Ignoble Scorpius Attack Highlights the danger of VPN Credential Compromise
Unit 42 recently assisted a prominent manufacturer who experienced a severe ransomware attack orchestrated by Ignoble Scorpius, the group that distributes BlackSuit ransomware. This incident serves as a reminder of how a seemingly minor issue – a single set of compromised VPN credentials – can lead to a full-scale corporate crisis with tremendous impact to the bottom line.
The Attack: A Combination of Reconnaissance and Ransomware
The Ignoble Scorpius attack began with a voice phishing (vishing) call. The attacker impersonated the company’s IT help desk and tricked an employee into entering their legitimate VPN credentials on a phishing site.
With these credentials, the threat actor gained initial network access and immediately escalated their privileges. They executed a DCSync attack on a domain controller to steal highly privileged credentials, including a key service account. Using these compromised credentials, they moved laterally across the network using RDP and SMB, employing tools like Advanced IP Scanner and SMBExec to map the network and identify high-value targets.
The attackers established persistence by deploying AnyDesk and a custom RAT on a domain controller, configured as a scheduled task to survive reboots. (It is vital to note that threat actors often abuse and take advantage of legitimate products like AnyDesk for malicious purposes. we are not implying that the legitimate product is flawed.)
The attackers then compromised a second domain controller, extracting the NTDS.dit database containing all user password hashes, and exfiltrated over 400 GB of data using a renamed rclone utility. To cover their tracks, the threat actors deployed CCleaner to erase forensic evidence before unleashing the final blow: BlackSuit ransomware, orchestrated through Ansible, concurrently encrypted hundreds of virtual machines across approximately 60
Related reading