According to Group-IB, Iranian hackers using the Dharma ransomware are successfully attacking companies in Japan, China, Russia and India.
Given the low complexity of the detected attacks and the simplicity of the tactics and tools used, the researchers describe this hack group as “newbies”. The attackers rely exclusively on publicly available tools: either open source, downloaded from GitHub, or obtained from hacker Telegram channels. The group’s arsenal includes Masscan and Advanced Port Scanner (for scanning), NLBrute (for brute forcing RDP credentials), Defender Control (for switching off Windows Defender) and Your Uninstaller.
“Interestingly, the threat actors likely didn’t have a clear plan on what to do with the compromised networks. Once they established the RDP connection, they decided on which tools to deploy to move laterally,” the Internet security experts say.
Apparently, the group is not yet able to create its own tools, or lacks the financial resources to buy access to more advanced utilities. The use of Dharma fits this picture: the ransomware’s source code was put up for sale in the spring of 2020 and was later leaked online for free.
According to the researchers, the hack group gains initial access to its targets’ networks by attacking RDP. This is hardly surprising: RDP is currently the second most popular initial access vector among ransomware operators.
All the affected organizations had hosts with Internet-facing RDP and weak credentials. The hackers typically demanded a ransom of between 1 and 5 BTC. “The newly discovered hacker group suggests that Iran, which has been known as a cradle of state-sponsored APT groups for years, now also accommodates financially motivated cybercriminals,” write Group-IB specialists.
The researchers note that the Iranian hack group does not demand the ransoms of hundreds of thousands or millions of US dollars that have become the norm for most ransomware operations. Instead, the attackers ask the affected companies for relatively small amounts, roughly 1-5 bitcoins ($10,000 to $50,000 at the time).
Presumably, the hackers are trying to increase their chances of being paid while not attracting too much attention, since law enforcement focuses its efforts on the larger groups that extort millions from companies.
Mitigation:
The pandemic exposed a great number of vulnerable hosts as many employees started working from home, and the vector became increasingly popular among cybercriminals. Moving RDP off the default port 3389 to another port reduces the noise from opportunistic scanners, but it should not be the only measure: a full port scan with a tool such as Masscan, which is in this very group’s toolkit, finds a relocated listener anyway, so Internet-facing RDP should be placed behind a VPN or an RD Gateway wherever possible. Because attackers usually need many attempts to brute force a password and gain RDP access, it is also important to enable account lockout policies that limit the number of failed login attempts per user.
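As an added example (PowerShell written for this page, not code from Group-IB or from the article), the following script applies the two mitigations above on a stand-alone Windows host, additionally requires Network Level Authentication, and then reports the source addresses behind repeated failed RDP logons, which is the trace a brute-force attempt leaves in the Security log before it succeeds. The port number 33890, the lockout thresholds and the 24-hour window are assumed values, and the script assumes a non-domain-joined host where `net accounts` governs the local lockout policy.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Group-IB report or the article above.
# Hardens a stand-alone Windows host against the RDP brute-force pattern
# described in the text and then looks for the failed logons that precede
# such a compromise. Assumptions (mine, not the article's): Windows 10/11
# or Server 2016+, the host is not domain-joined (lockout policy is local),
# and TCP 33890 is a free port.

$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$NewPort = 33890   # assumed value; any unused high port will do

function Get-RdpExposure {
    # Current listening port and whether Network Level Authentication (NLA)
    # is required. NLA makes the client authenticate before a session is
    # created, so unauthenticated clients never reach the logon screen.
    $cfg = Get-ItemProperty -Path $RdpKey
    [pscustomobject]@{
        Port       = [int]$cfg.PortNumber
        NlaEnabled = ([int]$cfg.UserAuthentication -eq 1)
    }
}

function Set-RdpHardening {
    param([int]$Port)
    # 1. Move the listener off 3389. The built-in "Remote Desktop" firewall
    #    rule group is fixed to 3389, so an explicit rule is needed.
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port -Type DWord
    New-NetFirewallRule -DisplayName "Remote Desktop (TCP $Port)" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -Action Allow -Profile Any | Out-Null
    # 2. Require NLA.
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
    # 3. Local account lockout: 5 bad passwords within 30 minutes lock the
    #    account for 30 minutes (assumed thresholds). On a domain-joined host
    #    manage this through Group Policy instead.
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
    # The new port is used once Remote Desktop Services restarts. This drops
    # existing RDP sessions, so run it from the local console.
    Restart-Service -Name TermService -Force
}

function Get-FailedLogonSources {
    param([int]$Hours = 24, [int]$MinAttempts = 5)
    # Event 4625 = "An account failed to log on". Logon type 10 is
    # RemoteInteractive (classic RDP); with NLA the failed credential check
    # is logged as type 3 (Network) instead, so both are kept.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read named fields from the event XML rather than relying on
            # positional indexes in $_.Properties.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Source    = $data['IpAddress']
                User      = $data['TargetUserName']
                LogonType = [int]$data['LogonType']
            }
        } |
        Where-Object { ($_.LogonType -in 3, 10) -and ($_.Source -ne '-') } |
        Group-Object -Property Source |
        Where-Object { $_.Count -ge $MinAttempts } |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'Source';   e = { $_.Name } },
                      @{ n = 'Attempts'; e = { $_.Count } },
                      @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
}

Write-Host 'RDP exposure before hardening:'
Get-RdpExposure | Format-List
Set-RdpHardening -Port $NewPort
Write-Host 'RDP exposure after hardening:'
Get-RdpExposure | Format-List
Write-Host "Sources with 5 or more failed RDP logons in the last 24 hours:"
Get-FailedLogonSources | Format-Table -AutoSize
```

The failed-logon report is the same check a defender would run against hosts that are already exposed: a single external address trying many account names within minutes is the signature of NLBrute-style guessing, and the `Accounts` column shows which usernames the attacker is working through.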