Researchers at Sygnia have linked the Linux ransomware Cheerscrypt to a Chinese cyber espionage group the company tracks as Emperor Dragonfly.
“Emperor Dragonfly deployed open source tools that were written by Chinese developers for Chinese users,” the company said in a report. “This reinforces claims that the ‘Emperor Dragonfly’ ransomware operators are based in China.”
The same group is tracked by other vendors under different names, including Bronze Starlight (Secureworks) and DEV-0401 (Microsoft), and has been observed using a wide variety of ransomware families since 2021.
Secureworks observed an activity cluster deploying post-intrusion ransomware families including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0.
Earlier research indicated that many of the group's victims are organizations of interest to the Chinese government.
Cheerscrypt was first documented by Trend Micro in May 2022, which described its ability to encrypt VMware ESXi servers and its use of double extortion: the operators encrypt data and also threaten to publish exfiltrated data unless the ransom is paid.
Unlike most ransomware gangs, DEV-0401 does not rely on a network of affiliates; it directly manages every phase of the attack chain, from initial access through data exfiltration to ransomware deployment.
It has also claimed to be pro-Ukrainian, displaying a “Glory to Ukraine!” message on its dark web data leak site.
Like Secureworks, Microsoft has also observed the group switching frequently between ransomware payloads, including LockFile and LockBit 2.0.
Some Suggestions for Defending Against DEV-0401's Attacks
- Identify and patch critical vulnerabilities: If you run VMware Horizon, follow the VMware advisory and confirm that the installed version is patched against the Log4Shell vulnerability (CVE-2021-44228), which was the initial access vector in these intrusions. More generally, run vulnerability scans frequently and remediate findings quickly, with particular attention to internet-facing systems. External Attack Surface Management (EASM) tools, or even traditional vulnerability and port scanners, can be used to identify publicly exposed vulnerable interfaces.
- Limit outbound internet access from servers: A default-deny egress policy would have blocked communication with the threat actor's C&C server and with the cloud storage services used for exfiltration (Alibaba Cloud, Mega), disrupting both persistence and data theft. Allow outbound connectivity only to specific destinations (FQDNs or IP addresses), on a strict need-to-have basis.
- Protect the virtualization platform: Ransomware attacks targeting virtualization platforms are a growing trend, because encrypting a single ESXi host takes every VM on it down at once. Key controls for VMware against this threat are allowing traffic to vCenter and ESXi hosts only from protected bastion hosts, enabling strict lockdown mode, and enabling the 'execInstalledOnly' boot option so that the hypervisor executes only binaries that were installed as part of a VIB. In addition, ensure virtual machines are backed up securely and off the host: VM snapshots are not backups; they are stored in the same datastore folder as the VM's disks, so an attacker who encrypts the VM files encrypts the snapshots with them.
- Limit lateral movement through the network: Threat actors routinely abuse common management ports to move between hosts, and Emperor Dragonfly is no different, using Impacket-style tools such as SMBExec and WMIExec. Restricting traffic on these ports (SMB 445, RPC 135, WinRM 5985-5986, RDP 3389, SSH 22) so that only designated administration hosts can reach them may be cumbersome in complex networks, but it brings immense value. This can be achieved with host-based firewalls, proper network segmentation, or modern microsegmentation technologies.
- Protect privileged accounts: Minimize the risk of privilege escalation by hardening the Active Directory environment, applying the principle of least privilege and the AD administrative tier model, enforcing robust credential and password hygiene, and considering Privileged Identity and Access Management solutions. While these measures are by no means unique to Emperor Dragonfly TTPs, compromising privileged accounts and using them to move laterally and execute the ransomware was observed in the described incidents as well.
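The three network controls above (default-deny egress from servers, vCenter and ESXi reachable only from bastion hosts, and management ports reachable only from designated administration hosts) can be audited against flow records before they are enforced, to find the connections a firewall policy would break or that a detection rule should alert on. The following is an added example written for this page, not code from the article or from Sygnia; the address ranges, bastion hosts, vSphere hosts, egress allowlist and the Zeek conn.log-style records are constructed for illustration and must be replaced with your own environment's values.

```python
"""Audit flow records against the egress, vSphere-access and management-port
policies recommended above. Added example; all policy values and sample
records below are constructed, not taken from a real environment."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Iterator

# ---- Policy (constructed values; substitute your own) -----------------------
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
SERVER_NETS = [ip_network("10.10.0.0/16")]          # servers subject to egress deny
BASTIONS = {ip_address("10.20.0.5"), ip_address("10.20.0.6")}
VSPHERE_HOSTS = {ip_address("10.10.5.10"),           # vCenter (hypothetical)
                 ip_address("10.10.5.11"), ip_address("10.10.5.12")}  # ESXi hosts
# Egress allowlist on a need-to-have basis: (destination network, port)
EGRESS_ALLOW = [(ip_network("203.0.113.0/28"), 443),   # e.g. an update mirror
                (ip_network("198.51.100.53/32"), 53)]  # e.g. an upstream resolver
# Management ports abused by SMBExec/WMIExec-style tooling and remote shells
MGMT_PORTS = {22: "SSH", 135: "RPC", 445: "SMB", 3389: "RDP",
              5985: "WinRM", 5986: "WinRM"}


@dataclass(frozen=True)
class Flow:
    uid: str
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str


def parse_flows(text: str) -> Iterator[Flow]:
    """Parse Zeek conn.log-style rows (whitespace-separated):
    ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto"""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, uid, orig_h, _orig_p, resp_h, resp_p, proto = line.split()[:7]
        yield Flow(uid, ip_address(orig_h), ip_address(resp_h), int(resp_p), proto)


def in_any(ip: IPv4Address, nets) -> bool:
    return any(ip in net for net in nets)


def check_flow(flow: Flow) -> str | None:
    """Return a violation label, or None if the flow is allowed by policy."""
    # 1. Servers may only reach explicitly allowed external destinations.
    if in_any(flow.src, SERVER_NETS) and not in_any(flow.dst, INTERNAL_NETS):
        if not any(flow.dst in net and flow.dport == port
                   for net, port in EGRESS_ALLOW):
            return "egress-denied"
    # 2. vCenter and ESXi accept traffic only from bastions (and each other).
    if (flow.dst in VSPHERE_HOSTS and flow.src not in BASTIONS
            and flow.src not in VSPHERE_HOSTS):
        return "vsphere-from-non-bastion"
    # 3. Management ports on internal hosts are reachable only from bastions.
    if (in_any(flow.dst, INTERNAL_NETS) and flow.dport in MGMT_PORTS
            and flow.src not in BASTIONS):
        return f"lateral-{MGMT_PORTS[flow.dport].lower()}"
    return None


def audit_flows(text: str) -> dict[str, str]:
    """Map flow uid -> violation label for every flow that breaks policy."""
    findings: dict[str, str] = {}
    for flow in parse_flows(text):
        verdict = check_flow(flow)
        if verdict:
            findings[flow.uid] = verdict
    return findings


# Constructed sample records (not real traffic).
SAMPLE_LOG = """\
1664000000.1 C1 10.20.0.5  51000 10.10.7.20    445 tcp
1664000001.2 C2 10.10.7.20 51001 10.10.7.21    445 tcp
1664000002.3 C3 10.10.7.20 51002 10.10.5.10    443 tcp
1664000003.4 C4 10.10.7.21 51003 203.0.113.9   443 tcp
1664000004.5 C5 10.10.7.21 51004 203.0.113.200 443 tcp
1664000005.6 C6 10.20.0.6  51005 10.10.5.11     22 tcp
1664000006.7 C7 10.10.7.22 51006 198.51.100.53  53 udp
"""

if __name__ == "__main__":
    for uid, verdict in audit_flows(SAMPLE_LOG).items():
        print(uid, verdict)
```

Run against the sample, the audit flags C2 (server-to-server SMB, the SMBExec pattern), C3 (a server talking to vCenter rather than a bastion) and C5 (a server reaching an external host that is not on the egress allowlist, the exfiltration pattern), while the bastion-originated SMB and SSH sessions and the allowlisted egress pass. The same rule set, expressed as firewall or microsegmentation policy, is what turns these findings into blocks.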