Quantum Locker lands in cloud security affairs

The group behind Quantum Locker uses a particular modus operandi to target large enterprises in the NACE region that rely on cloud services.

executive Summary

  • The Quantum Locker gang demonstrated the ability to run ransomware ransomware even in cloud environments like Microsoft Azure.
  • Criminals from the Quantum gang demonstrated the ability to hunt down and delete secondary backup copies stored in cloud storage buckets and blobs.
  • The Quantum Locker gang targets IT managers to collect sensitive network information and credentialed access.
  • During the intrusion, Quantum operators would steal access to enterprise cloud file storage services like Dropbox to harvest sensitive credentials.
  • Cloud root account takeovers were observed during the Quantum gang intrusion in the Nordics in Q4 2022.

Event Insights

In recent weeks, Belgian company Computerland has shared insights with the European threat intelligence community about the Quantum TTP employed in recent attacks. Shared information revealed that the Quantum gang used specific modus operandi to target large enterprises in the NACE region that rely on cloud services.

The disclosed technical details about the recent breach confirm the Quantum Locker gang’s ability to carry out sabotage and ransomware attacks against companies that rely heavily on cloud environments.

For example, a TTP used in a recent attack involved a complete takeover of the company’s Microsoft cloud services by compromising the root account (T1531). This behavior is especially distressing for the victim company: all Microsoft services and users, including email services and ordinary users, will be unavailable until the supplier responds, which may last for several days, depending on the severity. configuration request verification process.

Additionally, Insights into Attacks in Q4 2022 reported that Quantum Locker operators were able to locate and delete all victim Microsoft Azure blob storage for secondary backup destruction and business data deletion (T1485). Even though cloud services can theoretically provide support for recovery of old blobs and buckets, recovery of “permanently deleted” data typically takes days and may not even be possible due to technical limitations within the provider.

A favorite initial target of the Quantum operator’s recent Nordic campaign was IT administrators and network personnel. By accessing their personal resources and shared Dropbox folders, threat actors are able to harvest sensitive administrative credentials to extend their attack on the cloud surface (T1530).

Incident insights from the Belgian firm also confirmed that Quantum is combining these new techniques with more traditional ransomware delivery techniques, such as modifying domain group policy (T1484.001) to distribute on local Windows machines and users’ laptops Ransomware, and misuse of legitimate Any Desk software as a remote access tool (T1219).

Additionally, Quantum operators made extensive configuration changes to endpoint defense tools such as Microsoft Defender (T1562.001) during the recent breach. In fact, threat actors are able to programmatically insert temporary exclusions to blind the onboard endpoint protection system without any shutdown warnings.

The Belgian company also reported that Quantum Locker had an average encryption speed of around 13 MB/s in a real-cloud hybrid scenario, which is much slower than other ransomware families that employ intermittent encryption, prolonging the time it takes for responders to intercept and the window of opportunity for containment.

Introduction to Threat Actors

Quantum Locker ransomware was originally born from the hashes of the MountLocker ransomware program run by Russian-speaking cybercriminals in 2020. Before its actual name, Quantum Locker was renamed several times, first under the name AstroLocker, then under the alias XingLocker.

Quantum Locker has also been involved in a number of high-profile attacks, such as the Israeli security firm BeeSense, alleged attacks on local governments in Italy’s Sardinia region, and government agencies in the Dominican Republic.

indicators of compromise

  • Intrusion and Exfiltration of Infrastructure
    • 146.70.87,66 M247 – Los Angeles, USA
    • 42.216.183,180 Polaris China
  • Distribution infrastructure:
    • hxxp://146.70.87,186/load/powerDEF
    • 146.70.87,186 M247 – Los Angeles

About the Author: Luca Mella, Cyber ​​Security Expert

Follow me on Twitter: @securityaffairs and Facebook and mastodon

Pierluigi Paganini

(security affairs Hacking, Quantum Locker)

Leave a Reply

Your email address will not be published. Required fields are marked *