
A cyber attack gang has been active recently, and more than 20 companies in China have been hit

From November 28 to December 8, 2023, Mallox, an overseas advanced ransomware gang, is suspected of having exploited vulnerabilities in an OA (office automation) management system, an approval management system and a resource management system to attack more than 20 enterprises and departments in China. After implanting a backdoor into the compromised system, the gang attempted to move through the intranet to steal data, and several targets have already had their data encrypted and been held to ransom.

The so-called "intranet traverse" (lateral movement) refers to the following: after an attacker gains control of one machine on the intranet, he uses that compromised host as a springboard to reach other machines in the intranet domain, and repeats the cycle until he controls the entire intranet.


Peng Chuanyue, a SOC threat hunting expert at China Telecom Group Co., Ltd. and a researcher at the Waterdrop Lab of China Telecom Security Corporation, told the Yicai (China Business News) reporter that a study of the Mallox ransomware gang found that the gang first screens for potentially high-value "paymaster" enterprises, then breaks through the enterprise's Internet entry point and enters its internal network. The gang usually steals data first and then encrypts it for ransom; if the ransom is not paid, it sells the data on illegal platforms and extorts the victim a second time.

According to Waterdrop Lab's statistics, in the attacks from November 28 to December 8 the Mallox ransomware gang successfully implanted backdoors into the networks of 25 Chinese companies and departments, and prioritized lateral attacks within the intranets of data centers and high-tech networks. The reporter found that the victim enterprises mainly fall into fields that tend to generate high-value data, such as energy, high technology, data centers, finance and biopharmaceuticals, and that geographically they are concentrated in Guangdong, Anhui, Jiangsu and Shandong, with Guangdong enterprises the most affected.


"The Mallox ransomware gang is aimed at data theft and ransom. The eastern coastal provinces are relatively economically developed, and Guangdong Province is one of the 'bridgeheads' for the development of science and technology and the digital economy, so it has naturally become the focus of the extortion gang," Peng Chuanyue analyzed.

The Waterdrop Lab study also found that the threat from the Mallox gang peaked on December 3 during this round of attacks. Attack activity is concentrated between 9 a.m. and 6 p.m. each day, while the data encryption runs in the early morning hours, which makes it difficult for O&M personnel to notice anomalies immediately and respond in time.


"There are several consequences for a company that has been hit. First, the company's core secrets and business or R&D data are stolen and sold overseas, which causes unpredictable losses for the company. Second, the enterprise's office and production environments may be irreversibly damaged, which has a great impact on its normal operation. Some attacked companies even go back to the era of handwriting, and in the end such attacks often tend to produce a public opinion effect," Peng Chuanyue told reporters.

The reporter learned that Mallox (also known as TargetCompany, FARGO and Tohnichi) was originally the name of a ransomware targeting Windows systems, but the name is now commonly used for the criminal group that deploys it. The group has been active since it appeared in June 2021 and is known for exploiting insecure MS-SQL servers to break into victims' networks. Earlier indications suggested the group was expanding its operations and recruiting members on hacking forums.
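The article names insecure MS-SQL servers as Mallox's usual way in; in public reporting on this gang that typically means Internet-exposed SQL Server instances with guessable passwords. As an added example (not code from the article, Waterdrop Lab or China Telecom), the Python below runs a sliding-window detector over SQL Server ERRORLOG "Login failed for user" lines, the stock message format, and flags a client that piles up failures and then logs in successfully. The IP addresses, usernames, timestamps and thresholds are constructed for the demo; successful-login lines only appear in ERRORLOG if the instance's login auditing is set to record both failed and successful logins.

```python
"""Flag MSSQL password-guessing bursts in SQL Server ERRORLOG lines.

Added example; not from the article or Waterdrop Lab. The log format is
the stock SQL Server ERRORLOG 'Login failed for user' message; the client
IPs, users and timestamps below are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the ERRORLOG logon line. 'Login succeeded' lines only appear when
# login auditing is set to "Both failed and successful logins".
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]\s*$"
)


def parse_logon(line):
    """Return (timestamp, outcome, user, client) or None for non-logon lines."""
    m = LOGON_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ts, m["outcome"], m["user"], m["client"]


def detect(lines, threshold=10, window=timedelta(seconds=60),
           grace=timedelta(minutes=10)):
    """Sliding-window detector over ERRORLOG lines in log order.

    Emits ('brute_force', client, user, ts) once a client accumulates
    `threshold` failures inside `window`, and ('success_after_burst', ...)
    if that client then logs in successfully within `grace` of the burst,
    which is the moment a guessed password actually worked.
    """
    failures = defaultdict(deque)   # client -> timestamps of recent failures
    flagged = {}                    # client -> time its burst was detected
    alerts = []
    for line in lines:
        rec = parse_logon(line)
        if rec is None:
            continue
        ts, outcome, user, client = rec
        if outcome == "failed":
            q = failures[client]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold and client not in flagged:
                flagged[client] = ts
                alerts.append(("brute_force", client, user, ts))
        elif client in flagged and ts - flagged[client] <= grace:
            alerts.append(("success_after_burst", client, user, ts))
    return alerts


def _constructed_log():
    """Constructed ERRORLOG excerpt (documentation IPs, not real hosts): a
    guessing burst against 'sa' from one client followed by a successful
    login, two benign typos from another client, and one non-logon line."""
    t0 = datetime(2023, 12, 3, 2, 14, 7)
    fmt = "%Y-%m-%d %H:%M:%S.31"
    fail = ("{ts} Logon       Login failed for user '{u}'. Reason: Password did not "
            "match that for the login provided. [CLIENT: {c}]")
    ok = ("{ts} Logon       Login succeeded for user '{u}'. Connection made using "
          "SQL Server authentication. [CLIENT: {c}]")
    lines = ["2023-12-03 02:14:05.90 spid9s      Starting up database 'tempdb'."]
    for i in range(12):  # 12 failures in 33 seconds from 203.0.113.45
        ts = (t0 + timedelta(seconds=3 * i)).strftime(fmt)
        lines.append(fail.format(ts=ts, u="sa", c="203.0.113.45"))
    for secs in (5, 9):  # a user mistyping a password twice: stays below threshold
        ts = (t0 + timedelta(seconds=secs)).strftime(fmt)
        lines.append(fail.format(ts=ts, u="app_ro", c="198.51.100.7"))
    ts = (t0 + timedelta(seconds=40)).strftime(fmt)
    lines.append(ok.format(ts=ts, u="sa", c="203.0.113.45"))
    lines.sort()  # every line starts with the same timestamp format
    return lines


SAMPLE_LINES = _constructed_log()

if __name__ == "__main__":
    for kind, client, user, ts in detect(SAMPLE_LINES):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:<20} client={client} user={user}")
```

Run against a real ERRORLOG, the threshold and window need tuning to the instance's normal failure rate, and the client IP should be checked against the list of hosts that are supposed to reach the database at all; a guessing burst from an address outside that list is the case the article's "reduce unnecessary Internet exposure" advice is meant to prevent.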

Peng Chuanyue told reporters that because the Mallox ransomware uses certain flaws in its encryption method, about 90% of the encrypted data can currently be recovered. But Mallox's real "lethality" lies in the fact that it steals important data and sends it abroad to be sold. "The economic damage caused by this is incalculable and can be severe enough to put a business in a desperate situation."

In view of the recent activity of the Mallox ransomware gang, Peng Chuanyue suggested that enterprises should proactively hunt for network threats more frequently, upgrade system versions promptly, strengthen the isolation between production and office networks, strengthen backups of important data and servers, and reduce unnecessary Internet exposure.

"If an enterprise's security operations capability has shortcomings, it can opt for managed services. In addition, enterprises need to strengthen their use of threat intelligence and the proactive hunting and tracking of high-value intelligence to achieve early warning," Peng Chuanyue pointed out.

(All charts in this article were provided by the enterprises concerned.)
