Threat Alert: Russian-Backed Threat Actors, Avaddon Ransomware

May 12, 2021 - In the last week, a host of federal agencies released insights on ongoing cyber campaigns led by Avaddon ransomware and Russian-backed threat actors targeting a range of global private sector entities, including those in healthcare and COVID-19 vaccine developers.

The FBI and the Australian Cyber Security Center (ACSC) alerts on Avaddon warns its threat actors are actively leveraging phishing campaigns and hacking coupled with double extortion attempts.

The actors have also been observed using the victim’s geolocation and system language to determine whether or not to attack the system. Previous campaigns employed phishing to target entities: Proofpoint observed more than 1 million messages featuring Avaddon between June 4 and June 10, 2020.

Avaddon was first spotted in the wild in February 2019 and is offered as a ransomware-as-a-service model. RaaS allows affiliate hackers to leverage the ransomware for their desired means, as long as a portion of profits are returned to Avaddon developers.

The actors have successfully exploited a number of healthcare entities and posted data allegedly stolen from its victims, including Capital Medical Center in Washington, Intensive Care Online Network (ICON), and Bridgeway Senior Healthcare in New Jersey.

READ MORE: Joint Fed Guidance on Russian APT Cyberattacks, Exploits, Malware

“When opened, the included attachment downloads Avaddon using PowerShell,” researchers explained, at the time. “Once Avaddon runs, it shows the ransom message… and later demands $800 payment in bitcoin via TOR.” 

“The Avaddon attackers also provide 24/7 support and resources on purchasing bitcoin, testing files for decryption, and other challenges that may hinder victims from paying the ransom,” they added.

The latest alert on Avaddon shows its affiliates are targeting healthcare, manufacturing, and a host of private sector entities on a global scale.

The FBI noted that the threat actors are threatening victims with DDoS attacks in addition to traditional encryption methods. However, there’s currently no evidence that the group has followed through with the threat.

ACSC noted that the attackers have a strong presence on dark web cybercriminal forums, with the RaaS variant featured on multiple high-tier cybercrime forums. The typical ransom demand asks for bitcoin valued at approximately $40,000, on average.

READ MORE: Russian Hackers Target COVID-19 Vaccine Developers with Cyberattacks

The variant enables a host of nefarious activities, including capturing operating system information, network interfaces, network configurations, payment card data, hostname, disk information, and keyboard layout, as well as deleting services, Volume Shadow Copy files, and other files, among a range of other capabilities.

To prevent a successful Avaddon exploit, ACSC recommended entities ensure all operating systems and applications are promptly patched and antivirus signatures must be up to date. Backups should be encrypted, maintained offline, and regularly tested.

Administrators should scan emails and attachments to detect and block malware, ensuring that employees are well-trained in identifying phishing attacks and other malicious emails. 

Russian-Backed Cyberattacks

Since determining the massive SolarWinds Orion compromise was deployed by nation-state actors with ties to Russia, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency has released several insights detailing the actors’ tactics.

As previously disclosed, the threat actors employ widespread scanning to find these vulnerabilities and exploit them. System administrators must ensure that all software patches are applied promptly after disclosures to close these potential footholds.

READ MORE: 77% of Ransomware Spurs Data Extortion, Driven by Accellion Hack

After the release of these reports, the Russian Foreign Intelligence Service (SVR) shifted their tactics to avoid further detection and previous remediation efforts.

The latest alert from CISA, the FBI, and NSA on these cyberattacks shed light on the current campaigns targeting a range of global entities, including those in healthcare. The threat actors are also actively targeting COVID-19 vaccine developers to gain intel.

Further, the hackers have since deployed the open-source tool Sliver to maintain access to victims’ networks. They’ve also been observed exploiting multiple publicly known vulnerabilities, including the recently disclosed zero-days in Microsoft Exchange.

The group has also been observed using Cobalt Strike after the initial exploit, as well as GoldFinder, GoldMax, and Sibot malware variants.

The alert also shows the actors often target administrator mailboxes to gain additional information or access on the network. Researchers believe the targeting is an effort to gain better insights into the network, to obtain greater privileges or credentials, or for lateral movement.

In one observed incident, the actors used access gained from the SolarWinds exploit to compromise a certificate issued by Mimecast.

“The actor used that access to authenticate a subset of Mimecast’s products with customer systems,” according to the alert. “In this way, the actor was able to abuse the Mimecast Azure app in order to compromise the final target.”

“The Mimecast Azure application's default application permissions allowed the application full access to all mailboxes in the victim organisation's tenant,” it added. “Once the actor had gained access to this application, they were able to utilise the applications permissions in order to extract emails from any mailbox used by the victim organization.”

The alert contains indicators of compromise and other tactics employed by this highly sophisticated threat group. Entities should review these insights, as well as previous research on Russian-backed actors to ensure they’re employing the best possible remediation strategies.