Hacktivist Group DragonForce Malaysia Releases Windows LPE Exploit, Discloses Plans to Evolve into a Ransomware Group

DragonForce Malaysia has shared an exploit to bypass the Windows Server LPE LDR for targeting and exploiting Indian servers. The group has also shared a working PoC (Proof of Concept) video to substantiate their claims.
Updated on: February 27, 2023
Published on: June 30, 2022
Read time: 5
Category: Adversary Intelligence
Threat Type: Latest Attack
Motivation: Hacktivist
Region: India
Source*: D4

Executive Summary

Threat
  • DragonForce Malaysia, a hacktivist group actively targeting Indian entities, announced and shared an exploit for critical Windows Server Local Privilege Escalation (LPE) and Local Distribution Router (LDR) vulnerabilities.
  • The group has also announced plans to convert itself into a ransomware group.
Impact
  • Actors can scan the internet for vulnerable Windows servers and leverage this vulnerability to launch attacks against significant Indian entities in both the government and private sectors.
  • They might further leverage this issue to execute sophisticated ransomware attacks.
Mitigation
  • Look for patches and workarounds for the vulnerabilities targeting Windows.
  • Audit and monitor network anomalies that could be indicators of compromise.
CloudSEK’s contextual AI digital risk monitoring platform XVigil identified a post on a Telegram channel where the hacktivist group DragonForce Malaysia shared an exploit to bypass the Windows Server LPE LDR for targeting and exploiting Indian servers. The group also shared a working PoC (Proof of Concept) video to substantiate its claims.

[Figure: DragonForce posting updates on their Telegram channel]

Analysis and Attribution

Information from Cybercrime Forums

  • On 23 June 2022, DragonForce Malaysia published a post on their Telegram channel sharing a PoC for the exploit of the Windows Server LPE and LDR vulnerabilities. The group credited a threat actor named “impossible1337” with the exploit.
  • The group also mentioned their plans to convert to a ransomware group and shared a sample ransom note as proof.

[Figure: Sample ransom note shared by DragonForce to substantiate their plans of converting to a ransomware group]

  • On the same day, the group published a blog post on their official website announcing plans to conduct mass spreading and ransomware attacks. The post generated a significant amount of chatter on Twitter, much of it critical.
  • Previously, DragonForce was seen discussing an exploit for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Data Center, in order to actively target and exploit Indian entities (see the Appendix for more information).

About DragonForce

  • On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by a Malaysian hacktivist group going by the name DragonForce, calling on Muslim hackers around the world to attack Indian Government websites.
  • The group’s stated objective was to retaliate against the Indian Government for controversial comments about Prophet Muhammad made by some Indian politicians.
  • The group behind this cyber call to arms, DragonForce Malaysia, is a pro-Palestinian hacktivist group based in Malaysia.
  • The group owns and operates a forum where they post announcements and discuss their latest activities.
  • The group also has Instagram and Facebook pages along with multiple Telegram channels; however, most content is replicated across their website and social media handles.
  • The group has been conducting regular recruitment and promotion campaigns using TikTok and Instagram reels.

DragonForce’s Official Communication Channels

Forum : https[:]//dragonforce[.]io
Radio : https[:]//radio[.]dragonforce[.]io
Facebook : https[:]//fb[.]me/dragonforcedotio
Telegram : https[:]//t[.]me/dragonforceio
Twitter : https[:]//twitter[.]com/dragonforceio
Instagram : https[:]//instagram[.]com/dragonforceio
YouTube : https[:]//www.youtube[.]com/channel/UC9GycRXuy7-WMULPBkBp4Bw

Impact & Mitigation

Impact
  • DragonForce is associated with multiple hacktivist groups in their campaign against Indian entities. This exploit gives them more opportunities to deface Indian entities and dump their databases.
  • Attackers can use this vulnerability to execute commands remotely.
  • Threat actors can leverage this opportunity to target victims and deploy ransomware.
  • Potential loss of revenue, reputation, and intellectual property.
Mitigation
  • Patch the Windows servers against the currently known vulnerabilities, or apply the latest workarounds provided by the vendor.
  • Audit and monitor network anomalies that could be indicators of compromise.

Appendix

[Figure: Proof of Concept shared for the exploit of the Windows LPE LDR vulnerability]
[Figure: Criticism received by DragonForce on their Twitter announcement]
[Figure: Cybercrime forum post discussing CVE-2022-26134]
