Ephemeral is a threat actor, potentially linked to the Splinter and Ephemeral ransomware groups, known for their experience in other ransomware organizations and their use of the modern Ransomware-as-a-Service (RaaS) ecosystem. The group's malicious activities typically involve the use of Command and Control (C2) traffic for RedLine Stealer, which uses TCP traffic over an ephemeral port. In addition, the group leverages the dynamic and ever-changing nature of Kubernetes ecosystems, using ephemeral tokens created in workflow job runs to interact with GitHub resources. These tokens are automatically created and used to perform actions against the repository.
The cybersecurity challenges posed by Ephemeral extend to serverless environments due to their dynamic and ephemeral nature. The group also exploits vulnerabilities in AI systems that may be “highly ephemeral”. Internal pivots used include SMB on port 445 and TCP bind listeners on ephemeral high ports. Furthermore, the group's campaigns have been noted to differ from others, as they can often be tied to physical action by the target audience, indicating a more strategic and targeted approach to their operations.
Mitigation strategies suggested by researchers include updating or shutting down services vulnerable to loop DoS attacks, restricting service access to clients with ephemeral source ports, and identifying the vulnerable software or product in the network and informing the product's vendor of the potential for exploitation. Network defenders are advised to assume significant dwell time due to Volt Typhoon's ability to maintain long-term undetected persistence, and to review specific application event log IDs, which remain on endpoints for longer periods than security event logs and other ephemeral artifacts.
Description last updated: 2024-10-15T09:16:53.927Z