd9fbb0efb472cbf39715becacf098f7ee44bf98f6672278e4e741542b5c3569c166654eed781b9a2a563adec8e2047078fdcbafcdef712fabf2dd3f575ccf8c6bf9c39ccb54c5ebabd596a1335da522d70985840036e50e3c87079ab4335d1c6a758fcce38d0341179e056a471ca84e8a5a9c9d6bf24b2fb85de651a5452c219223549349f3b2c4fe25dfef583900f8dac7d652a4402cf003bf5ecf46URLshxxp://iq3ahijcfeont3xx.sm4i8smr3f43.comhxxps://iq3ahijcfeont3xx.tor2web.blutmagie.dehxxp://iq3ahijcfeont3xx.fenaow48fn42.comhxxp://iq3ahijcfeont3xx.sm4i8smr3f43.com