The initial access broker (IAB) operation behind the credential-harvesting FortiBleed campaign is working in concert with ransomware actors, indicating the victims of the massive operation are now facing an even greater threat.

Research published by SOCRadar this week connects FortiBleed actors with two ransomware-as-a-service (RaaS) gangs, Inc Ransom and Lynx. SOCRadar researchers discovered an operator behind the campaign’s infrastructure that was actively logged into the ransom negotiation panels for both groups, and “engaging directly with ransom demands.”

“Finding a single operator working both panels, using infrastructure traceable back to FortiBleed, is the clearest evidence yet that FortiGate credentials harvested through this campaign are being handed off, or used directly, for ransomware deployment,” according to the SOCRadar blog post.

The connection to ransomware gangs marks the latest development in this saga. The attacks against insecure Fortinet FortiGate firewalls were initially discovered last month by security consultant Volodymyr “Bob” Diachenko. SOCRadar later found that the attacks were part of a global campaign it dubbed “FortiBleed,” which had compromised thousands of devices and used a Golang-based sniffer to turn firewalls into credential stealers.


The initial-access campaign targeted 430,000 FortiGate devices across the globe. SOCRadar said the FortiBleed sniffer is currently installed on approximately 12,000 FortiGate firewalls, though previous research indicated the IAB had credentials for more than 30,000 devices.

Ransomware Attacks Next Up for FortiBleed Victims?

SOCRadar’s findings stemmed from an “operational security lapse” in the FortiBleed campaign’s infrastructure, which allowed researchers to gain access to the IAB operation’s internal files, logs, and operational documentation. In addition to the FortiBleed operator’s activity, SOCRadar’s Threat Research Unit (STRU) found an Inc-linked open directory that contained datasets with overlapping victims. 

The STRU also discovered an internal tracking document that contained the campaign’s list of FortiGate targets, including data about which credentials were used, which networks were accessed, and whether ransomware was deployed.

The STRU found that threat actors had achieved admin-level access on 409 targets. “On 354 of those, the actor completed the full attack chain: VPN compromise, access to the domain controller, and domain admin,” according to the vendor. “STRU has confirmed at least 12 ransomware deployments stemming from this access, with hundreds of endpoints encrypted across affected organizations.”


SOCRadar chief information security officer (CISO) Ensar Seker tells Dark Reading that while the company has not yet seen widespread ransomware deployment directly tied to FortiBleed attacks, “access to perimeter security devices can create a clear pathway for ransomware groups, so organizations should treat exposure as a serious pre-ransomware intrusion risk.”

To date, he says, most of the activity SOCRadar has observed is “more consistent with credential theft, victim profiling, access brokering, and data theft-extortion risk.” SOCRadar’s current assessment is that the IAB group is separate from the Inc and Lynx RaaS gangs, which are likely paying for the access.

“The evidence points to an access-supply layer where compromised Fortinet environments and related victim data are being collected, validated, and potentially monetized or passed downstream,” he says, with Inc and Lynx acting as the downstream users of that access and data rather than the initial actors behind the compromised devices.

Actors Exploit Possible Nextcloud Zero-Day Bug

SOCRadar’s research also noted that the FortiBleed IAB group, which is so far unnamed but is known to be a structured operation of around 20 people with a small group of core operators, has more up its sleeve besides credential harvesting — namely, “at least one” zero-day vulnerability, according to the report.


The zero-day was not named in the report, but in emails to media outlets SOCRadar confirmed that the affected vendor is Nextcloud, and that threat actors tied to FortiBleed were actively exploiting the bug to expand their access.

Dark Reading contacted Nextcloud for comment. Christoph Weissthaner, senior communications manager at Nextcloud, says the company has not been contacted by SOCRadar. “We run a public bounty program and have not yet received a report of such a kind. When learning about potential issues, we will fix them ASAP,” Weissthaner says.

Seker says the STRU assesses the Nextcloud zero-day activity is associated with the “access-brokering/intrusion phase” of FortiBleed rather than the Inc and Lynx attacks: “In other words, the exploitation appears to support initial compromise or access expansion, while the ransomware brands may represent possible downstream monetization channels.”

SOCRadar said it will continue investigating the activity to validate attribution and will present further analysis in a forthcoming white paper.
