
Ankura Cyber Threat Intelligence Bulletin (September 2021)


Over the past thirty days, the Ankura Cybersecurity team has worked with clients on challenges involving emerging ransomware groups and tactics, a new set of critical vulnerabilities, new denial-of-service techniques, and sophisticated cyber espionage campaigns.

For this month’s report, Ankura’s Cyber Threat Analysis and Pursuit Team (CTAPT) has compiled detailed metrics on the Microsoft Print Spooler vulnerabilities dubbed PrintNightmare and on the ForcedEntry iOS vulnerability that was exploited to install NSO Group’s Pegasus spyware on victim devices. This month also saw unprecedented activity from the Mirai-derived Meris botnet, including the largest distributed denial-of-service (DDoS) attacks on record as measured in requests per second.

Lastly, during this period, Ankura’s Cybersecurity team has tracked threat actors operating as initial access brokers: they gain the first foothold in a victim network and then sell that access to other criminals, such as ransomware and malware operators, who use it as the vector through which they compromise and exploit their targets.

Waking from the PrintNightmare

Microsoft’s September Patch Tuesday update appears to have fixed the last known PrintNightmare vulnerability, although it has had an effect on network printing for some users. Several administrators reported that network printing stopped working after the patch was applied, and some rolled the update back to restore operations. [1]

Figure 1: System administrators discussing and troubleshooting PrintNightmare on a Microsoft support forum

Despite a few hiccups, the update mitigates CVE-2021-36958, the last known PrintNightmare-related vulnerability. First disclosed in June 2021, PrintNightmare allows an attacker with a valid account to take control of any affected system on which the Print Spooler service is enabled, including remotely. Several further Print Spooler CVEs were disclosed over the summer despite repeated patch attempts. Besides being among the more critical CVEs of 2021, the PrintNightmare saga is a valuable case study of the challenges that vendors and security researchers face when addressing vulnerabilities in critical services.

Print Spooler Overview

As its name suggests, Print Spooler is the Windows service that manages print jobs. It is enabled by default on Windows clients, member servers, and domain controllers. Beyond queuing print jobs, the service exposes RPC interfaces that any authenticated user can call, including one that asks the spooler to send print-change notifications to a host of the caller’s choosing; that request forces the target’s machine account to authenticate outbound, and when the target is trusted for unconstrained delegation it can expose that account’s credentials. Because the spooler runs on so many systems that never print, PrintNightmare affected machines with no printing role at all, including application servers and domain controllers. [2]

While PrintNightmare is novel in some respects, it is hardly the first critical vulnerability or zero-day in Print Spooler. One of the most notable Print Spooler zero-days was exploited over a decade ago by Stuxnet, the notorious operational technology malware. [3] Escalation of Privilege (EOP) CVEs in the service, such as CVE-2020-1030, were being discovered and patched as recently as 2020. [4] Before PrintNightmare was disclosed, Microsoft was already aware of potential Print Spooler weaknesses and, as recently as January 2021, had warned administrators to disable Print Spooler on domain controllers. [5]

PrintNightmare Timeline

The timeline for PrintNightmare can be hard to untangle, in part because the initial vulnerability kicked off a series of patches and the discovery of additional zero-days. Initially, various outlets used the term “PrintNightmare” to refer to two distinct but related Print Spooler CVEs, CVE-2021-1675 and CVE-2021-34527. The label was later stretched to cover the further Print Spooler vulnerabilities disclosed over the summer.

On June 8, 2021, Microsoft released a patch for CVE-2021-1675, an Escalation of Privilege (EOP) vulnerability in Print Spooler. [6] Not initially considered significant, the vulnerability was shown by researchers at Tencent and NSFOCUS TIANJI Lab to be usable for Remote Code Execution (RCE). [7] On June 30, 2021, a proof-of-concept (PoC) exploit was published on GitHub, demonstrating RCE against the Windows Print Spooler service via CVE-2021-1675. The PoC was quickly taken down from GitHub, but it stayed up long enough for other users to copy the code.

Additional research found a second, more serious vulnerability, later tracked as CVE-2021-34527. Microsoft described it as “similar but distinct” from CVE-2021-1675 while explicitly labeling CVE-2021-34527 as the PrintNightmare bug. The lack of clear delineation between the two CVEs across many channels caused confusion about which vulnerability a given patch addressed. [8] The June Patch Tuesday update addressed CVE-2021-1675, and a second, out-of-band update addressed CVE-2021-34527. Researchers then found that the out-of-band patch did not fully remove the RCE (it could be bypassed where Point and Print restrictions were not enforced) and left the local privilege escalation (LPE) intact. [9]

By the end of the summer, Microsoft and security researchers had disclosed seven distinct Print Spooler vulnerabilities. The most recent, CVE-2021-36958, was revealed on August 18 and credited to security researcher Victor Mata; like the earlier PrintNightmare bugs, it is an RCE vulnerability. [10] Microsoft’s willingness to ship the fix despite its side effects on network printing shows how far it is prepared to go to lock down Print Spooler and head off another such vulnerability in the near future.
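The event records that the public exploits leave behind make the spooler straightforward to watch. As an added illustration (not code from the bulletin, from Microsoft, or from any of the cited researchers), the Python below runs two commonly used heuristics over constructed Microsoft-Windows-PrintService records: Event ID 316, which logs a driver being added or updated together with its file list, is flagged when it appears on a domain controller (where the spooler should not be running at all) or when the driver files fall outside an expected baseline; Event ID 808, the spooler failing to load a plug-in module, is always flagged. The host roles, the baseline list, and the event texts are assumptions constructed for the example; the exact message wording varies by Windows build, so adjust the patterns to your own telemetry.

```python
import re
from dataclasses import dataclass

# Driver files your fleet is expected to install: a hypothetical baseline for this example.
BASELINE_DRIVER_FILES = {"unidrv.dll", "unidrvui.dll", "unires.dll", "hpcu255u.dll", "hpcu255c.dll"}
# Hosts where the spooler should be disabled outright (assumption: DC01 is a domain controller).
DOMAIN_CONTROLLERS = {"DC01"}

# Constructed sample records shaped like Microsoft-Windows-PrintService events; not real logs.
SAMPLE_EVENTS = [
    {"host": "DC01", "channel": "Microsoft-Windows-PrintService/Operational", "id": 316,
     "message": "Printer driver Generic / Text Only for Windows x64 Version-3 was added or updated. "
                "Files:- UNIDRV.DLL, UNIDRVUI.DLL, UNIRES.DLL"},
    {"host": "DC01", "channel": "Microsoft-Windows-PrintService/Operational", "id": 316,
     "message": "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                "Files:- UNIDRV.DLL, kernelbase.dll, evil.dll"},
    {"host": "DC01", "channel": "Microsoft-Windows-PrintService/Admin", "id": 808,
     "message": "The print spooler failed to load a plug-in module "
                "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\evil.dll, error code 0x45A."},
    {"host": "WS-042", "channel": "Microsoft-Windows-PrintService/Operational", "id": 316,
     "message": "Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 was added or updated. "
                "Files:- hpcu255u.dll, hpcu255c.dll"},
]

FILES_RE = re.compile(r"Files:-\s*(.+)$")
MODULE_RE = re.compile(r"failed to load a plug-in module\s+(\S+?),")


@dataclass
class Finding:
    host: str
    event_id: int
    reason: str
    artifact: str


def driver_files(message: str) -> list:
    """Extract the file list from a 316 message, normalised to lowercase."""
    m = FILES_RE.search(message)
    if not m:
        return []
    return [f.strip().lower() for f in m.group(1).split(",") if f.strip()]


def analyze(events, domain_controllers=DOMAIN_CONTROLLERS, baseline=BASELINE_DRIVER_FILES) -> list:
    """Apply the two heuristics to a list of event dicts and return the findings in event order."""
    findings = []
    for ev in events:
        if ev["id"] == 316:
            files = driver_files(ev["message"])
            # Any driver install on a DC is suspect: the spooler should not be running there.
            if ev["host"] in domain_controllers:
                findings.append(Finding(ev["host"], 316, "driver added on a domain controller", ", ".join(files)))
            # A driver package carrying files outside the baseline is how the exploits deliver their DLL.
            unexpected = [f for f in files if f not in baseline]
            if unexpected:
                findings.append(Finding(ev["host"], 316, "driver file outside baseline", ", ".join(unexpected)))
        elif ev["id"] == 808:
            # A failed plug-in load is a common side effect of a malicious driver DLL being pushed.
            m = MODULE_RE.search(ev["message"])
            findings.append(Finding(ev["host"], 808, "spooler failed to load plug-in module",
                                    m.group(1) if m else ev["message"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host}: event {f.event_id}: {f.reason}: {f.artifact}")
```

Run against the constructed records, the domain controller produces three findings (a driver added on a DC twice, one of them carrying kernelbase.dll and evil.dll outside the baseline, plus the failed plug-in load), while the workstation installing a baseline HP driver produces none. A baseline built from your own driver inventory is more reliable than a vendor list, and on domain controllers the stronger control remains disabling the service.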

Mirai on the Rise

CTAPT analysts have been closely monitoring the growing use of Mirai-derived botnets to exploit recently disclosed vulnerabilities. The original Mirai botnet has been dismantled, but its source code was published in 2016, so anyone can read and modify it. Various threat actors have built their own variants, or strains, from that code, such as Dark.IoT and Meris, using it to expand their distributed denial-of-service (DDoS) capacity and to install crypto miners. Across the different strains, one consistent tactic, technique, and procedure (TTP) is reliance on publicly disclosed vulnerabilities.


The Dark.IoT botnet has been in development since February 2021. It takes its name from the filenames of its malware, “Dark.[architecture]”, and from the hostnames used for its command-and-control (C2) servers, “” (pronounced “LMAO-IoT”). [11] Dark.IoT has since become known as one of the quickest botnets to weaponize new exploits. In early August 2021, the Dark.IoT Mirai variant began targeting a series of eleven (11) recently disclosed vulnerabilities affecting routers from nearly two dozen vendors, just days after the exploits were published. The affected devices ran vulnerable versions of Arcadyan firmware, the Realtek SDK, or Seagate BlackArmor network-attached storage (NAS) firmware.

Dark.IoT installs itself through a loader script, typically named “”, which installs the compilers it needs, blocks other botnets from infecting the device, and then installs the bot. [12] The bot calls back to its C2 server for DDoS commands and updates, and uses several scanning modules to find other vulnerable devices on the internet. The scanners also brute-force Secure Shell (SSH) logins using a credential combo-list bundled with the malware. This gives the botnet worm-like behaviour: it spreads without any interaction from its operator.

More recently, Dark.IoT has added the OMIGOD remote code execution (RCE) exploit, CVE-2021-38647. The flaw is in the Open Management Infrastructure (OMI) agent, which Azure installs on Linux virtual machines (VMs) when management services such as Log Analytics or Azure Automation are enabled. The OMI daemon runs as root, and on unpatched versions a request that omits the Authorization header is treated as coming from root, so an HTTP request carrying a command payload and no authentication header gets that payload executed as root. [13] Some Azure deployments expose the OMI port (5986, 5985, or 1270) to the internet, allowing attackers to compromise the host remotely without any prior access. Within hours of the proof-of-concept being released, Dark.IoT started targeting internet-exposed OMI agents, sending its “” script as the payload to be executed, and added new scanning modules to spread through the OMI vulnerability. [14] The Dark.IoT developers clearly keep folding new vulnerabilities into their botnet and will likely continue to follow future trends.


Another strain, named Meris, appeared in June 2021, on the five-year anniversary of Mirai’s creation, and soon became one of the fastest-growing botnets on the internet. It exploits a flaw in MikroTik routers that went unnoticed for some time and was present in multiple firmware versions; once discovered, it was patched in RouterOS releases from 2018 onward. Roughly three (3) years later, Meris was found exploiting that RouterOS vulnerability through the Winbox service, the router-side counterpart of the small Windows utility that “allows the administration of MikroTik RouterOS using a fast and simple GUI.” [15] If TCP port 8291 is exposed to the internet, an attacker can send a crafted request to the router’s Winbox service and read any file on the router, including the user database with its usernames and passwords. [16] That gives the attacker every user account on the router, and Meris uses this access to plant its malware on the device.

The Meris botnet has added several features over its lifespan that make it well suited to large-scale DDoS attacks. The most damaging is HTTP pipelining: sending multiple HTTP requests over one connection without waiting for a response to each. This lets Meris multiply its requests per second (RPS) by roughly three for every device it infects. [17] The botnet also tries to keep hold of devices after they are updated, by configuring SOCKS proxies and L2TP VPN clients on them and by retaining the passwords used for initial access. Since its creation, Meris has been used in several record-breaking DDoS attacks and is expected to keep operating.
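Both mechanisms described above, an OMI request accepted without an Authorization header and a pipelined burst of HTTP requests on a single connection, are visible in the raw bytes on the wire. The following Python is an added example, not code from the bulletin or from any of the projects or vendors mentioned. It splits a client byte stream into HTTP/1.1 requests (pipelined requests simply arrive back-to-back), measures how many requests a client has outstanding before any response comes back, and flags WS-Management requests that carry ExecuteShellCommand to an OMI port with no Authorization header, the OMIGOD pattern. The sample traffic is constructed; the OMI port list and the SOAP body shape are assumptions for the example.

```python
from dataclasses import dataclass, field

# Ports on which the OMI agent listens for WS-Management requests (assumption for this example).
OMI_PORTS = {5985, 5986, 1270}


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_stream(data: bytes) -> list:
    """Split a client-to-server byte stream into HTTP/1.1 requests.

    Pipelined requests arrive back-to-back in the same stream, so the parser
    loops until the data is exhausted. Bodies are delimited by Content-Length;
    chunked transfer encoding is out of scope here."""
    requests = []
    pos = 0
    while pos < len(data):
        end = data.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete request: stop rather than guess
        lines = data[pos:end].decode("latin-1").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        length = int(headers.get("content-length", "0"))
        requests.append(HttpRequest(method, target, headers, data[body_start:body_start + length]))
        pos = body_start + length
    return requests


def omi_unauthenticated_exec(req: HttpRequest, dst_port: int) -> bool:
    """OMIGOD pattern: a WS-Man ExecuteShellCommand sent to an OMI port with no Authorization header.
    The unpatched agent treats the missing header as a root session."""
    return (dst_port in OMI_PORTS
            and req.method == "POST"
            and req.target.startswith("/wsman")
            and b"ExecuteShellCommand" in req.body
            and "authorization" not in req.headers)


def max_outstanding(events) -> int:
    """Pipelining depth: the peak number of requests a client has sent before responses arrive.
    `events` is a sequence of (direction, bytes) with direction "c" (client) or "s" (server)."""
    outstanding = peak = 0
    for direction, data in events:
        if direction == "c":
            outstanding += len(parse_stream(data))
        else:
            outstanding -= sum(1 for line in data.split(b"\r\n") if line.startswith(b"HTTP/1."))
        peak = max(peak, outstanding)
    return peak


def build_request(method: str, target: str, headers: dict, body: bytes = b"") -> bytes:
    """Serialise a request; used here only to construct the sample traffic."""
    head = f"{method} {target} HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    if body:
        head += f"Content-Length: {len(body)}\r\n"
    return head.encode() + b"\r\n" + body


# Constructed sample traffic (not a capture from any real incident).
OMI_BODY = (b"<s:Envelope><s:Body><p:ExecuteShellCommand_INPUT>"
            b"<p:command>id</p:command><p:timeout>0</p:timeout>"
            b"</p:ExecuteShellCommand_INPUT></s:Body></s:Envelope>")
OMI_STREAM = build_request("POST", "/wsman", {"Host": "10.0.0.5:5986",
                                                 "Content-Type": "application/soap+xml"}, OMI_BODY)
OK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
PIPELINED = [  # three requests in one burst, then three responses: the Meris pattern
    ("c", b"".join(build_request("GET", f"/?q={i}", {"Host": "victim.example"}) for i in range(3))),
    ("s", OK * 3),
]
SEQUENTIAL = [  # one request, one response, repeat: an ordinary client
    ("c", build_request("GET", "/", {"Host": "victim.example"})), ("s", OK),
    ("c", build_request("GET", "/", {"Host": "victim.example"})), ("s", OK),
]

if __name__ == "__main__":
    for req in parse_stream(OMI_STREAM):
        print("OMIGOD-style unauthenticated exec:", omi_unauthenticated_exec(req, 5986))
    print("pipelining depth, burst:", max_outstanding(PIPELINED))
    print("pipelining depth, sequential:", max_outstanding(SEQUENTIAL))
```

The pipelining measurement is only meaningful with both directions of the conversation, which is why the function takes interleaved client and server events rather than a one-sided capture; a depth that is consistently above one per connection, from many sources, is the signature of the roughly threefold RPS multiplier described above. For OMI, the decisive fields are the absent Authorization header and the destination port; the same SOAP body with a valid header is ordinary management traffic.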

The Confluence Connection

In late August 2021, a vulnerability tracked as CVE-2021-26084 was identified in Atlassian’s Confluence wiki and documentation application. It is an Object-Graph Navigation Language (OGNL) injection: OGNL lets expressions embedded in a string be evaluated (for example, the string “#{1+1}” evaluates to 2), and an attacker who can get user-controlled input evaluated as OGNL can run arbitrary code on the server. [18] Atlassian released a patch on August 25, yet thousands of servers remained vulnerable. Research by Censys identified 11,689 exposed vulnerable servers initially, dropping to 8,119 by September 8. [19]

Figure 2: Servers vulnerable to CVE-2021-26084 (“Confluenza”), as tracked by Censys [20]
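As an added example (not from the bulletin, Atlassian, or Censys), the Python below does the two checks a defender wants for CVE-2021-26084: a version test against the affected ranges in Atlassian’s advisory (fixed in 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0 onward), and a request inspector that decodes the URL encoding and \u0027-style unicode escapes attackers use to hide the injected expression, then looks for OGNL syntax, such as the “#{1+1}” form above, in the parameters through which the bug was reported to be reachable. The endpoint and parameter lists are a partial set and should be treated as assumptions to extend from vendor guidance; the sample requests are constructed.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Version ranges from Atlassian's advisory: (first affected, first fixed). 7.13.0 and later are fixed.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]

# Endpoints and parameters through which the injection was reported to be reachable
# (partial list; an assumption for this example, extend it from your own vendor guidance).
SUSPECT_PATHS = {
    "/pages/createpage-entervariables.action",
    "/pages/doenterpagevariables.action",
    "/pages/createpage.action",
}
SUSPECT_PARAMS = {"querystring", "linkcreation"}
OGNL_MARKERS = ("#{", "${", "@java.lang.", "class.forname(", "scriptenginemanager", "getruntime(")

UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")


def parse_version(version: str) -> tuple:
    return tuple(int(x) for x in version.split("."))


def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def normalize(value: str) -> str:
    """Strip the layers used to hide the expression: URL encoding, then \\uXXXX escapes
    (the public exploit used \\u0027 to close the string it was injected into), then case."""
    s = unquote(value)
    s = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
    return s.lower()


def ognl_indicators(value: str) -> list:
    s = normalize(value)
    return [marker for marker in OGNL_MARKERS if marker in s]


def inspect_request(method: str, uri: str, body: str = "") -> Optional[dict]:
    """Return a finding if a request to a suspect endpoint carries OGNL syntax in a suspect parameter."""
    parts = urlsplit(uri)
    if parts.path not in SUSPECT_PATHS:
        return None
    params = parse_qsl(parts.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        if name.lower() in SUSPECT_PARAMS:
            hits = ognl_indicators(value)
            if hits:
                return {"method": method, "path": parts.path, "param": name,
                        "indicators": hits, "decoded": normalize(value)}
    return None


# Constructed sample requests (method, URI, body) as a reverse proxy or WAF might record them.
SAMPLE_REQUESTS = [
    ("POST", "/pages/createpage-entervariables.action?SpaceKey=DEMO",
     "queryString=%5Cu0027%2B%23%7B1%2B1%7D%2B%5Cu0027"),   # decodes to '+#{1+1}+'
    ("GET", "/pages/createpage-entervariables.action?queryString=hello+world", ""),
    ("POST", "/rest/api/content", "queryString=%23%7B1%2B1%7D"),
]

if __name__ == "__main__":
    for ver in ("6.13.22", "7.4.11", "7.12.4", "7.13.0"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
    for req in SAMPLE_REQUESTS:
        print(req[1], "->", inspect_request(*req))
```

The exploit sends its expression in a POST body, so an access log that records only the request line will not show it; run the inspector over proxy or WAF logs that capture bodies, or over the parameters Confluence itself logs. The version check is the more reliable signal for exposure, the request check for attempts.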

CTAPT has observed Mirai binaries being dropped through the Confluence bug. The actor deploying them leaves little trace on the affected machine. Post-exploitation traffic goes to the IP address 185.142.236[.]33, which is likely the actor’s C2 server. Palo Alto Networks researchers reported that this IP hosted a “mirai.x86” payload, a generic build of the Mirai bot. [21] The activity is probably not linked to existing, well-known Mirai strains and may be an opportunist bootstrapping a botnet of their own. CTAPT analysts are continuing to investigate this actor, and the Mirai botnet as a whole, for more information.

Record-Breaking DDoS Attacks

2021 has seen two distributed denial-of-service (DDoS) attacks that each set a new all-time record for HTTP requests per second (rps). The first targeted an undisclosed financial company that is a Cloudflare customer, and the second targeted Yandex, the Russian internet giant. Both attacks involved a variant, or strain, of the Mirai botnet. Mirai-based botnets spread in various ways, such as brute-forcing factory-default credentials [22] or exploiting known or newly disclosed vulnerabilities in routers and other network devices.


In July 2021, a customer of Cloudflare, a website infrastructure and security company based in the United States, was hit with the largest HTTP DDoS attack witnessed to date. [23] The attack comprised 330 million requests in total and targeted a Cloudflare customer in the financial industry. It was launched by an undisclosed, unusually powerful Mirai variant and peaked at 17.2 million requests per second. Cloudflare noted that the attack was so large that it amounted to approximately “68% of [their] total second quarter average rps rate of legitimate HTTP traffic”, as the company serves over 25 million HTTP requests per second on average. The attack involved over 20,000 bots across 125 countries, with the largest shares of bot IP addresses in Indonesia, India, and Brazil. The bots were infected Internet of Things (IoT) devices, servers, and computers. [24] Cloudflare’s infrastructure detected and mitigated the attack automatically, without human intervention, and Cloudflare recommended that organizations relying on legacy or on-demand DDoS protection move to “active, always-on cloud-based protection”, because with today’s attacks “it can be challenging or impossible for humans to react to it in time”. [25]

Figure 3: Cloudflare’s timeline of the DDoS attack, peaking at 17.2 million requests per second


In August 2021, Yandex was targeted by a Mirai strain, the Meris botnet, in a DDoS attack that broke the requests-per-second record set by the earlier attack on Cloudflare. The attack on Yandex peaked at 21.8 million requests per second and was described as “the largest in the history of Russian internet [aka Runet]” [26]. Qrator Labs, Yandex’s DDoS protection partner, investigated the attack and counted approximately 56,000 attacking hosts hitting Yandex’s servers; further research estimated the botnet at nearly 250,000 infected devices. Qrator Labs traced the majority of the attack traffic to MikroTik devices. [27] MikroTik, a Latvian network equipment vendor, responded that the attack used routers still affected by a RouterOS vulnerability from 2018 (CVE-2018-14847), which newer firmware versions had patched. [28] Yandex and Qrator Labs, however, observed a wide range of RouterOS versions in the Meris botnet, including devices running the newer firmware.

In late September, engineers at Rostelecom-Solar, the cybersecurity division of the Russian telecom giant Rostelecom, published a report finding that the actors behind Meris had attempted to add over 45,000 new MikroTik devices to the botnet, which could have increased its capacity by 20%. [29] Analysing some of the infected routers, the engineers found callbacks to a command-and-control (C2) domain that had never been registered. They registered it themselves and turned it into a “sinkhole” domain, which then received beacons from approximately 45,000 infected devices that could no longer reach their intended C2 server.

DDoS attacks involving the Meris botnet are on the rise, as the actors behind it have launched several attacks this year against financial institutions and internet service providers (ISPs) across the globe. Given the attempt to add more devices to the botnet, Meris will stay on the radar as the year continues.

Figure 4: Qrator Labs’ timeline of the DDoS attack, peaking at 21.8 million requests per second

The record-breaking DDoS attacks offer insight into threat actors’ current capabilities and show that those capabilities will only grow with time. In the first half of 2021 alone, NetScout counted 5.4 million DDoS attacks globally, and Microsoft reported the three most targeted regions as the United States, Europe, and East Asia. [30], [31] The operators behind the Mirai strains have the potential to push their tactics, techniques, and procedures (TTPs) beyond anything measured so far, producing a continuing series of record-breaking attacks. Organizations around the globe must acknowledge this possibility and put the controls in place to mitigate the risk.

ForcedEntry Vulnerability

In September 2021, Apple released a critical patch for CVE-2021-30860, a vulnerability that NSO Group exploited to infect current iOS devices with its Pegasus spyware. Discovered by Citizen Lab and labeled ForcedEntry, CVE-2021-30860 was used to bypass iOS’s BlastDoor sandbox. The bug is an integer overflow that let the attacker craft malicious PDFs which execute arbitrary code on victim devices.

Discovered by Citizen Lab in August and labeled ForcedEntry, CVE-2021-30860 is the latest vulnerability to affect Apple’s iMessage. Its impact comes from its ability to skirt one of Apple’s newer security features, BlastDoor. Introduced in iOS 14, BlastDoor is a service that parses the content of incoming iMessages inside a tightly restricted process [32]. That restricted environment, a sandbox, is meant to prevent malicious content in a message from interacting with the rest of the operating system or reaching personal data on the device [33].

ForcedEntry’s ability to skirt BlastDoor stems from an integer overflow in Apple’s CoreGraphics framework [34]. An integer overflow occurs when an arithmetic operation produces a value outside the range that can be represented in the given number of bits, either above the maximum or below the minimum representable value [35]. Here the error gave the attacker the ability to run code on the device: a crafted PDF, when processed, executes attacker-supplied code or commands on the vulnerable device. Citizen Lab reports artifacts linking exploitation of CVE-2021-30860 to NSO Group’s Pegasus spyware.
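An added illustration of the bug class, written in Python rather than C and not Apple’s code or the actual ForcedEntry defect: an image header’s width, height, and bytes per pixel are multiplied in 32-bit arithmetic, the product wraps to a small number, the decoder’s size limit is satisfied, and the decoder would then be handed far more pixel data than the buffer it sized can hold. The checked variant computes the exact product and rejects anything that would have wrapped. The 64 MiB allocation limit is a hypothetical value chosen for the example.

```python
MASK32 = 0xFFFFFFFF


class OverflowDetected(ValueError):
    """Raised when a size computation would not fit in the decoder's 32-bit size type."""


def mul32(a: int, b: int) -> int:
    """Unsigned 32-bit multiply with wraparound, as a C uint32_t would do silently."""
    return (a * b) & MASK32


def buffer_size_unchecked(width: int, height: int, bpp: int) -> int:
    """The vulnerable shape: width * height * bytes-per-pixel in wrapping 32-bit arithmetic."""
    return mul32(mul32(width, height), bpp)


def buffer_size_checked(width: int, height: int, bpp: int) -> int:
    """The fixed shape: compute exactly and refuse anything that would have wrapped."""
    size = width * height * bpp  # Python ints do not wrap, so the true product is available
    if size > MASK32:
        raise OverflowDetected(f"{width}x{height}x{bpp} bytes does not fit in 32 bits")
    return size


MAX_ALLOC = 64 * 1024 * 1024  # hypothetical decoder limit (64 MiB) guarding the allocation


def decode_header(width: int, height: int, bpp: int, checked: bool) -> tuple:
    """Simulate a decoder deciding how much to allocate for an image.

    Returns (allocated, needed): the buffer the decoder sizes versus the bytes the pixel data
    actually needs. When the two differ, the decoder would copy past the end of its buffer."""
    size_fn = buffer_size_checked if checked else buffer_size_unchecked
    allocated = size_fn(width, height, bpp)
    if allocated > MAX_ALLOC:
        raise ValueError("image too large")  # the bounds check the attacker must get past
    needed = width * height * bpp
    return allocated, needed


def is_rejected(width: int, height: int, bpp: int) -> bool:
    """True if the checked path refuses the header, for overflow or for exceeding the limit."""
    try:
        decode_header(width, height, bpp, checked=True)
    except ValueError:  # OverflowDetected is a ValueError
        return True
    return False


if __name__ == "__main__":
    # 65536 x 65537 x 1 byte: the true size is 2^32 + 65536 bytes, but it wraps to 65536,
    # so the unchecked decoder allocates 64 KiB for 4 GiB of pixel data and the limit check passes.
    print("unchecked:", decode_header(65536, 65537, 1, checked=False))
    print("checked rejects:", is_rejected(65536, 65537, 1))
    print("ordinary image:", decode_header(100, 100, 4, checked=False))
```

The point to take from the unchecked path is that the bounds check is not wrong, it is checking the wrong number: the wrapped product is small, so every guard written in terms of it passes. Fixes for this class either widen the arithmetic before comparing or, as the checked variant does, detect the wrap and refuse the input outright.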

Citizen Lab reports finding NSO Group’s Pegasus spyware on the iPhones of nine Bahraini activists, including members of the Bahrain Center for Human Rights, Waad, and Al Wefaq. [36] NSO Group Technologies is an Israeli technology firm known primarily for its controversial Pegasus spyware. Pegasus, which has been sold to governments including the United Arab Emirates, is marketed as giving authorized governments the ability to fight terrorism and crime, and it targets most iOS and Android mobile devices. Once installed, Pegasus lets its operator read text messages, track calls, harvest passwords for applications and websites, track the device’s location, and access its camera and microphone. [37]

In summary, CVE-2021-30860, aka ForcedEntry, affects the latest iOS devices. Apple’s patch, released September 13, 2021, fixes the integer overflow in CoreGraphics that let attackers bypass BlastDoor entirely and execute code of their choosing. Citizen Lab has made credible claims that NSO Group’s Pegasus spyware exploited ForcedEntry for surveillance in the Middle East. Pegasus, sold to several Gulf states, is marketed as giving agencies the ability to “fight terror and crime” by monitoring infected users’ text messages and location and by accessing their camera and microphone.

BlackMatter Targeting Critical Infrastructure

The BlackMatter ransomware-as-a-service (RaaS) gang emerged as a successor to several ransomware groups, including DarkSide, which withdrew from the criminal scene after the high-profile attack on Colonial Pipeline, and REvil, which went silent for months after the Kaseya attack pushed ransomware to hundreds of companies. Like those predecessors, BlackMatter steals data from a victim’s network before encrypting it and then threatens to publish the files if the ransom for the decryptor is not paid [38]. A number of incidents involving BlackMatter have already been reported.

A U.S. farmer cooperative, NEW Cooperative, was hit by a BlackMatter ransomware attack. The attackers demanded a $5.9 million ransom, rising to $11.8 million if not paid within five days. NEW Cooperative stated that it had identified a cybersecurity incident affecting some of its devices and systems, that systems were proactively taken offline to contain the threat, and that the threat was successfully contained. [39] Law enforcement was notified promptly and worked closely with data security experts to investigate and remediate the situation.

Security researchers first became aware of the compromise after a sample of the BlackMatter ransomware, along with associated data, was posted anonymously to a popular malware analysis site. Alongside the sample, the poster included the ransom note, the negotiation page victims must use to communicate with the actors, and a private link to a site holding screenshots of allegedly stolen data.

Researchers believe BlackMatter to be a rebrand of the DarkSide ransomware group, which disappeared after attacking Colonial Pipe­line in May. On first appearing, BlackMatter stated that it would not target “critical Infrastructure facilities such as nuclear power plants, power plants, water treatment facilities, etc.” Its actions, however, indicate that it does not consider NEW Cooperative and other food supply-chain entities to be critical infrastructure.

Figure 5: Twitter post regarding the recent BlackMatter attack on critical infrastructure

On their private data leak page, the actors claim to have stolen source code for a project, R&D results, sensitive employee information, financial documents, and an exported database from the KeePass password manager. The page includes screenshots of allegedly stolen data, including legal documents, application screenshots, and financial information. [40] The Food and Agriculture critical infrastructure sector has been targeted heavily throughout 2021, and other groups may follow BlackMatter’s lead now that DarkSide’s hiatus has left a power vacuum for other actors to fill. Ransomware groups will always come and go as the threat landscape changes, whether to evade the authorities or to preserve or start partnerships, so security researchers will have to keep identifying these groups by their tactics, techniques, and procedures (TTPs) rather than by who the actors claim to be.

Threat Actor of the Month

CTAPT analysts routinely monitor dozens of underground forums to identify threat actor activity, detect shifts in tactics, and analyze transactions involving sensitive data of interest. From this, CTAPT enumerates and tracks the most active threat actors over a thirty (30) day period and uses the data to develop indicators, warnings, and emerging-risk assessments. During these reviews, CTAPT analysts often spot specific actors that are of interest for one reason or another. The following highlights one of those actors:

This month we have deviated slightly from the ransomware and malware groups we usually report on and have instead focused on the brokers who supply access to the victim environments that ransomware groups target. Gaining a foothold in an environment is resource- and personnel-intensive, and outsourcing that stage of an attack frees high-level threat actors to do what they do best.

Figure 6: nei’s profile on the Exploit dark-web forum

“nei”, also known as “Asatru” and “Rakuda”, is a member of the elite dark-web forums Exploit and XSS, where the actor routinely sells remote access into unsuspecting companies. This type of service continues to grow rapidly across dark-web forums and marketplaces, as ransomware groups evolve alongside the changing demand for access and data.

Figure 7: Recent post by nei

The rise of initial access brokers (IABs) on the dark web is still in its early stages, even as ransomware groups run rampant. Ransomware operators are often too busy dealing with current victims to hunt for their next target, so an IAB is often contacted off-forum to see what stock is available. If the IAB cannot sell its stock directly to ransomware operators, it will post on dark-web forums as a secondary sales channel. “nei” has completed multiple deals on both Exploit and XSS and has been a member of Exploit since March 11, 2021, which indicates that the actor is now established as an initial access broker. Based on the intelligence gathered so far, CTAPT analysts assess with medium to high confidence that the actor is credible. Ankura investigators have responded to several ransomware matters involving the exfiltration of sensitive information in which the initial access may have been purchased from a broker.

Trending IOCs


Indicator                                      Type              Associated threat
3f9a28e8c057e7ea7ccf15a4db81f362               Hash (MD5)        BlackMatter (Linux variant)
bc1qlv2qdmylyuw62zw8qcd4n3uh84cy2edckv3ds7     Bitcoin address   BlackMatter
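The indicators in this bulletin are published defanged (185.142.236[.]33 in the Confluence section) or in forms that need normalising before they can be matched: hashes turn up in either case, and a bech32 Bitcoin address is case-insensitive but must not mix case, so lowercase is its canonical form. As an added example, not code from the bulletin, the Python below refangs and validates each indicator type, builds a lookup index, and scans constructed log lines for matches, also trying each IP token with a trailing :port removed so that 185.142.236.33:80 still hits. The log lines are constructed for the example and are not from any real incident.

```python
import re

# Indicators from this bulletin, as published (the IP is defanged in the text).
BULLETIN_IOCS = [
    ("ip", "185.142.236[.]33", "Mirai C2 contacted after Confluence exploitation"),
    ("md5", "3f9a28e8c057e7ea7ccf15a4db81f362", "BlackMatter (Linux variant)"),
    ("btc", "bc1qlv2qdmylyuw62zw8qcd4n3uh84cy2edckv3ds7", "BlackMatter ransom address"),
]

IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
MD5 = re.compile(r"^[0-9a-f]{32}$")
BECH32_CHARSET = set("qpzry9x8gf2tvdw0s3jn54khce6mua7l")  # BIP173 alphabet: no 1, b, i, o


def refang(value: str) -> str:
    """Undo the common defanging conventions so indicators can be compared with live data."""
    return (value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
                 .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def canonical(kind: str, value: str) -> str:
    """Validate an indicator of the given kind and return its canonical form, or raise ValueError."""
    v = refang(value.strip())
    if kind == "ip":
        if not IPV4.match(v):
            raise ValueError(f"not an IPv4 address: {value}")
        return v
    if kind == "md5":
        v = v.lower()
        if not MD5.match(v):
            raise ValueError(f"not an MD5 hex digest: {value}")
        return v
    if kind == "btc":
        # bech32 is case-insensitive but must not mix case; compare in lowercase.
        v = v.lower()
        if not (v.startswith("bc1") and 14 <= len(v) <= 90 and set(v[3:]) <= BECH32_CHARSET):
            raise ValueError(f"not a bech32 Bitcoin address: {value}")
        return v
    raise ValueError(f"unknown indicator type: {kind}")


def is_valid(kind: str, value: str) -> bool:
    try:
        canonical(kind, value)
        return True
    except ValueError:
        return False


def build_index(iocs) -> dict:
    """Map each canonical indicator to its (kind, note) so lookups are a single dict hit."""
    return {canonical(kind, value): (kind, note) for kind, value, note in iocs}


def scan(lines, index: dict) -> list:
    """Return (line, indicator, note) for every token in the lines that matches an indexed indicator."""
    hits = []
    for line in lines:
        for raw in re.split(r"[\s=]+", line):
            cand = refang(raw).lower().rstrip(".,;")
            for c in (cand, cand.rsplit(":", 1)[0]):  # also try with a trailing :port removed
                if c in index:
                    hits.append((line, c, index[c][1]))
                    break
    return hits


# Constructed log lines (not from any real incident) mixing case, defanging and port suffixes.
SAMPLE_LOGS = [
    "2021-09-03T10:12:07Z conn 10.0.4.17:51234 -> 185.142.236.33:80 GET /mirai.x86",
    "2021-09-03T10:12:09Z conn 10.0.4.17:51235 -> 93.184.216.34:443",
    "2021-09-04T02:30:00Z fs /tmp/.x md5=3F9A28E8C057E7EA7CCF15A4DB81F362",
    "2021-09-04T02:31:00Z note ransom payment requested to Bc1qlv2qdmylyuw62zw8qcd4n3uh84cy2edckv3ds7",
]

if __name__ == "__main__":
    index = build_index(BULLETIN_IOCS)
    for line, ioc, note in scan(SAMPLE_LOGS, index):
        print(f"{ioc}  ({note})  <-  {line}")
```

Validating before indexing matters more than it looks: a typo in a published hash or a defanging style the refang step does not know will otherwise produce an indicator that can never match, and the scan will silently report nothing. The bech32 check here is structural only (prefix, length, alphabet); it does not verify the address checksum.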
© Copyright 2021. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

