Executive Summary

• On January 3, local media reported that a major U.S. city’s housing authority had suffered a ransomware attack.

• The LockBit ransomware group, which has made false claims in the past, took responsibility for the incident.

• As of this publication, the housing authority has announced a disruption, but has not elaborated on the nature of the event.

• Despite the LockBit group’s previous false claims, SecurityScorecard assesses with moderate confidence that the organization in question did in fact suffer a ransomware attack.

Background

On January 2, the LockBit ransomware group added an entry for a major U.S. city’s housing authority to its data leak site, claiming to have exfiltrated 15 TB of data from its systems during the attack.

Image 1: SecurityScorecard’s ratings platform reports the LockBit group’s January 2 claim to have breached the housing authority in question.

The affected organization has advised citizens that it is experiencing “technical difficulties” and warned of the possibility of resulting service disruptions, but has not acknowledged LockBit’s claims. While LockBit is a relatively long-standing ransomware group, it has recently made false claims regarding its attacks, which may, at first glance, call this recent claim into question.

Despite the group’s recent history of making questionable claims regarding its attacks, its affiliates remain willing and able to mount actual attacks, including a December incident that disrupted the operations of the Hospital for Sick Children (SickKids) in Toronto, Canada, for which the group apologized. Similarly, the SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team’s investigation into the more recent housing authority attack suggests that it did in fact suffer a ransomware attack, despite the LockBit group’s previous false claims.

The group’s claim, moreover, comes alongside other evidence that ransomware groups have targeted housing authorities: on January 23, another local housing authority disclosed that a previously unconfirmed ransomware attack in September 2022 had exposed the personally identifiable information of over 200,000 people.

Findings

Following LockBit’s claim, STRIKE consulted internal and external data sources to identify evidence of a compromise affecting the housing authority. Data reflecting traffic to and from vulnerable IP addresses belonging to the affected organization indicates that they exchanged data with IP addresses previously observed conducting malicious activity. This data includes communication with IP addresses also observed communicating with previous ransomware victims and repeated and large data transfers that may reflect exfiltration by the attackers.

Researchers collected traffic data for eight IP addresses that SecurityScorecard’s ratings platform attributes to the housing authority; its Digital Footprint contains 319 IP addresses, so researchers limited their query to those addresses where SecurityScorecard also detected issues affecting the organization’s rating. Prioritizing those IP addresses where our ratings platform observes issues helped researchers focus their investigation upon the assets threat actors are more likely to target (attackers could begin their efforts by focusing on exploiting the observed issues and vulnerabilities). They additionally focused their query on a two-month period leading up to January 2 (the day LockBit published its claim on its leak site). This yielded 27,759 flows involving 607 IP addresses from outside the housing authority’s network.

Findings: Possible Exploitation of Known Vulnerability and Deployment of Remote Access Software

Two IP addresses other cybersecurity vendors have linked to malicious activity merit attention due to the frequency with which they communicated with a housing authority IP address. The first such IP address, 159.65.216[.]150, appeared in almost a fifth of all flows within the dataset. It and a single housing authority IP address exchanged data 5,904 times between November 2 and December 30. One vendor has linked this IP address to malicious activity. A domain linked to phishing and other malicious activity resolved to it as recently as December 30. Two malicious files communicate with it, and members of the VirusTotal community have linked it to exploitation of CVE-2022-30190, a Microsoft Support Diagnostic Tool (MSDT) vulnerability also known as Follina. Threat actors have leveraged Follina to distribute malware, including the Rozena backdoor,AsyncRAT (remote access trojan), and Qbot, which has previously delivered ransomware as a later-stage payload. SecurityScorecard’s ratings platform observed an outdated version of Windows running at the housing authority IP address involved in this traffic. It is possible that Follina still affected the version observed because a user had not yet applied the relevant update and attackers exploited it to drop information-stealing malware to the affected device, with the thousands of transfers observed reflecting the operation of that malware.

The second such IP address, 173.199.15[.]254, exchanged data with a single housing authority IP address 2,896 times between November 2 and January 2. SecurityScorecard has previously observed this IP address communicating with other ransomware victims. This communication likely reflects the remote access software attackers could have used to deploy ransomware.

Remote access software company LogMeIn, Inc. is the organization that operates 173.199.15[.]254. While the software has many legitimate uses, threat actors often induce their targets to install legitimate remote access software (TeamViewer is especially common) on their devices as a means of granting control of the device to the attacker, which can facilitate the deployment of ransomware. Traffic from a victim network to a LogMeIn-operated IP address may therefore reflect the attacker’s use of LogMeIn to control a victim device. In addition to vendors’ links to malware, members of the wider cybersecurity community have included 167.172.240[.]54 in collections referring to “remote IPs,” which may indicate that they have observed it attempting to access target systems remotely in other incidents, just as the STRIKE Team observed it communicating with previous ransomware victims.

Findings: Other Links to Previous Ransomware Attacks

Of the 607 IP addresses observed communicating with the housing authority in the sample period, 157 appeared in traffic samples the STRIKE Team collected from previous ransomware victims. This may suggest that those 157 IP addresses may have been involved in the attack, given that they also appeared in traffic collections from other ransomware victims. Moreover, of these IP addresses, other cybersecurity vendors have already linked twenty-eight to malicious activity, indicating that they are especially likely to have been part of the compromise. Both groups of IP addresses (those observed communicating with previous ransomware victims and those detected as malicious by other cybersecurity vendors) are available in the appendices below.

Additionally, a collection of related files that vendors have deemed malicious have communicated with forty of the IP addresses that also communicated with both the housing authority and previous ransomware victims. Communication between housing authority assets and these IP addresses may therefore reflect the use of malware within the housing authority’s network. The words “Ramnit” and “Hupigon” appear particularly frequently in the communicating files’ detections. Ramnit and Hupigon are both long-standing trojans that can facilitate data theft and the delivery of additional malware. Either could have been involved in the theft of credentials attackers later reused to access the housing authority’s system, but researchers have also observed Ramnit delivering ransomware as a second-stage payload, which communication with these IP addresses could also reflect. However, the traffic could also reflect the theft of credentials and other data or the delivery of a second-stage payload that enables the theft (rather than encryption) of victim data.

Findings: Possible Exfiltration

Of the 617 IP addresses with which the housing authority IP addresses communicated, other vendors have linked 114 to malicious activity. Of the traffic involving that more limited group, traffic to eighteen not previously discussed is likely to reflect exfiltration of housing authority data. This traffic involved large transfers of data most of these flows transferred 12.28 MB from a single housing authority IP address to these possibly malicious IP addresses. All vendor-detected IP addresses involved belong to either DigitalOcean or Rackspace (eighteen to DigitalOcean and one to Rackspace). Threat actors often abuse these hosting provider-owned IP addresses and members of the VirusTotal community have specifically linked one, 137.184.148[.]2, to ransomware–it has served downloads of a file that appears in a VirusTotal community graph titled “RU Ransomware Node Map.” Given their vendor detections and the size of the data transfers involved, traffic involving these IP addresses may suggest that this traffic reflects the exfiltration of data from the housing authority. However, it is also possible that large data transfers to and from provider assets could easily reflect more benign behavior like transfers to and from backups. Without internal visibility into the housing authority’s network, STRIKE cannot confirm if this was exfiltration, but the organization should have SIEM logs that describe these flows and can offer further insights. These IP addresses are also available in an appendix below.

Conclusion

While some commentators have noted a downward trend in the total number of ransomware attacks over the past year, the recent confirmation of a previous attack against another local housing authority suggests that local governments are still targets for ransomware groups, even if the overall number of successful attacks has been trending downward. Similarly, the available traffic data suggests that the housing authority in this more recent incident also suffered a ransomware attack. Not only did it communicate with the same IP addresses as previous ransomware victims in the months leading up to the attack, but the available traffic data also suggests a number of possible avenues by which an attacker like the LockBit group could have accessed their systems. Other researchers have linked one IP address that communicated regularly with a housing authority asset where SecurityScorecard observed an outdated (and possibly vulnerable) operating system in use to the exploitation of a vulnerability known to affect that operating system. Previous research has linked exploitation of this vulnerability to the distribution of malware that can facilitate data theft and the delivery of ransomware. Another IP address that frequently communicated with this same vulnerable IP address reflects the use of remote access software that attackers may have used against previous ransomware victims. Finally, a series of large data transfers leading up to the LockBit group’s addition of the organization to its data leak site may reflect theft of the data the group claims to have stolen. Based on this evidence, and despite the LockBit group’s previous false claims, SecurityScorecard assesses with moderate confidence that the organization in question did suffer a ransomware attack, which may in turn indicate that LockBit can pose a threat to both the private and public sectors even while researchers anticipate its demise.