An analysis of the operations of Hunters International, the ransomware-as-a-service platform that has been used to compromise more than 200 organizations, conducted by Forescout Technologies reveals the cybercriminal syndicate that created it is employing a wide range of new and old tactics and techniques.
Because the Hunters International platform was developed in the Rust programming language, it is difficult for many cybersecurity platforms to detect. Making matters more challenging still, after gaining initial access the syndicate uses tools to gather system credentials and take control of domains, and it employs Plink, Impacket and flaws in the remote desktop protocol (RDP) and the AnyDesk and TeamViewer platforms to spread malware laterally across a distributed computing environment.
The Forescout report specifically examines how cybercriminals were able to access an Oracle WebLogic server via the debug port 8453, which allowed them to execute commands through a java.exe process that they used to install a China Chopper web shell and gain wider access to the platform.
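As an added illustration that is not part of the Forescout report, the following detection logic looks for the behaviour described above from the defender's side: a WebLogic java.exe process spawning an OS shell or recon binary, which is how a web shell such as China Chopper typically executes its commands. Field names mirror Sysmon Event ID 1, but the events, hosts and user names are constructed for the example.

```python
"""Detect web-shell-like command execution from a WebLogic JVM.

A web shell runs its commands as child processes of the web server's worker,
so a WebLogic java.exe launching cmd.exe or powershell.exe is a high-signal
pattern. The events below are constructed sample data, not real telemetry.
"""

SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "net.exe"}

# Constructed sample events (hypothetical paths and users).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Java\jdk\bin\java.exe",
     "ParentCommandLine": "java -Dweblogic.Name=AdminServer weblogic.Server",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": "SVC-WEBLOGIC"},
    {"ParentImage": r"C:\Java\jdk\bin\java.exe",
     "ParentCommandLine": "java -Dweblogic.Name=AdminServer weblogic.Server",
     "Image": r"C:\Java\jdk\bin\java.exe",
     "CommandLine": "java -version", "User": "SVC-WEBLOGIC"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "User": "alice"},
    {"ParentImage": r"C:\Java\jdk\bin\java.exe",
     "ParentCommandLine": "java -Dweblogic.Name=ms1 weblogic.Server",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c Get-Process", "User": "SVC-WEBLOGIC"},
]


def basename(path):
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_weblogic_jvm(event):
    """True when the parent is java.exe running the WebLogic server class."""
    return (basename(event["ParentImage"]) == "java.exe"
            and "weblogic" in event["ParentCommandLine"].lower())


def find_suspicious_spawns(events):
    """Return events where a WebLogic JVM launched an OS shell or recon tool."""
    return [e for e in events
            if is_weblogic_jvm(e) and basename(e["Image"]) in SHELL_IMAGES]


if __name__ == "__main__":
    for hit in find_suspicious_spawns(SAMPLE_EVENTS):
        print(f"ALERT user={hit['User']} parent=java.exe(WebLogic) child={hit['CommandLine']}")
```

On the constructed events the rule fires twice (the cmd.exe and powershell.exe children) and ignores both the JVM's own java.exe child and an interactive cmd.exe launched from explorer.exe.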
Hunters International emerged in 2023 as a ransomware-as-a-service platform that both encrypts and exfiltrates data. Since then, cyberattacks against the U.S. Marshals Service and the Insurance Corporation of British Columbia have been attributed to this syndicate.
Sai Molige, senior manager for threat hunting at Vedere Labs, the research arm of Forescout, said it’s clear from the level of investment being made that the cybercriminals who developed this ransomware-as-a-service platform have major ambitions. Forescout expects Hunters International to become as much of a threat as Hive, DarkSide, REvil, Dharma and LockBit have been in the past, Molige added.
It’s not clear to what degree international cooperation will be able to thwart the operations of ransomware-as-a-service syndicates. Every time one is disrupted, there appears to be another ready to fill the void left behind. The primary challenge is that these syndicates have become very adept at recruiting affiliates who isolate the core operators from the actual extortion attempts.
Worse yet, with advances in artificial intelligence (AI) it will become easier for cybercriminal syndicates to exploit previously unknown zero-day vulnerabilities. Hopefully, many of those same advances will enable organizations to discover and remediate vulnerabilities before they are exploited.
In the meantime, cybersecurity teams should review the platforms they have in place to ensure they are capable of identifying new types of threats created using modern programming languages such as Rust. Much as with any software development team, the tools that cybercriminals employ to create malware are evolving. Like it or not, cybersecurity teams need to evolve the tactics and techniques they rely on to discover threats that are only going to increase in both volume and sophistication.
Ultimately, it’s not so much a question of whether an organization will be compromised as much as how quickly it can respond to limit the potential blast radius of a breach. The challenge, as always, is that as the overall size of the attack surface that needs to be defended continues to expand, so too does the amount of valuable data worth stealing.

