Unmasking ShadowSyndicate: The New Kids on the Cybercrime Block

In the ever-evolving realm of cyberspace, where hackers don the cloak of invisibility to dance around the law, a new troupe has emerged from the shadows. Meet ShadowSyndicate, the latest cybercrime group to hit the headlines, formerly known as Infra Storm. This band of digital marauders has allegedly been wielding a medley of seven different ransomware families over the past year, showcasing a level of collaboration that's akin to a sinister hacker consortium.

ShadowSyndicate isn't your run-of-the-mill, one-trick-pony kind of group. They've been playing the field with various ransomware groups and affiliates, orchestrating a symphony of cyber chaos that's as harmonious as it is destructive. Their debut was marked on July 16, 2022, and since then, they've been linked to a plethora of ransomware strains including Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play.

Now, let's delve a bit into the technical nitty-gritty. Our cyber sleuths have unearthed a distinct SSH fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d) sprawled across 85 servers, 52 of which have been serving as command-and-control (C2) hubs for Cobalt Strike, a notorious post-exploitation tool. Among these servers, eight different Cobalt Strike license keys were found, painting a picture of a well-orchestrated operation.
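A shared SSH host-key fingerprint like the one above is a cheap thing to check for in your own telemetry: the MD5 fingerprint is just the MD5 of the base64-decoded host-key blob that `ssh-keyscan` prints. The following is an added example (not code from the original article or from the researchers it cites) that sweeps constructed `ssh-keyscan` output for hosts whose host key matches a watchlist; the hosts and key blobs are made up, only the watchlist entry comes from the article.

```python
import base64
import hashlib

# MD5 host-key fingerprint reported in the article for the ShadowSyndicate servers.
WATCHLIST = {"1ca4cbac895fc3bd12417b77fc6ed31d"}

# Constructed sample of `ssh-keyscan` output (not real hosts). The blobs are
# truncated key prefixes that still base64-decode, which is all a fingerprint needs.
SAMPLE_KEYSCAN = [
    "# 198.51.100.7:22 SSH-2.0-OpenSSH_8.9",
    "198.51.100.7 ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB",
    "192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5",
]

def normalize_fp(fp):
    """Accept '1ca4...', '1c:a4:...' or 'MD5:1c:a4:...' and return bare lowercase hex."""
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    return fp.replace(":", "").lower()

def host_key_md5(b64_blob):
    """MD5 over the raw key blob, i.e. what `ssh-keygen -l -E md5` prints, minus colons."""
    return hashlib.md5(base64.b64decode(b64_blob)).hexdigest()

def parse_keyscan_line(line):
    """Return (host, keytype, blob) for a key line, or None for comment/blank/short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2]

def match_hosts(keyscan_lines, watchlist):
    """Hosts whose host-key fingerprint is on the watchlist, as (host, keytype, fp) tuples."""
    wanted = {normalize_fp(f) for f in watchlist}
    hits = []
    for line in keyscan_lines:
        parsed = parse_keyscan_line(line)
        if parsed is None:
            continue
        host, keytype, blob = parsed
        try:
            fp = host_key_md5(blob)
        except ValueError:  # malformed base64 (binascii.Error): skip, don't abort the sweep
            continue
        if fp in wanted:
            hits.append((host, keytype, fp))
    return hits

if __name__ == "__main__":
    for host, keytype, fp in match_hosts(SAMPLE_KEYSCAN, WATCHLIST):
        print(f"ALERT {host} {keytype} md5:{fp}")
```

Feed it the output of `ssh-keyscan` against hosts you are responsible for, or host keys recorded by your network sensors, and any hit is worth an incident ticket rather than a shrug.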

Geographically speaking, these servers are scattered like the pieces of a dark web puzzle, with 23 located in Panama, followed by Cyprus (11), Russia (9), Seychelles (8), Costa Rica (7), Czechia (7), Belize (6), Bulgaria (3), Honduras (3), and the Netherlands (3). It's a global game of hide-and-seek that ShadowSyndicate seems to be winning, for now.

The plot thickens as the investigators found infrastructural overlaps linking ShadowSyndicate to other infamous malware operations like TrickBot, Ryuk/Conti, FIN7, and TrueBot. It's like discovering that the usual suspects have been throwing secret soirées to plot their next moves.

Out of the 149 IP addresses linked to Cl0p ransomware affiliates, 12 IP addresses from 4 different clusters have changed ownership to ShadowSyndicate since August 2022. This suggests a potential sharing of infrastructure between these groups, akin to criminal enterprises leasing out their nefarious tools to fellow miscreants.

In a recent development, German law enforcement swung the hammer of justice, targeting actors associated with the DoppelPaymer ransomware group. A 44-year-old Ukrainian and a 45-year-old German national, alleged key players within the network, found themselves in the crosshairs of the law. The duo is accused of pocketing illicit proceeds from the ransomware attacks, a classic tale of digital Robin Hoods, sans the noble cause.

On the other side of the pond, the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory about a double extortion actor called Snatch (formerly Team Truniger). This group has been targeting a wide range of critical infrastructure sectors since mid-2021, employing a variety of methods to infiltrate and maintain persistence on victims' networks.

Snatch affiliates have a penchant for exploiting weaknesses in Remote Desktop Protocol (RDP) to brute-force their way into networks, gaining administrator credentials. In some instances, they've been seen scouring criminal forums and marketplaces for compromised credentials, like kids in a candy store.

The U.S. Department of Homeland Security (DHS) noted in its latest Homeland Threat Assessment report that ransomware groups are continuously honing their extortion methods. 2023 has been marked as the second most profitable year for these groups, following 2021. They've upped the ante by employing multilevel extortion tactics: encrypting and exfiltrating targets' data, threatening public release of stolen data, launching DDoS attacks, and harassing victims' customers to coerce payment. It's a smorgasbord of cyber terror that keeps on giving.

Akira ransomware is a case in point. Emerging as a Windows-based threat in March 2023, it has since expanded its reach to Linux servers and VMware ESXi virtual machines, showcasing a knack for adapting to trends. As of mid-September, Akira has successfully hit 110 victims in the U.S. and the U.K., a testament to its growing menace.

The resurgence of ransomware attacks has also triggered a spike in cyber insurance claims. In the first half of the year, claims frequency in the U.S. increased by 12%, with victims reporting an average loss amount of more than $365,000, a staggering 61% jump from the second half of 2022. It seems like the cost of doing business in the digital age just got a hefty price hike.

Businesses boasting more than $100 million in revenue saw the largest increase in claim frequency. While other revenue bands remained relatively stable, they too faced surges in claims, painting a grim picture for the state of cybersecurity. It's a rising tide that's lifting all boats, albeit in a storm of cyber calamity.

The threat landscape is in a constant state of flux, with ransomware families like BlackCat, Cl0p, and LockBit remaining some of the most prolific and evolutionary. They've primarily targeted small and large enterprises spanning banking, retail, and transportation sectors. The number of active RaaS (Ransomware as a Service) and RaaS-related groups has grown in 2023 by 11.3%, rising from 39 to 45. It's a booming market for digital doom.

A recent report from eSentire detailed two LockBit attacks where the e-crime group leveraged the victim companies' internet-exposed remote monitoring and management (RMM) tools to spread the ransomware across the IT environment. This reliance on living-off-the-land (LotL) techniques is an attempt to avoid detection and confuse attribution efforts by blending malicious and legitimate use of IT management tools. It's like wolves in sheep's clothing, lurking within the very tools designed to protect.

In another instance, a BlackCat attack saw the adversaries encrypting Microsoft Azure Storage accounts after gaining access to a customer's Azure portal. During the intrusion, the threat actors leveraged various RMM tools (AnyDesk, Splashtop, and Atera), and used Chrome to access the target's installed LastPass vault via the browser extension. They obtained the OTP for accessing the target's Sophos Central account, modified security policies, disabled Tamper Protection, and encrypted the customer's systems and remote Azure Storage accounts. It's a tale of digital burglary that would make even the most seasoned cat burglar blush.

The story of ShadowSyndicate is a stark reminder of the ever-present, ever-evolving threat that looms in the digital shadows. As cybersecurity professionals, it's our duty to shine a light on these dark corners, to unmask the faceless adversaries that lurk within. The battle against cybercrime is a never-ending saga, a game of cat and mouse that requires vigilance, resilience, and a dash of wit to stay one step ahead.

In conclusion, the tale of ShadowSyndicate is but a chapter in the larger narrative of cyber warfare. As we delve deeper into the abyss, let's not forget the lessons learned from each skirmish, for they are the stepping stones to forging a safer, more secure digital frontier.