"Quantum Locker Lands in the Cloud"

Computerland, a Belgian company, shared information with the European threat intelligence community about the Quantum Locker gang's tactics, techniques, and procedures (TTPs) used in recent attacks. According to the information shared, the Quantum Locker gang used a specific tactic to target large enterprises in the North Atlantic and Central European (NACE) region that rely on cloud services. The recently disclosed technical details about recent intrusions confirm the Quantum Locker gang's ability to conduct sabotage and ransomware attacks even against companies that rely heavily on cloud environments. TTPs used in a recent attack included the complete takeover of the company's Microsoft cloud services via the compromise of the root account. All Microsoft services and users, including email and regular users, would be rendered inoperable until the vendor responded, which could take several days depending on the reset request verification process. Furthermore, according to the insights on Q4 2022 attacks, Quantum Locker operators can find and delete all of the victim's Microsoft Azure Blob storage in order to achieve secondary backup destruction and business data deletion. Even if cloud services theoretically support the restoration of old blobs and buckets, the recovery of "permanently deleted" data often takes days and may not even be available due to the provider's internal technical constraints. During their recent activities in Northern Europe, Quantum Locker operators' preferred initial targets were Information Technology (IT) administrators and networking personnel. Threat actors were able to gather sensitive administrative credentials by accessing their personal resources and shared Dropbox folders, allowing them to extend the attack to the cloud surface.
Insights from the Belgian firm also confirm that Quantum Locker is combining these new techniques with more traditional ransomware delivery methods, such as the modification of domain Group Policies to distribute ransomware across on-premises Windows machines and users' laptops, as well as the exploitation of the legitimate AnyDesk software as a remote access tool. This article continues to discuss the use of a specific modus operandi by the Quantum Locker gang to target large enterprises relying on cloud services in the NACE region.
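The mass deletion of Azure Blob storage described above leaves a clear trace in the subscription's Activity Log. The following detection is an added example, not code from the article or from Computerland: it scans constructed Activity Log entries (the field names `operationName.value`, `caller`, `eventTimestamp` and `resourceId` follow the Activity Log schema; the subscription, account and caller values are placeholders) and flags any principal that issues several destructive blob operations within a short sliding window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Azure Resource Manager operation names that destroy blob data outright.
DESTRUCTIVE_OPS = {
    "microsoft.storage/storageaccounts/blobservices/containers/delete",
    "microsoft.storage/storageaccounts/delete",
}

CONTAINER_DELETE = "Microsoft.Storage/storageAccounts/blobServices/containers/delete"


def _event(ts, caller, op, container):
    # Build one constructed Activity Log entry (sample data, not real telemetry).
    acct = ("/subscriptions/SUB-ID/resourceGroups/rg-backup/providers/"
            "Microsoft.Storage/storageAccounts/bk01")
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "resourceId": f"{acct}/blobServices/default/containers/{container}"}


# Constructed sample: one account wipes three backup containers in a few minutes,
# another account deletes a single scratch container hours later.
SAMPLE_EVENTS = [
    _event("2022-11-14T02:10:05Z", "svc-admin@example.test", CONTAINER_DELETE, "db-backups"),
    _event("2022-11-14T02:11:40Z", "svc-admin@example.test", CONTAINER_DELETE, "vm-snapshots"),
    _event("2022-11-14T02:14:00Z", "svc-admin@example.test",
           "Microsoft.Storage/storageAccounts/write", "n/a"),
    _event("2022-11-14T02:16:30Z", "svc-admin@example.test", CONTAINER_DELETE, "archive"),
    _event("2022-11-14T09:00:00Z", "jdoe@example.test", CONTAINER_DELETE, "scratch"),
]


def find_mass_deletions(events, threshold=3, window=timedelta(minutes=10)):
    """Return {caller: [resourceId, ...]} for each principal that issued at least
    `threshold` destructive blob operations inside any `window`-long span."""
    per_caller = defaultdict(list)
    for ev in events:
        op = ev.get("operationName", {}).get("value", "").lower()
        if op not in DESTRUCTIVE_OPS:
            continue  # reads, writes and listings are not destructive
        ts = datetime.strptime(ev["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
        per_caller[ev["caller"]].append((ts, ev["resourceId"]))
    alerts = {}
    for caller, items in per_caller.items():
        items.sort()
        for i in range(len(items)):
            j = i
            while j < len(items) and items[j][0] - items[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts[caller] = [rid for _, rid in items[i:j]]
                break
    return alerts
```

Pairing this alert with soft-delete and container-level retention on the storage accounts keeps the deleted containers recoverable during the time it takes to respond.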

Security Affairs reports "Quantum Locker Lands in the Cloud"
