Cybersecurity researchers from The DFIR Report’s Threat Intel Group uncovered an open directory hosted at 194.48.154.79:80, believed to be operated by an affiliate of the Fog ransomware group, which emerged in mid-2024.
This publicly accessible server revealed a sophisticated arsenal of tools and scripts tailored for reconnaissance, exploitation, credential theft, lateral movement, and persistence.
The toolkit provides a chilling insight into the operational tactics of ransomware affiliates, showcasing their ability to penetrate and compromise networks across multiple industries and geographies, including technology, education, and logistics sectors in Europe, North America, and South America, with notable targets in Italy, Greece, Brazil, and the USA.
Exploiting Active Directory and VPN Vulnerabilities
Delving deeper into the contents of this directory, the toolkit includes specialized utilities for exploiting Active Directory (AD) vulnerabilities and gaining initial access through compromised SonicWall VPN credentials.
Tools such as SonicWall Scanner, found within a ZIP file named sonic_scan.zip, automate the process of authenticating to VPN appliances using credentials from a structured data.txt file containing IP addresses, usernames, passwords, and domain names.
Once connected via SonicWall’s NetExtender utility, the script triggers Nmap scans to identify open ports, facilitating further network reconnaissance.

Additionally, the directory hosted offensive tools like Certipy, designed to abuse Active Directory Certificate Services (AD CS) by identifying and exploiting vulnerable certificate templates for high-privilege account impersonation.
The directory also contained Zer0dump, a proof-of-concept exploit for the Zerologon vulnerability (CVE-2020-1472), which targets unpatched Domain Controllers to gain Domain Admin privileges through cryptographic weaknesses in Netlogon’s AES-CFB8 implementation.
Further enhancing their attack capabilities, tools like Pachine and noPac exploit AD vulnerabilities such as CVE-2021-42278 and CVE-2021-42287 to escalate privileges by manipulating the Kerberos Privilege Attribute Certificate (PAC), enabling attackers to impersonate domain administrators.
Credential theft was facilitated by DonPAPI and Impacket’s dpapi.py, which extract Windows DPAPI-protected data like browser credentials and domain backup keys.
For persistence, a PowerShell script named any.ps1 automates the installation of AnyDesk, a remote monitoring tool, preconfiguring it with a hardcoded password for continuous remote access.
The directory also hosted Sliver C2 components for command-and-control operations, observed briefly on port 31337, alongside Proxychains for stealthy traffic routing and Powercat for creating reverse shells and tunneling data, enhancing the attackers’ ability to evade detection.
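As an added illustration for defenders (not code from the DFIR Report or the affiliate's toolkit), the following Python triage routine flags the indicators named above in process-creation and network-connection telemetry; the log line format, hostnames, user and command lines are constructed for this example.

```python
import re
from collections import namedtuple

# Indicators taken from the writeup above; log format and sample lines are constructed for this example.
C2_SERVER, C2_PORT = "194.48.154.79", 31337
TOOL_STAGES = {  # command-line fragment -> stage of the chain described in the article
    "sonic_scan": "initial access (SonicWall VPN credential reuse)",
    "netextender": "initial access (SonicWall VPN credential reuse)",
    "certipy": "AD CS template abuse (privilege escalation)",
    "zer0dump": "Zerologon CVE-2020-1472 (privilege escalation)",
    "nopac": "noPac CVE-2021-42278/42287 (privilege escalation)",
    "pachine": "noPac CVE-2021-42278/42287 (privilege escalation)",
    "donpapi": "DPAPI credential theft",
    "dpapi.py": "DPAPI credential theft",
    "any.ps1": "persistence (scripted AnyDesk install)",
    "powercat": "reverse shell / tunneling",
    "proxychains": "proxied traffic routing",
}
Alert = namedtuple("Alert", "line_no stage evidence")
# Assumed line shapes: "<ts> PROC host=<h> user=<u> cmd=<cmdline>" and "<ts> NET host=<h> dst=<ip>:<port>"
_PROC = re.compile(r"^\S+ PROC host=\S+ user=\S+ cmd=(?P<cmd>.*)$")
_NET = re.compile(r"^\S+ NET host=\S+ dst=(?P<ip>[\d.]+):(?P<port>\d+)$")

def scan_log(lines):
    """Return one Alert per log line that names a tool from the toolkit or contacts the C2 endpoint."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = _PROC.match(line)
        if m:
            cmd = m.group("cmd").lower()
            for frag, stage in TOOL_STAGES.items():
                if frag in cmd:
                    alerts.append(Alert(n, stage, frag))
                    break  # one alert per process event
            continue
        m = _NET.match(line)
        if m and (m.group("ip") == C2_SERVER or int(m.group("port")) == C2_PORT):
            alerts.append(Alert(n, "possible Sliver C2 beacon", m.group("ip") + ":" + m.group("port")))
    return alerts

# Constructed sample telemetry (hostnames, user and command lines are invented).
SAMPLE_LOG = [
    "2025-05-01T10:00:01Z PROC host=ws01 user=corp\\jdoe cmd=powershell.exe -ep bypass -f C:\\Temp\\any.ps1",
    "2025-05-01T10:00:05Z NET host=ws01 dst=10.0.0.5:445",
    "2025-05-01T10:01:10Z PROC host=ws01 user=corp\\jdoe cmd=python.exe certipy find -u jdoe@corp.local -vulnerable",
    "2025-05-01T10:02:00Z NET host=ws01 dst=194.48.154.79:31337",
    "2025-05-01T10:03:00Z PROC host=ws01 user=corp\\jdoe cmd=notepad.exe C:\\Temp\\notes.txt",
]
```

Running `scan_log(SAMPLE_LOG)` flags lines 1, 3 and 4 (AnyDesk persistence script, Certipy enumeration, and the beacon to the open-directory host on port 31337) and leaves the SMB connection and Notepad launch alone.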

According to the DFIR Report, this exposure not only highlights the technical prowess of Fog ransomware affiliates but also underscores the urgent need for robust endpoint security and patch management to counter such advanced threats.
The presence of victim data in the directory, correlating with entries on Fog’s Dedicated Leak Site (DLS), reinforces the real-world impact on organizations like ouroverde.net.br and others across diverse sectors.
As cyber threats evolve, this incident serves as a critical reminder for enterprises to fortify their Active Directory environments and VPN infrastructures against exploitation, while staying vigilant for indicators of compromise linked to ransomware operations.