Navigating Through The Fog

A recently discovered open directory linked to the Fog ransomware group contained various tools and scripts used for cyber intrusions. Initial access was gained through compromised SonicWall VPN credentials, and lateral movement was facilitated by several offensive tools. Persistence on the compromised systems was maintained using AnyDesk. The affected industries include technology, education, and logistics, spanning North and South America as well as Europe.

Affected: Fog ransomware, technology sector, education sector, logistics sector

Key points:

  • An open directory related to the Fog ransomware group was discovered in December 2024.
  • It contained tools for reconnaissance, exploitation, lateral movement, and persistence.
  • Initial access was achieved using compromised SonicWall VPN credentials.
  • AnyDesk was used for persistence, automated through a PowerShell script.
  • Victims were identified in technology, education, and logistics sectors across multiple regions.
  • The directory also hosted Sliver command-and-control operations and other offensive tools.

MITRE Techniques:

  • Initial Access (T1078): The threat actor leveraged valid accounts obtained from compromised SonicWall VPN credentials.
  • Lateral Movement (T1021): Remote services, such as SMB/Windows Admin Shares, were utilized.
  • Persistence (T1543): AnyDesk’s installation was automated via PowerShell to maintain persistent access.
  • Credential Access (T1003): Tools such as DonPAPI were used to retrieve DPAPI-protected credentials and other saved credentials.
  • Privilege Escalation (T1068): Exploitation of CVE-2020-1472 with Zer0dump enabled privilege escalation.
  • Command and Control (T1071): Proxychains and Sliver were used for command-and-control communications, routing traffic to evade detection.

Indicators of Compromise:

  • [IP Address] 194.48.154.79
  • [Domain] ouroverde.net.br
  • [File] sonic_scan.zip
  • [File] AnyDesk.exe
  • [File] Certipy.zip

Full Story: https://thedfirreport.com/2025/04/28/navigating-through-the-fog/