Executive Summary
The recent ransomware attack on Smart Media Group Bulgaria by the notorious Sarcoma group has brought to light significant vulnerabilities within the advertising and media sector in Bulgaria. Discovered on October 9, 2024, this attack resulted in a substantial data leak of approximately 40 GB, comprising sensitive files related to the company's operations. The Sarcoma group, known for its sophisticated tactics, has once again demonstrated its capability to exploit security weaknesses, emphasizing the urgent need for enhanced cybersecurity measures in the industry.
Technical Information
The Sarcoma group's attack on Smart Media Group Bulgaria is a textbook example of how advanced persistent threats (APTs) can infiltrate and exploit organizational networks. The group employed a series of Tactics, Techniques, and Procedures (TTPs) as outlined in the Ransomware-Tool-Matrix. Initially, they utilized Remote Monitoring and Management (RMM) tools to conduct a thorough discovery of the network, identifying potential vulnerabilities that could be exploited. This phase is critical as it allows the attackers to map out the network architecture and pinpoint weak spots.
Following the discovery phase, the Sarcoma group implemented defense evasion techniques to bypass existing security measures. This involved the use of sophisticated methods to maintain persistence within the network, ensuring that their presence remained undetected for as long as possible. By doing so, they were able to extract sensitive credentials, a tactic known as credential theft, which facilitated further access to the network and enabled the exfiltration of data.
The exfiltration process involved the transfer of approximately 40 GB of data outside the organization. This data leak is significant not only because of its size but also due to the sensitive nature of the information contained within the files. The Sarcoma group is known to leverage such data for extortion purposes or to sell it on the dark web, posing a severe threat to the affected organization and its stakeholders.
Exploitation in the Wild
The Sarcoma group has been actively targeting organizations within the advertising sector, particularly those with inadequate security measures. The attack on Smart Media Group Bulgaria is a clear indication of the group's focus on exfiltrating large volumes of data. This modus operandi is consistent with their previous attacks, where they have exploited vulnerabilities to gain unauthorized access and extract valuable information. The lack of specific CVEs in this case suggests that the group may have used zero-day vulnerabilities or custom exploits to achieve their objectives.
APT Groups using this vulnerability
The Sarcoma group is the primary APT group involved in this attack. Known for their expertise in ransomware attacks, they have a history of targeting organizations with insufficient cybersecurity defenses. Their geographical focus on Bulgaria and the advertising sector highlights their strategic approach to selecting targets that are likely to yield high-value data.
Affected Product Versions
While specific product versions have not been disclosed, the attack underscores the importance of maintaining up-to-date security patches across all systems. Organizations are advised to conduct comprehensive security audits to identify and address potential vulnerabilities that could be exploited by groups like Sarcoma.
Workaround and Mitigation
To mitigate the risk of similar attacks, organizations should implement a multi-layered security strategy. This includes conducting regular security audits to identify and patch vulnerabilities, deploying robust monitoring systems to detect unauthorized access and data exfiltration attempts, and educating employees on recognizing phishing attempts and other social engineering tactics used by ransomware groups. Additionally, organizations should consider investing in advanced threat detection and response solutions to enhance their overall security posture.
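One concrete form of the exfiltration monitoring recommended above, written as an added example rather than code from the report or from Rescana's platform: it sums outbound bytes from each internal host to non-RFC1918 destinations over a sliding one-hour window and flags hosts whose peak exceeds a threshold, the pattern a multi-gigabyte leak like the one described here would produce. The log line format, the 5 GiB threshold and the sample lines are constructed assumptions.

```python
"""Flag internal hosts whose outbound volume in any one-hour window suggests bulk exfiltration."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed format): "<ISO timestamp> <src_ip> <dst_ip> <bytes_out>"
SAMPLE_LOGS = [
    "2024-10-09T01:00:00 10.0.0.5 203.0.113.10 1073741824",
    "2024-10-09T01:05:00 10.0.0.5 203.0.113.10 1073741824",
    "2024-10-09T01:10:00 10.0.0.5 203.0.113.10 1073741824",
    "2024-10-09T01:15:00 10.0.0.5 203.0.113.10 1073741824",
    "2024-10-09T01:20:00 10.0.0.5 203.0.113.10 1073741824",
    "2024-10-09T01:25:00 10.0.0.5 203.0.113.10 1073741824",
    "2024-10-09T01:30:00 10.0.0.5 10.0.0.9 4294967296",       # internal copy, not exfiltration
    "2024-10-09T01:02:00 10.0.0.7 198.51.100.20 52428800",    # 50 MiB, normal
    "2024-10-09T02:40:00 10.0.0.7 198.51.100.20 3221225472",  # 3 GiB, below threshold
]

THRESHOLD_BYTES = 5 * 1024 ** 3   # assumed tuning value; derive from the site's own baseline
WINDOW = timedelta(hours=1)
# Explicit RFC1918 list: ipaddress.is_private also treats TEST-NET ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(line: str):
    """Return (timestamp, src, dst, bytes) or None for malformed lines."""
    parts = line.split("#")[0].split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def bulk_outbound(lines, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Map each flagged internal host to its peak outbound bytes within any `window`."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and is_internal(ev[1]) and not is_internal(ev[2]):
            per_host[ev[1]].append((ev[0], ev[3]))
    flagged = {}
    for host, events in per_host.items():
        events.sort()
        total, start, peak = 0, 0, 0
        for ts, nbytes in events:            # sliding window over time-ordered events
            total += nbytes
            while events[start][0] < ts - window:
                total -= events[start][1]
                start += 1
            peak = max(peak, total)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


if __name__ == "__main__":
    for host, peak in bulk_outbound(SAMPLE_LOGS).items():
        print(f"ALERT {host}: {peak / 1024 ** 3:.1f} GiB outbound within one hour")
```

In production the same aggregation runs over proxy or NetFlow exports, and the threshold should sit well above the host's historical hourly outbound baseline rather than at a fixed value.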
References
For further information on the Sarcoma group's attack on Smart Media Group Bulgaria, please refer to the following resources: Ransomware.live: Smart Media Group Bulgaria (https://www.ransomware.live/id/U21hcnQgTWVkaWEgR3JvdXAgQnVsZ2FyaWFAc2FyY29tYQ==) and Hudson Rock: Cybercrime intelligence tools for monitoring Infostealer infections.
Rescana is here for you
At Rescana, we understand the complexities of the cybersecurity landscape and are committed to helping our customers navigate these challenges. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive threat intelligence and proactive security measures to safeguard your organization against sophisticated cyber threats. Should you have any questions about this report or require assistance with your cybersecurity strategy, please do not hesitate to contact us at ops@rescana.com. We are here to support you in protecting your valuable assets and ensuring the resilience of your operations.