The Cat Came Back


There are many things you can do to protect yourself against cyberattacks, but if you still neglect the basics, your organization is an easy target for cyber criminals.  Please review what Red Sky Alliance recommends at the end of this article.

A security vulnerability that was left unpatched for three years allowed a notorious cyber-criminal gang to breach a network and plant ransomware.  The BlackCat ransomware attack against the undisclosed organization took place in March 2022 and has been detailed by cybersecurity researchers who investigated the incident.  BlackCat ransomware, also known as ALPHV, is quickly becoming one of the most active ransomware groups. The group has compromised 60 organizations globally, warranting an FBI Flash report highlighting Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) of the ransomware operation.

See link for past reporting:
https://redskyalliance.org/xindustry/blackcat-is-no-nice-kitty

BlackCat has a reputation for running a sophisticated ransomware operation; however, it was a simple technique that gave the attackers initial access to the network: exploiting a SQL injection vulnerability in an internet-exposed, unpatched, end-of-life SonicWall SRA appliance.

A security patch has been available to fix the vulnerability since 2019, but it had not been applied in this case, providing the cyber criminals with an easy entry point into the network.  From there, the attackers were able to obtain usernames and passwords and use them to gain access to ESXi servers, where the ransomware payload was ultimately deployed.

BlackCat uses several techniques, not seen in other ransomware groups, that are designed to make attacks successful.  For starters, the ransomware is written in the Rust programming language, which is unusual for malware and makes it more difficult to detect, examine, and reverse engineer.  The ransomware also uses a unique binary for each victim, built around information found in the target environment.  Because the code used in each campaign is slightly different, investigators report that this per-victim binary makes attacks harder to identify and detect.

In the case of the March 2022 incident, the attack was only partially successful.  BlackCat ransomware encrypted servers and files, but the attack could not spread to other parts of the network because the network had been segmented.  While the attackers could control one area of the network, they could not move into other sections.  The segmentation was well done in this case, and that is the reason the incident was contained.

BlackCat operates as a Ransomware-as-a-Service (RaaS) platform, and it is suspected that this attack was carried out by a new cybercriminal who was learning how to properly conduct attacks.  Despite the inexperience of the attacker, some servers were still infected with malware.  While no ransom was paid, and the network segmentation reduced the impact of the attack, the whole incident could have been avoided if some basic cybersecurity hygiene advice had been followed. 

Those steps would have included applying the relevant security updates to fix a vulnerability that was first disclosed in 2019.  It is also recommended that organizations monitor their networks for external access from known malicious IP addresses or for unusual patterns of behavior.
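One way to act on the monitoring advice above, as an added example that is not part of the original article: a small Python checker that runs over constructed remote-access appliance login records (the log format and the watchlist addresses are hypothetical, not SonicWall's real schema or the FBI's IoCs) and flags logins from watchlisted IPs, several accounts used from one source, and successful logins outside business hours.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, simplified login-record format (hypothetical, not a real
# appliance syslog schema): "<ISO timestamp> <result> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")

# Placeholder watchlist using RFC 5737 documentation addresses; in practice
# this set would be loaded from a threat-intelligence feed such as the FBI Flash IoCs.
WATCHLIST = {"203.0.113.45", "198.51.100.7"}

# Constructed sample log: one normal user plus a burst from a watchlisted source.
SAMPLE_LOG = """\
2022-03-01T09:12:04Z LOGIN_OK user=jsmith src=192.0.2.10
2022-03-01T23:41:17Z LOGIN_FAIL user=admin src=203.0.113.45
2022-03-01T23:41:19Z LOGIN_FAIL user=backup src=203.0.113.45
2022-03-01T23:41:22Z LOGIN_OK user=vmadmin src=203.0.113.45
2022-03-02T10:05:30Z LOGIN_OK user=jsmith src=192.0.2.10
"""


def parse(log_text):
    """Yield (timestamp, result, user, src) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src


def find_suspicious(log_text, max_users_per_src=2, business_hours=(7, 19)):
    """Return (reason, src, detail) alerts for watchlisted sources, many distinct
    accounts tried from one source, and successful logins outside business hours."""
    alerts = []
    users_by_src = defaultdict(set)
    for ts, result, user, src in parse(log_text):
        users_by_src[src].add(user)
        if src in WATCHLIST:
            alerts.append(("watchlist_ip", src, user))
        if result == "LOGIN_OK" and not business_hours[0] <= ts.hour < business_hours[1]:
            alerts.append(("off_hours_login", src, user))
    for src, users in users_by_src.items():
        if len(users) > max_users_per_src:
            alerts.append(("many_accounts_one_source", src, ",".join(sorted(users))))
    return alerts
```

Each alert names the source address so it can be correlated with the appliance's own session logs before blocking.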

It is up to all organizations to take steps and adopt procedures to protect themselves from ransomware attacks.  No government can stop these attacks, except for the countries that are sponsoring or benefitting from the ransom payments.

The following is what Red Sky Alliance recommends:

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement two-factor authentication company-wide.
  • For USA readers, join and become active in your local InfraGard chapter; there is no charge for membership. infragard.org
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures and test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cyber security software, services, and devices to be used by all employees and consultants who work from home.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Your company/organization can enroll in our RedXray service for daily cyber threat notifications, which help to protect your valuable domain(s). RedXray service is only $500 a month and provides threat intelligence on ten (10) cyber threat categories including Keyloggers, without having to connect to your network.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Pictured below are some IoCs provided by the FBI:

[Images of the FBI-provided BlackCat IoC tables not reproduced here]

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/3702558539639477516
