Beginning on March 18, 2024 throughout March 20, 2024, Hunters International (a.k.a. Hunters) claimed attacks on a considerable number of professional service providers across Europe. Based on the actor's claims, European impacted countries include Bulgaria, Germany, Italy and Spain.
A comparative overview of these claims suggests the following:
Small and medium enterprises (SMEs) are consistently a primary target; except a large importer and exporter of pharmaceuticals, all of the presumably impacted entities are small and medium businesses.
Most of the businesses are providers of specialized professional services in a variety of domains, including healthcare, information technology, law and public notary practices, and logistics and transportation.
Targeting of SMEs is aligned with a broader trend that characterizes the modus operandi of majority of ransomware operations; cybercriminals may opportunistically target SMEs as their cyber defenses are often perceived as more vulnerable than large corporations. At the same time, professional service providers may hold sensitive data including personally identifiable information (PII) of employees, clients and vendors. A potential disclosure may be particularly impactful for SMEs; for instances, in the case of law firms, Hunters claimed to have gained access to legal filings with subsequent information security risk for a variety of involved subjects. Sensitive PII may also serve as vector of further social engineering attacks. As a result, they are "marketable" across the hacking underground.
Victimology
A broader look at the data Clipeus collected on Hunters' activities since November 1, 2023 indicates that North America, particularly the United States (US) are consistently the primary target. NAM was impacted in 39 events, of which 34 were localized in the US, with Canada (3) and Mexico (1) being impacted to a significantly lesser extent. The US appear to be targeted due to the magnitude of their economy.
European countries were targeted 16 events within the whole scope of our monitoring. Most of the events impacted large economies in the region, including the United Kingdom (UK), Ireland, Spain, France, Germany, Italy, with Bulgaria being the only non-West European country to be targeted.
Few targets are located outside North America and Europe, impacting large economies in South America (Brazil), Asia (China, Japan, Malaysia) and Oceania (Australia, New Zealand).
List of Impacted Countries By Volume
Country | Event |
Namibia | 1 |
United States of America | 34 |
Germany | 3 |
Japan | 1 |
Australia | 1 |
Italy | 2 |
New Zealand | 1 |
Spain | 5 |
Brazil | 2 |
United Kingdom | 6 |
Canada | 4 |
Tunisia | 2 |
UAE | 1 |
Guatemala | 1 |
France | 3 |
Ireland | 1 |
Malaysia | 1 |
Mexico | 1 |
China | 1 |
Bulgaria | 1 |
With regard to the impacted sectors, healthcare and logistics stand out as the most frequently impacted business areas. Technology providers and services - which includes law firms - constitute a large part of the Hunters' claimed victims.
TTPs and Tooling
Hunters has historically targeted Windows systems. Initial access occurs typically via phishing, or via exploiting vulnerabilities in corporate appliances, particularly internet-facing ones.
Hive, now-defunct predecessor of Hunters, had historically targeted Microsoft Exchange Server and FortiOS, specifically via exploitation of critical and high severity vulnerabilities. "Human" vulnerabilities have been also historically leveraged; these include hijacking valid accounts to penetrate corporate VPN instances.
After gaining access, the actor can spawn a webshell which is executed on the web server via PowerShell commands.
Hunters leverages living-off-the-land (LOL) techniques to further the attack chain. Persistence is achieved via scheduled tasks and creating registry run keys via schtask.exe and reg.exe respectively.
Once persistence has been achieved, the actor carries out a reconnaissance across the target network leveraging utilities such as net.exe, and drops instances of common penetration testing software, e.g. Cobalt Strike.
The cybercriminals cover their tracks using utilities such as mpcmdrun.exe to degrade Microsoft Defender detection capability by deleting malware detection rules, and the wevtutil.exe utility to clear event logs.
Prior to deploying the ransomware payload, Hunters attack system backups and shadow copies via wbadmin.exe and vssadmin.exe respectively. At the same time, the actor leverages open source compression software such as 7-Zip to archive files to exfiltrate which are then uploaded via anonymized cloud storage platforms such as Mega and AnonFiles.