Navigating Through The Fog

Summary:
In December 2024, an open directory (hosted at 194.48.154.79:80) was identified by The DFIR Report's Threat Intel Group, likely associated with an operator of the Fog ransomware group, which emerged in mid-2024. The exposed directory contained a significant arsenal of tools designed for reconnaissance, exploitation, credential theft, and command-and-control activities. These included the SonicWall Scanner for targeting VPN credentials, DonPAPI for extracting Windows DPAPI-protected credentials, Certipy for exploiting Active Directory Certificate Services (AD CS), Zer0dump, and Pachine/noPac for leveraging Active Directory vulnerabilities such as CVE-2020-1472.

The affiliate also used AnyDesk for persistence, installed through an automated PowerShell script, and hosted Sliver C2 components for managing implants. Proxychains and Powercat were also present, tools suited to covert lateral movement and reverse shells. Victim data found within the directory revealed a diverse range of targeted industries, including technology, education, and logistics, with a geographical spread covering Italy, Greece, Brazil, and the USA. The DFIR Report assesses with moderate confidence that the directory is associated with Fog ransomware, based on the overlap between the victim data and Fog's leak site as well as VirusTotal community notes.

Security Officer Comments:
The discovery of this open directory gives defenders valuable insight into the TTPs of a possible Fog ransomware operator (assessed with moderate confidence). The diverse toolkit indicates a capable attacker able to exploit several initial access paths and maintain a persistent presence within compromised networks. The focus on VPN credential exploitation (SonicWall Scanner) for initial access highlights the need for robust VPN security measures. The inclusion of tools for credential theft (DonPAPI) and Active Directory exploitation (Certipy, Zer0dump, Pachine/noPac) underscores the affiliate's ability to escalate privileges and move laterally within a victim's environment. The use of AnyDesk for persistence, automated through a PowerShell script, demonstrates an effort to maintain long-term access. The broad range of targeted industries and geographic locations suggests a widespread, opportunistic approach to target selection. The DFIR Report's moderate-confidence assessment, based on victim data correlation and VirusTotal information, warrants further investigation and proactive monitoring based on the Fog ransomware TTPs documented in reports from Arctic Wolf, SentinelOne and, more recently, Trend Micro, as well as in this report.

Suggested Corrections:
Back up your data, system images, and configurations, regularly test the backups, and keep them offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because, if your network data is encrypted by ransomware, your organization can still restore systems from them.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Implement multi-factor authentication (MFA): External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. Implementing MFA enhances security and adds an extra layer of protection.

Link(s):
https://thedfirreport.com/2025/04/28/navigating-through-the-fog/