Microsoft disclosed on 17 August 2023 that it had found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools such as Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company's threat intelligence team said in a series of posts on X (formerly Twitter). "This BlackCat version also has the RemCom hack tool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials actors use for lateral movement and ransomware deployment."
RemCom, billed as an open-source alternative to PsExec, has in the past been used by Chinese and Iranian nation-state threat actors such as Dalbit and Chafer (aka Remix Kitten) to move across victim environments. Researchers said they started observing the new variant in attacks conducted by a BlackCat affiliate in July 2023.
The development comes over two months after IBM Security X-Force disclosed details of the updated version of BlackCat, called Sphynx, that first emerged in February 2023 with improved encryption speed and stealth, pointing to continued efforts made by threat actors to refine and retool the ransomware. "The BlackCat ransomware sample contains more than just ransomware functionality but can function as a 'toolkit,'" IBM Security X-Force noted in late May 2023. "An additional string suggests that tooling is based on tools from Impacket."
The cybercrime group, which launched its operation in November 2021, is marked by constant evolution, having recently released a data leak API to boost the visibility of its attacks. Rapid7's Mid-Year Threat Review for 2023 shows that BlackCat has been attributed to 212 out of 1,500 ransomware attacks.
BlackCat is not alone: the Cuba (aka COLDRAW) ransomware group has also been observed using a comprehensive attack toolset comprising BUGHATCH, a custom downloader; BURNTCIGAR, an antimalware killer; Wedgecut, a host enumeration utility; and the Metasploit and Cobalt Strike frameworks. BURNTCIGAR, in particular, features under-the-hood modifications that incorporate a hashed, hard-coded list of targeted processes to terminate, likely in an attempt to impede analysis.
One of the attacks mounted by the group in early June 2023 is said to have weaponized CVE-2020-1472 (Zerologon) and CVE-2023-27532, a high-severity flaw in Veeam Backup & Replication software that has been previously exploited by the FIN7 gang, for initial access.
Investigators said it marks the group's "first observed use of an exploit for the Veeam vulnerability CVE-2023-27532. The Cuba ransomware operators continue to recycle network infrastructure and use a core set of TTPs that they have subtly modified from campaign to campaign, often adopting readily available components to upgrade their toolset whenever the opportunity arises."
Ransomware remains a major money-spinner for financially motivated threat actors, growing in both sophistication and volume, with more attacks recorded in the first half of 2023 than in all of 2022, despite intensified law enforcement efforts to take the groups down. Some groups have also begun moving away from encryption to pure exfiltration and ransom, or resorting to triple extortion, in which the attacks go beyond data encryption and theft to blackmail a victim's employees or customers and carry out DDoS attacks to apply more pressure.
"The increasing popularity of Encryptionless Extortion attacks, which skips over the process of encryption, employs the same tactic of threatening to leak victims' data online if they don't pay," Zscaler said in its 2023 Ransomware Report. "This tactic results in faster and larger profits for ransomware gangs by eliminating software development cycles and decryption support. These attacks are also harder to detect and receive less attention from the authorities because they do not lock key files and systems or cause the downtime associated with recovery. Therefore, Encryptionless Extortion attacks tend not to disrupt their victims' business operations, resulting in lower reporting rates."
A second growing trend among ransomware actors is the adoption of intermittent encryption to encrypt only parts of each file to speed up the process as well as sidestep detection by security solutions that "make use of the amount of content being written to disk by a process in their heuristics to identify ransomware." Another tactic is the targeting of managed service providers (MSPs) as entry points to breach downstream corporate networks, as evidenced in a Play ransomware campaign aimed at finance, software, legal, and shipping and logistics industries, as well as state, local, tribal and territorial (SLTT) entities in the US, Australia, UK, and Italy.
The attacks leverage the Remote Monitoring and Management (RMM) software that service providers use to gain direct access to a customer's environment, bypassing most of its defenses and granting threat actors unfettered, privileged access to networks.
The repeated abuse of legitimate RMM software by threat actors has led the U.S. government to release a Cyber Defense Plan to mitigate threats to the RMM ecosystem. "Cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or managed security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers," the US Cybersecurity and Infrastructure Security Agency (CISA) cautioned.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or email@example.com