Severity
High
Analysis Summary
Cybersecurity researchers have discovered an open directory at IP address 194.48.154.79:80, believed to be operated by an affiliate of the Fog ransomware group, which emerged in mid-2024. This exposed server revealed a comprehensive toolkit designed for various stages of cyberattacks, including reconnaissance, exploitation, credential theft, lateral movement, and persistence. The tools reflect the group’s capability to target organizations across industries such as technology, education, and logistics in regions including Europe, North America, and South America—with notable victims in Italy, Greece, Brazil, and the USA.
A key focus of the toolkit is exploiting Active Directory (AD) and VPN vulnerabilities. One ZIP file, sonic_scan.zip, includes a SonicWall Scanner utility that automates authentication to VPN appliances using credentials listed in a data.txt file. It integrates with SonicWall’s NetExtender to run Nmap scans post-login for further reconnaissance. Offensive tools like Certipy were also present, used to abuse Active Directory Certificate Services (AD CS) by exploiting misconfigured certificate templates for privilege escalation.
Among the more dangerous exploits were Zer0dump, which targets the Zerologon vulnerability (CVE-2020-1472) to gain Domain Admin access, and Pachine and noPac, which exploit CVE-2021-42278 and CVE-2021-42287 to manipulate Kerberos PAC attributes for admin impersonation. Credential theft tools included DonPAPI and Impacket’s dpapi.py, capable of extracting sensitive data protected by Windows DPAPI.
For persistence, a PowerShell script named any.ps1 automates the installation of AnyDesk with hardcoded credentials. The server also hosted command-and-control infrastructure, including Sliver C2, Proxychains for traffic obfuscation, and Powercat for reverse shell creation and data tunneling.
The discovery highlights the technical sophistication of Fog affiliates and stresses the need for organizations to strengthen endpoint security, patch vulnerabilities promptly, and closely monitor for indicators of compromise. Victim data found in the directory also matched entries on Fog’s Dedicated Leak Site, confirming the widespread and real-world impact of their operations.
Impact
- Reconnaissance
- Credential Theft
- Lateral Movement
Indicators of Compromise
IP
- 194.48.154.79
MD5
- da15ca8a6a316ee543ecc0cf4799700e
- 21c244771422cf24ef49cdaf2b437c12
- f6359f375ae370e15bfef366f238ee15
- a8c09a3ad7a8faab7be4d46bbec4e01a
SHA-256
- f8bdd832ce22b529f0eae14e642bb95e990e317707b094a225670a15d5c8ca1f
- 3ad343a324037250af9aa7409e211d754adb6524c8d443e1f4afcf38e6df092c
- 09403153fcdb2b700f8b7ab47da7f6e9dfa365d21235a2b8d66080cb76dc62e2
- b182819bc0e90b4fdf15e886da41923360ed63529a851ef90704f6dbfed2ea8b
SHA-1
- b51c17119a5ce356aa67ad219356196e2338f4f0
- eaf6e93737c74f1ea5b91a8054362e5d7f888775
- dee5a5f2c7a9e440ee96d55455a4581d0b85c2e6
- df0c4cf7c76c463077e4c8f38cec419be97473ea
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement robust multi-layered security measures to detect and respond to ransomware and cyber espionage activities.
- Conduct regular security assessments and penetration testing to identify and mitigate vulnerabilities in critical infrastructure and government systems.
- Deploy advanced threat detection tools, such as Endpoint Detection and Response (EDR) and Network Traffic Analysis (NTA), to monitor for suspicious activities and anomalies.
- Ensure timely patching and updating of all software and systems to close known security gaps.
- Use multi-factor authentication (MFA) and strong password policies to protect user accounts from unauthorized access.
- Segment networks to limit lateral movement within the organization in case of a breach.
- Develop and maintain an incident response plan that includes procedures for ransomware attacks and data breaches.
- Train employees on cybersecurity best practices and phishing awareness to reduce the risk of social engineering attacks.
- Regularly back up critical data and ensure backups are stored securely and are not accessible from the primary network.
- Collaborate with cybersecurity firms and government agencies for threat intelligence sharing and coordinated defense strategies.
- Implement encryption for sensitive data at rest and in transit to protect against data theft.
- Limit access to critical systems and data to only those individuals who require it for their role.
- Monitor for and immediately investigate the presence of known malware and indicators of compromise associated with state-sponsored groups.
- Engage in regular cybersecurity drills and exercises to ensure readiness for potential cyber incidents.
- Ensure legal and compliance measures are in place, particularly for industries subject to specific regulatory requirements.
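The "search for indicators of compromise in your environment" step above is the one most teams end up scripting. The following is an added example, not part of the advisory and not tooling from any vendor: a small Python sweep that hashes every file under a directory with MD5, SHA-1 and SHA-256 and compares the digests against the hash indicators listed above, and a log matcher for the listed IP that is anchored so that addresses such as 194.48.154.790 or 1194.48.154.79 do not produce false hits. The `any.ps1` file name is taken from the advisory, but the file contents, directory layout and log lines in the demo are constructed, and the planted file's digest is added to the indicator set only to show what a hit looks like.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators copied from the advisory. The open directory was reported as 194.48.154.79:80;
# only the address is matched here, since the port is irrelevant to log and firewall searches.
IOC_IPS = {"194.48.154.79"}
IOC_HASHES = {
    # MD5
    "da15ca8a6a316ee543ecc0cf4799700e", "21c244771422cf24ef49cdaf2b437c12",
    "f6359f375ae370e15bfef366f238ee15", "a8c09a3ad7a8faab7be4d46bbec4e01a",
    # SHA-256
    "f8bdd832ce22b529f0eae14e642bb95e990e317707b094a225670a15d5c8ca1f",
    "3ad343a324037250af9aa7409e211d754adb6524c8d443e1f4afcf38e6df092c",
    "09403153fcdb2b700f8b7ab47da7f6e9dfa365d21235a2b8d66080cb76dc62e2",
    "b182819bc0e90b4fdf15e886da41923360ed63529a851ef90704f6dbfed2ea8b",
    # SHA-1
    "b51c17119a5ce356aa67ad219356196e2338f4f0", "eaf6e93737c74f1ea5b91a8054362e5d7f888775",
    "dee5a5f2c7a9e440ee96d55455a4581d0b85c2e6", "df0c4cf7c76c463077e4c8f38cec419be97473ea",
}
HASH_ALGOS = ("md5", "sha1", "sha256")


def file_digests(path):
    """Return {algo: hexdigest} for one file, read in 1 MiB chunks so large files do not exhaust memory."""
    # usedforsecurity=False keeps MD5 available on FIPS-enforcing builds; we only compare against an IOC list.
    hashers = {name: hashlib.new(name, usedforsecurity=False) for name in HASH_ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root, ioc_hashes=IOC_HASHES):
    """Walk a directory tree; return [(path, algo, digest)] for every file whose digest is a known IOC."""
    wanted = {h.lower() for h in ioc_hashes}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = file_digests(path)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the whole sweep
            for algo, digest in digests.items():
                if digest in wanted:
                    hits.append((path, algo, digest))
    return hits


def ip_pattern(ips):
    """Compile an alternation of escaped IOC addresses, anchored so a longer address cannot match a shorter IOC."""
    alts = "|".join(re.escape(ip) for ip in sorted(ips))
    # Not preceded by a digit or dot, and not followed by an optional dot plus digit:
    # rejects 1194.48.154.79, 194.48.154.790 and 194.48.154.79.1 but accepts a trailing ':' or '.' in prose.
    return re.compile(r"(?<![\d.])(?:%s)(?!\.?\d)" % alts)


def scan_log_lines(lines, ioc_ips=IOC_IPS):
    """Return [(line_number, matched_ip, line)] for every log line that mentions an IOC address."""
    pat = ip_pattern(ioc_ips)
    hits = []
    for n, line in enumerate(lines, 1):
        for m in pat.finditer(line):
            hits.append((n, m.group(0), line.rstrip()))
    return hits


# Constructed firewall/proxy lines for the demo; only the first one is a real hit.
SAMPLE_LOG = [
    "2025-04-30T10:01:02Z fw allow src=10.0.0.5 dst=194.48.154.79 dport=80",
    "2025-04-30T10:01:03Z fw allow src=10.0.0.5 dst=194.48.154.790 dport=443",
    "2025-04-30T10:01:04Z proxy GET http://1194.48.154.79/ 200",
    "2025-04-30T10:01:05Z vpn login user=alice src=198.51.100.7",
]


def run_demo():
    """Plant one constructed file, treat its SHA-256 as if it were an IOC, and return the sweep's hits."""
    with tempfile.TemporaryDirectory() as root:
        planted = Path(root) / "tools" / "any.ps1"  # file name from the advisory; contents are constructed
        planted.parent.mkdir()
        planted.write_bytes(b"# constructed stand-in, not the real script\n")
        (Path(root) / "README.txt").write_text("benign file\n")
        planted_sha256 = file_digests(planted)["sha256"]
        return scan_tree(root, IOC_HASHES | {planted_sha256})


if __name__ == "__main__":
    for path, algo, digest in run_demo():
        print(f"FILE HIT  {path}  {algo}={digest}")
    for n, ip, line in scan_log_lines(SAMPLE_LOG):
        print(f"LOG HIT   line {n}: {ip}  <- {line}")
```

In production the same two functions run over a mounted image or a host's filesystem and over exported firewall, proxy and VPN logs; the only changes are the root path and the log source. Hash matching is exact, so a recompiled or repacked copy of a tool will not hit; treat the hash list as a floor and pair it with the EDR and network monitoring the remediation list calls for.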