# How a Brute Force Attack Unmasked a Ransomware Infrastructure Network

As cybersecurity professionals, we've all seen our fair share of brute-force alerts on exposed Remote Desktop Protocol (RDP) servers. For the Huntress Tactical Response Team, one such alert turned into something much more significant - a doorway to a ransomware-as-a-service ecosystem and its initial access brokers.

In this post, we'll walk through how a noisy brute-force campaign became our investigation into a complex web of geo-distributed infrastructure and shady VPN services. We've discussed the dangers of exposing RDP servers to the internet in previous webinars, blogs, and social media posts, but often businesses have no choice but to do so for various reasons.

## A Brute Force Attack Unleashes Chaos

On March 18, our Security Operations Center (SOC) received an alert for domain enumeration on one of our clients' RDP servers. We got to work investigating the Windows event logs for the affected hosts and discovered that the RDP service was being brute-forced. Although brute forcing is considered a "bread-and-butter" attack technique, investigating brute force attacks can get tricky for various reasons, such as the flood of recorded login attempts overwriting other security-relevant telemetry.

In this case, however, we were fortunate to have the relevant telemetry available, and we discovered a successful brute-force attack. Although multiple accounts were targeted, only one was successfully compromised. Using this compromised account as a pivot point, we discovered that it had been compromised from multiple IP addresses - a dynamic that is somewhat atypical for what we would expect to see in most intrusions.
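The triage described above, as an added example that is not part of the original post: it runs over constructed Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 = RemoteInteractive/RDP) to flag brute-forcing source IPs, accounts whose success follows a run of failures, and accounts that were then used from more than one IP. All events, account names and IPs are constructed.

```python
"""Triage constructed Windows Security logon events for RDP brute forcing."""
from collections import Counter, defaultdict

# Constructed sample events (not from the incident): (EventID, account, source IP, logon type).
EVENTS = (
    [(4625, u, "203.0.113.5", 10) for u in ["jsmith", "admin", "svc_backup"] * 4]  # 12 failures, 3 accounts
    + [(4625, "jsmith", "198.51.100.9", 10)] * 4                                   # second source, low volume
    + [(4624, "jsmith", "203.0.113.5", 10),                                        # guess succeeds
       (4624, "jsmith", "198.51.100.9", 10),                                       # same account, second IP
       (4624, "hr_user", "192.0.2.10", 10)]                                        # normal RDP logon, no failures
)


def triage(events, threshold=5):
    """Flag brute-forcing sources and RDP accounts whose success follows >= threshold failures."""
    fails_by_ip = Counter()
    fails_by_user = Counter()
    success_ips = defaultdict(set)
    for event_id, user, ip, logon_type in events:
        if logon_type != 10:          # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4625:
            fails_by_ip[ip] += 1
            fails_by_user[user] += 1
        elif event_id == 4624 and fails_by_user[user] >= threshold:
            success_ips[user].add(ip)  # success after a run of failures: likely guessed
    return {
        "brute_force_ips": sorted(ip for ip, n in fails_by_ip.items() if n >= threshold),
        "compromised": {u: sorted(ips) for u, ips in success_ips.items()},
        # accounts later used from several IPs, the atypical dynamic seen in this case
        "multi_ip_accounts": sorted(u for u, ips in success_ips.items() if len(ips) > 1),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```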

## Enumerating the Network

Once the threat actor gained access to the victim network through the RDP server, they proceeded to enumerate the domain, including various groups and domain configurations. When these enumeration signals were investigated by the SOC and determined to be malicious, network-wide isolation was issued to prevent further lateral movement within the network.

However, what followed was a twist on the threat actor activity patterns we normally observe. Typically, credential access in such scenarios consists of extracting credentials from the Windows LSASS process with tooling like ProcDump or Mimikatz, or dumping them from the registry with something like Secretsdump. In this intrusion, however, we observed a departure from that pattern: the threat actor went after browser cookies as well.

## A Hypothesis on Credential Access

Our hypothesis here is that most threat actors follow a playbook of certain techniques, with commands and tooling differing little from environment to environment. Passwords in files, however, can be found in many places on the network and may require manual testing to verify whether they grant access to a targeted resource.

In this case, the threat actor chose a manual approach, using Notepad to open text files that ostensibly contained credential material. This uncharacteristic tradecraft prompted us to investigate further, and upon examining the jump list artifacts from the affected host, we noticed even more threat actor activity linked to credentials in files.

## A Network of Geo-Distributed Infrastructure

An initial look at the offending IP addresses produced hits in Maltrail indicating that the IP in question was associated with Hive ransomware. Other reporting from CISA also links this IP address to BlackSuit. With this information in hand, we pivoted from this data point and looked for any interesting domain names.

When examining the TLS certificates associated with the brute-forcing IP address, we discovered an interesting domain name: specialsseason[.]com. Pivoting on the TLS certificate's fingerprint revealed surprising results, and we found multiple related IP addresses and domain names: NL-.specialsseason[.]com.

## A Geographically Distributed Network

Upon reviewing the IP addresses and their associated domain names, a pattern emerged - each of the IPs resolved to a hostname following the same naming convention. This reveals a fairly robust, geographically distributed network; also interesting to note is the presence of multiple "Ru" / Russian country codes as well as multiple US country codes. Many of the IP addresses associated with these country codes also exposed listening services on various ports.

## An Examination of TLS Certificates

An examination of the TLS certificates of these IPs presented an opportunity for a further pivot, revealing yet another malicious domain name: 1vpns[.]com. Interestingly, this domain name closely mimics that of a legitimate VPN site, https[:]//1vpn[.]org/, which lacks the extra "s" after "1vpn". Some domain names are random and mean nothing, but here we do not believe that to be the case.
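The multi-hop pivot described in the last three sections (IP to certificate fingerprint, fingerprint to the other IPs and hostnames presenting it, then those IPs' other certificates to a further domain), as an added example that is not part of the original post. The observations, fingerprints, `.invalid` domains and the `<cc>-<n>.<domain>` hostname scheme it tallies country codes from are all constructed assumptions, not the incident's data.

```python
"""Pivot from one IP through shared TLS certificate fingerprints to related infrastructure."""
import re
from collections import Counter, defaultdict

# Constructed observations (not the incident's data): (IP, certificate fingerprint, hostname on the cert).
# The "<cc>-<n>.<domain>" naming scheme, fingerprints and .invalid domains are assumed for illustration.
OBSERVATIONS = [
    ("192.0.2.10", "fp-aaaa", "nl-1.example-infra.invalid"),          # seed: the brute-forcing IP
    ("192.0.2.11", "fp-aaaa", "ru-1.example-infra.invalid"),
    ("192.0.2.12", "fp-aaaa", "us-1.example-infra.invalid"),
    ("192.0.2.13", "fp-aaaa", "ru-2.example-infra.invalid"),
    ("192.0.2.13", "fp-dddd", "vpn-portal.second-domain.invalid"),    # second cert on the same host
    ("192.0.2.20", "fp-dddd", "vpn-portal.second-domain.invalid"),    # reached only via that second cert
    ("192.0.2.14", "fp-bbbb", "mail.unrelated.invalid"),              # shares nothing with the cluster
    ("192.0.2.15", "fp-cccc", "us-2.example-infra.invalid"),          # same naming scheme, no shared cert
]


def expand(observations, seed_ip, max_hops=3):
    """Breadth-first pivot IP -> fingerprint -> IPs/hosts presenting it; records the hop each appeared at."""
    fps_by_ip, hosts_by_fp = defaultdict(set), defaultdict(set)
    for ip, fp, host in observations:
        fps_by_ip[ip].add(fp)
        hosts_by_fp[fp].add((ip, host))
    ip_hop = {seed_ip: 0}
    host_hop = {host: 0 for ip, _, host in observations if ip == seed_ip}
    frontier = [seed_ip]
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for ip in frontier:
            for fp in fps_by_ip[ip]:
                for related_ip, host in hosts_by_fp[fp]:
                    host_hop.setdefault(host, hop)
                    if related_ip not in ip_hop:
                        ip_hop[related_ip] = hop
                        next_frontier.append(related_ip)
        frontier = next_frontier
    return ip_hop, host_hop


def country_prefixes(hosts):
    """Tally the two-letter prefix of hostnames following the assumed cc-n naming convention."""
    return Counter(m.group(1) for h in hosts if (m := re.match(r"^([a-z]{2})-\d+\.", h)))


if __name__ == "__main__":
    ips, hosts = expand(OBSERVATIONS, "192.0.2.10")
    print("IPs by hop:", ips)
    print("hosts by hop:", hosts)
    print("country codes:", dict(country_prefixes(hosts)))
```

Hosts that merely share the naming scheme but no certificate (the `us-2` entry) are deliberately not reached, which is the check that separates evidence-based pivots from name-based guessing.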

The term "special season," also referred to as "big game hunting," has been a common phrase used to describe financially motivated threat groups, typically ransomware operators targeting high-value and/or high-impact organizations. Two public threat reports link the use of this VPN service to two separate ransomware groups.

## A Vulnerability in Ransomware Infrastructure

An additional service, 1jabber[.]com, was advertised alongside a list of "funny" domains, notably nologs[.]club; the VPN service's FAQ also mentions keeping zero logs, which would make it an ideal service for any cybercriminal. This case demonstrates how these nefarious actors operate and provides insight into their motivations as well as the kinds of elements that make up their ecosystem.

## A Clear Motivation to Gather Credentials

A clear motivation to gather as much credential material as possible is evident in this case. It also demonstrates the need to sometimes "zoom out" from traditional incident response: here, a "simple" brute force unraveled an entire ecosystem and infrastructure for ransomware operators.

## Conclusion

In conclusion, what started out as a simple brute-force attack turned out to be a doorway to a complex web of geo-distributed infrastructure and shady VPN services. This case highlights the importance of going beyond traditional incident response and taking a more holistic approach to understanding the motivations and tradecraft of threat actors. By analyzing the signals received for intrusions, cybersecurity professionals can gain valuable insights into the behavior and objectives of these threat actors and improve their defensive posture.

At Huntress Labs, we are always looking to "SOC and Awe" and are constantly pulling on every and any investigative thread that we can get our fingers on. We provide real-time intelligence and technical education specifically designed for those responsible for safeguarding their organization's environment.