CyberSecurityBoard
Sponsor Register Login

Fog Ransomware Directory With Active Directory Exploitation Tools & Scripts Uncovered - Cyber Security News

Analysis of the directory’s contents revealed that initial access to victim networks was primarily achieved through compromised SonicWall VPN credentials, followed by systematic exploitation of Active Directory environments to gain domain administrator privileges. The discovery of this directory provides valuable intelligence for organizations seeking to protect themselves against the Fog ransomware group and highlights the importance of securing VPN credentials and monitoring for unauthorized remote access tools. Cybersecurity analysts have uncovered an open directory linked to the Fog ransomware group, revealing a comprehensive toolkit used by threat actors to compromise corporate networks. These tools enable threat actors to quickly escalate privileges within compromised environments, moving from initial access to domain dominance in relatively short timeframes. What makes this discovery particularly concerning is the comprehensive nature of the toolkit, which includes multiple exploits for Active Directory vulnerabilities such as Zerologon (CVE-2020-1472) and domain controller impersonation flaws (CVE-2021-42278 and CVE-2021-42287). The directory, discovered in December 2024 and hosted at IP address 194.48.154.79:80, contains an arsenal of tools designed for reconnaissance, exploitation, lateral movement, and persistence within victim environments. The script, found in a file named “sonic_scan/main.py,” automates the authentication process to SonicWall VPN appliances and executes port scans to identify potential entry points into victim networks. The DFIR Report analysts identified a Python script within the directory specifically designed to test compromised SonicWall VPN credentials. The toolkit also includes specialized credential theft utilities like DonPAPI, which can extract Windows Data Protection API (DPAPI) protected credentials from various sources, including browser passwords, cookies, certificates, and Windows credential manager. This approach ensures the threat actors maintain access to compromised systems even if their initial entry point is remediated. By using the official AnyDesk download and implementing it with startup parameters, the threat actors create a backdoor that appears as normal remote support software to many detection systems.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 28 Apr 2025 07:20:11 +0000


Cyber News related to Fog Ransomware Directory With Active Directory Exploitation Tools & Scripts Uncovered - Cyber Security News

10 Best Ransomware Protection Tools - 2025 - It protects devices from ransomware and other cyber threats using advanced threat intelligence, behavioral analysis, and cloud-based technology. It monitors and prevents ransomware assaults on personal files and automatically restores encrypted ...
5 months ago Cybersecuritynews.com
10 Best Ransomware File Decryptor Tools in 2025 - Kaspersky Rakhni Decryptor contains different decryption tools based on various versions of Rakhni ransomware and helps you decrypt encrypted files on your system. PyLocky Ransomware Decryption Tool is a free and open source developed and released by ...
4 months ago Cybersecuritynews.com
25 Best Managed Security Service Providers (MSSP) - 2025 - Pros & Cons: ProsConsStrong threat intelligence & expert SOCs.High pricing for SMBs.24/7 monitoring & rapid incident response.Complex UI and steep learning curve.Flexible, scalable, hybrid deployments.Limited visibility into endpoint ...
1 month ago Cybersecuritynews.com
Avoid high cyber insurance costs by improving Active Directory security - Insurance broker and risk advisor Marsh revealed that US cyber insurance premiums rose by an average of 11% in the first quarter of 2023, and Delinea reported that 67% of survey respondents said their cyber insurance costs increased between 50% and ...
1 year ago Bleepingcomputer.com
Top 10 Best Active Directory Management Tools in 2025 - SolarWinds Access Rights Manager (ARM) is a robust Active Directory management tool designed to enhance security and simplify user permissions management. Dameware Remote Everywhere (DRE) is a powerful Active Directory management tool that provides ...
4 months ago Cybersecuritynews.com
New FOG Ransomware Attack Mimic as DOGE Attacking Organization Via Weaponized Email - The campaign, identified through analysis of nine samples uploaded to VirusTotal between March 27 and April 2, 2025, shows a concerning evolution in ransomware tactics that blend political references with advanced technical capabilities. ...
3 months ago Cybersecuritynews.com
CVE-2021-36845 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions < 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. ...
3 years ago
The Rise of Cyber Insurance - What CISOs Need to Consider - Cyber insurance offers not just financial protection against potentially devastating cyber incidents but also provides frameworks for improving security posture, access to specialized resources, and support during crisis scenarios. Beyond financial ...
3 months ago Cybersecuritynews.com
Fog Ransomware Directory With Active Directory Exploitation Tools & Scripts Uncovered - Cyber Security News - Analysis of the directory’s contents revealed that initial access to victim networks was primarily achieved through compromised SonicWall VPN credentials, followed by systematic exploitation of Active Directory environments to gain domain ...
3 months ago Cybersecuritynews.com CVE-2020-1472
Top 30 Best Penetration Testing Tools - 2025 - The tool supports various protocols and offers advanced filtering and analysis capabilities, making it ideal for diagnosing network issues, investigating security incidents, and understanding complex network interactions during penetration testing. ...
4 months ago Cybersecuritynews.com
Fighting ransomware: A guide to getting the right cybersecurity insurance - While the cybersecurity risk insurance market has been around for more than 20 years, the rapidly changing nature of attacks and the rise in the ransomware epidemic has markedly changed the nature of cyber insurance in recent years. It's more ...
1 year ago Scmagazine.com
Prince Ransomware - An Open Source Ransomware Builder That Automatically Build Ransomware Freely Available in GitHub - Cyber Security News - WithSecure Labs security analysts noted multiple instances of Prince Ransomware-based attacks, including a prominent case in February 2025, when Taiwan’s Mackay Memorial Hospital fell victim to “CrazyHunter” ransomware. This ...
4 months ago Cybersecuritynews.com
What CIRCIA Means for Critical Infrastructure Providers and How Breach and Attack Simulation Can Help - Cyber Defense Magazine - To prepare themselves for future attacks, organizations can utilize BAS to simulate real-world attacks against their security ecosystem, recreating attack scenarios specific to their critical infrastructure sector and function within that sector, ...
10 months ago Cyberdefensemagazine.com Akira
Three Key Threats Fueling the Future of Cyber Attacks - Improvements in cyber security and business continuity are helping to combat encryption-based ransomware attacks, yet the cyber threat landscape is continually evolving. Protecting an organization against intrusion remains a cat and mouse game, in ...
1 year ago Cyberdefensemagazine.com
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
1 year ago Securityboulevard.com TA505 8base LockBit BianLian Medusa Noescape Black Basta
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
2 years ago Heimdalsecurity.com LockBit
Uncertainty Is the Biggest Challenge to Australia's Cyber Security Strategy - Political shifts could lead to changes in Australia's cyber security strategy. Early in 2023, as the Australian government started to craft its cyber security vision, it met with opposition at both ends of the political spectrum. On the right wing, ...
1 year ago Techrepublic.com
RansomHub Ransomware Group Compromised 84 Organization, New Groups Emerging - Cyfirma researchers noted a custom backdoor called “Betruger” being deployed in recent RansomHub operations, representing a significant evolution in ransomware tactics. Unlike some ransomware operations that rely heavily on publicly ...
3 months ago Cybersecuritynews.com Ransomhub
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
1 year ago Unit42.paloaltonetworks.com Medusa
The Week in Ransomware - Governments struck back this week against members of ransomware operations, imposing sanctions on one threat actor and sentencing another to prison. On Tuesday, the Australian, US, and UK governments announced sanctions against Aleksandr Gennadievich ...
1 year ago Bleepingcomputer.com LockBit BianLian Akira Cactus
IT Professionals in ASEAN Confronting Rising Cyber Security Risks - The ASEAN region is seeing more cyber attacks as digitisation advances. In July 2023, the Association of Southeast Asian Nations officially opened a joint cyber security information sharing and research centre, or Cybersecurity and Information Centre ...
1 year ago Techrepublic.com
Cyber Insurance: A Smart Investment to Protect Your Business from Cyber Threats in 2023 - Don't wait until it's too late - get cyber insurance today and secure your business for tomorrow. According to the U.S. Federal Trade Commission, cyber insurance is a particular type of insurance that helps businesses mitigate financial losses ...
1 year ago Cyberdefensemagazine.com
8 Tips on Leveraging AI Tools Without Compromising Security - Forecasts like the Nielsen Norman Group estimating that AI tools may improve an employee's productivity by 66% have companies everywhere wanting to leverage these tools immediately. How can companies employ these powerful AI/ML tools without ...
1 year ago Darkreading.com
Cyber Insurance for Businesses: Navigating Coverage - To mitigate these risks, many businesses opt for cyber insurance. With the wide range of policies available, navigating the world of cyber insurance can be overwhelming. In this article, we will delve into the complexities of cyber insurance and ...
1 year ago Securityzap.com
Qilin Emerged as The Most Active Group, Exploiting Unpatched Fortinet Vulnerabilities - Cyber Security News - The group’s recent campaign has primarily leveraged critical vulnerabilities in Fortinet’s enterprise security appliances, specifically targeting CVE-2024-21762 and CVE-2024-55591 in unpatched FortiGate and FortiProxy devices. The ...
4 weeks ago Cybersecuritynews.com CVE-2024-21762 LockBit Qilin

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)