Spacecolon toolset spreads ransomware worldwide by CosmicBeetle group

The ransomware operators tracked as CosmicBeetle were observed leveraging the Spacecolon toolset to distribute Scarab ransomware all over the world.

In a blog post Aug. 22, ESET researchers said they tracked the origins of Spacecolon back to at least May 2020 and continue to see new campaigns, with the latest build compiled in May of this year. The Scarab ransomware dates back to June 2017.

While the researchers have not found any one pattern in terms of the threat actor’s focus, ESET researchers observed Spacecolon at the following sites: a hospital and a tourist resort in Thailand, an insurance company in Israel, a local governmental institution in Poland, an entertainment provider in Brazil, an environmental company in Turkey, and a school in Mexico.

“Ransomware groups previously focused on specific geographies or sectors, capitalizing on regional vulnerabilities,” said Ani Chaudhuri, chief executive officer at Dasera. “CosmicBeetle's widespread range, affecting entities from hospitals in Thailand to schools in Mexico, signals a shift to a more opportunistic approach, where everyone is potentially a target. Given the indiscriminate nature of these attacks, it’s not a matter of if, but when a U.S. company will fall victim.”

The ESET researchers said Spacecolon “probably” finds its way into victim organizations by its operators compromising vulnerable web servers or via brute-forcing RDP [remote desktop protocol] credentials. Several Spacecolon builds contain Turkish strings, so the ESET researchers suspect a Turkish-speaking developer.

ESET’s researchers also said they observed an entirely new ransomware family being developed, with samples uploaded to VirusTotal from Turkey. They believe with high confidence that it’s written by the same developer as Spacecolon, therefore they refer to it as ScRansom.

This attribution is based on similar Turkish strings in the code, usage of the IPWorks library, and the overall GUI similarity. ScRansom attempts to encrypt all hard, removable and remote drives using the AES-128 algorithm with a key generated from a hardcoded string. The ESET researchers have not observed ScRansom being deployed in the wild at the time of writing and they believe it’s still in the development stage.

“ScRansom's discovery in the development phase indicates proactive detection by cybersecurity researchers,” said Dasera’s Chaudhuri. “However, its emergence also underlines a pivotal concern: threat actors are continually innovating, and our defenses must keep pace. While one might be quick to jump to geopolitical conclusions based on the Turkish strings in the code, it’s crucial to approach attribution with caution. Cyber mercenaries, developers for hire, and false flags are common. A Turkish-speaking developer does not necessarily imply a Turkish origin for the attacks.”

Take down publicly exposed RDP systems

Spacecolon’s methods of targeting web servers and publicly exposed RDP systems wouldn’t be possible if those systems were not directly exposed to the internet, said John A. Smith, chief executive officer at Conversant Group. In light of breach activity over the past seven years, and public education efforts regarding RDP during the COVID-19 pandemic, Smith said no company should have RDP publicly exposed.

“Further, the breach capabilities of publicly exposed web servers can often largely be mitigated by keeping them patched,” Smith said. “In both cases, threat actor activities could be detected and lateral movement limited or prevented if these same organizations had implemented SOC services and lateral movement defenses through the application of MFA on administrative functions.”

Timothy Morris, chief security advisor at Tanium, added that most of the victims appeared to run unpatched servers. Morris said many of the vulnerabilities involved are older CVEs, and that the victims are using RDP, which security researchers affectionately refer to as the “Ransomware Deployment Protocol.”

“Those attacks are brute force,” said Morris. “Using robust MFA, turning off RDP, or configuring the network, such as Admin CAN, so that it isn't exposed to the internet are all ways to thwart attacks against RDP. The report also does suggest that exploitation of FortiOS vulnerabilities is another attack vector. Organizations need to be sure to patch the FortiOS vulnerabilities as there have been several in the last few months.”
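The brute-force RDP access described above leaves a characteristic trail in the Windows Security log: bursts of failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive) from one source. The following is an added example, not code from the article or from ESET, that flags such bursts; it assumes the events have already been flattened to a simple CSV form, and the log records below are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, flattened to CSV:
# timestamp, EventID, LogonType, TargetUserName, IpAddress.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2023-08-22T09:00:01,4625,10,administrator,203.0.113.7
2023-08-22T09:00:03,4625,10,admin,203.0.113.7
2023-08-22T09:00:05,4625,10,backup,203.0.113.7
2023-08-22T09:00:07,4625,10,sysadmin,203.0.113.7
2023-08-22T09:00:09,4625,10,rdpuser,203.0.113.7
2023-08-22T09:00:11,4625,10,administrator,203.0.113.7
2023-08-22T09:15:00,4625,10,jdoe,198.51.100.4
2023-08-22T09:16:00,4625,2,jdoe,198.51.100.4
2023-08-22T09:20:00,4624,10,jdoe,198.51.100.4
"""


def parse_events(text):
    """Parse the flattened records into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "user": user, "src": src})
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: (max failed RDP logons seen inside any `window`, sorted users tried)}
    for every source that reaches `threshold`; a lone typo by a real user is ignored."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            failures[e["src"]].append(e)
    alerts = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):  # sliding window over this source's failures
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(src, (0,))[0]:
                users = sorted({e["user"] for e in evs[start:end + 1]})
                alerts[src] = (count, users)
    return alerts
```

The many distinct user names tried from a single source within seconds are the tell; a successful 4624/LogonType 10 from a source that was just flagged is the event worth escalating.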
