According to new research from Symantec and the Carbon Black Threat Hunter team, Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca.
The Fog ransomware operation was first observed last year in May leveraging compromised VPN credentials to access victims' networks. Post-compromise, they used "pass-the-hash" attacks to gain admin privileges, disabled Windows Defender, and encrypted all files, including virtual machine storage. Later, the threat group was observed exploiting n-day flaws impacting Veeam Backup & Replication (VBR) servers, as well as SonicWall SSL VPN endpoints.
The researchers discovered the unusual attack toolset during an incident response last month on a financial institution in Asia. Symantec couldn't determine the initial infection vector but documented the use of multiple new tools that have not been previously seen in such attacks. The most unusual and fascinating of those is Syteca, formerly known as Ekran, a legitimate employee monitoring software that records screen activity and keystrokes. The attackers could use the tool to collect information, such as the account credentials employees type in while unaware that they are being monitored remotely.
Syteca was stealthily delivered to the system by Stowaway, an open-source proxy tool for covert communication and file transfers, and executed by SMBExec, the PsExec equivalent in the Impacket open-source framework used for lateral movement. The attack also involved GC2, an open-source post-exploitation backdoor that uses Google Sheets or Microsoft SharePoint for command-and-control (C2) and data exfiltration. GC2 has rarely been seen in ransomware attacks, having previously been used in attacks attributed to the APT41 Chinese threat group.
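Each link in that chain leaves a behaviour a defender can look for: a monitoring agent running on a host where it was never deployed, a service-launched command shell writing its output to a local admin share (the execution shape of SMBExec-style remote service tools), and a server-role machine talking to a collaboration SaaS endpoint from something other than a browser. The following Python sketch is an added example, not code from the Symantec or Carbon Black research and not from any of the tools named above. It runs those three checks over constructed Sysmon-style process-creation and network-connection events and then correlates them per host, since any one of these signals is noisy on its own. The agent binary name, the host inventory, the GC2 file name and the SaaS domain list are assumptions, not values from the research.

```python
"""Defender-side checks for the tool chain described above (constructed example)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                 # "process" (Sysmon EID 1 style) or "network" (EID 3 style)
    host: str
    image: str                # full path of the process image
    parent_image: str = ""
    command_line: str = ""
    dest_host: str = ""       # destination hostname for network events


# --- Asset context (assumed; a real deployment would pull this from the CMDB) ---
MONITORING_AGENT = re.compile(r"(syteca|ekran)", re.IGNORECASE)   # assumed agent binary naming
ALLOWED_MONITORING_HOSTS = {"HR-WS-01", "HR-WS-02"}               # where the agent is sanctioned
SERVER_HOSTS = {"DB-SQL-01", "BACKUP-VBR-01"}                     # server-role machines
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SAAS_DOMAINS = ("sheets.googleapis.com", "docs.google.com", ".sharepoint.com")
# Output redirected to a local admin share by a shell that services.exe started:
# the general pattern of remote service execution tools such as Impacket's smbexec.
ADMIN_SHARE_REDIRECT = re.compile(r">\s*\\\\127\.0\.0\.1\\(ADMIN|C)\$\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_unexpected_monitoring_agent(events):
    """Monitoring agent executing on a host outside its allowlist."""
    return [f"{e.host}: monitoring agent {basename(e.image)} running outside allowed hosts"
            for e in events
            if e.kind == "process" and MONITORING_AGENT.search(basename(e.image))
            and e.host not in ALLOWED_MONITORING_HOSTS]


def detect_remote_service_exec(events):
    """services.exe -> cmd.exe with output redirected to a local admin share."""
    return [f"{e.host}: services.exe spawned cmd.exe writing to an admin share (smbexec-style)"
            for e in events
            if e.kind == "process" and basename(e.parent_image) == "services.exe"
            and basename(e.image) == "cmd.exe" and ADMIN_SHARE_REDIRECT.search(e.command_line)]


def detect_saas_from_server(events):
    """Non-browser process on a server-role host reaching Google Sheets/Docs or SharePoint."""
    return [f"{e.host}: {basename(e.image)} connected to {e.dest_host} (possible SaaS-based C2)"
            for e in events
            if e.kind == "network" and e.host in SERVER_HOSTS
            and basename(e.image) not in BROWSERS
            and any(d in e.dest_host.lower() for d in SAAS_DOMAINS)]


def run_checks(events):
    return {
        "unexpected_monitoring_agent": detect_unexpected_monitoring_agent(events),
        "remote_service_exec": detect_remote_service_exec(events),
        "saas_from_server": detect_saas_from_server(events),
    }


def hosts_with_multiple_signals(results, minimum=2):
    """Hosts that tripped at least `minimum` distinct checks: the ones to triage first."""
    per_host = defaultdict(set)
    for check, alerts in results.items():
        for alert in alerts:
            per_host[alert.split(":", 1)[0]].add(check)
    return {h for h, checks in per_host.items() if len(checks) >= minimum}


# Constructed sample telemetry; none of these paths or hosts come from the research.
SAMPLE_EVENTS = [
    Event("process", "HR-WS-01", r"C:\Program Files\Syteca\SytecaAgent.exe", r"C:\Windows\System32\services.exe"),
    Event("process", "DB-SQL-01", r"C:\Windows\Temp\SytecaAgent.exe", r"C:\Windows\System32\cmd.exe"),
    Event("process", "DB-SQL-01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\services.exe",
          r"cmd.exe /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\Temp\execute.bat"),
    Event("process", "HR-WS-02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /c dir"),
    Event("network", "DB-SQL-01", r"C:\Windows\Temp\gc2.exe", dest_host="sheets.googleapis.com"),
    Event("network", "HR-WS-01", r"C:\Program Files\Google\Chrome\Application\chrome.exe", dest_host="docs.google.com"),
    Event("network", "BACKUP-VBR-01", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
          dest_host="contoso.sharepoint.com"),
]

if __name__ == "__main__":
    results = run_checks(SAMPLE_EVENTS)
    for check, alerts in results.items():
        for alert in alerts:
            print(f"[{check}] {alert}")
    print("triage first:", sorted(hosts_with_multiple_signals(results)))
```

On the sample data only DB-SQL-01 trips more than one check, which is the point of the correlation step: a sanctioned agent on an HR workstation, a browser reaching SharePoint, or an explorer-launched shell are each benign on their own, while the combination of an unexpected monitoring agent, a service-spawned shell writing to an admin share, and a non-browser SaaS connection on one database server is worth an analyst's immediate attention. Allowlists like `ALLOWED_MONITORING_HOSTS` are the "live map" that lets the first check fire at all.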
Here is what a few cybersecurity experts are saying about this research:
Mr. Akhil Mittal, Senior Manager at Black Duck:
The real danger in this case isn't the ransom note - it's how Fog turns a simple screen-recorder into a hidden camera. Software is an essential driver of growth and innovation for every company; however, business apps we install on autopilot can suddenly become spy tools, which means trust is the weak spot. Security teams should keep a live map of where every monitoring app is allowed to run and flag it the moment one pops up somewhere odd. For example, if HR software runs on a database server, that's your warning sign.
++
Shane Barney, Chief Information Security Officer at Keeper Security:
Today's attackers don't loudly break in - they quietly blend in. The Fog ransomware group is a prime example, orchestrating well-planned intrusions that blur the line between cybercrime and espionage. Instead of relying solely on malware, they're combining legitimate employee monitoring software with open-source penetration tools to build attack chains that are both covert and highly effective. Living Off The Land (LOTL) is a fileless malware technique where the cybercriminal uses native, legitimate tools within the victim's system to sustain and advance an attack. Tools like Syteca, typically used to track insider activity, are being repurposed to silently harvest credentials and monitor employee behavior in real time. That's a chilling evolution.
This level of creativity isn't an outlier - it reflects a growing trend. Ransomware groups are becoming highly adaptable, resourceful adversaries who operate outside of traditional playbooks. The damage extends beyond encrypted files; it's about the loss of control, visibility and trust in your systems long before the ransom demand is made. LOTL attacks are far more difficult to detect with common security tools. This provides the attacker with the dwell time necessary to escalate privileges, steal data and set backdoors for future access.
To defend against these threats, organizations must take a modern, proactive approach to security. That means locking down credentials, limiting privileged access and continuously monitoring for unusual activity across remote access points and backup infrastructure. Organizations also need to stop relying on Indicators of Compromise (IOCs) alone and incorporate the use of Indicators of Attack (IOAs) as part of their security program. The goal isn't just prevention - it's resilience.
++
Trey Ford, Chief Information Security Officer at Bugcrowd:
Tactics, techniques, procedures (TTPs) are used as fingerprints to identify actor groups - when common tools, platforms, or infrastructure are used, we gain confidence as defenders in our hypothesis on which Threat Actor group we're dealing with. The appearance of new tool kits in play could speak to the evolution of existing actors, or a newly formed group emerging.
The use of ordinary and legitimate corporate tools does two things for the miscreants:
- It may allow accidental bypass from other security tools in an environment, as known software is baked into allow-listing groups which may have been enabled. In this case the use of Syteca for gathering credentials and monitoring the environment may have been ignored by security tooling.
- The use of expected productivity platforms (e.g. Google Sheets or Microsoft SharePoint) for command and control (C2) would have blended in a bit more with normalized corporate traffic, increasing the time to detect, and slowed investigations a bit.
We should expect the use of ordinary and legitimate corporate software as the norm - we refer to this as 'living off the land'. Why would an attacker introduce new software, create more noise in logs, and increase the likelihood of detection when "allowable" software gets the job done for them?
We have long seen Threat Actors exploiting vulnerability research in security technologies, and for good reason. The old adages here ring true ("the cobbler's kids have no shoes" and "never drive the mechanic's car") in that security software can't ever have enough scrutiny. The eternal vigilance required to build self-defending security platforms knows no end. Moments like these should encourage us to seek diverse perspectives in security testing, transparency in findings, and active vulnerability disclosure and bounty programs incentivizing partnership with the research community.