Summary:
Sophos uncovered details on a new ransomware operation dubbed Mad Liberator, which uses social engineering to obtain access to victim environments, targeting users who use remote access tools installed on endpoints and servers. Since initiating operations in mid-July, 2024. Mad Liberator has been observed targeting users of Anydesk, a popular software used by IT teams to manage their environments, particularly when working with remote users and devices. "Anydesk works by allocating a unique ID, in this a case a ten-digit address, to each device it is installed on. Once the application is installed on a device, a user can either request to access a remote device to take control by entering the ID, or a user can invite another user to take control of their device via a remote session," note researchers at Sophos.

The exact method of how Mad Liberator is targeting Anydesk IDs is unclear at this time. However, it is possible for the actors to cycle through potential addresses until someone accepts a connection request. In this case, if the user accepts the incoming connection, Mad Liberator will proceed to drop a binary masquerading as a Microsoft Windows Update on the victim's system. This binary is designed to display a fake Windows Update splash screen, which is animated, making it seem as if the system is actually updating. The purpose of the splash screen is to distract the victim so that the actors can carry out their malicious operations. While Mad Liberator notes on its data leak site that it uses AES/RSA algorithms to encrypt files, this gang's main priority seems to be data extortion. In the latest campaigns spotted by Sophos, researchers state that Mad Liberator did not perform any data encryption. Rather the group has been focused on using Anydesk's File Transfer tool to steal data from OneDrive accounts, network shares, and the local storage.

Security Officer Comments:
Sophos has not seen any interactions between Mad Liberator and the victim prior to an Anydesk connection request being made. Nor has it logged phishing attempts supporting the attack. In one of the incidents handled by Sophos' IR team, the victim was aware that Anydesk was used by their company's IT department. As such, the victim assumed the incoming connection request was just a usual instance of the IT department performing maintenance, and proceed to click 'Accept.' While carrying out the data exfiltration activities, the actors utilized a feature within Anydesk to disable input from the user's keyboard and mouse. As such this would prevent the victim from exiting the program via the "Esc" key and interrupting the exfiltration process.

Suggested Corrections:
The latest attacks from Mad Liberator highlight the importance for organizations to update and train staff on the emerging threats and trends. For organizations where remote access software is used, there should be clear policies regarding how IT departments will contact and arrange remote sessions. In general, to mitigate these types of attacks, administrators should also implement Anydesk Access control lists to only allow connections from specific devices.

Link(s):
https://www.bleepingcomputer.com/ne...ake-windows-update-screen-to-hide-data-theft/
https://news.sophos.com/en-us/2024/08/13/dont-get-mad-get-wise/