Ransomware Attack Against U.S. Public Housing Authority Linked to Previous Attacks

SecurityScorecard’s STRIKE Team investigates a ransomware incident affecting a major U.S. city housing authority and concludes with moderate confidence that the event involved ransomware, despite past false claims by LockBit. The analysis ties activity to a known vulnerability (Follina), remote-access tools, and data-exfiltration indicators, suggesting the attackers may have accessed systems and stolen data before deployment. #LockBit #SickKids #Follina #Ramnit #Hupigon #Qbot #LogMeIn

Key Points

  • LockBit claimed responsibility for a ransomware attack on a major U.S. city housing authority; the authority reports disruption but few details.
  • SecurityScorecard STRIKE Team assesses with moderate confidence that the incident was ransomware, despite LockBit’s history of false claims.
  • Evidence includes traffic to/from IP addresses associated with malicious activity and large data transfers that may indicate exfiltration.
  • A known vulnerability (Follina, CVE-2022-30190) and the use of remote-access software (LogMeIn) are highlighted as possible intrusion vectors.
  • Malware components like Ramnit and Hupigon are noted as potential data thieves and payload deliverers; Qbot is mentioned as a ransomware-related payload.
  • Final assessment suggests local governments remain targets for ransomware, with attacker infrastructure and data-transfer patterns supporting the ransomware narrative.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – The attackers leveraged CVE-2022-30190 (Follina) to drop malware, including the Rozena backdoor, AsyncRAT, and Qbot. ‘Threat actors have leveraged Follina to distribute malware, including the Rozena backdoor, AsyncRAT (remote access trojan), and Qbot, which has previously delivered ransomware as a later-stage payload.’
  • [T1133] External Remote Services – Remote access tools may have been used to control victim devices: ‘Traffic from a victim network to a LogMeIn-operated IP address may therefore reflect the attacker’s use of LogMeIn to control a victim device.’
  • [T1041] Exfiltration – Indicators of data exfiltration through large data transfers and repeated flows to malicious IPs: ‘large transfers of data … may reflect exfiltration by the attackers.’

Indicators of Compromise

  • [IP Address] Communications with known malicious activity IPs – 159.65.216.150, 173.199.15.254, and 2 more IPs
  • [IP Address] Repeated data exchanges with a single housing authority IP and potential remote-access activity – 173.199.15.254
  • [IP Address] Possible ransomware link and reconnaissance activity – 137.184.148.2
  • [Malware] Ramnit – Long-standing trojan capable of data theft and delivering additional malware
  • [Malware] Hupigon – Long-standing trojan capable of data theft and delivering additional malware
  • [Malware] Qbot – Known to have delivered ransomware as a later-stage payload
  • [Software] LogMeIn – Remote access service potentially used to control victim devices
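The three kinds of evidence the report leans on (contact with indicator IPs, large outbound transfers, and repeated exchanges between one internal host and a single external IP) translate directly into flow-log triage checks. The script below is an added example, not code from SecurityScorecard or the report; the indicator IPs are the three listed above, while the internal range, byte and repeat thresholds, and the flow records are constructed for illustration.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Indicator IPs listed on the page; the report names more than these three.
INDICATOR_IPS = {"159.65.216.150", "173.199.15.254", "137.184.148.2"}
# Assumed internal range and thresholds for this example; tune to your baseline.
INTERNAL_NET = ip_network("10.20.0.0/16")
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024   # 500 MiB outbound in a single flow
REPEAT_FLOW_COUNT = 5                       # flows from one host to one external IP

# Constructed NetFlow-style records, not taken from the report.
SAMPLE_FLOWS = """src_ip,dst_ip,dst_port,bytes_out
10.20.5.17,159.65.216.150,443,20480
10.20.5.17,173.199.15.254,443,1048576
10.20.5.17,173.199.15.254,443,2097152
10.20.5.17,173.199.15.254,443,3145728
10.20.5.17,173.199.15.254,443,4194304
10.20.5.17,173.199.15.254,443,805306368
10.20.5.42,203.0.113.9,443,734003200
10.20.5.42,10.20.5.1,445,4096
10.20.5.90,198.51.100.7,80,512
"""

def triage_flows(csv_text):
    """Apply checks modelled on the three evidence types the report describes:
    contact with indicator IPs, large outbound transfers, and repeated flows
    from one internal host to a single external IP. Returns findings by type."""
    findings = {"indicator_contact": [], "large_transfer": [], "repeated_flows": []}
    pair_counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst, nbytes = row["src_ip"], row["dst_ip"], int(row["bytes_out"])
        if ip_address(dst) in INTERNAL_NET:
            continue  # internal-to-internal traffic is outside these checks
        pair_counts[(src, dst)] += 1
        if dst in INDICATOR_IPS:
            findings["indicator_contact"].append((src, dst, nbytes))
        if nbytes >= LARGE_TRANSFER_BYTES:
            findings["large_transfer"].append((src, dst, nbytes))
    for (src, dst), n in pair_counts.items():
        if n >= REPEAT_FLOW_COUNT:
            findings["repeated_flows"].append((src, dst, n))
    return findings

if __name__ == "__main__":
    for kind, hits in triage_flows(SAMPLE_FLOWS).items():
        for hit in hits:
            print(kind, *hit)
```

A hit on any single check is a lead, not a verdict: the report itself only reaches moderate confidence by combining indicator contact, transfer volume, and repetition, so the checks are most useful read together.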

Read more: https://securityscorecard.com/research/ransomware-attack-against-u-s-public-housing-authority-linked-to-previous-attacks/