CloudSEK reports a significant ransomware incident that disrupted India’s banking ecosystem. The incident centred on Brontoo Technology Solutions, a C-EDGE collaborator, and is linked to a misconfigured Jenkins server that enabled the exploitation. The analysis identifies RansomEXX as the threat actor, outlines the attack chain and techniques, and offers security recommendations for the BFSI sector. #RansomEXX #BrontooTechnologySolutions
Key points
- Industry Impact: Disruption to India’s banking ecosystem, affecting banks and payment providers.
- Attack Vector: Initial access through a misconfigured Jenkins server vulnerable to CVE-2024-23897 (Local File Inclusion).
- Threat Actor: RansomEXX confirmed as the responsible group.
- Evolution: RansomEXX v2.0 introduces stronger encryption and evasion techniques.
- Initial Access: Common vectors include phishing, RDP vulnerabilities, and credential theft.
- Ransom Demands: Victims receive detailed ransom notes, typically payable in cryptocurrency.
- Recommendations: Regularly update Jenkins servers and critical vendor systems to prevent similar attacks.
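The recommendation above is only actionable if an operator can tell which Jenkins instances still run a version that predates the fix for CVE-2024-23897. The following Python is an added example, not code from the CloudSEK report, and it assumes the fixed versions the Jenkins project published for this CVE (weekly 2.442, LTS 2.426.3); the inventory entries are constructed sample data. Jenkins ships two release lines, so the check compares each version against the fix on its own line rather than doing a naive numeric comparison.

```python
"""Triage a Jenkins inventory against the CVE-2024-23897 fixed versions.

Assumed fixed versions (from the Jenkins security advisory for this CVE):
weekly line 2.442, LTS line 2.426.3. Weekly versions look like 'x.y',
LTS versions like 'x.y.z'. Comparing across lines is wrong: LTS 2.426.3 is
fixed even though 426 < 442, so each line is compared separately.
"""
import re
from typing import List, Optional, Tuple

FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'2.426.2' -> (2, 426, 2); '2.441' -> (2, 441); None if malformed."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    return tuple(int(p) for p in match.groups() if p is not None)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix on its release line.

    Returns None for unparseable input so a caller treats it as 'unknown'
    rather than silently counting it as patched.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    if len(parsed) == 3:          # LTS line
        return parsed < FIXED_LTS
    return parsed < FIXED_WEEKLY  # weekly line


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, version) as vulnerable, fixed or unknown."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return [(host, ver, labels[is_vulnerable(ver)]) for host, ver in inventory]


# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("ci-01.example.test", "2.426.2"),   # LTS, one release before the fix
    ("ci-02.example.test", "2.441"),     # weekly, one release before the fix
    ("ci-03.example.test", "2.440.1"),   # LTS after the fix
    ("ci-04.example.test", "2.442"),     # weekly, first fixed release
    ("ci-05.example.test", "unknown"),   # missing version data
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:22} {ver:10} {status}")
```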
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Attackers use targeted phishing emails with malicious attachments for initial access.
- [T1190] Exploit Public-Facing Application – Exploiting vulnerabilities in public-facing applications.
- [T1078] Valid Accounts – Using stolen or brute-forced credentials.
- [T1059.001] Command and Scripting Interpreter: PowerShell – Utilizing PowerShell scripts to execute malicious commands.
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Using the command prompt to execute malicious commands.
- [T1569.002] System Services: Service Execution – Using Windows services to execute the ransomware payload.
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Modifying registry keys or adding files to the startup folder.
- [T1068] Exploitation for Privilege Escalation – Exploiting vulnerabilities to escalate privileges.
- [T1027] Obfuscated Files or Information – Using obfuscation techniques to avoid detection.
- [T1003.001] OS Credential Dumping: LSASS Memory – Dumping credentials from the LSASS process.
- [T1046] Network Service Discovery – Enumerating network services.
- [T1021.001] Remote Services: Remote Desktop Protocol – Using RDP to move laterally within the network.
- [T1041] Exfiltration Over C2 Channel – Exfiltrating data over an established command and control (C2) channel.
- [T1486] Data Encrypted for Impact – Encrypting files on the victim’s system.
Indicators of Compromise
- [SHA256] RansomEXX-related sample hashes – 62e9d5b3b4d5654d6ec4ffdcd7a64dfe5372e209b306d07c6c7d8a883e01bead, 6962e408aa7cb3ce053f569415a8e168a4fb3ed6b61283c468f6ee5bbea75452, and many more hashes
- [Domains] Command and control and distribution domains – iq3ahijcfeont3xx.sm4i8smr3f43.com, iq3ahijcfeont3xx.tor2web.blutmagie.de