Hacktivist Group DragonForce Malaysia Releases Windows LPE Exploit, Discloses Plans to Evolve into a Ransomware Group

Summary

DragonForce Malaysia has shared what it presents as a Local Privilege Escalation (LPE) exploit for Windows Server, which the group labels "LPE LDR", for use against Indian servers. The group has also shared a video Proof of Concept (PoC) to substantiate the claim; no CVE identifier is given for the bug.
 
Category: Adversary Intelligence
Threat Type: Latest Attack
Motivation: Hacktivist
Region: India
Source*: D4

Executive Summary

Threat
  • DragonForce Malaysia, a hacktivist group actively targeting Indian entities, announced and shared an exploit for what it describes as critical Windows Server Local Privilege Escalation (LPE) vulnerabilities; the group refers to them as "LPE" and "LDR" bugs, and the "Local Distribution Router" expansion used in the post is the group's own wording. No CVE identifier is given for them.
  • The group has also announced plans to convert itself into a ransomware group.
Impact
  • Actors who already hold a foothold on a vulnerable Windows server (a local privilege escalation cannot be exploited by internet scanning alone; it needs prior code execution on the host) can use the exploit to gain elevated privileges and launch attacks against significant Indian entities in both the government and private sectors.
  • Further, they might leverage the same exploit to stage sophisticated ransomware attacks.
Mitigation
  • Look for vendor patches and workarounds for the vulnerabilities affecting Windows Server.
  • Audit and monitor for anomalies in networks and on hosts that could be indicators of compromise.
CloudSEK’s contextual AI digital risk monitoring platform XVigil identified a post on a Telegram channel in which the hacktivist group DragonForce Malaysia shared what it presents as a Windows Server LPE exploit (labelled "LPE LDR" by the group) for use against Indian servers. The group also shared a video Proof of Concept (PoC) to substantiate its claim.
DragonForce posting updates on their Telegram channel
 

Analysis and Attribution

Information from Cybercrime Forums

  • On 23 June 2022, DragonForce Malaysia published a post on its Telegram channel sharing a PoC for the exploit of the Windows Server LPE and "LDR" vulnerabilities. The group credited a threat actor named “impossible1337” with the exploit.
  • The group also mentioned its plan to convert into a ransomware group and shared a sample ransom note as evidence of intent.
Sample ransom note shared by DragonForce to substantiate their plans of converting to a ransomware group
 
  • On the same day, the group published a blog post on its official website announcing plans to conduct mass-spreading and ransomware attacks. The post generated a significant amount of chatter on Twitter, much of it critical of the group.
  • Previously, DragonForce was seen discussing an exploit for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Data Center, in order to actively target and exploit Indian entities. (For more information, refer to the Appendix section.)

About DragonForce

  • On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by a Malaysian hacktivist group going by the name DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
  • The group’s stated objective for the attacks was to retaliate against the Indian Government for controversial comments about Prophet Muhammad made by some Indian politicians.
  • The group behind this cyber call to arms, DragonForce Malaysia, is a pro-Palestinian hacktivist group based in Malaysia.
  • This group owns and operates a forum where they post announcements and discuss their latest activities.
  • The group also has Instagram and Facebook pages along with multiple Telegram channels. However, most content is replicated across their website and social media handles.
  • The group has been conducting regular recruitment and promotion campaigns using TikTok and Instagram reels.

DragonForce’s Official Communication Channels

Forum : https://dragonforce[.]io
Radio : https://radio[.]dragonforce[.]io
Facebook : https://fb[.]me/dragonforcedotio
Telegram : https://t[.]me/dragonforceio
Twitter : https://twitter[.]com/dragonforceio
Instagram : https://instagram[.]com/dragonforceio
YouTube : https://www.youtube[.]com/channel/UC9GycRXuy7-WMULPBkBp4Bw
 

Impact & Mitigation

Impact
  • DragonForce coordinates with multiple hacktivist groups in its campaign against Indian entities. A working privilege-escalation exploit gives them more leverage on any Indian server where they obtain an initial foothold, including defacing sites and dumping databases.
  • Attackers who already have low-privileged code execution on a host can use the vulnerability to run commands with elevated (typically SYSTEM) privileges; on its own, an LPE does not provide remote access.
  • Threat actors can use that elevated access to deploy ransomware on victim systems.
  • Potential loss of revenue, reputation, and intellectual property.
Mitigation
  • Apply the vendor patches that address the vulnerabilities in question to Windows servers, or apply the latest vendor-provided workarounds where patching is not yet possible.
  • Audit and monitor for anomalies in networks and on hosts that could be indicators of compromise, in particular processes that gain SYSTEM privileges from an ordinary user context.
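As an added illustration of the "audit and monitor anomalies" item in this section and in the Executive Summary (example code written for this report; it is not CloudSEK's tooling nor the group's PoC), the script below applies one host-level heuristic for local privilege escalation to Windows Security event 4688 (process creation) records: a process created by an ordinary user account that ends up running under a service account such as SYSTEM. The field names are those of the 4688 event; the sample records, the host name SRV01, the user "alice" and the file paths are constructed.

```python
"""Heuristic detection of local privilege escalation in Windows Security 4688
(process creation) events.

Added example for this report; not CloudSEK's code and not the group's PoC.
Assumption: each event is a dict keyed by the 4688 field names. The sample
records below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Well-known service SIDs that a user-context process should not spawn into.
SYSTEM_SID = "S-1-5-18"
LOCAL_SERVICE_SID = "S-1-5-19"
NETWORK_SERVICE_SID = "S-1-5-20"
SERVICE_SIDS = {SYSTEM_SID, LOCAL_SERVICE_SID, NETWORK_SERVICE_SID}


@dataclass(frozen=True)
class Finding:
    subject_user: str
    new_process: str
    parent_process: str
    command_line: str
    reason: str


def is_user_account(sid: str) -> bool:
    """Local and domain user accounts carry S-1-5-21-<authority>-<RID> SIDs."""
    return sid.startswith("S-1-5-21-")


def detect_user_to_service_escalation(events: list[dict]) -> list[Finding]:
    """Flag 4688 events where a process created by a normal user account runs
    under a service account.

    4688 fills TargetUserSid/TargetUserName only when the new process runs under
    a different account than its creator (otherwise "-"). A user subject with a
    SYSTEM target therefore means a user-context process obtained a SYSTEM
    token, which is what an LPE exploit firing looks like. Legitimate elevation
    (UAC via the AppInfo service, services started by the SCM, scheduled tasks)
    is performed by SYSTEM itself, so those events carry a SYSTEM subject SID
    and are not flagged. Tune the allow-list against your own environment.
    """
    findings = []
    for ev in events:
        subject_sid = ev.get("SubjectUserSid", "")
        target_sid = ev.get("TargetUserSid", "-")
        if target_sid == "-":
            continue  # new process runs as its creator; no token change
        if is_user_account(subject_sid) and target_sid in SERVICE_SIDS:
            target_name = ev.get("TargetUserName", target_sid)
            findings.append(Finding(
                subject_user=ev.get("SubjectUserName", "?"),
                new_process=ev.get("NewProcessName", "?"),
                parent_process=ev.get("ParentProcessName", "?"),
                command_line=ev.get("CommandLine", ""),
                reason=f"user SID {subject_sid} created a process running as {target_name}",
            ))
    return findings


USER_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"  # constructed

# Constructed sample records (host name, users and paths are made up).
SAMPLE_EVENTS = [
    {   # SCM starting a service: SYSTEM creates SYSTEM, Target is "-"
        "SubjectUserSid": SYSTEM_SID, "SubjectUserName": "SRV01$",
        "NewProcessName": r"C:\Windows\System32\svchost.exe",
        "ParentProcessName": r"C:\Windows\System32\services.exe",
        "TargetUserSid": "-", "TargetUserName": "-", "CommandLine": "",
    },
    {   # ordinary user launching a program as herself
        "SubjectUserSid": USER_SID, "SubjectUserName": "alice",
        "NewProcessName": r"C:\Windows\System32\notepad.exe",
        "ParentProcessName": r"C:\Windows\explorer.exe",
        "TargetUserSid": "-", "TargetUserName": "-", "CommandLine": "notepad.exe",
    },
    {   # UAC elevation: AppInfo (running as SYSTEM) creates the elevated process
        "SubjectUserSid": SYSTEM_SID, "SubjectUserName": "SRV01$",
        "NewProcessName": r"C:\Windows\System32\mmc.exe",
        "ParentProcessName": r"C:\Windows\System32\svchost.exe",
        "TargetUserSid": USER_SID, "TargetUserName": "alice", "CommandLine": "mmc.exe",
    },
    {   # LPE signature: a user-context process spawns cmd.exe running as SYSTEM
        "SubjectUserSid": USER_SID, "SubjectUserName": "alice",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ParentProcessName": r"C:\Users\alice\Downloads\poc.exe",
        "TargetUserSid": SYSTEM_SID, "TargetUserName": "SYSTEM",
        "CommandLine": "cmd.exe /c whoami",
    },
]


if __name__ == "__main__":
    for f in detect_user_to_service_escalation(SAMPLE_EVENTS):
        print(f"[LPE?] {f.subject_user}: {f.parent_process} -> {f.new_process} ({f.reason})")
```

Run against the constructed records, only the last event is reported. In production, feed the function with 4688 events exported from the Security log (process creation auditing and command-line logging must be enabled) and expect to add exclusions for any in-house tooling that legitimately changes tokens.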

Appendix

Proof of Concept shared for the exploit of Windows LPE LDR vulnerability
 
Criticism received by DragonForce on their Twitter announcement
 
Cybercrime forum post discussing CVE-2022-26134
 
