Threat Report
PROJECT AK47
A sophisticated threat cluster exploiting recent SharePoint vulnerabilities for financial gain.
Threat Overview
Project AK47 is a complex and evolving threat identified by Unit 42, which has significant overlaps with Microsoft’s reported ToolShell activity. This threat cluster utilizes a diverse tool set that includes a multi-protocol backdoor, custom ransomware, and loaders. The activities associated with Project AK47 are linked to the exploitation of recent SharePoint vulnerabilities and appear to be financially motivated. The threat group behind this activity, tracked as CL-CRI-1040, has previously been associated with LockBit 3.0 and is now connected to a double-extortion site called Warlock Client.
The analysis reveals a complex threat landscape that may involve both cybercriminal and nation-state actors. This report provides an in-depth look at the tactics, techniques, and procedures (TTPs) employed by Project AK47, along with recommendations for mitigation.
Detailed Analysis
Project AK47 represents a sophisticated and multifaceted threat that leverages several tools to achieve its objectives. The tool set includes a multi-protocol backdoor, custom ransomware, and loaders. These are post-exploitation tools: they are deployed after initial access has been gained by exploiting SharePoint vulnerabilities, and from the compromised SharePoint server they are used against other systems in the victim's environment.
The multi-protocol backdoor allows the attackers to maintain persistent access to compromised networks, execute commands remotely, and exfiltrate data. It is particularly dangerous because it can communicate over more than one protocol: blocking a single channel does not cut off command and control, and detections that watch only one protocol will miss the rest of the traffic.
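One practical consequence for defenders is that command-and-control detection should correlate across protocols rather than per protocol. The script below is an added example (it is not Unit 42's, ESSGroup's, or the threat actor's code): it reads a flat connection log of the kind an EDR or firewall exports and flags any host that talks to the same external address over two or more protocols. The log format, the internal address ranges, the sample lines, and the process names (w3wp.exe is the IIS worker process that hosts SharePoint, but the page does not say which process the backdoor runs under) are all constructed assumptions.

```python
"""Flag hosts that reach one external peer over several protocols.

Added example, not code from the original report. Assumes a flat
connection log with one event per line:
    timestamp host process proto dst_ip dst_port
Everything below (format, ranges, sample lines) is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log. sp-web01 reaches 203.0.113.10 over TCP, UDP and
# ICMP; sp-web02 reaches it over TCP only; other traffic is ordinary.
SAMPLE_LOG = """\
2025-07-21T10:00:01 sp-web01 w3wp.exe tcp 203.0.113.10 443
2025-07-21T10:00:05 sp-web01 w3wp.exe tcp 203.0.113.10 443
2025-07-21T10:02:30 sp-web01 svchost.exe udp 203.0.113.10 53
2025-07-21T10:05:12 sp-web01 svchost.exe icmp 203.0.113.10 0
2025-07-21T10:06:00 sp-web01 w3wp.exe tcp 10.0.0.5 1433
2025-07-21T10:07:44 sp-web02 w3wp.exe tcp 203.0.113.10 443
2025-07-21T10:08:10 sp-web02 chrome.exe tcp 198.51.100.7 443
"""

# Assumed internal ranges; adjust to the environment being monitored.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, proto, dst, port = line.split()
        events.append({"ts": ts, "host": host, "proc": proc,
                       "proto": proto.lower(), "dst": dst, "port": int(port)})
    return events


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_multi_protocol_peers(events, min_protocols=2):
    """Return (host, external dst) pairs seen over >= min_protocols protocols.

    Keying on (host, dst) rather than on process matters: UDP DNS and ICMP
    are often emitted by a system service on the backdoor's behalf, so a
    per-process view would split one C2 relationship into several.
    """
    peers = defaultdict(lambda: {"protos": set(), "procs": set(), "count": 0})
    for e in events:
        if is_internal(e["dst"]):
            continue
        rec = peers[(e["host"], e["dst"])]
        rec["protos"].add(e["proto"])
        rec["procs"].add(e["proc"])
        rec["count"] += 1

    findings = []
    for (host, dst), rec in sorted(peers.items()):
        if len(rec["protos"]) >= min_protocols:
            findings.append({
                "host": host,
                "dst": dst,
                "protocols": sorted(rec["protos"]),
                "processes": sorted(rec["procs"]),
                "events": rec["count"],
            })
    return findings


if __name__ == "__main__":
    for f in find_multi_protocol_peers(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} -> {f['dst']} over {','.join(f['protocols'])} "
              f"({f['events']} events, processes: {', '.join(f['processes'])})")
```

On the constructed sample this flags only sp-web01 talking to 203.0.113.10 over icmp, tcp and udp; sp-web02 is not flagged because it used a single protocol, and the internal SQL connection is ignored. In production the same grouping can be run over a rolling window, with the external-address test replaced by the organisation's own allow lists.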
Custom ransomware is another key component of Project AK47's arsenal. It encrypts critical files on the victim's systems, rendering them inaccessible until the decryption key is obtained, which in practice means paying the ransom. The use of custom rather than leaked or rented ransomware indicates that the attackers have invested significant resources into developing their tools, which makes them less likely to match existing signatures and harder to defend against.
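Because a custom encryptor will not match existing signatures, detection has to key on behaviour rather than on the binary. The script below is an added example, not code from the report or from the threat actor: it runs over a constructed file-activity log (timestamp, process, action, source path, destination path) and raises an alert when one process renames many distinct files to a new extension within a short window, which is the characteristic footprint of bulk encryption. The log layout, the process names, the window and the threshold are all assumptions chosen for illustration.

```python
"""Detect bulk extension-changing renames, the footprint of file encryption.

Added example, not code from the original report. Assumes a file-activity
log with one event per line:
    timestamp process ACTION src_path dst_path
where dst_path is '-' for non-rename actions. Sample lines are constructed.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: svc_update.exe renames six documents to .locked in
# under a minute; the other processes are normal office, backup and
# housekeeping activity.
SAMPLE_EVENTS = """\
2025-07-21T10:00:00 winword.exe RENAME C:\\Share\\~WRD0001.tmp C:\\Share\\report.docx
2025-07-21T10:00:05 backup.exe WRITE D:\\Backup\\report.docx -
2025-07-21T10:00:06 backup.exe WRITE D:\\Backup\\budget.xlsx -
2025-07-21T10:01:00 cleanup.exe RENAME C:\\Temp\\a.log C:\\Temp\\a.log.old
2025-07-21T10:05:00 cleanup.exe RENAME C:\\Temp\\b.log C:\\Temp\\b.log.old
2025-07-21T10:09:00 cleanup.exe RENAME C:\\Temp\\c.log C:\\Temp\\c.log.old
2025-07-21T10:10:00 svc_update.exe RENAME C:\\Share\\report.docx C:\\Share\\report.docx.locked
2025-07-21T10:10:03 svc_update.exe RENAME C:\\Share\\budget.xlsx C:\\Share\\budget.xlsx.locked
2025-07-21T10:10:07 svc_update.exe RENAME C:\\Share\\plan.pptx C:\\Share\\plan.pptx.locked
2025-07-21T10:10:11 svc_update.exe RENAME C:\\Share\\notes.txt C:\\Share\\notes.txt.locked
2025-07-21T10:10:15 svc_update.exe RENAME C:\\Share\\q3.pdf C:\\Share\\q3.pdf.locked
2025-07-21T10:10:20 svc_update.exe RENAME C:\\Share\\hr.csv C:\\Share\\hr.csv.locked
"""


def parse_events(text):
    """Parse the log into dicts with a real datetime for windowing."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, action, src, dst = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "proc": proc,
                       "action": action.upper(), "src": src, "dst": dst})
    return events


def extension_changed(src, dst):
    """True if the rename gives the file a different extension."""
    return os.path.splitext(src)[1].lower() != os.path.splitext(dst)[1].lower()


def find_encryption_bursts(events, window=timedelta(seconds=60), min_files=5):
    """Return {process: details} for processes that rename >= min_files
    distinct files to a new extension within any `window`-long period.

    A sliding window per process keeps slow housekeeping (a few renames
    spread over minutes) below the threshold while catching an encryptor
    that touches the whole share in seconds.
    """
    recent = defaultdict(deque)   # proc -> deque of (ts, src) within window
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] != "RENAME" or not extension_changed(e["src"], e["dst"]):
            continue
        q = recent[e["proc"]]
        q.append((e["ts"], e["src"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= min_files:
            a = alerts.setdefault(e["proc"], {"first": q[0][0], "files": set(), "new_ext": set()})
            a["files"].update(distinct)
            a["last"] = e["ts"]
            a["new_ext"].add(os.path.splitext(e["dst"])[1].lower())
    return alerts


if __name__ == "__main__":
    for proc, a in find_encryption_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {proc}: {len(a['files'])} files renamed to {sorted(a['new_ext'])} "
              f"between {a['first']} and {a['last']}")
```

On the constructed sample only svc_update.exe is reported: six files to .locked in twenty seconds. The cleanup process also changes extensions but at three files over nine minutes, so it never fills the window; the backup process writes files without renaming them. The threshold and window are tuning knobs; the point is that the logic needs no knowledge of the encryptor itself.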
Loaders are used to deliver additional payloads onto compromised systems. These loaders can be configured to download and execute various types of malware, allowing the attackers to adapt their tactics based on the specific environment they encounter.
The activities associated with Project AK47 are believed to be financially motivated, as evidenced by the group's earlier association with the LockBit 3.0 ransomware-as-a-service program and its current connection to the Warlock Client double-extortion site. Double extortion means that the attackers not only encrypt the victim's data but also steal it beforehand and threaten to publish it on the leak site if the ransom is not paid, adding a second layer of pressure that restoring from backup alone does not relieve.
The threat group behind Project AK47, CL-CRI-1040, has a history of targeting various industries and organizations. Their use of sophisticated tools and techniques indicates that they are well-resourced and capable of adapting to new challenges.
Operational Security Measures
While Project AK47 implements several operational security measures, its activities can still be detected through careful monitoring and analysis. The use of a multi-protocol backdoor and custom ransomware makes the threat more challenging to defend against, but there are steps that organizations can take to mitigate the risk.
The attackers’ reliance on exploiting SharePoint vulnerabilities highlights the importance of keeping software up to date and patching known issues promptly. Additionally, the use of double-extortion tactics underscores the need for robust backup and recovery strategies.
Recommendations for Mitigation
Organizations can implement several measures to mitigate the threat posed by Project AK47. These include:
- Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within the network. This can be achieved by dividing the network into smaller segments and implementing strict access controls between segments.
- Regular Updates: Keep all systems and software up to date with the latest security patches, prioritising internet-facing SharePoint servers, then operating systems and applications. Prompt patching closes the known vulnerabilities that intrusion sets like Project AK47 rely on for initial access.
- Intrusion Detection Systems: Deploy intrusion detection systems (IDS) to monitor network traffic for signs of malicious activity. IDS can help to detect and alert on suspicious traffic patterns, allowing organizations to respond quickly to potential threats.
- Endpoint Protection: Implement endpoint protection solutions to detect and block malware on individual devices. Endpoint protection can help to prevent the initial infection and limit the spread of malware within the network.
- Security Awareness Training: Provide regular security awareness training to employees to help them recognize and report potential security threats. This can include phishing simulations, training on recognizing suspicious emails, and best practices for password security.
- Regular Backups: Maintain regular backups of critical data to ensure that it can be restored in the event of a ransomware attack or data loss. Backups should be stored offline or in a separate network segment to prevent them from being encrypted or deleted by the malware.
- Incident Response Plan: Develop and maintain an incident response plan to ensure that the organization can respond quickly and effectively to security incidents. The plan should include steps for containing the threat, investigating the incident, and restoring affected systems.
By implementing these measures, organizations can significantly reduce the risk of falling victim to Project AK47 and to other threat groups using similar tooling and extortion tactics.