Hacktivist Group DragonForce Malaysia Releases Windows LPE Exploit, Discloses Plans to Evolve into a Ransomware Group

DragonForce Malaysia has shared an exploit to bypass the Windows Server LPE LDR for targeting and exploiting Indian servers. The group has also shared a working PoC (Proof of Concept) video to substantiate their claims.

Updated on

February 27, 2023

Published on

June 30, 2022

Read time

Subscribe to the latest industry news, technologies and resources.

Category: Adversary Intelligence	Threat Type: Latest Attack	Motivation: Hacktivist	Region: India	Source*: D4

Executive Summary

THREAT	IMPACT	MITIGATION
DragonForce Malaysia, the hacktivist group actively involved in targeting Indian entities, announced and shared the exploit for critical Windows servers’ Local Privilege Escalation (LPE) and Local Distribution Router (LDR) vulnerabilities. The group has also announced its plans of converting into a ransomware group.	Actors can scan the internet for vulnerable instances of Windows LPE and leverage this vulnerability to launch attacks against significant Indian entities owned by both the government and private sectors. Further, they might plan to leverage this issue to execute sophisticated ransomware attacks.	Look for patches and workarounds for the vulnerabilities targeting Windows. Audit and monitor anomalies in networks that could be indicators of possible compromise.

CloudSEK’s contextual AI digital risk monitoring platform XVigil identified a post on a Telegram channel where the hacktivist group, DragonForce Malaysia has shared an exploit to bypass the Windows Server LPE LDR for targeting and exploiting Indian servers. The group has also shared a working PoC (Proof of Concept) video to substantiate their claims. [caption id="attachment_19823" align="aligncenter" width="431"]

DragonForce posting updates on their Telegram channel[/caption]

Analysis and Attribution

Information from Cybercrime Forums

On 23 June 2022, DragonForce Malaysia published a post on their Telegram channel, sharing a PoC for the exploit for Windows Server LPE and LDR vulnerabilities. The group has attributed a threat actor named “impossible1337” for the same.
The group also mentioned their plans of converting to a ransomware group and shared a sample ransom note as proof.

[caption id="attachment_19824" align="aligncenter" width="799"]

Sample ransom note shared by DragonForce to substantiate their plans of converting to a ransomware group[/caption]

On the same day, the group published a blog on their official website, thereby announcing their plans to conduct mass spreading and ransomware attacks. Following their blog post, a significant amount of chatter was observed on Twitter, which received a lot of criticism.
Previously, DragonForce was seen discussing an exploit for a critical unauthenticated remote code execution vulnerability present in Confluence Server and Data Center, CVE-2022-26134, in order to actively target and exploit Indian entities. (For more information refer to the Appendix section)

About DragonForce

On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by a Malaysian hacktivist group going by the name DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
The group’s primary objective of the attack, as claimed by them, was to get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians.
The group behind this cyber call to arms, DragonForce Malaysia, is a pro-Palestinian hacktivist group based in Malaysia.
This group owns and operates a forum where they post announcements and discuss their latest activities.
The group also has Instagram and Facebook pages along with multiple Telegram channels. However, most content is replicated across their website and social media handles.
The group has been conducting regular recruitment and promotion campaigns using Tiktok and Instagram reels.

DragonForce’s Official Communication Channels

Forum	:	https[:]//dragonforce[.]io
Radio	:	https[:]//radio[.]dragonforce[.]io
Facebook	:	https[:]//fb[.]me/dragonforcedotio
Telegram	:	https[:]//t[.]me/dragonforceio
Twitter	:	https[:]//twitter[.]com/dragonforceio
Instagram	:	https[:]//instagram[.]com/dragonforceio
YouTube	:	https[:]//www.youtube[.]com/channel/UC9GycRXuy7-WMULPBkBp4Bw

Impact & Mitigation

Impact

Mitigation

DragonForce is associated with multiple hacktivist groups for their campaign against Indian entities. This exploit gives them more opportunities to deface and dump the database of Indian entities.
Attackers can use this vulnerability to execute commands remotely.
Threat actors can leverage this opportunity to target victims and deploy ransomware.
Potential loss of revenue, reputation, and intellectual property.

Patch the Windows servers mitigating the currently found vulnerabilities, or resort to the latest workarounds provided by the vendor.
Audit and monitor anomalies in networks that could be indicators of possible compromise.