NOTE: This version of the report has been redacted for TLP:WHITE disclosure.
Digging into ransomware infections always provides valuable insights. This time, we investigated peculiar details of a recent Lockbit-based intrusion that happened in Q3 2023, and we uncovered connections between a wide range of cybercriminal activities, highlighting some of the constants characterizing a dangerous threat actor operating deeply in the digital underground.
In this article, we present our findings from examining the exfiltration infrastructure associated with one of the most notorious LockBit affiliates, which has also been tracked by CISA. We elucidate how these findings are interconnected within a broader threat landscape encompassing numerous other criminal business verticals, all seemingly under the control of a single enigmatic administration.
At one point, the LockBit incident investigation reached a very interesting juncture: the ransomware affiliate conducted the data exfiltration phase through an FTP channel tunneled over a TLS connection. As CISA reported in its joint advisory AA23-165A back in June 2023, the operator ingeniously exploited the FileZilla FTP client and employed Ngrok tunneling services to facilitate this process. Notably, in this specific instance, the ransomware affiliate used a server located in Moscow, administered by a Hong Kong-based hosting provider known as Chang Way Technologies Co. Limited.
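The exfiltration pattern described above (an FTP client started alongside a tunneling tool on the same host) is something a blue team can hunt for in endpoint telemetry. The following script is an added example, not code from the article or from CISA: it correlates constructed Sysmon-style process-creation events and flags hosts where an FTP client and a tunneling binary start within a short window of each other. The event layout, the sample lines, the host and user names and the image-name lists are all constructed assumptions for this illustration.

```python
"""Flag hosts where an FTP client and a tunnelling tool start close together,
the FileZilla + Ngrok pattern named in CISA advisory AA23-165A.
Event format and sample data are constructed for this example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Image names to pair up. Both sets are assumptions for this example; extend
# them with whatever FTP clients and tunnelling tools your environment sees.
FTP_CLIENTS = {"filezilla.exe"}
TUNNEL_TOOLS = {"ngrok.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style fields), one
# JSON object per line. Hosts, users and paths are placeholders.
SAMPLE_EVENTS = r"""
{"ts": "2023-08-14T02:11:05", "host": "SRV-FILE01", "user": "CORP\\svc_backup", "image": "C:\\Tools\\ngrok.exe", "cmdline": "ngrok.exe tcp 21"}
{"ts": "2023-08-14T02:19:40", "host": "SRV-FILE01", "user": "CORP\\svc_backup", "image": "C:\\Program Files\\FileZilla FTP Client\\filezilla.exe", "cmdline": "filezilla.exe"}
{"ts": "2023-08-14T09:02:13", "host": "WS-HR-07", "user": "CORP\\jdoe", "image": "C:\\Program Files\\FileZilla FTP Client\\filezilla.exe", "cmdline": "filezilla.exe"}
{"ts": "2023-08-14T10:30:00", "host": "SRV-DEV02", "user": "CORP\\dev1", "image": "C:\\Users\\dev1\\ngrok.exe", "cmdline": "ngrok.exe http 8080"}
{"ts": "2023-08-14T16:45:00", "host": "SRV-DEV02", "user": "CORP\\dev1", "image": "C:\\Program Files\\FileZilla FTP Client\\filezilla.exe", "cmdline": "filezilla.exe"}
"""


def image_name(path):
    """Basename of a Windows (or POSIX) image path, lower-cased for matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse JSON-lines events into dicts with a datetime and a short image name."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["name"] = image_name(rec["image"])
        events.append(rec)
    return events


def find_exfil_candidates(events, window=timedelta(minutes=30)):
    """Return {host: [hit, ...]} where each hit pairs an FTP-client start with a
    tunnelling-tool start on the same host no more than `window` apart.
    Hosts that run only one of the two (WS-HR-07) or run them hours apart
    (SRV-DEV02) are not reported, which keeps the rule from firing on routine
    FTP use or on a developer's unrelated tunnel."""
    by_host = defaultdict(lambda: {"ftp": [], "tunnel": []})
    for ev in events:
        if ev["name"] in FTP_CLIENTS:
            by_host[ev["host"]]["ftp"].append(ev)
        elif ev["name"] in TUNNEL_TOOLS:
            by_host[ev["host"]]["tunnel"].append(ev)

    hits = {}
    for host, groups in by_host.items():
        pairs = []
        for ftp_ev in groups["ftp"]:
            for tun_ev in groups["tunnel"]:
                gap = abs(ftp_ev["ts"] - tun_ev["ts"])
                if gap <= window:
                    pairs.append({"ftp": ftp_ev, "tunnel": tun_ev, "gap": gap})
        if pairs:
            hits[host] = pairs
    return hits


if __name__ == "__main__":
    for host, pairs in find_exfil_candidates(parse_events(SAMPLE_EVENTS)).items():
        for p in pairs:
            print(f"{host}: {p['tunnel']['name']} at {p['tunnel']['ts']} and "
                  f"{p['ftp']['name']} at {p['ftp']['ts']} ({p['gap']} apart), "
                  f"user {p['ftp']['user']}")
```

The window and the image-name lists are the tuning knobs: a tighter window cuts false positives from legitimate admins, while matching on command-line arguments (for instance an `ngrok.exe tcp` forward of port 21) rather than image names alone catches renamed binaries.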
A quick examination of the publicly accessible profile of the Moscow-based server swiftly uncovered a peculiarity. Among the array of exposed services, there was an active RDP (Remote Desktop Protocol) service running on the machine, disclosing not only its operating system version but also, of greater interest, its hostname.
At first sight, the particular hostname does not mean much: the format “WIN-XXXXXXXXXXX” resembles the typical default, randomly generated hostname that the Windows operating system assigns during installation. But then we noticed the interesting part: multiple past LockBit victims show this same hostname on their dedicated pages on the gang’s data leak site. This reuse is unlikely to be coincidental: the chance of multiple LockBit affiliates randomly ending up with the same hostname is almost zero, so this correlation lets us link this particular affiliate to its victims.
In addition, the machine carrying this hostname has its system language set to Russian, but this is not the only interesting fact. Pivoting on the infrastructure, we found 105 hosts with the same hostname serving an IIS-based FTP service. These servers have been deployed in 16 countries worldwide: Russia, Netherlands, Finland, United States, Kazakhstan, Turkey, Ukraine, Czech Republic, Latvia, Norway, Poland, Romania, Uzbekistan, Germany, France, and Greece.
After discovering this hidden connection, we moved on to investigate what else could be linked to this LockBit affiliate through its infrastructure, and what we found was astonishing: many researchers had stumbled upon that hostname across various malicious operations. For instance:
This hostname connection is particularly heterogeneous, but it technically makes sense. As specified above, the Windows operating system generates a random hostname only during the installation phase, and typical system administration and DevOps practices rarely require installing Windows from scratch. Frequently, sysadmins rely on so-called golden images: snapshots of a pre-installed operating system ready to be customized for a particular application.
So, with a good degree of confidence, we are looking at multiple instances generated from the same base image, likely linked to a single organization. The extent of this linked infrastructure involves more than 8 thousand hosts worldwide, and at least a third of them are located in CIS countries.
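The pivot described in the preceding paragraphs (an RDP-exposed hostname that looks like a Windows default, recurring across many hosts and services, then broken down by country) can be reproduced over any internet-scan export. The script below is an added example and not the authors' tooling: it clusters constructed scan records by exposed hostname, keeps only default-looking “WIN-” names shared by several distinct IPs, and reports the country, service and CIS-share breakdown the article reasons about. The record layout, IPs, hostnames (the placeholder WIN-EXAMPLE0001 stands in for the redacted name) and the CIS country list are all constructed assumptions.

```python
"""Pivot on a default-looking Windows hostname across internet-scan records.
A randomly generated setup name recurring on many unrelated hosts is the
golden-image signal discussed in the article. All data here is constructed."""
import re
from collections import Counter, defaultdict

# Windows setup assigns "WIN-" followed by 11 random upper-case alphanumerics.
DEFAULT_HOSTNAME = re.compile(r"^WIN-[A-Z0-9]{11}$")

# Approximate CIS membership as ISO 3166 codes (assumption used for the share metric).
CIS_COUNTRIES = {"RU", "BY", "KZ", "KG", "TJ", "UZ", "AM", "AZ", "MD"}

# Constructed scan records (documentation-range IPs, placeholder hostnames).
SCAN_RECORDS = [
    {"ip": "192.0.2.10",    "port": 3389, "service": "rdp", "hostname": "WIN-EXAMPLE0001", "country": "RU"},
    {"ip": "192.0.2.10",    "port": 21,   "service": "ftp", "hostname": "WIN-EXAMPLE0001", "country": "RU"},
    {"ip": "198.51.100.5",  "port": 21,   "service": "ftp", "hostname": "WIN-EXAMPLE0001", "country": "NL"},
    {"ip": "203.0.113.7",   "port": 21,   "service": "ftp", "hostname": "WIN-EXAMPLE0001", "country": "FI"},
    {"ip": "203.0.113.9",   "port": 21,   "service": "ftp", "hostname": "WIN-EXAMPLE0001", "country": "KZ"},
    {"ip": "192.0.2.77",    "port": 3389, "service": "rdp", "hostname": "WIN-EXAMPLE0002", "country": "US"},
    {"ip": "198.51.100.20", "port": 3389, "service": "rdp", "hostname": "DC01-CORP",       "country": "DE"},
    {"ip": "198.51.100.21", "port": 3389, "service": "rdp", "hostname": "DC01-CORP",       "country": "DE"},
    {"ip": "198.51.100.22", "port": 3389, "service": "rdp", "hostname": "DC01-CORP",       "country": "DE"},
]


def cluster_by_hostname(records):
    """Group scan records by the hostname they expose (case-insensitive)."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[rec["hostname"].upper()].append(rec)
    return clusters


def suspicious_clusters(records, min_hosts=3):
    """Return default-looking hostnames shared by at least `min_hosts` distinct
    IPs, each with host count, per-country and per-service counters and the
    fraction of hosts sitting in CIS countries.  Deliberately named machines
    (DC01-CORP) are skipped even when many of them share a name: an admin
    choosing the same name is expected, a random one recurring is not."""
    result = {}
    for hostname, recs in cluster_by_hostname(records).items():
        if not DEFAULT_HOSTNAME.match(hostname):
            continue
        ip_country = {}
        for rec in recs:
            ip_country.setdefault(rec["ip"], rec["country"])  # one country per host
        if len(ip_country) < min_hosts:
            continue
        cis_hosts = sum(1 for c in ip_country.values() if c in CIS_COUNTRIES)
        result[hostname] = {
            "host_count": len(ip_country),
            "countries": Counter(ip_country.values()),
            "services": Counter(r["service"] for r in recs),
            "cis_share": cis_hosts / len(ip_country),
        }
    return result


if __name__ == "__main__":
    for name, info in suspicious_clusters(SCAN_RECORDS).items():
        print(f"{name}: {info['host_count']} hosts, countries {dict(info['countries'])}, "
              f"services {dict(info['services'])}, CIS share {info['cis_share']:.0%}")
```

`min_hosts` is the main threshold: a default name seen on two or three boxes is common enough to ignore, whereas the 105-host and 8-thousand-host clusters the article describes sit far outside what chance reuse produces.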
All these pieces draw a very unsettling picture. In fact, since 2019 the hostname has been linked to a wide range of eCrime activities such as ransomware and data extortion, info-stealer distribution, botnet infections, and scams. Basically, it seems we are observing a piece of infrastructure linked to a very well-organized criminal gang operating across the full depth of the eCrime ecosystem: stealing initial-access credentials, deploying banking bots and ransomware precursors, conducting digital extortions, and laundering money through unwitting individuals. To make matters worse, this hostname also seems related to an ex-Conti sysadmin, suggesting a link with the Wizard Spider criminal group.
The curious fact of all this investigation is the potential connection with a Russian DevOps professional specialized in managing these machines.
Due to the sensitive nature of this information, we are not going to disclose any details publicly. This TLP:RED information can only be shared with vetted researchers.
Our investigation into a recent LockBit incident led us to unravel the mystery of the “golden hostname”, which painted a disturbing portrait of a highly organized criminal enterprise operating deep within the eCrime ecosystem. The evidence we’ve uncovered points to a single organization using multiple instances likely generated from the same base image.
Since 2019, this hostname has been implicated in a wide array of cybercriminal activities, ranging from ransomware attacks and data exfiltrations to info-stealing malware distribution and scams. Furthermore, the potential link to the ex-Conti sysadmin hints at ties to the notorious Wizard Spider criminal group, raising concerns about the scale and scope of their operations.
In a curious twist, our investigation revealed an overlap between a Russian DevOps professional and the very LockBit incident we investigated, pointing to a potential connection between this individual and one of the largest cybercriminal enterprises.
This LockBit incident serves as a reminder that shared intelligence and collaboration among cybersecurity professionals are our most potent weapons against the dark forces of the digital world. By piecing together the puzzle of cybercrime, we can better prepare companies and organizations to protect against these modern and extensive threats.
The full report containing the Indicators of Compromise (IoCs) and details on the exfiltration infrastructure is available here:
About the author: Luca Mella, Cyber Security Expert, Response & Threat Intel | Manager
In 2019, Luca was mentioned as one of the “32 Influential Malware Research Professionals”. He is a former member of the ANeSeC CTF team, one of the first Italian cyber wargame teams, born back in 2011.