    How a Brute Force Attack Unmasked a Ransomware Infrastructure Network

By TechAiVerse, March 4, 2026 (10 min read)

    By: Huntress Tactical Response Team

    To most defenders, another brute-force alert on exposed RDP is background noise — bread-and-butter activity you triage and move past. For the Huntress Tactical Response Team, one of those “routine” alerts turned into something very different.

    As we pulled on a single successful login, we uncovered unusual credential-hunting behavior, a web of geo-distributed infrastructure, and a shady VPN service that all pointed toward a ransomware-as-a-service ecosystem and its initial access brokers.

    This post walks through how a noisy brute-force campaign became our doorway into that operation.

    Attack Narrative 

In this case, a network was exposing a Remote Desktop Protocol (RDP) server to the broader internet. We’ve talked about the dangers of this through webinars, blogs and social media posts, yet businesses often have no choice but to expose RDP for a myriad of reasons.

    In this instance, our SOC received an alert for some domain enumeration and got to work. 

    Brute Force

    Although intrusions are often written about in a linear fashion, neatly mapped to frameworks like ATT&CK, the reality is that analysts often receive signals for intrusions that are normally found in the “middle” of a threat actor’s kill chain. This means that once a signal is received, we have to work both backwards and forwards in time to find both the source of the intrusion as well as any go-forward attack paths. 

    In this case, upon investigation of the Windows event logs for the affected hosts, we discovered that the RDP service was being brute forced. 

Although brute forcing is considered a “bread and butter” attack technique, investigating brute force attacks, particularly in networks with default logging configurations, can get a little tricky. Often, the sheer volume of recorded login attempts fills the log channels, and security-relevant telemetry is overwritten or discarded.

Adding to this dynamic are the various service accounts for inventory or vulnerability scanning tooling, which often generate failed logins to various services.

    In this case however, the relevant telemetry was thankfully available and a successful brute force attack was discovered. Although a multitude of accounts were targeted via this brute force attack, only one account was successfully compromised. 

    Using this compromised account as a pivot point, we discovered that the account had been compromised from multiple IP addresses. This dynamic is at least somewhat atypical or nonstandard for what we would expect to see in most intrusions.

    Upon further review of the timestamps of the successful logins, evidence suggested that this compromise was not from multiple threat actors, but from one threat actor utilizing infrastructure that allowed compromise from various servers. 

    Figure 1: Initial SOC incident report showing brute forcing from multiple IP addresses
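The triage described above, written out as an added example that is not code from the Huntress post: it walks constructed Windows logon records (Event ID 4625 failures and 4624 successes, with RDP successes carrying logon type 10), flags any success that was preceded by a burst of failures from the same source, and then pivots on the compromised account to list the distinct source IPs and the cadence between their logons. The event layout, the account and IP values (RFC 5737 documentation ranges), and the thresholds are this example's own assumptions.

```python
"""Added example (not code from the Huntress post): triage Windows logon
telemetry for an RDP brute force that ended in a successful logon, then pivot
on the compromised account to list the source IPs that used it.

The event records are constructed to mimic Security log Event ID 4625 (failed
logon) and 4624 (successful logon). Field layout, names and thresholds are
this example's own assumptions, not Huntress tooling."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, account, source_ip, logon_type).
# RFC 5737 documentation addresses stand in for the external attacker IPs.
EVENTS = []


def _add(ts, event_id, account, ip, logon_type=10):
    EVENTS.append((ts, event_id, account, ip, logon_type))


for i in range(6):                       # burst of failures, then a hit, from IP 1
    _add(f"2026-02-10T01:00:{i:02d}", 4625, "svc_backup", "203.0.113.10")
_add("2026-02-10T01:05:00", 4624, "svc_backup", "203.0.113.10")
for i in range(6):                       # same account, second burst from IP 2
    _add(f"2026-02-10T01:06:{i:02d}", 4625, "svc_backup", "198.51.100.7")
_add("2026-02-10T01:09:30", 4624, "svc_backup", "198.51.100.7")
for i in range(7):                       # targeted but never compromised
    _add(f"2026-02-10T01:10:{i:02d}", 4625, "administrator", "203.0.113.10")
for i in range(4):                       # internal scanner noise (network logon, type 3)
    _add(f"2026-02-10T02:00:{i:02d}", 4625, "svc_scan", "10.0.0.5", 3)
_add("2026-02-10T08:30:00", 4624, "jsmith", "10.0.0.22")  # normal RDP logon, no failures

FAIL_THRESHOLD = 5      # failures from one source before a success is suspicious
WINDOW_MINUTES = 60     # how far back to look for those failures


def brute_force_successes(events, threshold=FAIL_THRESHOLD, window_minutes=WINDOW_MINUTES):
    """Return {account: [(timestamp, source_ip), ...]} for every RDP success
    (4624, logon type 10) preceded by >= threshold failures from the same
    source against the same account within the window. Failures are counted
    regardless of logon type because with NLA enabled, failed RDP attempts
    are often recorded as type 3 rather than type 10."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)           # (account, ip) -> [datetime, ...]
    hits = defaultdict(list)
    for ts, event_id, account, ip, logon_type in sorted(events):
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[(account, ip)].append(t)
        elif event_id == 4624 and logon_type == 10:
            recent = [f for f in failures[(account, ip)] if t - f <= window]
            if len(recent) >= threshold:
                hits[account].append((ts, ip))
    return dict(hits)


def distinct_source_ips(hits, account):
    """Pivot on a compromised account: which sources logged in successfully?"""
    return sorted({ip for _, ip in hits.get(account, [])})


def success_gaps_seconds(hits, account):
    """Seconds between consecutive successes from different sources. A tight
    cadence across IPs suggests one operator with distributed infrastructure
    rather than unrelated actors (an analyst judgement, not a hard rule)."""
    seq = sorted(hits.get(account, []))
    gaps = []
    for (t0, ip0), (t1, ip1) in zip(seq, seq[1:]):
        if ip0 != ip1:
            gaps.append((datetime.fromisoformat(t1) - datetime.fromisoformat(t0)).total_seconds())
    return gaps


if __name__ == "__main__":
    hits = brute_force_successes(EVENTS)
    for account, logons in hits.items():
        print(account, "compromised from", distinct_source_ips(hits, account), logons)
        print("gaps between sources (s):", success_gaps_seconds(hits, account))
```

Only svc_backup is reported: the administrator account was hammered but never succeeded, the scanner account never crossed the threshold, and jsmith's normal logon had no failures in front of it. The same pass over real logs is where the post's "multiple IP addresses" observation comes from, and the gap calculation is the timestamp review that led the team to suspect one actor with distributed infrastructure.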

    The successful brute force of the exposed RDP server meant that the threat actor now had access to the victim network. Once this access was established, the threat actor proceeded to enumerate the domain, including various groups and domain configurations. 

    Figure 2: Image showing domain enumeration commands

    When these enumeration signals were investigated by the SOC and determined to be malicious, network-wide isolation was issued to prevent further lateral movement within the network. 

    At first glance, this may seem like a straightforward incident: a successful brute force occurs, the threat actor lands in the network, proceeds to enumerate said network prior to being discovered and shut down by the SOC. This time however, upon reviewing other bits of telemetry after isolating the network, we discovered something particularly interesting and out of step with the normal threat actor activity patterns that we observe.

    Something feels off

    When threat actors land inside a network, either through an RDP intrusion like we’ve covered so far or through other means such as VPN compromise, they will typically enumerate the network, gather credentials and move laterally. 

    Typically, credential access in these scenarios consists of extracting credentials from the Windows LSASS process through tooling like Procdump or Mimikatz or credential access via registry dumping, via something like Secretsdump. In some cases, we’ve also observed threat actors going after browser cookies as well. 

    We often do not observe threat actors going through file systems or file shares to look for credentials in files. In this intrusion, however, we observed just this. 

    Absent hard evidence, we can only offer educated speculation as to why this dynamic plays out the way it does. Our hypothesis here is that most threat actors have a playbook that is followed. Extracting passwords from the registry or from LSASS can be performed in a playbook type fashion, with commands and tooling differing little from environment to environment.

    This is not the case for passwords in files, as these can be found in many places on the network. In addition, once credentials are extracted from the registry and from LSASS, we can surmise that these credentials are utilized in one way or another within the network, making them attractive to threat actors.

    In contrast, credentials found in files may be historical, old or outdated and need manual testing to verify whether they actually grant access to a targeted resource. 

In this particular instance, the threat actor chose a manual approach, using Notepad to open text files that ostensibly contained credential material:

Figure 3: Image showing process tree with Notepad opening text files containing passwords

    When we examined the jumplist artifacts from the affected host, we noticed even more threat actor activity linked to credentials in files. 

    Figure 4: Forensic evidence of threat actor looking through “password” themed files
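The uncharacteristic behaviour described in this section, turned into detection logic as an added example that is not from the Huntress post: it scans constructed process-creation records (Sysmon Event ID 1 / Windows 4688 style) for a text viewer such as Notepad being pointed at a password-themed file, then groups those opens into per-user bursts so a single admin habit is separated from a search across the file system. The host names, users, paths, the viewer list and the regex are this example's own assumptions.

```python
"""Added example (not code from the Huntress post): flag an interactive editor
being pointed at password-themed files, the manual credential hunting the
post describes, and group those opens into per-user bursts.

Process-creation records are constructed (Sysmon Event ID 1 / Windows 4688
style); hosts, users, paths and thresholds are this example's assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, host, user, parent_image, image, command_line)
PROC_EVENTS = [
    ("2026-02-10T01:20:11", "FS01", "CORP\\svc_backup", "explorer.exe", "notepad.exe",
     'notepad.exe "\\\\FS01\\IT\\passwords.txt"'),
    ("2026-02-10T01:21:03", "FS01", "CORP\\svc_backup", "explorer.exe", "notepad.exe",
     'notepad.exe "C:\\Users\\svc_backup\\Desktop\\vpn creds.txt"'),
    ("2026-02-10T01:23:40", "FS01", "CORP\\svc_backup", "explorer.exe", "notepad.exe",
     "notepad.exe C:\\Shares\\Admin\\Logins_2019.txt"),
    ("2026-02-10T09:02:00", "WS17", "CORP\\jsmith", "explorer.exe", "notepad.exe",
     "notepad.exe C:\\Users\\jsmith\\notes.txt"),
    ("2026-02-10T09:10:00", "WS17", "CORP\\jsmith", "cmd.exe", "ping.exe", "ping 10.0.0.1"),
]

# Viewers an operator would use to read a text file by hand (assumed list).
VIEWERS = {"notepad.exe", "wordpad.exe", "notepad++.exe", "more.com"}
# File-name fragments that commonly mark credential material (assumed list).
CRED_NAME = re.compile(r"pass(word|wd)?|pwd|cred(ential)?s?|login|secret", re.I)


def file_argument(command_line):
    """Last argument of the command line, honouring a trailing quoted path."""
    m = re.search(r'"([^"]+)"\s*$', command_line)
    if m:
        return m.group(1)
    parts = command_line.split()
    return parts[-1] if len(parts) > 1 else None


def flag_credential_file_access(events):
    """Return [(timestamp, host, user, path)] where a text viewer opened a file
    whose base name looks credential-related. Only the base name is matched so
    a user-profile directory such as ...\\svc_backup\\... does not trigger."""
    out = []
    for ts, host, user, _parent, image, cmdline in events:
        if image.lower() not in VIEWERS:
            continue
        path = file_argument(cmdline)
        if path and CRED_NAME.search(re.split(r"[\\/]", path)[-1]):
            out.append((ts, host, user, path))
    return out


def hunting_sessions(flags, min_files=2, window_minutes=30):
    """{user: distinct credential-themed files opened} for users who opened at
    least min_files such files within window_minutes: one open might be an
    admin's habit, a burst looks like a search."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, _host, user, path in flags:
        by_user[user].append((datetime.fromisoformat(ts), path))
    sessions = {}
    for user, opens in by_user.items():
        opens.sort()
        for i, (t0, _) in enumerate(opens):
            burst = {p for t, p in opens[i:] if t - t0 <= window}
            if len(burst) >= min_files:
                sessions[user] = len({p for _, p in opens})
                break
    return sessions


if __name__ == "__main__":
    flagged = flag_credential_file_access(PROC_EVENTS)
    for row in flagged:
        print("credential-themed file opened:", row)
    print("hunting sessions:", hunting_sessions(flagged))
```

On the constructed data svc_backup opens three password-themed files in four minutes and is reported; jsmith's notes.txt is never flagged. Process command lines only capture files opened from a shell or via "Open with"; for files double-clicked in Explorer the same pivot runs over jumplist or RecentDocs artifacts, which is what the post's Figure 4 shows.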

    This uncharacteristic tradecraft prompted a second and closer examination of the IP addresses associated with the brute force attack.

    Unraveling the Infrastructure

An initial look at the offending IP addresses resulted in some hits via Maltrail, which indicated that the IP in question was associated with Hive ransomware:

    Figure 5: Image showing brute force IP addresses associated with Hive ransomware

Other reporting via CISA also links this particular IP address to BlackSuit.

    With this information now in our possession, we wanted to pivot from this data point and look for any interesting domain names. When examining the TLS certificates associated with the brute-forcing IP address, we discovered an interesting domain name of: specialsseason[.]com: 

    Figure 6: Image showing certificate information for a malicious domain

Now that we had a domain name associated with the offending IP address, we pivoted on the TLS certificate’s fingerprint to see if we could identify further malicious infrastructure, either IP addresses or domain names.

    This yielded surprising results, and we found multiple related IP addresses and domain names: 

    Figure 7: Image showing pivot from initial certificate fingerprint to other domains

    When reviewing the IP addresses and their associated domain names, a pattern emerged. Each of the IPs resolved with the same naming convention: NL-.specialsseason[.]com

    Below is a full listing of all the various country codes found associated with the TLS certificate of the IP address used in the original brute force attack:

    Figure 8: Image showing google search for specialsseason domain with an additional domain displayed
• NL-SE
• NL-SP
• NL-TR
• NL-SG
• NL-RS
• NL-AU
• NL-RU4
• NL-CY
• NL-US
• NL-LU
• NL-NL
• NL-FR
• NL-AT
• NL-CA
• NL-LV
• NL-DE
• NL-BE
• NL-US2
• NL-US3
• 33
• NL-HK
• NL-IM
• NL-IT
• NL-FI
• NL-RU2
• NL-UA
• NL-PL
• NL-RU
• NL-CH
• NL-RU3
• NL-GB
• NL-MD
• NL-PA
• NL-RO

    Gist Link: https://gist.github.com/AntonHuntress/482dbb9312c19a9f97a9e8f3f86bc5ee

We can observe a fairly robust, geographically distributed network. Also interesting to note is the presence of multiple “RU” / Russian codes, as well as multiple US codes.
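The certificate pivot described in this section, written out as an added example that is not code from the Huntress post. It runs over a constructed scan export (one record per listening TLS service, with the SHA-256 fingerprint of the leaf certificate and the names on it): starting from the certificate on one brute-forcing IP it finds every other host serving the same certificate, parses their hostnames for the NL-<country code> convention (folding RU2, RU3 and the like into RU), and then hops through the other certificates those hosts serve on other ports to reach further domains and IPs. The DER blobs are placeholder bytes rather than real certificates, and the IPs and .test domains are placeholders chosen for this example; none of them are the post's indicators.

```python
"""Added example (not code from the Huntress post): the certificate-fingerprint
pivot the post describes, run over a constructed scan export. Starting from one
brute-forcing IP's TLS certificate, find every host serving the same leaf
certificate, parse their hostnames for the NL-<country code> convention, then
hop through other certificates on those hosts to reach further domains.

The DER blobs are placeholder bytes (not real certificates) and the IPs and
domains are documentation / .test placeholders chosen for this example."""
import hashlib
import re
from collections import Counter

SEED_DER = b"placeholder DER for the cert on the brute-forcing IP"
OTHER_DER = b"placeholder DER for a second cert found on a pivoted host"
NOISE_DER = b"placeholder DER for an unrelated cert"


def fingerprint(der, algo="sha256"):
    """Certificate fingerprint as scanners report it: hash of the DER encoding."""
    return hashlib.new(algo, der).hexdigest()


# Constructed scan export: one record per listening TLS service.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "port": 443, "fp": fingerprint(SEED_DER),
     "names": ["nl-se.example-vpn.test"]},
    {"ip": "203.0.113.11", "port": 443, "fp": fingerprint(SEED_DER),
     "names": ["nl-ru.example-vpn.test"]},
    {"ip": "203.0.113.12", "port": 443, "fp": fingerprint(SEED_DER),
     "names": ["nl-ru2.example-vpn.test", "nl-us.example-vpn.test"]},
    {"ip": "203.0.113.11", "port": 8443, "fp": fingerprint(OTHER_DER),
     "names": ["panel.other-vpn.test"]},
    {"ip": "198.51.100.20", "port": 443, "fp": fingerprint(OTHER_DER),
     "names": ["other-vpn.test"]},
    {"ip": "192.0.2.5", "port": 443, "fp": fingerprint(NOISE_DER),
     "names": ["shop.example.test"]},
]

# <prefix>-<country code><optional sequence>.<base domain>, e.g. nl-ru2.example-vpn.test
NAMING = re.compile(r"^(?P<prefix>[a-z]{2})-(?P<cc>[a-z]{2})(?P<seq>\d*)\.(?P<base>.+)$", re.I)


def pivot_on_fingerprint(records, fp):
    """Hosts presenting the seed certificate: sorted [(ip, port, names)]."""
    return sorted((r["ip"], r["port"], r["names"]) for r in records if r["fp"] == fp)


def naming_pattern(names):
    """Count country codes in the NL-<CC><n>.<base> hostnames (numeric suffixes
    such as RU2 fold into RU) and collect the base domains they hang off."""
    codes, bases = Counter(), set()
    for name in names:
        m = NAMING.match(name)
        if m:
            codes[m.group("cc").upper()] += 1
            bases.add(m.group("base").lower())
    return codes, bases


def expand_pivot(records, seed_fp):
    """Second hop: other certificates served on any port of the pivoted hosts,
    and the domains and IPs those certificates lead to."""
    seed_ips = {ip for ip, _, _ in pivot_on_fingerprint(records, seed_fp)}
    other_fps = {r["fp"] for r in records if r["ip"] in seed_ips and r["fp"] != seed_fp}
    linked = [r for r in records if r["fp"] in other_fps]
    return {
        "fingerprints": sorted(other_fps),
        "new_domains": sorted({n for r in linked for n in r["names"]}),
        "new_ips": sorted({r["ip"] for r in linked} - seed_ips),
    }


if __name__ == "__main__":
    seed = fingerprint(SEED_DER)
    hosts = pivot_on_fingerprint(SCAN_RECORDS, seed)
    codes, bases = naming_pattern(n for _, _, names in hosts for n in names)
    print("hosts:", [ip for ip, _, _ in hosts], "codes:", dict(codes), "bases:", bases)
    print("second hop:", expand_pivot(SCAN_RECORDS, seed))
```

The first hop recovers the three hosts sharing the seed certificate and the single base domain behind their NL- names; the second hop follows the extra certificate on port 8443 of one of those hosts to a new domain and a new IP, which is the same shape of pivot that surfaced 1vpns[.]com in the post. Real scan exports report both SHA-1 and SHA-256 fingerprints, and the same `hashlib` call with `"sha1"` matches the post's SHA-1 indicator format.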

Many of the IP addresses associated with the above country codes also exposed listening services on various ports. Examining the TLS certificates of these IPs presented an opportunity for a further pivot, revealing yet another malicious domain name: 1vpns[.]com:

    Figure 9: Image showing pivot from certificate fingerprint hash to additional domains

Interestingly, this domain name closely resembles that of the legitimate VPN site, https[:]//1vpn[.]org/, differing only by the extra “s” after “1vpn”.

Some domain names are random and mean nothing, but here we do not believe that to be the case. The term “special season”, also referred to as “big game hunting”, has been a common phrase used to describe financially motivated threat groups, typically ransomware operators targeting high-value and/or high-impact organizations.

Two public threat reports link the use of this VPN service to two separate ransomware groups. An additional advertised service, 1jabber[.]com, came with a list of “funny” domains:

    Figure 10:  Image showing additional domains

Of particular note is the mention of nologs[.]club; the VPN service’s FAQ also states that it keeps zero logs, which would make it an ideal service for cyber criminals.

    We often read about ransomware cases through a lens of techniques, tactics, procedures and other abstract elements. We often hear terms like “initial access brokers” but often do not get an inside view into their operations, particularly through an infrastructure lens.

    In this case, we can see how these nefarious actors operate and can get a glimpse into their motivations as well as the kinds of elements that make up their ecosystem. A clear motivation to get as much credential material as possible is evident in this case.

    This case also demonstrates the need to sometimes go beyond traditional incident response, where a “zooming out” is required. In this case, a “simple” brute force turned out to unravel an entire ecosystem and infrastructure for ransomware operators. 

Most intrusions do not facilitate this kind of analysis, whether due to a lack of telemetry or many other factors. This intrusion is different in that a tiny thread of evidence led to the unraveling of a proverbial yarn of ransomware infrastructure. The evidence also gives us insight into the behavior and objectives of these threat actors in a way that is difficult to convey through static IOCs or TTPs.

    Conclusion 

    Ransomware continues to disrupt businesses large and small alike – to many security professionals, a brute force is a “bread and butter” type technique that has been covered and written about for many years. Many analysts may see a brute force attack and will move on with their day.

    At Huntress, however, we are always looking to “SOC and Awe” and are constantly pulling on every and any investigative thread that we can get our fingers on.

    In this case, what started out as a simple brute force attack turned out to unravel a rather large suspected ransomware-as-a-service ecosystem, specifically one that is suspected to be utilized by initial access brokers who facilitate this illicit dynamic. 

    Tradecraft Tuesday: No Products. No Pitches. Just Hacks.

    Tradecraft Tuesday provides cybersecurity professionals with an in-depth analysis of the latest threat actors, attack vectors, and mitigation strategies. Each weekly session features technical walkthroughs of recent incidents, comprehensive breakdowns of malware trends, and up-to-date indicators of compromise (IOCs).

    Participants gain:

    • Detailed briefings on emerging threat campaigns and ransomware variants
    • Evidence-driven defense methodologies and remediation techniques
    • Direct interaction with Huntress analysts for incident response insights
    • Access to actionable threat intelligence and detection guidance

    Register for Tradecraft Tuesday →

    Advance your defensive posture with real-time intelligence and technical education specifically designed for those responsible for safeguarding their organization’s environment.

    Indicators of Compromise

IOC Type                          | IOC
----------------------------------|-----------------------------------------------------------------
IP Address                        | 64.190.113[.]159
IP Address                        | 147.135.36[.]162
Domain                            | specialsseason[.]com
Domain                            | 1vpns[.]com
Certificate Fingerprint (SHA-256) | 6bc8b8f260f9f9bfea69863ef8d3c525568676ddadc09c14655191cad1acdb5b
Certificate Fingerprint (SHA-1)   | 65899cd65dd753d2eef5463f120ae023e873e1bd
Certificate Fingerprint (SHA-256) | b884cce828f06fb936fd5809d5945d861401c606c4ebe894464c99e6473e9570

    Sponsored and written by Huntress Labs.
