Navigating Through The Fog
Essential information
- Published
- 28/04/2025 04:42
- Modified
- 28/04/2025 08:50
- Tags
- 2025-04-28 CVE-2020-1472 CVE-2021-42278 CVE-2021-42287 active directory anydesk credential-theft fog ransomware lateral movement persistence ransomware sliver sonicwall vpn
- Related entities
- 3 vulnerabilities (cve), 1 observables, 1 intrusion sets (apt), 1 techniques (mitre), 2 malware, 8 others
Description
An open directory linked to a Fog ransomware affiliate was discovered, containing tools for reconnaissance, exploitation, lateral movement, and persistence. Initial access was gained through compromised SonicWall VPN credentials, while other tools facilitated credential theft and exploitation of Active Directory vulnerabilities. Persistence was maintained via AnyDesk, automated by a PowerShell script. Sliver C2 executables were used for command-and-control operations. The victims spanned multiple industries across Europe, North America, and South America, highlighting the affiliate's broad targeting scope. The toolkit included SonicWall Scanner, DonPAPI, Certipy, Zer0dump, and Pachine/noPac for various attack stages.